Find your solution!

Y4J · 13-Aug-2004, 01:31 AM #1

Recently, when I try to go to a webpage (like hotmail for example) and it would load up fine, then in like 3 seconds it will change into a page that it says "about:blank" in the web addy bar and has all this search stuff. I rean spybot and ad aware and I got rid of everything but I still get it. Not all the time but often.

Can you help me?

Y4J · 13-Aug-2004, 03:52 AM #2

Bump (wow went to almost next page within the hour lol)

I also wanted to point out, it does it ALOT when I try to check my email at hotmail. lol. But I don't think that makes a difference. : P

**dvk01** · 13-Aug-2004, 04:40 AM #3

go to http://www.thespykiller.co.uk/files/HijackThis.exe and download 'Hijack This!'.
make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

Y4J · 13-Aug-2004, 02:18 PM #4

Don't worry. I already have HijackThis

IMPORTANT Now when I click on things like My Computer and so on, a window pops up saying "Windows Explorer encountered a problem and needs to close." So I had to run HijackThis on safe mode.

Here is the log.

Logfile of HijackThis v1.98.0
Scan saved at 11:11:09 AM, on 8/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Y4J\Desktop\HIJACK\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINDOWS\System32\mspxs32.dll
O2 - BHO: (no name) - {347C6DC0-12F9-42E3-A818-C77F90352D3E} - C:\WINDOWS\System32\msdoh.dll
O2 - BHO: (no name) - {6FF83379-EA44-75BD-D357-115505D92E18} - C:\WINDOWS\System32\xqw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [Pkh] C:\WINDOWS\System32\uvqle.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.db105.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Filter: text/html - {3A5CCB1D-5735-421E-AAEE-BB3B20DF2419} - C:\WINDOWS\System32\msdoh.dll
O18 - Filter: text/plain - {3A5CCB1D-5735-421E-AAEE-BB3B20DF2419} - C:\WINDOWS\System32\msdoh.dll

Flrman1 · 13-Aug-2004, 02:25 PM #5

A new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it.

Also please do this:

Click here to download FindNFix.

Extract it (it should autoextract to C:\FindnFix when you double click it)

Go to the C:\FindnFix folder and doubleclick on !LOG!.BAT and let it run. It will generate a log.txt file. Copy and paste log.txt back here in your next reply.

Y4J · 13-Aug-2004, 04:44 PM #6

Ok here's the new Hijack Log..

Logfile of HijackThis v1.98.2
Scan saved at 1:33:41 PM, on 8/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Y4J\Desktop\HiJackNEW\hijackthis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Y4J\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - (no file)
O2 - BHO: (no name) - {347C6DC0-12F9-42E3-A818-C77F90352D3E} - C:\WINDOWS\System32\msdoh.dll
O2 - BHO: (no name) - {6FF83379-EA44-75BD-D357-115505D92E18} - C:\WINDOWS\System32\xqw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [Pkh] C:\WINDOWS\System32\uvqle.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.db105.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Filter: text/html - {3A5CCB1D-5735-421E-AAEE-BB3B20DF2419} - C:\WINDOWS\System32\msdoh.dll
O18 - Filter: text/plain - {3A5CCB1D-5735-421E-AAEE-BB3B20DF2419} - C:\WINDOWS\System32\msdoh.dll

---------------------

Ok and here is the Log from the FindnFix...

Fri 13 Aug 04 13:35:40

»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»

*System:
Microsoft Windows XP Professional 5.1 (Build 2600)
*IE version:
6.0.2600.0000

The type of the file system is NTFS.

__________________________________
!!*Creating backups...!!

The operation completed successfully
__________________________________

*Local time:
Friday, August 13, 2004 (8/13/2004)
1:35 PM, Pacific Daylight Time
*Uptime:
13:35:42 up 0 days, 0:04:02

----------------------------------------------------
»»Member of...: ("ADMIN" logon + group match required!)

User is a member of group YADAOIV\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Group BUILTIN\Administrators matches list.
Group BUILTIN\Users matches list.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

User: [YADAOIV\Y4J], is a member of:

BUILTIN\Administrators
\Everyone

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided and registry scan should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

___________________________________________________________________________ ___
***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
___________________________________________________________________________ ___

»»»»»»»»»»»»»»»»»»***LOG!***(*updated 8/14)»»»»»»»»»»»»»»»»

»»»*»»»*Use at your own risk!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

»»»»» (*2*) »»»»»........

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
kkpr73l.dll Thu Jul 8 2004 11:18:54p ..SHR 270,209 263.88 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 270,209 bytes 263.88 K

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
kkpr73l.dll Thu Jul 8 2004 11:18:54p ..SHR 270,209 263.88 K

1 item found: 1 file, 0 directories.
Total of file sizes: 270,209 bytes 263.88 K

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\KKPR73L.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 270209
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(*5*)»»»»»

»»»»»(*6*)»»»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...
*List of files specs that match the criteria:
*Note: Not all files listed here are infected!
___________________________________________________________________________
Path: C:\WINDOWS\SYSTEM32 Including: *.DLL
10. Admparse Dll 57,344 . . . . A 8-23-01 5:00 am
553. Licwmi Dll 57,344 . . . . A 8-23-01 5:00 am
1. 6to4svc Dll 35,840 . . . . A 8-23-01 5:00 am
440. Jgmd400 Dll 35,840 . . . . A 8-23-01 5:00 am
756. Mssign32 Dll 35,840 . . . . A 8-23-01 5:00 am
806. Narrhook Dll 35,840 . . . . A 8-23-01 5:00 am
1000. Rshx32 Dll 35,840 . . . . A 8-23-01 5:00 am
1036. Sens Dll 35,840 . . . . A 8-23-01 5:00 am
197. Dmserver Dll 21,504 . . . . A 8-23-01 5:00 am
417. Ipxrip Dll 21,504 . . . . A 8-23-01 5:00 am
1139. Udhisapi Dll 21,504 . . . . A 8-23-01 5:00 am
1283. Wsock32 Dll 21,504 . . . . A 8-23-01 5:00 am

___________________________________________________________________________ _
*By size and date...

No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

BHO search...

**File C:\WINDOWS\SYSTEM32\MSDOH.DLL
00001FF8: 25 25 25 30 32 78 00 00 . 00 00 00 00 C0 82 05 B3 %%%02x.. ....À‚.³

"C:\WINDOWS\system32\"
msdoh.dll Aug 12 2004 30720 "msdoh.dll"

1 item found: 1 file, 0 directories.
Total of file sizes: 30,720 bytes 30.00 K

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!

Value Matches
________________________________

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

»»Performing string scan....
00001150: ?
00001190: vk f AppInit_
000011D0

LLs G vk UDeviceNotSelectedTimeout
00001210: 1 5 ( W 9 0 ! vk ' zGDIProce
00001250:ssHandleQuota" vk Spooler2 y e s
00001290: 0 ` vk =pswapdisk vk
000012D0: R TransmissionRetryTimeout 0 `
00001310: vk ' 0 USERProcessHandleQuota
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
fùAppInit_DLLsÖæG
--------------
--------------
$011C8: AppInit_DLLs
$011F7: UDeviceNotSelectedTimeout
$01247: zGDIProcessHandleQuota
$012E0: TransmissionRetryTimeout
$01330: USERProcessHandleQuota
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

..........
*Debug...
--------------
--------------
Ntdll.DLL at 77F50000
Kernel32.DLL at 77E60000
..........
A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : ""
0000 00 00 | ..
-----------------------

»»»»»»Backups list...»»»»»»
13:39:32 up 0 days, 0:07:51
-----------------------
Fri 13 Aug 04 13:39:32

C:\FINDNFIX\
keyback.hiv Fri Aug 13 2004 1:35:40p A.... 8,192 8.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 8,192 bytes 8.00 K

C:\FINDNFIX\KEYS1\
winkey.reg Fri Aug 13 2004 1:35:40p A.... 287 0.28 K

1 item found: 1 file, 0 directories.
Total of file sizes: 287 bytes 0.28 K

*Temp backups...

"C:\Documents and Settings\Y4J\Local Settings\Temp\Backs2\"
keyback2.hi_ Aug 13 2004 8192 "keyback2.hi_"
winkey2.re_ Aug 13 2004 287 "winkey2.re_"

2 items found: 2 files, 0 directories.
Total of file sizes: 8,479 bytes 8.28 K

C:\FINDNFIX\
JUNKXXX Fri Aug 13 2004 1:35:40p .D... <Dir>

1 item found: 0 files, 1 directory.

___________________________________________________________________________ _____
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
___________________________________________________________________________ _____
-----END------
Fri 13 Aug 04 13:39:33

-----------

Flrman1 · 13-Aug-2004, 06:25 PM #7

Click here to download CWShredder. Close all browser windows, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

When it is finished restart your computer.

Go here and download Adaware SE.

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

Come back here and post another Hijack This log and we'll get rid of what's left.

Y4J · 13-Aug-2004, 06:36 PM #8

I will do the cshredder thing right now, but just letting you know, I already ran adaware (see top post) be back with other stuff.

Y4J · 13-Aug-2004, 06:43 PM #9

Well, after I ran CWShredder, it said this..

----------------
Done!
Removed from your system:
- CWS.Searchx
- 6 infected IE registry values
-----------------------

And That search thing is gone! So maybe that helped it. Looks like I had a search tojan?

Here is my log"

Logfile of HijackThis v1.98.2
Scan saved at 3:41:45 PM, on 8/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Y4J\Desktop\HiJackNEW\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mugglenet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - (no file)
O2 - BHO: (no name) - {6FF83379-EA44-75BD-D357-115505D92E18} - C:\WINDOWS\System32\xqw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [Pkh] C:\WINDOWS\System32\uvqle.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.db105.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Flrman1 · 13-Aug-2004, 06:59 PM **#10**

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mugglenet.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - (no file)

O2 - BHO: (no name) - {6FF83379-EA44-75BD-D357-115505D92E18} - C:\WINDOWS\System32\xqw.dll

O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe

O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe

O4 - HKCU\..\Run: [Pkh] C:\WINDOWS\System32\uvqle.exe

O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.db105.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.c

Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete these files:

C:\WINDOWS\System32\explorer32.exe
C:\WINDOWS\System32\uvqle.exe

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Y4J\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

Run CWShredder again while in safe mode.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

IMPORTANT!: I highly recommend that you go to Windows update and install all "Critical Updates and Service Packs" ASAP!. This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates IMMEDITELY!

Flrman1 · 17-Aug-2004, 08:23 AM **#11**

Why did you delete your last post? What's up?

Y4J · 17-Aug-2004, 10:37 PM **#12**

Well check it out. I'm going to post this log. The last log was before I used anything. Now after I scanned with Adaware and spybot and cwshredder. So some might still be on the log, but some might be new. Here it is.

By the way, thx in advance..

---------------------------

Logfile of HijackThis v1.98.2
Scan saved at 7:32:01 PM, on 8/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\twlerm.exe
C:\Program Files\eMusic\eMusicClient.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\PROGRA~1\COMMON~1\tsa\ts.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Y4J\Desktop\HiJackNEW\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mugglenet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 40.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [fkmsyiwt] C:\WINDOWS\System32\twlerm.exe
O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [hnequc] C:\WINDOWS\System32\hnequc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.db105.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50183/QDow_AS2.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Flrman1 · 17-Aug-2004, 11:17 PM **#13**

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 40.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [fkmsyiwt] C:\WINDOWS\System32\twlerm.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [hnequc] C:\WINDOWS\System32\hnequc.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE

O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.db105.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50183/QDow_AS2.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab

Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete these files:

C:\WINDOWS\System32\twlerm.exe
C:\WINDOWS\System32\hnequc.exe

delete these folders:

C:\Program Files\Web_Rebates
C:\Program Files\TV Media
C:\Program Files\My Daily Horoscope
C:\Program Files\Common Files\tsa

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

Click here to download LspFix

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of lspak.dll and cdlsp.dll (and nothing else) , and move them to the "Remove" pane.
Then click Finish.

Now start your computer in Safe Mode and delete:

The C:\windows\system32\lspak.dll file
The c:\windows\system32\cdlsp.dll file

Click Here and download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

Y4J · 18-Aug-2004, 12:33 AM **#14**

Ok first off, my computer is ALREADY working better. Here are the logs.

HiJackLog:

Logfile of HijackThis v1.98.2
Scan saved at 9:31:13 PM, on 8/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\documents and settings\y4j\local settings\temp\WO70y1.exe
C:\documents and settings\y4j\local settings\temp\gfRtlcWbr.exe
C:\documents and settings\y4j\local settings\temp\WO70y1.exe
C:\documents and settings\y4j\local settings\temp\gfRtlcWbr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Y4J\Desktop\HiJackNEW\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mugglenet.com/
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Y4J\Local Settings\Temp\ewgm3Loc.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WO70y1.exe] C:\documents and settings\y4j\local settings\temp\WO70y1.exe
O4 - HKLM\..\Run: [gfRtlcWbr.exe] C:\documents and settings\y4j\local settings\temp\gfRtlcWbr.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [WO70y1] C:\documents and settings\y4j\local settings\temp\WO70y1.exe
O4 - HKLM\..\Run: [gfRtlcWbr] C:\documents and settings\y4j\local settings\temp\gfRtlcWbr.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.my-internet.info
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

--------------------

And here's the VX2 log:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---
C:\WINDOWS\System32\lspak.dll

Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---
{B254BE33-DE70-41A0-9FA6-E05792461438}

Flrman1 · 18-Aug-2004, 06:26 PM **#15**

I don't know what you are doing in between posting these logs, but whatever it is, don't do it! You have some new baddies in every log you post!

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

Run VX2Finder again and click on the Find VX2.Betterinternet button. It will display the entries as before.

Click on the User Agent button and it will delete the user agent string.

Restart your computer,

Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Y4J\Local Settings\Temp\ewgm3Loc.dll

O4 - HKLM\..\Run: [WO70y1.exe] C:\documents and settings\y4j\local settings\temp\WO70y1.exe

O4 - HKLM\..\Run: [gfRtlcWbr.exe] C:\documents and settings\y4j\local settings\temp\gfRtlcWbr.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe

O4 - HKLM\..\Run: [WO70y1] C:\documents and settings\y4j\local settings\temp\WO70y1.exe

O4 - HKLM\..\Run: [gfRtlcWbr] C:\documents and settings\y4j\local settings\temp\gfRtlcWbr.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O15 - Trusted Zone: *.my-internet.info

Restart to safe mode and delete these files:

C:\WINDOWS\conscorr.exe
C:\WINDOWS\System32\lspak.dll

Delete these folders:

C:\Program Files\TV Media
C:\Program Files\Web_Rebates

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\y4j\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

IMPORTANT!: I highly recommend that you go to Windows update and install all "Critical Updates and Service Packs" ASAP!. This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates IMMEDITELY!

Tag Cloud
adware audio bios blue screen boot bsod computer crash dell desktop driver drivers email error excel firefox freeze google hard drive hardware hijackthis install internet laptop linux malware network no sound outlook problem recovery router screen server slow sound speakers spyware startup trojan usb video virus vista vundo windows windows 7 windows vista windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)