
2 Days and Counting ... Need Help!

Discussion in 'Virus & Other Malware Removal' started by fecitymavi, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. fecitymavi

    fecitymavi Thread Starter

    Joined:
    May 31, 2002
    Messages:
    101
    I have been messing with viruses and infections for 2 days and it seems like I'm spinning in mud. I have another thread:

    http://forums.techguy.org/t250735.html

    I have scanned with Ad-Aware 3 times and keep finding New Objects. I have HJT and posted it below. Before I started any of these procedures, I couldn't even get to the internet without being redirected, AKA Hijacked. I have since been able to at least close some windows and be able to do enough surfing to get to this forum and download some software. The problem I face now is that when I do start surfing around I get Hijacked by www.81.9.3.87/go/"whatever advertisement goes here".htm

    Here are system specs:

    345 MHz AMD-K6 3D processor
    192 MB Ram
    30 GB HD
    XP PRO NTFS File System

    Following is the newest HJT logfile:

    Logfile of HijackThis v1.98.0
    Scan saved at 3:45:56 PM, on 7/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\winlogon.exe
    C:\mssys.exe
    C:\mssys.exe
    C:\WINDOWS\sachost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
    C:\WINDOWS\System32\Zso5Vyh.exe
    C:\WINDOWS\System32\LhacSfW.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\dbghelp.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://martfinder.com/index.htm?aff=8020
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://ie.search.psn.cn/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll
    O2 - BHO: MealEq - {84175708-C522-59D8-9BB3-44B1FC95CDC9} - C:\PROGRA~1\POKESP~1\Army media.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: bolt drive 1 - {0A7FADDF-DB55-8385-86B6-EF9797DBB2F3} - C:\PROGRA~1\POKESP~1\Army media.dll
    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [WinAuth] C:\WINDOWS\winlogon.exe
    O4 - HKLM\..\Run: [MsSystem] c:\mssys.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe
    O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
    O4 - HKLM\..\Run: [OMDLG32C] C:\WINDOWS\System32\OMDLG32C.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [iisqxmmlyq] C:\WINDOWS\System32\pirdre.exe
    O4 - HKLM\..\Run: [4NF83B75G#QPFN] C:\WINDOWS\System32\Xryu.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [dbghelp] C:\WINDOWS\System32\dbghelp.exe
    O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
    O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O13 - WWW. Prefix: http://ehttp.cc/?
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\jioqmxyf.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/templates/um2/x.chm::/ad.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
    O16 - DPF: {50A28604-52F2-11D6-8F0F-5254AB11D5C2} - http://teecontact.idilis.ro/webcam.exe
    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O19 - User stylesheet: C:\WINDOWS\win32.bmp


    Thank You all for your efforts!
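The helpers in this thread read a log like the one above by eye: start and search pages pointed at local HTML files, hooks and BHOs whose file is gone, a replaced UserInit, Run entries sitting in C:\ or C:\WINDOWS, a second winlogon.exe outside System32, ActiveX entries that load through file:// or ms-its:. The following script, an added example that is neither HijackThis code nor anything posted in the thread, turns those checks into a small triage pass over the HJT 1.98 line format. The sample log is a trimmed copy of lines from the logs in this thread; the directory lists and the assumption that Explorer.exe is the only stock XP binary living in the Windows root are mine, and known-bad domain lists are out of scope.

```python
"""HijackThis (HJT) 1.98 log triage.
Added example, not code from this thread or from HijackThis: it parses the
one-entry-per-line HJT format and applies the checks the helpers here do by eye.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
_ENTRY = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
_O4 = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.+)$")
_F2 = re.compile(r"^REG:system\.ini: (?P<name>Shell|UserInit)=(?P<value>.*)$")
_O16 = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\}(?: \([^)]*\))? - (?P<url>.+)$")
_ODD_DIRS = ("c:\\", "c:\\windows\\", "c:\\documents and settings\\")
_EXPECTED = {"c:\\windows\\explorer.exe"}  # assumption: the one stock XP binary living in the Windows root

@dataclass
class Finding:
    code: str    # HJT section code, or "PROC" for the running-process list
    reason: str
    line: str
def parse(log_text: str) -> tuple[list[str], list[tuple[str, str]]]:
    procs, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif m := _ENTRY.match(line):
            in_procs = False
            entries.append((m["code"], m["body"]))
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def _first_token(cmd: str) -> str:
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
def _odd_location(path: str) -> bool:
    p = path.lower()
    return p.rsplit("\\", 1)[0] + "\\" in _ODD_DIRS or "\\temp\\" in p

def triage(log_text: str) -> list[Finding]:
    procs, entries = parse(log_text)
    out: list[Finding] = []
    seen: dict[str, str] = {}  # basename -> first full path seen (case-folded)
    for p in procs:
        low = p.lower()
        if seen.setdefault(low.rsplit("\\", 1)[-1], low) != low:
            out.append(Finding("PROC", "same binary name as an earlier process, different directory", p))
        if low not in _EXPECTED and _odd_location(p):
            out.append(Finding("PROC", "process running from C:\\, C:\\WINDOWS or a Temp folder", p))
    for code, body in entries:
        line = f"{code} - {body}"
        if code in ("R0", "R1") and " = " in body:
            data = body.split(" = ", 1)[1]
            if re.match(r"[a-z]:\\", data, re.I) or data == "http:///" or "(obfuscated)" in data:
                out.append(Finding(code, "IE search/start page points at a local file or an obfuscated URL", line))
        elif code in ("R3", "O2", "O9") and body.endswith("(no file)"):
            out.append(Finding(code, "orphaned hook/BHO/button: CLSID still registered, file gone", line))
        elif code == "F2" and (m := _F2.match(body)):
            v = m["value"].strip().rstrip(",").lower()
            if m["name"] == "Shell" and v != "explorer.exe":
                out.append(Finding(code, "Winlogon Shell starts something besides Explorer.exe", line))
            elif m["name"] == "UserInit" and not v.endswith("\\system32\\userinit.exe"):
                out.append(Finding(code, "Winlogon UserInit replaced (runs at every logon)", line))
        elif code == "O4" and (m := _O4.match(body)):
            exe = _first_token(m["cmd"])
            if "\\" not in exe:
                out.append(Finding(code, "Run entry is a bare filename resolved through PATH", line))
            elif _odd_location(exe):
                out.append(Finding(code, "Run entry lives in C:\\, C:\\WINDOWS or a Temp folder", line))
        elif code == "O16" and (m := _O16.match(body)):
            if not m["url"].lower().startswith(("http://", "https://")):
                out.append(Finding(code, "ActiveX entry sourced via file:// or ms-its:, not a vendor URL", line))
        elif code == "O19":
            out.append(Finding(code, "user stylesheet override (CSS hijack)", line))
    return out

# Sample input: lines copied from the logs posted in this thread, trimmed to one per check.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\winlogon.exe
C:\mssys.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [MsSystem] c:\mssys.exe
O4 - HKLM\..\Run: [WinAuth] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [monitor] monitor.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O19 - User stylesheet: C:\WINDOWS\win32.bmp
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG): print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run as-is and it prints one finding per suspicious line; the legitimate msmsgs.exe entry, the about:blank backup value, Explorer.EXE in the Windows root and the plain http:// ActiveX entry are left alone. The bare "monitor.exe" case matters because, as the thread later shows, a Run or Shell entry with no path either fails with a "cannot find" error or loads whatever file of that name is found first.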
     

  3. KeithKman

    KeithKman

    Joined:
    Dec 28, 2002
    Messages:
    1,983
    You got a few nasties. Have you run SpyBot?

    Do this in order:

    1) Open Internet Explorer -> Tools -> Internet Options -> delete cookies, delete files (select off-line content), clear history. Then click OK and exit Internet Explorer.


    2) Read www.safer-networking.org and then download and install SpyBot - search & destroy (yes, it's FREE). After you install SpyBot, open it up. Click the "Search for updates" button. After SpyBot searches for updates and displays them click and select each one (if they are not already clicked and selected). Now click the "Download updates" button at the top. After SpyBot downloads the updates and installs them you may now run SpyBot. Click the "Search & Destroy" button in the left pane. After you do so, click the "Check for problems" button at the bottom. After SpyBot scans your computer and finds any spyware on your computer, select the entries SpyBot finds (if they are not already clicked and selected) and click the "Fix selected problems" button at the bottom of the screen. SpyBot will now clean any spyware you may have on your computer. Depending on how much spyware you have on your computer, SpyBot may ask you to restart your computer and rescan with SpyBot to clean all the spyware files off your computer. Click "OK" and restart your computer if necessary. After SpyBot removes all the spyware files off your computer, I highly recommend you take advantage of the Immunize feature. Click the "Immunize" button followed by "OK" and then click the "Immunize" button in the right pane. After you do all of this, you may exit SpyBot.


    3) Run one of the following free online Anti-Virus scans here:

    http://housecall.trendmicro.com - I found this to work the best.

    http://security.symantec.com/default.asp

    http://www.pandasoftware.com/activescan

    http://www.ravantivirus.com/scan


    4) Post a fresh HiJackThis log.
     
  4. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Looks like you have a peper infection ... that needs to be removed before anything else.

    Download the PeperFix.exe tool: http://downloads.subratam.org/PeperFix.exe

    Click on the PeperFix.exe to launch it.

    Click the Find and Fix button.

    Restart your computer, and post a fresh HJT log.
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    That is definitely peper. You also have a CWS infection so please run CWShredder before you post the new log.

    Click here to download CWShredder. Close all browser windows, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

    When it is finished restart your computer.

    Come back here and post another Hijack This log and we'll get rid of what's left.
     
  6. fecitymavi

    fecitymavi Thread Starter

    Joined:
    May 31, 2002
    Messages:
    101
    Thank you all for the help. I have started Spybot S&D and fixed 40 out of 41 with the other getting looked at after reboot. I have already DL CWShredder and will be getting to that a little later. I must head to work so I'll be back in the am. Thanks again and keep up the great work!
     
  7. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Make sure to run the peper tool, or you won't make much headway ...
     
  8. fecitymavi

    fecitymavi Thread Starter

    Joined:
    May 31, 2002
    Messages:
    101
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run CWShredder too.
     
  10. fecitymavi

    fecitymavi Thread Starter

    Joined:
    May 31, 2002
    Messages:
    101
    I have completed both PeperFix and CWShredder. Below is a copy of my HJT log.

    Logfile of HijackThis v1.98.0
    Scan saved at 11:06:51 AM, on 7/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\sachost.exe
    C:\WINDOWS\win32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\dbghelp.exe
    C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll
    O2 - BHO: MealEq - {84175708-C522-59D8-9BB3-44B1FC95CDC9} - C:\PROGRA~1\POKESP~1\Army media.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: bolt drive 1 - {0A7FADDF-DB55-8385-86B6-EF9797DBB2F3} - C:\PROGRA~1\POKESP~1\Army media.dll
    O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe
    O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
    O4 - HKLM\..\Run: [OMDLG32C] C:\WINDOWS\System32\OMDLG32C.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [iisqxmmlyq] C:\WINDOWS\System32\pirdre.exe
    O4 - HKLM\..\Run: [4NF83B75G#QPFN] C:\WINDOWS\System32\TafqX5mo.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [dbghelp] C:\WINDOWS\System32\dbghelp.exe
    O4 - HKCU\..\Run: [monitor] monitor.exe
    O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/templates/um2/x.chm::/ad.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O19 - User stylesheet: C:\WINDOWS\win32.bmp
     
  11. Infidel_Kastro

    Infidel_Kastro

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    Did you run the peperfix? It is still showing that you have the peper trojan?
    O4 - HKLM\..\Run: [iisqxmmlyq] C:\WINDOWS\System32\pirdre.exe
    O4 - HKLM\..\Run: [4NF83B75G#QPFN] C:\WINDOWS\System32\TafqX5mo.exe

    Rerun the peper trojan fix and post a new log.
     
  12. fecitymavi

    fecitymavi Thread Starter

    Joined:
    May 31, 2002
    Messages:
    101
    When I run PeperFix.exe, it comes back with no files found. I will run it again and see if it will work.

    Also, I just encountered a new problem. When I re-boot I get a "Windows cannot find "monitor.exe". Make sure you have typed the name correctly. To search for a file, click the Start button and then Search."
     
  13. fecitymavi

    fecitymavi Thread Starter

    Joined:
    May 31, 2002
    Messages:
    101
    Logfile of HijackThis v1.98.0
    Scan saved at 12:19:22 PM, on 7/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\sachost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
    C:\WINDOWS\System32\dbghelp.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://martfinder.com/index.htm?aff=8020
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll
    O2 - BHO: MealEq - {84175708-C522-59D8-9BB3-44B1FC95CDC9} - C:\PROGRA~1\POKESP~1\Army media.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: bolt drive 1 - {0A7FADDF-DB55-8385-86B6-EF9797DBB2F3} - C:\PROGRA~1\POKESP~1\Army media.dll
    O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe
    O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
    O4 - HKLM\..\Run: [OMDLG32C] C:\WINDOWS\System32\OMDLG32C.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [iisqxmmlyq] C:\WINDOWS\System32\pirdre.exe
    O4 - HKLM\..\Run: [4NF83B75G#QPFN] C:\WINDOWS\System32\TafqX5mo.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [dbghelp] C:\WINDOWS\System32\dbghelp.exe
    O4 - HKCU\..\Run: [monitor] monitor.exe
    O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/templates/um2/x.chm::/ad.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O19 - User stylesheet: C:\WINDOWS\win32.bmp
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Click here to download CWShredder. Close all browser windows, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

    When it is finished restart your computer.



    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html

    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://martfinder.com/index.htm?aff=8020

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)

    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

    F2 - REG:system.ini: Shell=Explorer.exe monitor.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll

    O2 - BHO: MealEq - {84175708-C522-59D8-9BB3-44B1FC95CDC9} - C:\PROGRA~1\POKESP~1\Army media.dll

    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    O3 - Toolbar: bolt drive 1 - {0A7FADDF-DB55-8385-86B6-EF9797DBB2F3} - C:\PROGRA~1\POKESP~1\Army media.dll

    O4 - HKLM\..\Run: [Onlune Sarvice] C:\WINDOWS\sachost.exe

    O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe

    O4 - HKLM\..\Run: [OMDLG32C] C:\WINDOWS\System32\OMDLG32C.exe

    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

    O4 - HKLM\..\Run: [iisqxmmlyq] C:\WINDOWS\System32\pirdre.exe

    O4 - HKLM\..\Run: [4NF83B75G#QPFN] C:\WINDOWS\System32\TafqX5mo.exe

    O4 - HKCU\..\Run: [dbghelp] C:\WINDOWS\System32\dbghelp.exe

    O4 - HKCU\..\Run: [monitor] monitor.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/.../x.chm::/ad.exe

    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binari...DHTML_US_XP.cab

    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab

    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binari...tpe32_EN_XP.cab

    O19 - User stylesheet: C:\WINDOWS\win32.bmp


    Restart to safe mode.

    How to start your computer in safe mode

    Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete these files:

    C:\WINDOWS\win32.bmp
    C:\WINDOWS\sachost.exe
    C:\WINDOWS\win32.exe
    C:\WINDOWS\System32\OMDLG32C.exe
    C:\WINDOWS\System32\pirdre.exe
    C:\WINDOWS\System32\TafqX5mo.exe
    C:\WINDOWS\System32\dbghelp.exe
    Search for monitor.exe and delete it.

    Delete this folder:

    C:\Program Files\WindowsSA

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\your user name here\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin


    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    When you are sure you are clean turn it back on and create a restore point.


    Go here and do an online virus scan.

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the exact file name and file location so you can delete it yourself.


    Also I notice that you do not have an antivirus running or a firewall. If I may say this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both ASAP! See this thread for some good free ones:

    http://forums.techguy.org/t110854/s.html
     
  15. fecitymavi

    fecitymavi Thread Starter

    Joined:
    May 31, 2002
    Messages:
    101
    WOW!!! I can almost see the end of the rainbow. I did ALMOST everything that was advised but some things did NOT adhere. I couldn't find C:\Windows\System32\Pirdre.exe
    C:\Windows\System32\OMDLG32C.exe
    C:\Windows\System32\TafqX5mo.exe
    C:\Windows\System32\debughelp.exe

    Nor could I find monitor.exe or C:\programfiles\WindowsSA.

    Also, I was unable to successfully download housecall.trendmicro.

    On the positive, my HJT log is a lot smaller and I'm able to surf with little interference from before. I need to get to sleep so I'm sane for work tomorrow but I do feel a lot better about the END coming soon.

    Thanks for all the work and please check out my last HJT log:

    Logfile of HijackThis v1.98.0
    Scan saved at 9:19:35 AM, on 7/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
    C:\WINDOWS\System32\dbghelp.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\Winnet.exe
    O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
    O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O4 - HKLM\..\Run: [websearch] javaw -cp "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [tHmZB5] C:\documents and settings\patsr\local settings\temp\tHmZB5.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [Nf6iIbRtN] C:\documents and settings\patsr\local settings\temp\Nf6iIbRtN.exe
    O4 - HKLM\..\Run: [msbb] c:\windows\180solutions\msbb.exe
    O4 - HKLM\..\Run: [license bleh] C:\PROGRA~1\MESSBA~1\fiveprogram.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [Browser Pal] C:\PROGRA~1\BROWSE~1\adblck.exe -s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [dbghelp] C:\WINDOWS\System32\dbghelp.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe
    O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  16. Infidel_Kastro

    Infidel_Kastro

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    I don't know what's going on, but you have become infected with more stuff.
    Boot into safe-mode.
    Navigate to the following areas and delete the bold type files or folders:
    C:\Program Files\WhenUSearch
    C:\Program Files\Save
    C:\Program Files\websearch
    C:\Program Files\Common files\updater
    C:\documents and settings\patsr\local settings\temp\Nf6iIbRtN.exe
    c:\windows\180solutions
    C:\Program Files\Internet Optimizer
    C:\Program Files\ClearSearch
    C:\PROGRA~1\ezula
    C:\WINDOWS\System32\dbghelp.exe
    C:\Program Files\CasinoOnline
    C:\PROGRA~1\ezula\mmod.exe
    C:\WINDOWS\AddClass.exe
    C:\Program Files\Common Name
    Use HJT to remove the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\Winnet.exe
    O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
    O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O4 - HKLM\..\Run: [websearch] javaw -cp "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [tHmZB5] C:\documents and settings\patsr\local settings\temp\tHmZB5.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [Nf6iIbRtN] C:\documents and settings\patsr\local settings\temp\Nf6iIbRtN.exe
    O4 - HKLM\..\Run: [msbb] c:\windows\180solutions\msbb.exe

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [dbghelp] C:\WINDOWS\System32\dbghelp.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe


    I don't know what this is:
    O4 - HKLM\..\Run: [license bleh] C:\PROGRA~1\MESSBA~1\fiveprogram.exe
     

Short URL to this thread: https://techguy.org/251180