
even hijackthis can't get this off!

Discussion in 'Virus & Other Malware Removal' started by secretary1, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. secretary1

    secretary1 Thread Starter

    Joined:
    Jun 30, 2004
    Messages:
    14
    Our computer has been hijacked by a browser redirector (we assume) and we cannot get it off. We used HijackThis and it did find problems, but when it removes the problems... they come right back on reboot.
    Also, we have tracked these down in the registry and deleted them, but they even reappear in the registry right before our eyes.
    Also, we have used Spybot S&D, and each time there are several problems it cannot fix, so it asks to scan at reboot, at which time it finds more problems but still cannot fix them all until reboot... going in a circle, it seems.

    We would appreciate any suggestions.

    Here is the hijackthis log...

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\system32\scagent.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\COMMON~1\RandSync\Translators\CasioOrg\CasAgnt.exe
    C:\PROGRA~1\COMMON~1\rsMenu.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\nlqfbj.exe
    C:\documents and settings\pastor\local settings\temp\OasT1BLG1.exe
    C:\WINDOWS\System32\wjview.exe
    C:\Program Files\Bargain Buddy\bin2\bargains.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Save\Save.exe
    C:\WINDOWS\System32\dsqenb32.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Pastor\Application Data\ttuh.exe
    C:\windows\winserv.exe
    C:\PROGRA~1\CLOCKS~1\Sync.exe
    C:\WINDOWS\System32\dumdmoe.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Documents and Settings\Pastor\Application Data\DownloadPlus.exe
    C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates.exe
    C:\WINDOWS\System32\HuhTdA.exe
    C:\WINDOWS\System32\Ghr5e.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\DOCUME~1\Pastor\LOCALS~1\Temp\msbb.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Pastor\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1521/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1521/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1521/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1521/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1521/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1521/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1521/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1521/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1521/ (obfuscated)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin2\apuc.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [Harmony 98 - CasioOrg] C:\PROGRA~1\COMMON~1\RandSync\Translators\CasioOrg\CasAgnt.exe EN
    O4 - HKLM\..\Run: [Enterprise Harmony '99] C:\PROGRA~1\COMMON~1\rsMenu.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [fuihrgexqecgu] C:\WINDOWS\System32\nlqfbj.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [OasT1BLG1.exe] C:\documents and settings\pastor\local settings\temp\OasT1BLG1.exe
    O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [msbb] c:\docume~1\pastor\locals~1\temp\msbb.exe
    O4 - HKLM\..\Run: [tcfwrwd] C:\WINDOWS\tcfwrwd.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Kwz2Xc1b.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\Program Files\WhenUSearch\Search.exe
    O4 - HKLM\..\Run: [oF3Q34h] dsqenb32.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Pastor\Application Data\ttuh.exe
    O4 - HKCU\..\Run: [winlogon] c:\windows\winserv.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [Zos4RQNmh] dumdmoe.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Pastor\Application Data\DownloadPlus.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O13 - DefaultPrefix: http://nkvd.us/1521/
    O13 - WWW Prefix: http://nkvd.us/1521/
    O13 - Home Prefix: http://nkvd.us/1521/
    O13 - Mosaic Prefix: http://nkvd.us/1521/
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.131/legal/x.chm::/load.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09bfd2b3c44bf2750906/netzip/RdxIE601.cab
     
  2. bill.aam

    bill.aam

    Joined:
    Apr 29, 2004
    Messages:
    7,218
    This needs to be moved to the Security Forum.
     
  3. LukeW

    LukeW

    Joined:
    Jun 9, 2004
    Messages:
    214
  4. secretary1

    secretary1 Thread Starter

    Joined:
    Jun 30, 2004
    Messages:
    14
    why the security forum?
     
  5. Jedi_Master

    Jedi_Master

    Joined:
    Mar 12, 2002
    Messages:
    5,520

    Howdy folks...

    secretary1...

    This is mainly a Security/virus/hijack issue; the folks that frequent the Security forum will have a better knowledge of how to remove these...

    From the looks of it you have been hijacked by...

    Blaze find

    Twain Tech


    Among many others...


    What I would suggest is: open HijackThis, click on Scan, put a check next to these and remove them...

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1521/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1521/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1521/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1521/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1521/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1521/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1521/ (obfuscated)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin2\apuc.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [fuihrgexqecgu] C:\WINDOWS\System32\nlqfbj.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [OasT1BLG1.exe] C:\documents and settings\pastor\local settings\temp\OasT1BLG1.exe
    O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [msbb] c:\docume~1\pastor\locals~1\temp\msbb.exe
    O4 - HKLM\..\Run: [tcfwrwd] C:\WINDOWS\tcfwrwd.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Kwz2Xc1b.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\Program Files\WhenUSearch\Search.exe
    O4 - HKLM\..\Run: [oF3Q34h] dsqenb32.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Pastor\Application Data\ttuh.exe
    O4 - HKCU\..\Run: [winlogon] c:\windows\winserv.exe
    O4 - HKCU\..\Run: [Zos4RQNmh] dumdmoe.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Pastor\Application Data\DownloadPlus.exe
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O13 - DefaultPrefix: http://nkvd.us/1521/
    O13 - WWW Prefix: http://nkvd.us/1521/
    O13 - Home Prefix: http://nkvd.us/1521/
    O13 - Mosaic Prefix: http://nkvd.us/1521/
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.131/legal/x.chm::/load.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09bfd2b3c44bf2...ip/RdxIE601.cab


    Then boot to Safe mode, and delete these files in bold...

    C:\Program Files\ClearSearch\CSIE.DLL
    C:\WINDOWS\nem219.dll
    C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    C:\WINDOWS\twaintec.dll
    C:\Program Files\SysAI\AproposPlugin.dll
    C:\WINDOWS\System32\inetdctr.dll
    C:\WINDOWS\System32\stlbdist.DLL
    C:\WINDOWS\2_0_1browserhelper2.dll
    C:\WINDOWS\wsem218.dll
    C:\WINDOWS\System32\bridge.dll
    C:\Program Files\SEP\sep.dll
    _____________________________
    C:\Program Files\Bargain Buddy\bin2\apuc.dll <<< before you remove this one, go to Add/Remove Programs and remove Bargain Buddy if it is there...
    _____________________________
    C:\WINDOWS\System32\idctup20.exe
    C:\WINDOWS\System32\nlqfbj.exe
    C:\documents and settings\pastor\local settings\temp\OasT1BLG1.exe
    c:\docume~1\pastor\locals~1\temp\msbb.exe
    C:\WINDOWS\tcfwrwd.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    C:\WINDOWS\System32\dp-him.exe
    C:\WINDOWS\System32\Kwz2Xc1b.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\Save\Save.exe
    C:\Program Files\WhenUSearch\Search.exe
    dsqenb32.exe <<< this one you will have to do a file search for...
    C:\Program Files\VVSN\VVSN.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Documents and Settings\Pastor\Application Data\ttuh.exe
    c:\windows\winserv.exe
    dumdmoe.exe <<< this one you will have to do a file search for...
    C:\Documents and Settings\Pastor\Application Data\DownloadPlus.exe

    Reboot, then run Spybot and CWShredder, then reboot again, and repost a HijackThis log...

    I will also request this moved to the Security forum...
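    A log triage script as an added example (not code from the thread, from HijackThis or from any of the posters): it parses the `Rn - ...` / `On - ...` entry format shown above and flags the same kinds of entries Jedi_Master picked out. The sample entries are copied from the first post's log; the flagging rules are assumptions chosen to match what the responders removed, not HijackThis's own logic.

```python
"""Triage a HijackThis v1.97-style log.  Added example, not code from the
thread or from HijackThis; sample entries copied from the log posted above,
flagging rules are this example's own assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the first log in the thread (mix of
# legitimate Dell/McAfee/Adobe entries and the hijacker's entries).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1521/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [OasT1BLG1.exe] C:\documents and settings\pastor\local settings\temp\OasT1BLG1.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winserv.exe
O4 - HKLM\..\Run: [oF3Q34h] dsqenb32.exe
O13 - DefaultPrefix: http://nkvd.us/1521/
O15 - Trusted Zone: *.blazefind.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.131/legal/x.chm::/load.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09bfd2b3c44bf2750906/netzip/RdxIE601.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
RUN_RE = re.compile(r"(hklm|hkcu)\\\.\.\\run: \[([^\]]+)\] (.*)")
IP_URL_RE = re.compile(r"https?://\d+\.\d+\.\d+\.\d+")

# Assumed heuristics: Run entries launched from temp/profile folders, and
# Run entries whose *name* mimics a core Windows process while the target
# is something else (the log had [winlogon] -> c:\windows\winserv.exe).
SUSPECT_DIRS = ("\\temp\\", "\\application data\\")
SYSTEM_NAMES = {"winlogon", "svchost", "lsass", "services", "smss"}
WINDOWS_DIRS = ("c:\\windows", "c:\\windows\\system32")


def parse(log_text):
    """Yield (section, body) for every 'Rn - ...' / 'On - ...' entry line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(log_text):
    """Return {category: [entry, ...]} for the entries that deserve review."""
    findings = defaultdict(list)
    entries = list(parse(log_text))

    # R0/R1/O13: one URL written into several IE settings at once is the
    # signature of a start-page/search hijack (nkvd.us filled every slot).
    urls = Counter(u for sec, body in entries if sec in ("R0", "R1", "O13")
                   for u in URL_RE.findall(body))
    for url, n in urls.items():
        if n >= 2:
            findings["ie_hijack_url"].append(f"{url} set in {n} places")

    for sec, body in entries:
        low = body.lower()
        if sec == "O2" and "(no name)" in low:
            # Unnamed BHO dropped straight into C:\WINDOWS or System32.
            folder = low.rsplit(" - ", 1)[-1].rsplit("\\", 1)[0]
            if folder in WINDOWS_DIRS:
                findings["bho_in_windows_dir"].append(body)
        elif sec == "O4":
            m = RUN_RE.match(low)
            if not m:
                continue  # Startup-folder entries use a different layout
            name, target = m.group(2), m.group(3)
            # Bare filename (no path) or launched from temp / Application Data.
            if "\\" not in target or any(d in target for d in SUSPECT_DIRS):
                findings["run_suspect_location"].append(body)
            if name in SYSTEM_NAMES and not target.startswith(
                    "c:\\windows\\system32\\" + name):
                findings["run_name_mimics_system"].append(body)
        elif sec == "O15":
            # Every Trusted Zone addition lowers IE's security for that site.
            findings["trusted_zone"].append(body)
        elif sec == "O16":
            # ActiveX codebase via ms-its:/mhtml: or a bare IP, not a vendor host.
            if "ms-its:" in low or "mhtml:" in low or IP_URL_RE.search(low):
                findings["dpf_review"].append(body)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"[{category}]")
        for item in items:
            print("   ", item)
```

The rules are review heuristics, not verdicts: the RdxIE entry is flagged here because of its bare-IP codebase, although Flrman1 later accepted it in the post-restore log.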
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Moved to Security
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You also need to run CWShredder.

    Click here to download CWShredder. Close all browser windows, click on the cwshredder.exe, then click "Fix" (not "Scan only") and let it do its thing.

    When it is finished restart your computer.

    Come back here and post another Hijack This log and we'll get rid of what's left.
     
  8. secretary1

    secretary1 Thread Starter

    Joined:
    Jun 30, 2004
    Messages:
    14
    Jedi_Master
    Wow, thanks so much for all your input and instruction. I wish I could have had this obviously valuable information sooner because since the computer in question is in an office and needed to be used for work asap, we ended up doing a system restore. All is well as far as we can tell.
    I've never seen anything like it before. We sure hope it never happens again. Do you have any ideas on how the hijack occurred? We would appreciate any information or suggestions on how to prevent future occurrences.
    Again, THANKS for your help.
     
  9. secretary1

    secretary1 Thread Starter

    Joined:
    Jun 30, 2004
    Messages:
    14
    Flrman1
    Thank you for your input and willingness to help. We will take your and jedi's suggestion and d/l the CWShredder for future problems.
    What a great forum!
    Thanks again.
     
  10. Jedi_Master

    Jedi_Master

    Joined:
    Mar 12, 2002
    Messages:
    5,520
    Well...

    Sorry I was so late... but I got off work @ 5:00 pm. Ummm... if you did a system restore, the spyware may still be on there; please post another HijackThis log...

    As far as preventing this from happening, there are several things you can do, i.e. install a firewall, use the Immunize feature in Spybot, etc...

    I think there is a Sticky post somewhere in the Security forums for preventing these things from happening...
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


    IMPORTANT!: I highly recommend that you go to Windows Update and install all "Critical Updates and Service Packs" ASAP! This will patch numerous security holes in IE and Windows.
     
  12. secretary1

    secretary1 Thread Starter

    Joined:
    Jun 30, 2004
    Messages:
    14
    OK, this is the 'after system restore' HijackThis log... I ran CWShredder, and it did find a problem and fix it...
    everything look ok ya think?
    Thanks!


    StartupList report, 7/1/2004, 4:11:36 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Pastor\Desktop\Testers\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\COMMON~1\RandSync\Translators\CasioOrg\CasAgnt.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\COMMON~1\rsMenu.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Documents and Settings\Pastor\Desktop\Testers\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Digital Line Detect.lnk = ?

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.exe
    VirusScan Online = c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    MCUpdateExe = C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    MCAgentExe = C:\Program Files\McAfee.com\Agent\mcagent.exe
    Harmony 98 - CasioOrg = C:\PROGRA~1\COMMON~1\RandSync\Translators\CasioOrg\CasAgnt.exe EN
    Enterprise Harmony '99 = C:\PROGRA~1\COMMON~1\rsMenu.exe
    AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\SSBEZIER.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    McAfee.com Update Check (D38TPT21-Owner).job
    McAfee.com Update Check (D38TPT21-Pastor).job
    McAfee.com Update Check (ERIC-Pastor).job

    --------------------------------------------------

    Enumerating Download Program Files:

    [SysProWmi Class]
    InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
    CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.188.7.150/09bfd2b3c44bf2750906/netzip/RdxIE601.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 4,953 bytes
    Report generated in 0.031 seconds
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    We need to see the default Hijack This scan, not a startuplist.
     
  14. secretary1

    secretary1 Thread Starter

    Joined:
    Jun 30, 2004
    Messages:
    14
    OK Thank you...hope this is what you need.



    Logfile of HijackThis v1.97.7
    Scan saved at 9:45:13 AM, on 7/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\COMMON~1\RandSync\Translators\CasioOrg\CasAgnt.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\COMMON~1\rsMenu.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Documents and Settings\Pastor\Desktop\Testers\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09bfd2b3c44bf2750906/netzip/RdxIE601.cab
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Clean! (y)
     
Short URL to this thread: https://techguy.org/244904
