
Hijacked by ZestyFind and yyy2.html - Please help

Discussion in 'Virus & Other Malware Removal' started by tannertime, Apr 26, 2004.

Thread Status:
Not open for further replies.
  1. tannertime

    tannertime Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    3
    I have cleaned on this eMachine for 2 days now, referring to the info I found in many posts here. Thought I had a 'clean' machine at lunch, had run killbox, and have run lavasoft / spybot / spysweeper / and Norton on it, and they came back clean, updated Windows XP (home edition). I had deleted all of the 118 - 121.msgs as suggested by Mosaic1 - plus any *.copy.dll's .

    I took a lunch break, rebooted my machine, and even as I was glancing thru my email on MailWasher, I.E. sites started popping up and disappearing. By looking at the history file, I saw that it was the dreaded redirects from http://69.20.62.53/yyy2.html. Sure enough while I was trying to 'google' some info about the redirects, ZestyFind jumped in and took over my I.E.

    Wonder if you guys can help? Here's the V2x log, the 'Hijack this' log, the 'Process Finder' results, the 'DumpRight' needed info, and the 'Privilege' info you might need. Thanks for your consideration.

    Don

    ===========================================

    Log for VX2.BetterInternet File Finder

    Files Found---

    C:\WINDOWS\System32\2rdsrch.cpy.dll

    C:\WINDOWS\System32\2rdsrch.dll

    Guardian Key---

    Asynchronous 000

    DllName C:\WINDOWS\system32\2rdsrch.dll

    Impersonate 000

    Logon WinLogon

    Version 122

    ID {77C476A5-1D8E-452D-BEEC-0E963FAF6B97}

    IDex AX

    User Agent String---

    {77C476A5-1D8E-452D-BEEC-0E963FAF6B97}


    --------------------------------------------------------------------------------


    Logfile of HijackThis v1.97.7

    Scan saved at 9:17:45 PM, on 4/25/2004

    Platform: Windows XP SP1 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\WINDOWS\system32\LEXBCES.EXE

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINDOWS\System32\cisvc.exe

    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

    C:\Program Files\Roxio\GoBack\GBPoll.exe

    C:\PROGRA~1\NORTON~3\NORTON~1\GHOSTS~2.EXE

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

    C:\Program Files\Norton Internet Security\NISUM.EXE

    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

    C:\WINDOWS\System32\tcpsvcs.exe

    C:\WINDOWS\system32\slserv.exe

    C:\WINDOWS\System32\snmp.exe

    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe

    C:\Program Files\Norton Internet Security\SymProxySvc.exe

    C:\WINDOWS\System32\MsPMSPSv.exe

    C:\Program Files\Norton Internet Security\NISSERV.EXE

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\BroadJump\Client Foundation\CFD.exe

    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

    C:\Program Files\Norton Internet Security\IAMAPP.EXE

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\Program Files\RNmail\rn.exe

    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

    C:\Program Files\QuickTime\qttask.exe

    G:\Program Files\5 Star Support\messenger.exe

    C:\Program Files\Enfish\Enfish Professional\EtiTray.exe

    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    C:\Program Files\Roxio\GoBack\GBTray.exe

    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

    C:\Program Files\Microsoft Office\Office\OSA.EXE

    C:\Program Files\Clipboard Magic\ClipboardMagic.exe

    C:\Program Files\MailWasher Pro\MailWasher.exe

    C:\Program Files\Enfish\Enfish Professional\PropMSvr.exe

    C:\Program Files\Enfish\Enfish Professional\EtiSchd2.exe

    C:\WINDOWS\System32\cidaemon.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\BroadPage\BroadPage.exe

    G:\My Zip Files\HijackThis.exe

    C:\Program Files\FlashGet\flashget.exe

    C:\Program Files\Crypt Edit\CryptEdit.exe

    C:\Program Files\Outlook Express\msimn.exe

    G:\My Zip Files\PRIVIL~1\DumpRights.exe

    C:\PROGRA~1\Enfish\ENFISH~1\DexEng2.exe

    C:\Program Files\ICQ\Icq.exe

    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972}_ - (no file)

    R3 - URLSearchHook: (no name) - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB}_ - (no file)

    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\don\prefs.js)

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

    O3 - Toolbar: Enfish Find... - {1F680408-B58A-40B0-A330-50A344786F97} - C:\Program Files\Enfish\Enfish Professional\EtiFndBr.dll

    O3 - Toolbar: Copernic Meta - {F79AD27F-8140-4E33-8B1D-C4FC6B663CCA} - C:\WINDOWS\Downloaded Program Files\CopernicMeta.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

    O4 - HKLM\..\Run: [RNmail] "C:\Program Files\RNmail\rn.exe" /path "C:\Program Files\RNmail"

    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE

    O4 - HKCU\..\Run: [IntegrityMessenger] "G:\Program Files\5 Star Support\messenger.exe"

    O4 - HKCU\..\Run: [Slingshot Tray App] C:\Program Files\Enfish\Enfish Professional\EtiTray.exe /startup

    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

    O4 - Startup: Clipboard Magic.lnk = C:\Program Files\Clipboard Magic\ClipboardMagic.exe

    O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe

    O4 - Startup: Norton Disk Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

    O8 - Extra context menu item: E-&mail Page - C:\WINDOWS\Web\Mailto_URL.HTM

    O8 - Extra context menu item: Search Using Copernic Meta - res://C:\WINDOWS\Downloaded Program Files\CopernicMeta.dll/HTML/SearchExt

    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.9...trans.html

    O9 - Extra button: ICQ Pro (HKLM)

    O9 - Extra 'Tools' menuitem: ICQ (HKLM)

    O9 - Extra button: AIM (HKLM)

    O9 - Extra button: FlashGet (HKLM)

    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)

    O9 - Extra button: MoneySide (HKLM)

    O9 - Extra button: Yahoo! Messenger (HKLM)

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

    O9 - Extra button: Messenger (HKLM)

    O9 - Extra 'Tools' menuitem: Messenger (HKLM)

    O12 - Plugin for รน: C:\Program Files\Internet Explorer\PLUGINS\NPNetZIP.DLL

    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

    O12 - Plugin for .exe: C:\Program Files\Internet Explorer\PLUGINS\NPNetZIP.DLL

    O12 - Plugin for .zip: C:\Program Files\Internet Explorer\PLUGINS\NPNetZIP.DLL

    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

    O16 - DPF: Copernic Meta - file://C:\DOCUME~1\Don\LOCALS~1\Temp\CopernicMeta0.cab

    O16 - DPF: EtiGrab - http://www.enfish.com/smart_install/etiGrab.cab

    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

    O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe

    O16 - DPF: {57A00229-310A-4763-BF17-3D3D391A9DC7} - http://www.copernic.com/software/meta/I...nstall.cab

    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...1688657407

    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab

    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar.../cabsa.cab

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab

    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?315

    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/trigge...Signed.cab

    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://www.paltalk.com/prod/RegDload.CAB


    --------------------------------------------------------------------------------


    DiamondCS Commandline Retrieval Tool for Windows NT4/2K/XP

    Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au

    ---

    684 - \SystemRoot\System32\smss.exe

    <Error> Unable to read memory from PID 684

    968 - \??\C:\WINDOWS\system32\winlogon.exe

    winlogon.exe

    1016 - C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\services.exe

    1028 - C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\lsass.exe

    1288 - C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost -k rpcss

    1568 - C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    1904 - C:\WINDOWS\system32\rundll32.exe

    rundll32.exe "C:\WINDOWS\system32\2rdsrch.cpy.dll",UMonitor

    264 - C:\WINDOWS\system32\LEXBCES.EXE

    C:\WINDOWS\system32\LEXBCES.EXE

    284 - C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\spoolsv.exe

    316 - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    816 - C:\WINDOWS\System32\cisvc.exe

    C:\WINDOWS\System32\cisvc.exe

    832 - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

    "C:\Program Files\Executive Software\DiskeeperLite\DKService.exe"

    876 - C:\Program Files\Roxio\GoBack\GBPoll.exe

    "C:\Program Files\Roxio\GoBack\GBPoll.exe"

    888 - C:\PROGRA~1\NORTON~3\NORTON~1\GHOSTS~2.EXE

    C:\PROGRA~1\NORTON~3\NORTON~1\GHOSTS~2.EXE

    1148 - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

    "C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"

    1340 - C:\Program Files\Norton Internet Security\NISUM.EXE

    "C:\Program Files\Norton Internet Security\NISUM.EXE"

    1524 - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

    "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"

    1988 - C:\WINDOWS\System32\tcpsvcs.exe

    C:\WINDOWS\System32\tcpsvcs.exe

    2000 - C:\WINDOWS\system32\slserv.exe

    slserv.exe

    348 - C:\WINDOWS\System32\snmp.exe

    C:\WINDOWS\System32\snmp.exe

    404 - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe

    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe

    540 - C:\Program Files\Norton Internet Security\SymProxySvc.exe

    "C:\Program Files\Norton Internet Security\SymProxySvc.exe"

    396 - C:\WINDOWS\System32\MsPMSPSv.exe

    C:\WINDOWS\System32\MsPMSPSv.exe

    1392 - C:\Program Files\Norton Internet Security\NISSERV.EXE

    "C:\Program Files\Norton Internet Security\NISSERV.EXE"

    2804 - C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\Explorer.EXE

    2904 - C:\Program Files\BroadJump\Client Foundation\CFD.exe

    "C:\Program Files\BroadJump\Client Foundation\CFD.exe"

    3028 - C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

    "C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe"

    3124 - C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

    "C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe"

    3180 - C:\Program Files\Norton Internet Security\IAMAPP.EXE

    "C:\Program Files\Norton Internet Security\IAMAPP.EXE"

    3196 - C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    3332 - C:\Program Files\RNmail\rn.exe

    "C:\Program Files\RNmail\rn.exe" /path "C:\Program Files\RNmail"

    3400 - C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

    "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"

    3420 - C:\Program Files\QuickTime\qttask.exe

    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    3488 - G:\Program Files\5 Star Support\messenger.exe

    "G:\Program Files\5 Star Support\messenger.exe"

    3504 - C:\Program Files\Enfish\Enfish Professional\EtiTray.exe

    "C:\Program Files\Enfish\Enfish Professional\EtiTray.exe" /startup

    3512 - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

    3568 - C:\Program Files\Roxio\GoBack\GBTray.exe

    "C:\Program Files\Roxio\GoBack\GBTray.exe"

    3608 - C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

    "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE" /STARTUP

    3616 - C:\Program Files\Microsoft Office\Office\OSA.EXE

    "C:\Program Files\Microsoft Office\Office\OSA.EXE" -b

    3632 - C:\Program Files\Clipboard Magic\ClipboardMagic.exe

    "C:\Program Files\Clipboard Magic\ClipboardMagic.exe"

    3640 - C:\Program Files\MailWasher Pro\MailWasher.exe

    "C:\Program Files\MailWasher Pro\MailWasher.exe" C:\Program Files\MailWasher Pro\MailWasher.exe

    3892 - C:\Program Files\Enfish\Enfish Professional\PropMSvr.exe

    "C:\Program Files\Enfish\Enfish Professional\PropMSvr.exe"

    3116 - C:\Program Files\Enfish\Enfish Professional\EtiSchd2.exe

    "C:\Program Files\Enfish\Enfish Professional\EtiSchd2.exe" /startup

    3224 - C:\PROGRA~1\Enfish\ENFISH~1\DexEng2.exe

    C:\PROGRA~1\Enfish\ENFISH~1\DexEng2.exe -Embedding

    3764 - C:\WINDOWS\System32\cidaemon.exe

    cidaemon.exe DownLevelDaemon "c:\system volume information\catalog.wci" 196672l 816l

    3164 - C:\Program Files\Internet Explorer\iexplore.exe

    "C:\Program Files\Internet Explorer\iexplore.exe"

    3624 - C:\Program Files\BroadPage\BroadPage.exe

    "C:\Program Files\BroadPage\BroadPage.exe"

    1472 - G:\My Zip Files\HijackThis.exe

    "G:\My Zip Files\HijackThis.exe"

    2616 - C:\Program Files\FlashGet\flashget.exe

    "C:\Program Files\FlashGet\flashget.exe"

    456 - C:\Program Files\Crypt Edit\CryptEdit.exe

    "C:\Program Files\Crypt Edit\CryptEdit.exe" "C:\DOCUME~1\Don\LOCALS~1\Temp\vx2.log"

    2964 - C:\Program Files\Outlook Express\msimn.exe

    "C:\Program Files\Outlook Express\msimn.exe"

    2116 - C:\Program Files\Messenger\msmsgs.exe

    "C:\Program Files\Messenger\msmsgs.exe" -Embedding

    3296 - C:\Program Files\NetZIP\NetZIPX.exe

    "C:\Program Files\NetZIP\NetZIPX.exe" "G:\MYZIPF~1\PROCES~1.ZIP "

    3008 - C:\WINDOWS\System32\cmd.exe

    cmd /c ""G:\My Zip Files\PROCES~1\ProcessFinder\tool.bat" "


    --------------------------------------------------------------------------------


    Privilege

    "SeDebugPrivilege->(Debug Programs)" is in the "privileges I don't have"


    --------------------------------------------------------------------------------


    Dump Rights

    "SeDebugPrivilege->(Debug Programs)" does not have a plus sign in front of it and cannot be expanded.


    --------------------------------------------------------------------------------

    I had deleted the Guardian key and the 2rdsrch.dll before lunch, but they're back now.

    Thanks again for your help.
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and check:

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972}_ - (no file)

    R3 - URLSearchHook: (no name) - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB}_ - (no file)

    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/trigge...Signed.cab


    Close all applications and browser windows before you click "fix checked".
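A triage pass over the entry types cybertech singled out above (orphaned R3 URLSearchHooks and the O16 cab download), plus the O4 Run entries the thread goes on to discuss, as an added Python example that is not from the thread or from HijackThis itself. The trusted-host list and the known autostart directories are assumptions for the example, and the log excerpt is a constructed sample built from lines posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed excerpt: a handful of HijackThis v1.97 lines of the kinds seen
# in this thread. It is a sample for the example, not the full posted log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Thunk VGA] C:\program files\spam htm\Pure Ford Kind.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/trigge...Signed.cab
"""

# Assumed allowlist of hosts from which ActiveX (O16 - DPF) downloads are
# expected on this machine; anything else is reported for review.
TRUSTED_DPF_HOSTS = ("microsoft.com", "google.com", "symantec.com",
                     "macromedia.com", "yahoo.com", "hp.com")

# Assumed directories the analyst has already verified as legitimate homes
# for autostart (O4) entries; anything outside them is reported.
KNOWN_RUN_DIRS = (
    r"c:\program files\common files\symantec shared",
    r"c:\windows\system32\spool",
)


@dataclass
class Finding:
    kind: str    # HijackThis entry type: R3, O4 or O16
    reason: str  # why the line deserves a look
    line: str    # the raw log line


def run_target(rest: str) -> str:
    """Return the executable path from the text after '[name] ' in an O4 line.

    Quoted commands end at the closing quote; unquoted commands with spaces
    (e.g. 'C:\\program files\\spam htm\\Pure Ford Kind.exe') are cut after
    the first '.exe', which is the best a log parser can do without the registry.
    """
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    m = re.search(r"\.exe\b", rest, re.IGNORECASE)
    return rest[: m.end()] if m else rest


def dpf_host(url: str) -> Optional[str]:
    """Hostname of an O16 download URL, or None for file:// and malformed URLs."""
    return urlparse(url).hostname


def triage(log_text: str) -> List[Finding]:
    """Flag HijackThis lines that match the heuristics used in this thread."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        # R3: a registered search-hook CLSID whose DLL no longer exists.
        if line.startswith("R3 - URLSearchHook") and line.endswith("(no file)"):
            findings.append(Finding("R3", "orphaned URLSearchHook: CLSID registered, DLL missing", line))
            continue
        # O4: autostart entries from Run keys.
        m = re.match(r"^O4 - (.+?): \[([^\]]+)\] (.*)$", line)
        if m:
            target = run_target(m.group(3))
            if "\\" not in target:
                findings.append(Finding("O4", "bare executable name, resolved via the search path", line))
            elif not target.lower().startswith(KNOWN_RUN_DIRS):
                findings.append(Finding("O4", "autostart outside verified program directories", line))
            continue
        # O16: ActiveX downloads (Downloaded Program Files).
        m = re.match(r"^O16 - DPF: (.+?) - (\S+)$", line)
        if m:
            host = dpf_host(m.group(2))
            if host is None:
                findings.append(Finding("O16", "control installed from a local file, not a web host", line))
            elif not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
                findings.append(Finding("O16", "download source not on the trusted host list", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```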
     
  3. tannertime

    tannertime Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    3
    Hi, Thanks for your reply. I have been out of town most of the week and this is the first time I have had time to reply.

    I tried deleting the three URLSearchHooks and they wouldn't go away, so I went into the registry and manually deleted them. I also deleted as many temporary files as I could.

    I'm still having problems. The minute I open an I.E. Browser, http://66.33.0.35/spyblocs/adv/bm/bmpop.html or some other redirects take over. I've run Kill2me, Killbox and even got the new Norton 2004 anti-virus to see if it would help.

    Below is the latest HJT file. Let me know if you have any ideas.

    Thanks, Don

    Logfile of HijackThis v1.97.7
    Scan saved at 12:16:49 AM, on 5/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\RNmail\rn.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\BroadPage\BroadPage.exe
    C:\Program Files\Outlook Express\Msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    G:\My Zip Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\don\prefs.js)
    O3 - Toolbar: Copernic Meta - {F79AD27F-8140-4E33-8B1D-C4FC6B663CCA} - C:\WINDOWS\Downloaded Program Files\CopernicMeta.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [RNmail] "C:\Program Files\RNmail\rn.exe" /path "C:\Program Files\RNmail"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Search Using Copernic Meta - res://C:\WINDOWS\Downloaded Program Files\CopernicMeta.dll/HTML/SearchExt
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {57A00229-310A-4763-BF17-3D3D391A9DC7} - http://www.copernic.com/software/meta/Install/CopernicMetaInstall.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37602.1688657407
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?315
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://www.paltalk.com/prod/RegDload.CAB
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hi:)
    Your log is clean......can you locate this dll
    "C:\WINDOWS\system32\2rdsrch.cpy.dll"
    Right click and see what's listed in properties.....i.e. who the vendor is.
    You may need to show hidden files.

    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    ;)
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    $teve,

    That file is L2M.
     
  6. tannertime

    tannertime Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    3
    Steve,

    I had already found and deleted the 2rdsrch.dll and the 2rdsrch.cpy.dll before I received your reply - and it has not come back (thank goodness) but I think they're just renaming it into another 'dll' or 'gif'.

    I have Windows set up so that it shows all files. Even though the computer looks clean, every time I boot up, more ad stuff comes in - cydoor, adtools, lopdotcom, ncase, MetaDirect, virtumonde - just to mention a few.

    I have found a couple of places they are hiding some of the stuff. There's a 'dll' file called awaamon.dll that is a hidden file, but I can't get to it to erase it, and it is tied to HKLM>Software>Microsoft>WindowsNT>Current Version>Winlogon>Notify>Guardian, DllName, C:\WINDOWS\system32\awaamon.dll
    and Guardian is also tied to {77C476A5-1D8E-452D-BEEC-0E963FAF6B97} - which shows up under HKLM\..\Internet Settings\User Agent\Post Platform. Every time I erase them they come back with the next boot-up.

    I have another sneaky one called 'PureFordKind.exe' - which you've probably seen. It resides in several places also. First it's in C:\program files\spam htm\PureFordKind.exe (and sometimes instead of that, in the \spam htm directory, there'll be 3 other files. One is a 'bin' file, a 'dll' file and I don't remember the other one right now, because it was replaced by the 'exe' program this time). PureFordKind is also found in HKLM\..\Run: [Thunk VGA] C:\program files\spam htm\Pure Ford Kind.exe. When I try to delete it, it is back if I even do a registry search - without re-booting! It's the strangest thing.

    So that's some of the places where I suspect problems are hiding, especially since I can't erase any of them. I think that possibly some lead program is either creating new 'dll' files, which let these other 'trojans' in, or either it's a self learning AI.

    Could this [non-erasing] problem be caused by administrative issues? When I set the computer up I set up two users - both with administrative powers, so I thought that was that. But is there a higher authority position in the Windows setup? The other person rarely uses this computer, and thus is having no problems, plus she uses Netscape as her browser.

    Any thoughts?

    One last item, there are always two or three non-erasable files left in the Temp folder under my user name in Documents and Settings. I've been able to erase every other temp file on the computer. Right now the files are '~DFBF27.tmp', '~DFD38B.tmp', and 'Perflib_Perfdata_964.dat'. I was able to trick the computer one time by putting them into the 'CopyFile' program you told someone about, but they were right back soon enough.


    Thanks, Don
     
Short URL to this thread: https://techguy.org/223899