IE hijacked to searchmyrequest.com

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Snagged

Thread Starter
Joined
Mar 30, 2004
Messages
6
Hi
I am a novice with an old PC, so please go easy on the abbreviations (!). I am using Internet Explorer 6 on Win98, and the home page was hijacked to searchmyrequest.com (SMR), and several adult sites are bookmarked under Favorites and show up under the address bar!!

I ran Spybots (nothing but tracking cookies detected), ran Ad-aware, which identified several hijack issues, checked them all, quarantined and deleted them all, and re-set my internet options to the correct home page. When I re-booted, I was still hijacked to SMR. Ran Ad-aware multiple times, but it no longer seems to find hijack objects. I've avoided the nuisance by not turning off my computer (smile), but now on certain sites (Yahoo home page and NBC news) the following text is appearing... What do I do now? Thanks for any help.


Warning: mysql_connect(): Too many connections in /usr/home/searchmyrequest/sites/searchmyrequest.com/mods/doubleclick.php on line 23

Warning: mysql_db_query(): supplied argument is not a valid MySQL-Link resource in /usr/home/searchmyrequest/sites/searchmyrequest.com/mods/doubleclick.php on line 26

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /usr/home/searchmyrequest/sites/searchmyrequest.com/mods/doubleclick.php on line 27

Warning: mysql_db_query(): supplied argument is not a valid MySQL-Link resource in /usr/home/searchmyrequest/sites/searchmyrequest.com/mods/doubleclick.php on line 33

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /usr/home/searchmyrequest/sites/searchmyrequest.com/mods/doubleclick.php on line 34

Warning: mysql_db_query(): supplied argument is not a valid MySQL-Link resource in /usr/home/searchmyrequest/sites/searchmyrequest.com/mods/doubleclick.php on line 45
 
Joined
Feb 15, 2004
Messages
826
Hi, please download HijackThis from here. Make a new folder for the program and then open it, click Scan. When it finishes scanning, do not remove anything but instead save the log and post it here.

Someone will be glad to help you afterwards
 

Snagged

Thread Starter
Joined
Mar 30, 2004
Messages
6
This was originally posted before I saw the response to run CWShredder. A new hijacker log was created after I ran CWShredder, and is set out later in this thread......I came back and edited this entry to delete the preliminary HJT log so no one would waste their time analyzing it.....Thanks!
 
Joined
Jul 26, 2002
Messages
46,331
Click here to download CWShredder. Close all browser windows, unzip the file, click on the cwshredder.exe then click "Fix" (not "Scan only") and let it do its thing.

When it is finished restart your computer.

IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"


Come back here and post another Hijack This log and we'll get rid of what's left.
 

Snagged

Thread Starter
Joined
Mar 30, 2004
Messages
6
Followed your advice and ran CWShredder, shut down and rebooted... also ordered the Microsoft updates/patches... I re-ran HijackThis... here is the log... what do I do next? (thanks)

Logfile of HijackThis v1.97.7
Scan saved at 12:13:40 AM, on 3/31/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INTEL\INTEL EXPRESS 3D GRAPHICS CARD\DISPLAY PROPERTIES\GFXICON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CG16EH.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NSCHED32.EXE
C:\QUICKEN4\QWDLLS.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\REGISTER\REMIND32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmyrequest.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmyrequest.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ACT
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [IntelExpress3DTray] C:\Program Files\Intel\Intel Express 3D Graphics Card\Display Properties\gfxicon.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [v9tuhp671r] C:\WINDOWS\GC6ZPNHPS1.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton SystemWorks\Norton AntiVirus\nsched32.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKEN4\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKEN4\BILLMIND.EXE
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O12 - Plugin for .aif: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O13 - WWW. Prefix: http://
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37590.4215740741
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: (file missing)
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
When you ran CWshredder did you click on FIX and not scan only?
 

Snagged

Thread Starter
Joined
Mar 30, 2004
Messages
6
Yes, followed the directions to a T! I take it the results of the HJT log surprise you..... Should I run it again? (thanks)
 

Snagged

Thread Starter
Joined
Mar 30, 2004
Messages
6
I ran CWShredder again, when I opened it I got a warning window that CWShredder had detected a trojan that was seeking to close it down, then I clicked Fix and it said the system was "clean", here is the HJT log

Logfile of HijackThis v1.97.7
Scan saved at 7:43:23 PM, on 3/31/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INTEL\INTEL EXPRESS 3D GRAPHICS CARD\DISPLAY PROPERTIES\GFXICON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CG16EH.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NSCHED32.EXE
C:\QUICKEN4\QWDLLS.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\REGISTER\REMIND32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/html/index.cfm?p=16&m=32
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ACT
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [IntelExpress3DTray] C:\Program Files\Intel\Intel Express 3D Graphics Card\Display Properties\gfxicon.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [0xjysva8ex] C:\WINDOWS\LMMME2VB0B.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton SystemWorks\Norton AntiVirus\nsched32.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKEN4\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKEN4\BILLMIND.EXE
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O12 - Plugin for .aif: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O13 - WWW. Prefix: http://
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38077.1476388889
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: (file missing)
 
Joined
Feb 15, 2004
Messages
826
Remove these entries from HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank

O1 - Hosts: 64.237.45.18 www.burstnet.com

O1 - Hosts: 64.237.45.18 oz.valueclick.com

O1 - Hosts: 64.237.45.18 a.tribalfusion.com

O1 - Hosts: 64.237.45.18 servedby.advertising.com

O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com

O4 - HKLM\..\Run: [0xjysva8ex] C:\WINDOWS\LMMME2VB0B.EXE

O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe

O19 - User stylesheet: (file missing)


Reboot to safe mode, enable viewing of hidden/system files (instructions below)

Delete the following files
C:\Windows\awinrar.exe
C:\WINDOWS\LMMME2VB0B.EXE

Also, while in safe mode, attempt to run CWShredder again (Fix instead of scan only).

Reboot

How to get to safe mode - http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
How to view hidden/system files - http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Post a new log here.
 
Joined
Jul 26, 2002
Messages
46,331
First please do this:

Navigate to the C:\Windows folder and locate the LMMME2VB0B.EXE file. Right click it and copy it. Put the copy in a zipped folder. Attach a copy of that zipped folder and send it to me here. Please include a link to this thread so I'll remember where it came from.

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank

O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com

O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe

O4 - HKLM\..\Run: [0xjysva8ex] C:\WINDOWS\LMMME2VB0B.EXE

O19 - User stylesheet: (file missing)


Restart to safe mode and delete:

The C:\WINDOWS\LMMME2VB0B.EXE file
The C:\Windows\awinrar.exe file.
 
Joined
Feb 15, 2004
Messages
826
FLRMAN1!! Did you miss this file ?!? :D
C:\Windows\awinrar.exe

CWS-related? Right?

Edit: Aha, I see you fixed it ;)
 
Joined
Jul 26, 2002
Messages
46,331
I want a copy of the LMMME2VB0B.EXE file before you delete it. Please follow my directions for sending that file.
 

Snagged

Thread Starter
Joined
Mar 30, 2004
Messages
6
I followed Nok1's instructions, removed entries from HJT, rebooted to safe mode, enabled viewing of hidden files, deleted Awinrar.exe and LMMME2VBOB.exe, ran CWShredder in safe mode, rebooted, ran HJT, and am posting the log below... BUT did not read down and see flrman 1's instruction to copy and send the LMMME2Vbob.exe file... is this going to be a problem?

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 11:50:28 PM, on 3/31/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INTEL\INTEL EXPRESS 3D GRAPHICS CARD\DISPLAY PROPERTIES\GFXICON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CG16EH.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NSCHED32.EXE
C:\QUICKEN4\QWDLLS.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\REGISTER\REMIND32.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/html/index.cfm?p=16&m=32
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ACT
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [IntelExpress3DTray] C:\Program Files\Intel\Intel Express 3D Graphics Card\Display Properties\gfxicon.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [54xw74byfg] C:\WINDOWS\LMMME2VB0B.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton SystemWorks\Norton AntiVirus\nsched32.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKEN4\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKEN4\BILLMIND.EXE
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O12 - Plugin for .aif: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O13 - WWW. Prefix: http://
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38077.1476388889
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined
Jul 26, 2002
Messages
46,331
This one is back:

O4 - HKLM\..\Run: [54xw74byfg] C:\WINDOWS\LMMME2VB0B.EXE,

but it is different this time.

This is how it looked in the first log:

O4 - HKLM\..\Run: [0xjysva8ex] C:\WINDOWS\LMMME2VB0B.EXE

Fix this one again:

O4 - HKLM\..\Run: [54xw74byfg] C:\WINDOWS\LMMME2VB0B.EXE,

Boot to safe mode and delete the C:\WINDOWS\LMMME2VB0B.EXE file if it is still there.

Please send me a copy of that file according to my previous instructions before you delete it.
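
The two patterns visible in the logs above, a Run entry that comes back under a new value name while pointing at the same file, and several unrelated ad domains mapped to one address in the Hosts file, can be checked by comparing two HijackThis logs. This is an added example, not part of the thread; the function names are illustrative and the sample lines are excerpts of the O1/O4 entries posted above.

```python
import re
from collections import defaultdict

# Excerpts of O1/O4 lines from the logs posted in this thread.
LOG_BEFORE = r"""
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [0xjysva8ex] C:\WINDOWS\LMMME2VB0B.EXE
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [54xw74byfg] C:\WINDOWS\LMMME2VB0B.EXE
"""

# Registry autoruns only; "O4 - Startup:" shortcut lines have no [name].
O4_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")


def parse_autoruns(log):
    """Map (registry key, lower-cased command) -> value name."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            key, name, command = m.groups()
            entries[(key, command.strip().lower())] = name
    return entries


def renamed_autoruns(before, after):
    """Commands present in both logs whose value name changed.

    A legitimate program keeps its value name between boots; a changed
    name on the same command means something re-created the entry.
    """
    old, new = parse_autoruns(before), parse_autoruns(after)
    return sorted(
        (key, cmd, old[(key, cmd)], new[(key, cmd)])
        for (key, cmd) in old.keys() & new.keys()
        if old[(key, cmd)] != new[(key, cmd)]
    )


def shared_redirects(log, min_domains=2):
    """IPs that hostnames from several different domains resolve to."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            by_ip[m.group(1)].append(m.group(2).lower())
    flagged = {}
    for ip, hosts in by_ip.items():
        # Ad-blocking hosts files map many names to loopback or 0.0.0.0;
        # that is a sinkhole, not a redirect, so it is not flagged.
        if ip.startswith("127.") or ip == "0.0.0.0":
            continue
        # Naive registered-domain guess: the last two labels.
        domains = {".".join(h.split(".")[-2:]) for h in hosts}
        if len(domains) >= min_domains:
            flagged[ip] = sorted(hosts)
    return flagged


if __name__ == "__main__":
    for key, cmd, was, now in renamed_autoruns(LOG_BEFORE, LOG_AFTER):
        print(f"{key}: {cmd} re-registered, [{was}] -> [{now}]")
    for ip, hosts in shared_redirects(LOG_BEFORE).items():
        print(f"{ip} <- {', '.join(hosts)}")
```
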
 