1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

IE hijacked

Discussion in 'Virus & Other Malware Removal' started by tim_struble, Sep 14, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. tim_struble

    tim_struble Thread Starter

    Joined:
    Sep 14, 2004
    Messages:
    14
    Hello,
    Something has modified my IE 6.0 home page so it says about:blank and it takes me to a web search engine. I also get popups saying spyware has been detected. I change the home page but it keeps coming back. Also, every time I have a web page redirection (I think) it takes me to this same search engine which says it is about:blank. I am running Windows Xp. I do not have the problem with Netscape.

    I tried symantec, spybot, ad-aware...nothing fixed it. Norton did say it found a backdoor.agent.B virus with filename mse.dll but it said it couldn't fix it. I tried to delete the file manually but it always says it can't because it is in use...even in safe mode. But I am not sure if it is directly related to the hijacker or not.

    I downloaded hijackthis and here are the results. Can anyone help?

    Thanks,
    Tim

    Logfile of HijackThis v1.97.7
    Scan saved at 3:10:36 PM, on 9/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\drivers\trcboot.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    C:\Program Files\c4ebreg\isamsmt.exe
    c:\sdwork\issimsvc.exe
    C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
    C:\PROGRA~1\Xpoint\agent\Xpagent.exe
    C:\WINDOWS\System32\drivers\ldlcserv.exe
    C:\PROGRA~1\Xpoint\EEClient\xpclient.exe
    C:\WINDOWS\system32\cmd.exe
    C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\MProcessor\mprocessor.exe
    C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    C:\Program Files\Stampede\TurboGold\tgclui32.exe
    C:\Program Files\Lotus\SameTime Client\Connect.exe
    C:\Program Files\AT&T Network Client\NetClient.exe
    C:\Program Files\TightVNC\vncviewer.exe
    C:\Program Files\Hummingbird\Connectivity\8.00\HostExplorer\hostex32.exe
    C:\PROGRA~1\HUMMIN~1\CONNEC~1\8.00\HOSTEX~1\HEOleAut.exe
    C:\workstuff\putty\putty.exe
    C:\Notes\NLNOTES.EXE
    C:\Program Files\Stampede\TurboGold\ntgclhap.exe
    C:\Notes\nwrdaemn.EXE
    C:\Notes\nupdate.EXE
    C:\Notes\nhldaemn.EXE
    C:\workstuff\putty\putty.exe
    C:\workstuff\putty\putty.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
    C:\Program Files\GoGoData.com\GoGoData AdBuster\GoGoTray.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\workstuff\putty\putty.exe
    C:\workstuff\putty\putty.exe
    C:\workstuff\putty\putty.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\workstuff\putty\putty.exe
    C:\progra~1\c4ebreg\c4ebreg.exe
    C:\Program Files\DownloadWare\dw.exe
    C:\Program Files\NAVISearch\bin\nls.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\RECOMM~1\v15\rh.exe
    C:\Program Files\NavNT\vpc32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnbc.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
    O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
    O2 - BHO: (no name) - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7F54F59E-E171-4A09-B9A4-53918C0867AC} - C:\WINDOWS\System32\mglb.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
    O2 - BHO: (no name) - {E65C99D4-90FC-874C-CEE5-F3B811CFDA59} - C:\WINDOWS\Ynadexji.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
    O3 - Toolbar: Search - {B9AAE2E2-9A27-11FB-6E0F-90E0AAFF8787} - C:\WINDOWS\Ynadexji.dll
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
    O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
    O4 - HKLM\..\Run: [NPDTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\c4ebreg\isamsmt.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
    O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData AdBuster\GoGoTray.exe
    O4 - HKLM\..\RunOnce: [djebmm350.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djebmm350.exe"
    O4 - HKCU\..\RunOnce: [NetSP - restore database] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
    O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
    O4 - Global Startup: Stampede TurboGold.lnk = ?
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra 'Tools' menuitem: GoGoData AdBuster (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://msnbc.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37728.4312152778
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{213BCB18-80F1-4E93-A600-1FB49BDCFAE2}: Domain = kntnny.adelphia.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{213BCB18-80F1-4E93-A600-1FB49BDCFAE2}: NameServer = 9.0.2.1,9.0.3.1
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,855
    Hi and welcome to TSG,

    Download this: http://downloads.subratam.org/FINDnFIX.exe
    Extract it (it should autoextract to C:\FindnFix when you double click it)

    Go to the C:\FindnFix folder and doubleclick on !LOG!.BAT and let it run. It will generate a log.txt file. Copy and paste the log.txt back here in your next reply.

    Anyone else with a similar problem, do NOT attempt to follow these instructions on your own. Expert help is required to interpret the log and deleting the wrong file can cause serious damage to your system!

    Then download the latest version of Hijack This 1.98.2 and post another log as well.
     
  3. tim_struble

    tim_struble Thread Starter

    Joined:
    Sep 14, 2004
    Messages:
    14
    Thank you for the quick reply. Here is the ne hijackthis log, followed by the findNfix log:

    Logfile of HijackThis v1.98.2
    Scan saved at 11:02:23 AM, on 9/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\trcboot.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    C:\Program Files\c4ebreg\isamsmt.exe
    c:\sdwork\issimsvc.exe
    C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
    C:\PROGRA~1\Xpoint\agent\Xpagent.exe
    C:\PROGRA~1\Xpoint\EEClient\xpclient.exe
    C:\WINDOWS\System32\drivers\ldlcserv.exe
    C:\WINDOWS\system32\cmd.exe
    C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\Program Files\MProcessor\mprocessor.exe
    C:\Program Files\GoGoData.com\GoGoData AdBuster\GoGoTray.exe
    C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    C:\Program Files\Stampede\TurboGold\tgclui32.exe
    C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
    C:\Program Files\AT&T Network Client\NetClient.exe
    C:\Program Files\Lotus\SameTime Client\Connect.exe
    C:\Program Files\TightVNC\vncviewer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Notes\NLNOTES.EXE
    C:\Program Files\Stampede\TurboGold\ntgclhap.exe
    C:\Notes\nwrdaemn.EXE
    C:\Notes\nupdate.EXE
    C:\Notes\nhldaemn.EXE
    C:\Program Files\Hummingbird\Connectivity\8.00\HostExplorer\hostex32.exe
    C:\PROGRA~1\HUMMIN~1\CONNEC~1\8.00\HOSTEX~1\HEOleAut.exe
    C:\workstuff\putty\putty.exe
    C:\workstuff\putty\putty.exe
    C:\workstuff\putty\putty.exe
    C:\progra~1\c4ebreg\c4ebreg.exe
    C:\workstuff\putty\putty.exe
    C:\workstuff\putty\putty.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\RECOMM~1\v15\rh.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnbc.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
    O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\Program Files\Aladdin Systems\Internet Cleanup\ic3hlpr.dll
    O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
    O2 - BHO: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7F54F59E-E171-4A09-B9A4-53918C0867AC} - C:\WINDOWS\System32\mglb.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
    O2 - BHO: (no name) - {E65C99D4-90FC-874C-CEE5-F3B811CFDA59} - C:\WINDOWS\Ynadexji.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
    O3 - Toolbar: Search - {B9AAE2E2-9A27-11FB-6E0F-90E0AAFF8787} - C:\WINDOWS\Ynadexji.dll
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
    O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
    O4 - HKLM\..\Run: [NPDTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\c4ebreg\isamsmt.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
    O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData AdBuster\GoGoTray.exe
    O4 - HKCU\..\RunOnce: [NetSP - restore database] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
    O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
    O4 - Global Startup: Stampede TurboGold.lnk = ?
    O9 - Extra button: (no name) - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\TD.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\TD.exe (file missing)
    O9 - Extra button: (no name) - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
    O9 - Extra 'Tools' menuitem: GoGoData AdBuster - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
    O9 - Extra button: IC 3.0 - {bba9a1cb-c90a-4912-8f01-dfa51a2b4102} - C:\Program Files\Aladdin Systems\Internet Cleanup\ic3hlpr.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://msnbc.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{213BCB18-80F1-4E93-A600-1FB49BDCFAE2}: Domain = kntnny.adelphia.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{213BCB18-80F1-4E93-A600-1FB49BDCFAE2}: NameServer = 9.0.2.1,9.0.3.1
    O18 - Filter: text/html - {DCEDCF25-CB39-4D41-B16B-AEB6B6C0D557} - C:\WINDOWS\System32\mglb.dll
    O18 - Filter: text/plain - {DCEDCF25-CB39-4D41-B16B-AEB6B6C0D557} - C:\WINDOWS\System32\mglb.dll
    O21 - SSODL: System - {751B0DAB-4895-4028-BBEA-084F45A5866F} - C:\WINDOWS\system32\system32.dll (file missing)

    ****************************************************
    Here is the findNfix log:
    *****************************************************

    Wed 15 Sep 04 10:52:51

    »»»»»»»»»»»»»»»»»»***LOG!***(*updated *9/1*)»»»»»»»»»»»»»»»»

    *System:
    Microsoft Windows XP Professional 5.1 Service Pack 1 (Build 2600)
    *IE version:
    6.0.2800.1106 SP1-Q810847-Q818529-Q813951-Q330994-Q828750-Q824145-Q832894-Q837009-Q831167

    The type of the file system is NTFS.


    MS-DOS Version 5.00.500

    *command.com test passed!

    __________________________________
    !!*Creating backups...!!

    The operation completed successfully
    10:52:50.82 Wed 09/15/2004
    __________________________________

    *Local time:
    Wednesday, September 15, 2004 (9/15/2004)
    10:52 AM, Eastern Daylight Time
    *Uptime:
    10:52:53 up 0 days, 17:43:09

    *Path:
    C:\FINDnFIX
    ----------------------------------------------------
    »»Member of...: ("ADMIN" logon + group match required!)

    User is a member of group TSTRUBLE-XP\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Group BUILTIN\Administrators matches list.
    Group BUILTIN\Users matches list.

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    User: [TSTRUBLE-XP\tstruble], is a member of:

    BUILTIN\Administrators
    \Everyone

    Running in WORKSTATION MODE.

    SystemDrive is C:
    SystemRoot is C:\WINDOWS
    Logon Domain is TSTRUBLE-XP
    Administrator's Name is tstruble
    Computer Name is TSTRUBLE-XP
    LOGON SERVER is \\TSTRUBLE-XP

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided and registry scan should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

    ______________________________________________________________________________
    ***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
    ______________________________________________________________________________

    ......Scanning for file(s)...
    *Note! The list(s) may include legitimate files!
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»»»» (*1*) »»»»» .........
    »»Read access error(s)...

    C:\WINDOWS\SYSTEM32\MSEB.DLL +++ File read error
    \\?\C:\WINDOWS\System32\MSEB.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    MSEB.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»»»(*5*)»»»»»
    ¯ Access denied ® ..................... MSEB.DLL .....57344 22.06.2004

    »»»»»(*6*)»»»»»
    fgrep: can't open input C:\WINDOWS\SYSTEM32\MSEB.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...
    *List of files and specs according to 'size' :
    *Note: Not all files listed here are infected, but *may include* the
    name and spces of the offending file...
    ___________________________________________________________________________
    Path: C:\WINDOWS\SYSTEM32 Including: *.DLL

    688. Mseb Dll 57,344 . . . . . 6-22-04 1:55 pm

    ____________________________________________________________________________
    *By size and date...


    C:\WINDOWS\SYSTEM32\
    mseb.dll Tue Jun 22 2004 1:55:20p ..... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\MSEB.DLL
    SNiF 1.34 statistics

    Matching files : 1 Amount in bytes : 57344
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


    BHO search and other files...

    **File C:\WINDOWS\SYSTEM32\MGLB.DLL
    00001FF8: 25 25 25 30 32 78 00 00 . 00 00 00 00 C0 82 05 B3 %%%02x.. ....À‚.³
    fgrep: can't open input C:\WINDOWS\SYSTEM32\MSEB.DLL


    No matches found.

    No matches found.

    *sp.html found in temp folder:
    --a-- - - - - - 7,977 09-15-2004 sp.html
    File: <C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html>

    CRC-32 : F0592224

    MD5 : 4E6A7B88 1D220147 4719A3CD BAE8D6FE




    *Filter keys search...
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
    CLSID = {DCEDCF25-CB39-4D41-B16B-AEB6B6C0D557}

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain
    CLSID = {DCEDCF25-CB39-4D41-B16B-AEB6B6C0D557}

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Checking for AppInit_DLLs (empty) value...
    ________________________________
    !"AppInit_DLLs"=""!

    Value does not match
    ________________________________

    »»Comparing *saved* key with *original*...

    REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

    Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

    Value "AppInit_DLLs" in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" has different lengths (1 vs 29)

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Performing string scan....
    00001150: ?
    00001190: vk UDeviceNo
    000011D0:tSelectedTimeout 1 5 @ vk ' z
    00001210:GDIProcessHandleQuota" 9 0 | vk X
    00001250:Spooler2 y e s n vk =pswapdisk
    00001290: 8 h vk ( R TransmissionRetryTimeout
    000012D0: vk ' V USERProcessHandleQuotaL 8
    00001310:h vk : H ~ AppInit_DLLsiles` C :
    00001350:\ W I N D O W S \ S y s t e m 3 2 \ m s e b . d l l \ T e m p
    00001390:\ d r v 2 F . t m p . d l l \ L O C A L S ~ 1 \ T e m p \ d r
    000013D0:v 2 4 . t m p . d l l
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    AppInit_DLLsiles`ÿÿÿC
    --------------
    --------------
    $011C7: UDeviceNotSelectedTimeout
    $0120F: zGDIProcessHandleQuota
    $012B8: TransmissionRetryTimeout
    $012E8: USERProcessHandleQuotaL
    $01338: AppInit_DLLsiles
    --------------
    --------------
    C:\WINDOWS\System32\mseb.dll
    \Temp\drv2F.tmp.dll
    \LOCALS~1\Temp\drv24.tmp.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"=""

    .............
    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINDOWS\System32\mseb.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
    0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
    0020 6d 00 33 00 32 00 5c 00 6d 00 73 00 65 00 62 00 | m.3.2.\.m.s.e.b.
    0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...
    -----------------------

    »»»»»»Backups list...»»»»»»
    10:54:28 up 0 days, 17:44:45
    -----------------------
    Wed 15 Sep 04 10:54:28


    C:\FINDNFIX\
    keyback.hiv Wed Sep 15 2004 10:52:52a A.... 8,192 8.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 8,192 bytes 8.00 K

    C:\FINDNFIX\KEYS1\
    winkey.reg Wed Sep 15 2004 10:52:52a A.... 287 0.28 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 287 bytes 0.28 K

    *Temp backups...

    "C:\Documents and Settings\Administrator\Local Settings\Temp\Backs2\"
    keyback2.hi_ Sep 15 2004 8192 "keyback2.hi_"
    winkey2.re_ Sep 15 2004 287 "winkey2.re_"

    2 items found: 2 files, 0 directories.
    Total of file sizes: 8,479 bytes 8.28 K
    -D---- JUNKXXX 00000000 10:52.52 15/09/2004
    A----- STARTIT .BAT 00000060 10:52.52 15/09/2004

    ________________________________________________________________________________
    ***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
    AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
    MINIMAL REQUIREMENTS INCLUDE:
    _________XP HOME/PRO; SP1; IE6/SP1
    _________2K/SP4; IE6/SP1
    ________________________________________________________________________________
    »»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»
    -----END------
    Wed 15 Sep 04 10:54:30
    
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,855
    Ok we have identified the hidden file that keeps loading the hijack. This will take a couple more steps to fix.

    IMPORTANT! DISABLE YOUR ANTI-VIRUS PROTECTION TO AVOID ANY CONFLICTS!

    Get ready to restart:

    First doubleclick on the FIX.bat file in the 'FINDnFIX' folder.
    Wait for the popup alert to restart your computer in 15 seconds.

    On restart, navigate to C:\Windows\System32 folder:

    Locate and select the MSEB.DLL file (as it will be visible)
    and use the folder's top menu and got to Edit > Move to Folder...

    Select the C:\FINDnFIX\junkxxx as destination and move the MSEB.DLL file there.

    Now look in the C:\FINDnFIX folder and locate the RESTORE.bat file. Doubleclick it to run it.

    Wait for it to run and it will produce a 'log1.txt' file! Copy that log and paste it here!
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - hijacked
  1. genubi
    Replies:
    0
    Views:
    278
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/273957

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice