
TOTAL CORRUPTION - HiJack This Log Included

Discussion in 'Virus & Other Malware Removal' started by roscony, Nov 17, 2004.

  1. roscony

    roscony Thread Starter

    Joined:
    Nov 17, 2004
    Messages:
    10
    Ok...I have my neighbor's PC, which is totally infested with viruses, malware, hijackers, you name it. I am able to connect to the internet via IE... the page is continually re-directed by uschase.com and ads234.com, then it defaults to a blank about:blank page poof!

    Here are the startup lists. I am unable to "not load" specific items; it always defaults to enabling "all":
    StartupList report, 11/17/2004, 9:08:01 AM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Desktop\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\WINDOWS\System32\ygztahrx.exe
    C:\documents and settings\kaitlyn.walshfamilycomp.000\local settings\temp\GrMeNIB8q.exe
    C:\WINDOWS\System32\nwufbgtg.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\WINDOWS\b.exe
    C:\documents and settings\kaitlyn.walshfamilycomp.000\local settings\temp\6xwG.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\jgaw400213a.exe
    C:\WINDOWS\System32\vdplayd.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Application Data\ttuh.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\iexplorr24.exe
    C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Desktop\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Microsoft Works Calendar Reminders.lnk = ?

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    WildTangent CDA = RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    Spyware Stormer = C:\Program Files\Spyware Stormer\SpywareStormer.Exe
    MS Updates = C:\Documents and Settings\John and Bryan\Local Settings\Temporary Internet Files\Content.IE5\GT6R4XQN\mscache[1].exe
    Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
    Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    lite.exe = C:\WINDOWS\System32\lite.exe
    JUFPZHRC = C:\WINDOWS\JUFPZHRC.exe
    JTBPZ = C:\WINDOWS\JTBPZ.exe
    ildfwpb = C:\WINDOWS\System32\ygztahrx.exe
    GrMeNIB8q = C:\documents and settings\kaitlyn.walshfamilycomp.000\local settings\temp\GrMeNIB8q.exe
    eclpuufz = C:\WINDOWS\System32\nwufbgtg.exe
    Dpi = C:\Program Files\Common Files\Dpi\dpi.exe
    bxxs5 = RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    AVGCtrl = "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    AutoUpdater = "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    aufbmyqq = C:\WINDOWS\yapjybrm.exe
    Aqua.exe = C:\WINDOWS\System32\Aqua.exe
    Antivirus = C:\WINDOWS\b.exe
    6xwG = C:\documents and settings\kaitlyn.walshfamilycomp.000\local settings\temp\6xwG.exe
    RegistryMechanic = C:\Program Files\Registry Mechanic\RegMech.exe /S
    TV Media = C:\Program Files\TV Media\Tvm.exe
    vdplayd = C:\WINDOWS\System32\vdplayd.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    traffic944c.exe = "C:\WINDOWS\System32\traffic944c.exe"
    wmv9dmod945g.exe = "C:\WINDOWS\System32\wmv9dmod945g.exe"
    SysUpd = C:\WINDOWS\sysupd.exe
    SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    MoneyStartUp = C:\Program Files\Microsoft Money\System\Money Startup.exe
    mindex474s.exe = "C:\WINDOWS\System32\mindex474s.exe"
    jgaw400213a.exe = "C:\WINDOWS\System32\jgaw400213a.exe"
    iexplorr24 = C:\WINDOWS\iexplorr24.exe
    d3drm818a.exe = "C:\WINDOWS\System32\d3drm818a.exe"
    clcd32973b.exe = "C:\WINDOWS\System32\clcd32973b.exe"
    ccfgnt434d.exe = "C:\WINDOWS\System32\ccfgnt434d.exe"
    AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
    Aida = C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Application Data\ttuh.exe
    TV Media = C:\Program Files\TV Media\Tvm.exe

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\System32\mmfutil279p.dll

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - SOFTWARE
    (no name) - (no file) - {00000000-0000-0000-0000-000000000221}
    (no name) - C:\WINDOWS\mxTarget.dll - {0000607D-D204-42C7-8E46-216055BF9918}
    (no name) - C:\WINDOWS\bxxs5.dll - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9}
    (no name) - (no file) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E}
    (no name) - C:\WINDOWS\System32\nkn.dll - {3DD8695A-9310-4EC8-DA25-6C5505DA7341}
    (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\WINDOWS\2_0_1browserhelper2.dll - {83DE62E0-5805-11D8-9B25-00E04C60FAF2}
    (no name) - C:\WINDOWS\System32\nvms.dll - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}
    IE Redirector - C:\WINDOWS\System32\ieredir.dll - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
    (no name) - C:\WINDOWS\System32\mscb.dll - {CE188402-6EE7-4022-8868-AB25173A3E14}
    Search Help - C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Local Settings\Temp\zCdjP2Qk7.dll - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841}
    (no name) - C:\WINDOWS\System32\msbe.dll - {F4E04583-354E-4076-BE7D-ED6A80FD66DA}

    --------------------------------------------------

    Enumerating Download Program Files:

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    Protocol #1: C:\WINDOWS\System32\lspak.dll
    Protocol #2: C:\WINDOWS\System32\lspak.dll
    Protocol #3: C:\WINDOWS\System32\lspak.dll
    Protocol #9: C:\WINDOWS\System32\lspak.dll

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 9,108 bytes
    Report generated in 0.657 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    Other than Spyware Stormer to identify malicious activity, they had nothing set up to protect themselves.

    Downloaded and ran stinger.exe (McAfee) with the latest defs (8 Nov). It identified and cleaned over 246,000 files.

    Installed Spybot, Spyware Blaster, Ad-Aware 6. Spybot cannot clean all issues. Also installed the Reg Editor trial... numerous errors. I REALLY DON'T WANT TO RE-INSTALL THEIR PC :eek: ... Just get it cleaned and internet accessible... with my recommendations :rolleyes: for the "right fix"

    Installed and ran HijackThis... Here's what I got... they have soooo much on their system, I'm not sure what's good and what's not...

    Logfile of HijackThis v1.98.2
    Scan saved at 9:16:07 AM, on 11/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\WINDOWS\System32\ygztahrx.exe
    C:\documents and settings\kaitlyn.walshfamilycomp.000\local settings\temp\GrMeNIB8q.exe
    C:\WINDOWS\System32\nwufbgtg.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\WINDOWS\b.exe
    C:\documents and settings\kaitlyn.walshfamilycomp.000\local settings\temp\6xwG.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\jgaw400213a.exe
    C:\WINDOWS\System32\vdplayd.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Application Data\ttuh.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Desktop\HijackThis.exe
    C:\WINDOWS\iexplorr24.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uchase.com/scan.php?ask=&a=1367
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - (no file)
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
    O2 - BHO: (no name) - {3DD8695A-9310-4EC8-DA25-6C5505DA7341} - C:\WINDOWS\System32\nkn.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\System32\ieredir.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Local Settings\Temp\zCdjP2Qk7.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
    O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\John and Bryan\Local Settings\Temporary Internet Files\Content.IE5\GT6R4XQN\mscache[1].exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [lite.exe] C:\WINDOWS\System32\lite.exe
    O4 - HKLM\..\Run: [JUFPZHRC] C:\WINDOWS\JUFPZHRC.exe
    O4 - HKLM\..\Run: [JTBPZ] C:\WINDOWS\JTBPZ.exe
    O4 - HKLM\..\Run: [ildfwpb] C:\WINDOWS\System32\ygztahrx.exe
    O4 - HKLM\..\Run: [GrMeNIB8q] C:\documents and settings\kaitlyn.walshfamilycomp.000\local settings\temp\GrMeNIB8q.exe
    O4 - HKLM\..\Run: [eclpuufz] C:\WINDOWS\System32\nwufbgtg.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [aufbmyqq] C:\WINDOWS\yapjybrm.exe
    O4 - HKLM\..\Run: [Aqua.exe] C:\WINDOWS\System32\Aqua.exe
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe
    O4 - HKLM\..\Run: [6xwG] C:\documents and settings\kaitlyn.walshfamilycomp.000\local settings\temp\6xwG.exe
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [vdplayd] C:\WINDOWS\System32\vdplayd.exe
    O4 - HKCU\..\Run: [traffic944c.exe] "C:\WINDOWS\System32\traffic944c.exe"
    O4 - HKCU\..\Run: [wmv9dmod945g.exe] "C:\WINDOWS\System32\wmv9dmod945g.exe"
    O4 - HKCU\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\Run: [mindex474s.exe] "C:\WINDOWS\System32\mindex474s.exe"
    O4 - HKCU\..\Run: [jgaw400213a.exe] "C:\WINDOWS\System32\jgaw400213a.exe"
    O4 - HKCU\..\Run: [iexplorr24] C:\WINDOWS\iexplorr24.exe
    O4 - HKCU\..\Run: [d3drm818a.exe] "C:\WINDOWS\System32\d3drm818a.exe"
    O4 - HKCU\..\Run: [clcd32973b.exe] "C:\WINDOWS\System32\clcd32973b.exe"
    O4 - HKCU\..\Run: [ccfgnt434d.exe] "C:\WINDOWS\System32\ccfgnt434d.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Application Data\ttuh.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {4D8E6154-D6B1-4770-A9A1-4919686F415E} - (no file) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86E7854C-559B-4518-BB8D-3DB7407A6367}: NameServer = 198.6.1.60 198.6.1.70
    O20 - AppInit_DLLs: C:\WINDOWS\System32\mmfutil279p.dll


    Your feedback and support are greatly appreciated... (y) (y) :)
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,315
    Download the LSP Fix:

    http://cexx.org/lspfix.htm

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of lspak.dll (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    Now start your computer in Safe Mode and delete:

    The C:\windows\system32\lspak.dll file

    Please download and run the following program(s):

    CWSHREDDER

    http://www.intermute.com/spysubtrac...r_download.html

    Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

    Then restart your computer.

    IMPORTANT! To help prevent this from happening again, you should install all the Microsoft security patches and critical updates.

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware SE Personal

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Then, deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Restart your computer.

    SPYBOT SEARCH & DESTROY

    http://majorgeeks.com/download2471.html

    Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows and click "Check for Problems". Anything that needs to be fixed will show in red and have a green check in the box to the left. Click "Fix Selected Problems", then restart your computer.

    Then, after rebooting, please post another log and we’ll see what’s left to get rid of.
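    The sorting that the instructions above do by hand (single out the lspak.dll Winsock LSP entries, the autoruns living in temp folders, the hijacked start and search pages, the AppInit DLL) can be automated over a HijackThis log. The script below is an added example written for this thread; it is not code from HijackThis, LSPFix or anyone posting here. Its two allowlists (stock Windows XP Winsock providers, hosts an untouched IE start page may point at) are assumptions, and SAMPLE_LOG is a constructed sample made of lines copied from the log posted above.

```python
"""Triage helper for a HijackThis (v1.98-style) log.

Flags the entry types discussed in this thread: R0/R1 start and search page
hijacks, O4 autoruns in suspicious locations, O10 non-standard Winsock LSPs
and O20 AppInit_DLLs. Added example, not part of HijackThis."""
import ntpath
import re
from collections import Counter, namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "item path reason")

# Constructed sample: lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uchase.com/scan.php?ask=&a=1367
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\John and Bryan\Local Settings\Temporary Internet Files\Content.IE5\GT6R4XQN\mscache[1].exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe
O4 - HKLM\..\Run: [6xwG] C:\documents and settings\kaitlyn.walshfamilycomp.000\local settings\temp\6xwG.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Application Data\ttuh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\mmfutil279p.dll
"""

# Folders that legitimately installed startup programs do not run from.
TRANSIENT_DIRS = ("\\local settings\\temp\\", "\\temporary internet files\\", "\\application data\\")
# Assumed allowlist: Winsock providers a stock Windows XP install ships with.
KNOWN_LSP_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}
# Assumed allowlist: hosts an untouched IE start/search page may point at.
TRUSTED_IE_HOSTS = ("microsoft.com", "msn.com")


def executable_of(command: str) -> str:
    """Return the program path from an O4 command line, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|scr))(?:\s|$)", command, re.I)
    return m.group(1) if m else command


def host_of(url: str) -> str:
    """Hostname of a start/search page value; scheme-less values are treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def trusted_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_IE_HOSTS)


def triage(log_text: str) -> list:
    """Return a list of Finding tuples for the suspicious entries in log_text."""
    findings = []
    lsp_dlls = Counter()  # DLL path -> number of catalog entries pointing at it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R[01]) - .*?,(.*?) = (.*)$", line)
        if m:
            key, value_name, url = m.groups()
            if url.lower().startswith("file:"):
                findings.append(Finding(f"{key} {value_name}", url,
                                        f"IE {value_name} redirected to a local file"))
            elif not trusted_host(host_of(url)):
                findings.append(Finding(f"{key} {value_name}", url,
                                        f"IE {value_name} points to unrecognised host {host_of(url)}"))
            continue
        m = re.match(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$", line)
        if m:
            hive, name, command = m.groups()
            exe = executable_of(command)
            low = exe.lower()
            item = f"O4 {hive} [{name}]"
            if any(d in low for d in TRANSIENT_DIRS):
                findings.append(Finding(item, exe, "autorun launched from a temp or profile-data folder"))
            elif re.match(r"^c:\\windows\\[^\\]+\.exe$", low):
                findings.append(Finding(item, exe, "executable sitting directly in the Windows folder"))
            continue
        m = re.match(r"^O10 - Unknown file in Winsock LSP: (.*)$", line)
        if m:
            lsp_dlls[m.group(1).strip().lower()] += 1
            continue
        m = re.match(r"^O20 - AppInit_DLLs: (.*)$", line)
        if m and m.group(1).strip():
            findings.append(Finding("O20 AppInit_DLLs", m.group(1).strip(),
                                    "DLL loaded into every process that loads user32.dll; empty on a clean home PC"))
    for dll, count in lsp_dlls.items():
        if ntpath.basename(dll) not in KNOWN_LSP_DLLS:
            findings.append(Finding("O10 Winsock LSP", dll,
                                    f"non-standard layered service provider in {count} catalog entries; "
                                    "unregister it with LSPFix before deleting the file, or networking breaks"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.item:<28} {f.reason}\n    {f.path}")
```

    The LSP entries are counted rather than reported one by one because the same DLL is usually chained into several catalog entries (four in the log above), and the order matters: the catalog must be repaired first, which is why the reply tells you to run LSPFix before deleting lspak.dll in Safe Mode.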
     
  3. roscony

    roscony Thread Starter

    Joined:
    Nov 17, 2004
    Messages:
    10
    Ok, I ran CWShredder and removed the file you recommended, and the rest except for the MS security updates. Want to fix what's broke first!!

    Here's the latest from adaware, I will post hijack this separate...

    There are several things here that I think have to be removed... want to run the list by you before I go hacking away...

    Also, there are still lingering viruses and malware.

    There are specific sites which call for an automatic IE connection to them at startup; they are:

    www.clickspring.net

    fp.clickspring.net
    1ds648239uioperjzkshdhdgg2332owoht93nvn.biz

    and two errors which show up at bootup:
    ccfgnt434d.exe and wmv9dmod945g.exe

    Here are the files:


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Friday, November 19, 2004 7:23:42 AM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R217 08.09.2003
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file


    11-19-2004 7:23:42 AM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 11-19-2004 2:22:22 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 11-19-2004 2:22:27 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-19-2004 2:22:27 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 8/18/2001 12:00:00 PM
    Last accessed : 11/19/2004 3:23:43 PM
    Last modified : 8/18/2001 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-19-2004 2:22:27 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 8/18/2001 12:00:00 PM
    Last accessed : 11/19/2004 3:23:43 PM
    Last modified : 8/18/2001 12:00:00 PM

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-19-2004 2:22:29 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/18/2001 12:00:00 PM
    Last accessed : 11/19/2004 3:23:43 PM
    Last modified : 8/18/2001 12:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 11-19-2004 2:22:29 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/18/2001 12:00:00 PM
    Last accessed : 11/19/2004 3:23:43 PM
    Last modified : 8/18/2001 12:00:00 PM

    #:7 [lexbces.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-19-2004 2:22:32 PM
    BasePriority : Normal
    FileSize : 296 KB
    FileVersion : 8.16
    ProductVersion : 8.16
    Copyright : (C) 1993 - 2003 Lexmark International, Inc.
    CompanyName : Lexmark International, Inc.
    FileDescription : LexBce Service
    InternalName : LexBce Service
    OriginalFilename : LexBceS.exe
    ProductName : MarkVision for Windows (32 bit)
    Created on : 9/28/2003 8:09:03 PM
    Last accessed : 11/19/2004 3:23:43 PM
    Last modified : 2/25/2003 5:52:00 AM

    #:8 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-19-2004 2:22:33 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 8/18/2001 12:00:00 PM
    Last accessed : 11/19/2004 3:23:43 PM
    Last modified : 8/18/2001 12:00:00 PM

    #:9 [lexpps.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 11-19-2004 2:22:34 PM
    BasePriority : Normal
    FileSize : 170 KB
    FileVersion : 8.16
    ProductVersion : 8.16
    Copyright : (C) 1993 - 2003 Lexmark International, Inc.
    CompanyName : Lexmark International, Inc.
    FileDescription : LEXPPS.EXE
    InternalName : LEXPPS
    OriginalFilename : LEXPPS.EXE
    ProductName : MarkVision for Windows (32 bit)
    Created on : 9/28/2003 8:09:03 PM
    Last accessed : 11/19/2004 3:23:43 PM
    Last modified : 2/25/2003 5:50:00 AM

    #:10 [avguard.exe]
    FilePath : C:\Program Files\AVPersonal\
    ThreadCreationTime : 11-19-2004 2:22:34 PM
    BasePriority : Normal
    FileSize : 236 KB
    FileVersion : 6.28.00.07
    ProductVersion : 6.28.00.07
    Copyright : Copyright
    CompanyName : H+BEDV Datentechnik GmbH
    FileDescription : Antivirus Service for Windows XP/2000/NT
    InternalName : NTGuard
    OriginalFilename : Guard.exe
    ProductName : Windows XP/2000/XP Guard Service
    Created on : 10/15/2004 4:25:02 PM
    Last accessed : 11/19/2004 3:23:43 PM
    Last modified : 10/15/2004 4:25:02 PM

    #:11 [avwupsrv.exe]
    FilePath : C:\Program Files\AVPersonal\
    ThreadCreationTime : 11-19-2004 2:22:34 PM
    BasePriority : Normal
    FileSize : 36 KB
    FileVersion : 6.28.00.01
    ProductVersion : 6.28.00.01
    Copyright : Copyright
    CompanyName : H+BEDV Datentechnik GmbH, Germany
    FileDescription : AntiVir Software Update Service for Windows
    InternalName : AntiVir Update Service
    OriginalFilename : AVWUpSrv.exe
    ProductName : AntiVir Update Service for Windows XP, 2000, NT
    Created on : 11/15/2004 2:06:57 AM
    Last accessed : 11/19/2004 3:23:43 PM
    Last modified : 9/30/2004 5:11:00 PM

    #:12 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 11-19-2004 2:25:44 PM
    BasePriority : Normal
    FileSize : 977 KB
    FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
    ProductVersion : 6.00.2600.0000
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 8/18/2001 12:00:00 PM
    Last accessed : 11/19/2004 2:25:45 PM
    Last modified : 8/18/2001 12:00:00 PM

    #:13 [wkssb.exe]
    FilePath : C:\Program Files\Microsoft Works\
    ThreadCreationTime : 11-19-2004 2:25:54 PM
    BasePriority : Normal
    FileSize : 304 KB
    FileVersion : 6.00.1902.0
    ProductVersion : 6.00.1902.0
    Copyright : Copyright
    CompanyName : Microsoft
    FileDescription : Microsoft
    InternalName : WKSPF
    OriginalFilename : WksSb.exe
    ProductName : Microsoft
    Created on : 8/10/2000 6:00:00 PM
    Last accessed : 11/19/2004 2:25:54 PM
    Last modified : 8/10/2000 6:00:00 PM

    #:14 [avsched32.exe]
    FilePath : C:\Program Files\AVPersonal\
    ThreadCreationTime : 11-19-2004 2:26:00 PM
    BasePriority : Normal
    FileSize : 108 KB
    FileVersion : 6.28.00.00
    ProductVersion : 6.28.00.00
    Copyright : Copyright
    CompanyName : H+BEDV Datentechnik GmbH
    FileDescription : AVSched32
    InternalName : AVSched32
    OriginalFilename : AVSched32.exe
    ProductName : AVSched32
    Created on : 9/30/2004 5:10:58 PM
    Last accessed : 11/19/2004 2:26:00 PM
    Last modified : 9/30/2004 5:10:58 PM

    #:15 [avgnt.exe]
    FilePath : C:\Program Files\AVPersonal\
    ThreadCreationTime : 11-19-2004 2:26:02 PM
    BasePriority : Normal
    FileSize : 124 KB
    FileVersion : 6.28.00.01
    ProductVersion : 6.28.00.01
    Copyright : Copyright
    CompanyName : H+BEDV Datentechnik GmbH
    FileDescription : AntiVir Guard/XP Control Program
    InternalName : AVGNT
    OriginalFilename : AVGNT.EXE
    ProductName : AntiVir Guard Control Program
    Created on : 9/30/2004 5:10:56 PM
    Last accessed : 11/19/2004 2:26:01 PM
    Last modified : 9/30/2004 5:10:56 PM

    #:16 [teatimer.exe]
    FilePath : C:\Program Files\Spybot - Search & Destroy\
    ThreadCreationTime : 11-19-2004 2:26:15 PM
    BasePriority : Idle
    FileSize : 1014 KB
    FileVersion : 1, 3, 0, 12
    ProductVersion : 1, 3, 0, 12
    CompanyName : Safer Networking Limited
    FileDescription : System settings protector
    InternalName : TeaTimer
    OriginalFilename : TeaTimer.exe
    ProductName : Spybot - Search & Destroy
    Created on : 5/12/2004 9:03:00 AM
    Last accessed : 11/19/2004 2:26:14 PM
    Last modified : 5/12/2004 9:03:00 AM

    #:17 [msmsgs.exe]

    FilePath : C:\Program Files\Messenger\
    ThreadCreationTime : 11-19-2004 2:26:17 PM
    BasePriority : Normal
    FileSize : 1052 KB
    FileVersion : 4.0.0155
    ProductVersion : Version 4.0
    Copyright : Copyright (c) Microsoft Corporation 1997-2001
    CompanyName : Microsoft Corporation
    FileDescription : Messenger Client
    InternalName : msmsgs
    OriginalFilename : msmsgs.exe
    ProductName : Messenger
    Created on : 8/2/2001 1:14:34 PM
    Last accessed : 11/19/2004 3:23:44 PM
    Last modified : 8/2/2001 1:14:34 PM

    #:18 [jgaw400213a.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 11-19-2004 2:26:20 PM
    BasePriority : Normal
    FileSize : 101 KB
    Created on : 10/16/2004 11:29:53 PM
    Last accessed : 11/19/2004 2:26:20 PM
    Last modified : 10/16/2004 11:29:41 PM


    #:19 [clcd32973b.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 11-19-2004 2:26:23 PM
    BasePriority : Normal
    FileSize : 101 KB
    Created on : 9/16/2004 8:43:39 PM
    Last accessed : 11/19/2004 2:26:23 PM
    Last modified : 9/16/2004 8:43:23 PM

    #:20 [aim.exe]
    FilePath : C:\Program Files\AIM\
    ThreadCreationTime : 11-19-2004 2:26:25 PM
    BasePriority : Normal
    FileSize : 60 KB
    FileVersion : 5.5.3572
    ProductVersion : 5.5.3572
    Copyright : Copyright
    CompanyName : America Online, Inc.
    FileDescription : AOL Instant Messenger
    InternalName : AIM
    OriginalFilename : AIM.EXE
    ProductName : AOL Instant Messenger
    Created on : 3/7/2004 6:34:39 PM
    Last accessed : 11/19/2004 2:26:30 PM
    Last modified : 2/4/2004 8:29:24 PM

    #:21 [ttuh.exe]
    FilePath : C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Application Data\
    ThreadCreationTime : 11-19-2004 2:26:27 PM
    BasePriority : Normal
    FileSize : 66 KB
    Created on : 9/16/2004 8:49:46 PM
    Last accessed : 11/19/2004 2:26:27 PM
    Last modified : 11/19/2004 6:09:19 AM
    -- *I don't know what this is?*

    #:22 [wkcalrem.exe]
    FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
    ThreadCreationTime : 11-19-2004 2:26:39 PM
    BasePriority : Normal
    FileSize : 24 KB
    FileVersion : 6.00.1828.1
    ProductVersion : 6.00.1828.1
    Copyright : Copyright
    CompanyName : Microsoft
    FileDescription : Microsoft
    InternalName : WkCalRem
    OriginalFilename : WKCALREM.EXE
    ProductName : Microsoft
    Created on : 8/10/2000 6:00:00 PM
    Last accessed : 11/19/2004 2:26:39 PM
    Last modified : 8/10/2000 6:00:00 PM

    #:23 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 11-19-2004 3:23:17 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 11/15/2004 5:08:02 AM
    Last accessed : 11/19/2004 2:56:03 PM
    Last modified : 7/13/2003 6:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Huntbar Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\BTIEIN



    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1

    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    eAcceleration Object recognized!
    Type : File
    Data : a0001757.exe
    Object : C:\System Volume Information\_restore{F2F4BFF3-162D-4BF8-8BAB-EF27DEE794BD}\RP24\
    FileSize : 657 KB
    FileVersion : 1, 0, 00, 0014
    ProductVersion : 1, 0, 00, 0014
    Copyright : Copyright 2002 eAcceleration Corporation
    CompanyName : Accelereration Software International Corporation
    FileDescription : eAcceleration Installer
    InternalName : Eac Installer
    OriginalFilename : sfx.exe
    ProductName : eAcceleration Installer
    Created on : 4/6/2003 2:44:03 PM
    Last accessed : 11/19/2004 3:30:45 PM
    Last modified : 4/6/2003 2:44:15 PM



    PeopleOnPage Object recognized!
    Type : File
    Data : a0001758.dll
    Object : C:\System Volume Information\_restore{F2F4BFF3-162D-4BF8-8BAB-EF27DEE794BD}\RP24\
    FileSize : 140 KB
    Created on : 8/11/2004 4:16:11 PM
    Last accessed : 11/19/2004 3:30:46 PM
    Last modified : 8/11/2004 4:15:17 PM



    TopSearch Object recognized!
    Type : File
    Data : a0001759.dll
    Object : C:\System Volume Information\_restore{F2F4BFF3-162D-4BF8-8BAB-EF27DEE794BD}\RP24\
    FileSize : 213 KB
    FileVersion : 1, 0, 0, 9
    ProductVersion : 1, 0, 0, 0
    Copyright : Copyright Altnet Inc.
    CompanyName : Altnet Inc.
    FileDescription : TopSearch
    InternalName : TopSearch
    OriginalFilename : TopSearch.dll
    ProductName : Altnet Inc. TopSearch

    Created on : 10/28/2002 6:37:36 PM
    Last accessed : 11/19/2004 3:30:46 PM
    Last modified : 10/28/2002 6:37:36 PM



    Ebates MoneyMaker Object recognized!
    Type : File
    Data : a0001761.exe
    Object : C:\System Volume Information\_restore{F2F4BFF3-162D-4BF8-8BAB-EF27DEE794BD}\RP24\
    FileSize : 24 KB
    Created on : 12/6/2003 5:10:00 PM
    Last accessed : 11/19/2004 3:30:46 PM
    Last modified : 12/6/2003 5:10:00 PM



    UpdateLoader Malware Object recognized!
    Type : File
    Data : a0001762.dll
    Object : C:\System Volume Information\_restore{F2F4BFF3-162D-4BF8-8BAB-EF27DEE794BD}\RP24\
    FileSize : 84 KB
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright 2003
    FileDescription : update_loader Module
    InternalName : update_loader
    OriginalFilename : update_loader.DLL
    ProductName : update_loader Module
    Created on : 7/20/2003 9:20:52 PM
    Last accessed : 11/19/2004 3:30:46 PM
    Last modified : 7/20/2003 9:20:53 PM



    SearchbarCash Object recognized!
    Type : File
    Data : a0001763.exe
    Object : C:\System Volume Information\_restore{F2F4BFF3-162D-4BF8-8BAB-EF27DEE794BD}\RP24\
    FileSize : 90 KB
    Created on : 7/20/2003 9:21:40 PM
    Last accessed : 11/19/2004 3:30:46 PM
    Last modified : 7/20/2003 9:21:44 PM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 7


    Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    10 entries scanned.
    New objects :0
    Objects found so far: 7




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Huntbar Object recognized!
    Type : Folder
    Object : c:\program files\common files\BTLINK


    Huntbar Object recognized!
    Type : Folder
    Object : c:\program files\common files\btlink\.


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 9


    7:34:16 AM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:10:32:329
    Objects scanned :120904
    Objects identified :9
    Objects ignored :0
    New objects :9

    --------------------------------------------------------------------------

    Located: HK_LM:Run, Aqua.exe
    command: C:\WINDOWS\System32\Aqua.exe
    file: C:\WINDOWS\System32\Aqua.exe
    size: 122548
    MD5: 3cfd8a59cd50817321aedbe48f797750
    ---I don't know what this is?


    Located: HK_LM:Run, AVGCtrl
    command: C:\Program Files\AVPersonal\AVGNT.EXE /min

    Located: HK_LM:Run, AVSCHED32
    command: C:\Program Files\AVPersonal\AVSched32.EXE /min

    Located: HK_LM:Run, Microsoft Works Portfolio
    command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

    Located: HK_LM:Run, Microsoft Works Update Detection
    command: C:\Program Files\Microsoft Works\WkDetect.exe
    file: C:\Program Files\Microsoft Works\WkDetect.exe
    size: 28739
    MD5: 3141750fad211c6dadf7c2dc2ec74da8

    Located: HK_LM:Run, oisen
    command: C:\WINDOWS\System32\oisen.exe

    Located: HK_LM:Run, RegistryMechanic
    command: C:\Program Files\Registry Mechanic\RegMech.exe /S

    Located: HK_LM:Run, Spyware Stormer
    command: C:\Program Files\Spyware Stormer\SpywareStormer.Exe
    file: C:\Program Files\Spyware Stormer\SpywareStormer.Exe
    size: 901120
    MD5: 7bc6ca66b6ccba77d9df772b11c74236

    Located: HK_CU:Run, AIM
    command: C:\Program Files\AIM\aim.exe -cnetwait.odl

    Located: HK_CU:Run, ccfgnt434d.exe
    command: "C:\WINDOWS\System32\ccfgnt434d.exe"
    file: C:\WINDOWS\System32\ccfgnt434d.exe
    size: 103424
    MD5: 7c734a173c6e57147a6f2fb66ada72f6

    Located: HK_CU:Run, clcd32973b.exe
    command: "C:\WINDOWS\System32\clcd32973b.exe"
    file: C:\WINDOWS\System32\clcd32973b.exe
    size: 103424
    MD5: 7c734a173c6e57147a6f2fb66ada72f6
    --I don't know??

    Located: HK_CU:Run, d3drm818a.exe
    command: "C:\WINDOWS\System32\d3drm818a.exe"
    file: C:\WINDOWS\System32\d3drm818a.exe
    size: 103424
    MD5: 7c734a173c6e57147a6f2fb66ada72f6
    --I don't know??

    Located: HK_CU:Run, jgaw400213a.exe
    command: "C:\WINDOWS\System32\jgaw400213a.exe"
    file: C:\WINDOWS\System32\jgaw400213a.exe
    size: 103424
    MD5: 7c734a173c6e57147a6f2fb66ada72f6
    --I don't know??

    Located: HK_CU:Run, mindex474s.exe
    command: "C:\WINDOWS\System32\mindex474s.exe"
    file: C:\WINDOWS\System32\mindex474s.exe
    size: 103424
    MD5: 7c734a173c6e57147a6f2fb66ada72f6
    --I don't know??

    Located: HK_CU:Run, MoneyStartUp
    command: C:\Program Files\Microsoft Money\System\Money Startup.exe
    file: C:\Program Files\Microsoft Money\System\Money Startup.exe
    size: 24625
    MD5: 334e3339bd852836277af2c57f16e208

    Located: HK_CU:Run, MSMSGS
    command: "C:\Program Files\Messenger\msmsgs.exe" /background
    file: C:\Program Files\Messenger\msmsgs.exe
    size: 1077277
    MD5: 10a98fa310d1b6664f999378efd031ba

    Located: HK_CU:Run, SpybotSD TeaTimer
    command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    size: 1038336
    MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

    Located: HK_CU:Run, traffic944c.exe
    command: "C:\WINDOWS\System32\traffic944c.exe"
    file: C:\WINDOWS\System32\traffic944c.exe
    size: 103424
    MD5: 7c734a173c6e57147a6f2fb66ada72f6
    --I don't know??

    Located: HK_CU:Run, wmv9dmod945g.exe
    command: "C:\WINDOWS\System32\wmv9dmod945g.exe"
    file: C:\WINDOWS\System32\wmv9dmod945g.exe
    size: 103424
    MD5: 7c734a173c6e57147a6f2fb66ada72f6
    --not sure?

    Located: Startup (common), Microsoft Office.lnk
    command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
    file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
    size: 65588
    MD5: 1a80248ec5d290a391ce27326dd13e29

    Located: Startup (common), Microsoft Works Calendar Reminders.lnk
    command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    size: 24633
    MD5: 7084b58a098d2f83b304832251a8c6a8
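Added triage example (not part of this thread or of HijackThis/StartupList): the script below parses the "Located:" startup listing in the post above, groups entries by MD5 so that one binary registered under several generated names stands out, and lists the entries the listing gave no hash for. The sample input is a constructed subset of the entries quoted above, and the generated-name pattern is a heuristic fitted to this log's naming style, not a rule from any tool.

```python
"""Startup-listing triage: added example, not part of this thread or of the
tools used in it. Parses "Located:" blocks, groups them by MD5 so one binary
under several generated names stands out, and lists entries with no hash."""
import re
from collections import defaultdict

# Constructed sample: a subset of the "Located:" entries posted in this thread,
# with paths, sizes and MD5s exactly as quoted there.
SAMPLE_LOG = r"""
Located: HK_LM:Run, AVGCtrl
command: C:\Program Files\AVPersonal\AVGNT.EXE /min

Located: HK_LM:Run, oisen
command: C:\WINDOWS\System32\oisen.exe

Located: HK_CU:Run, clcd32973b.exe
command: "C:\WINDOWS\System32\clcd32973b.exe"
file: C:\WINDOWS\System32\clcd32973b.exe
size: 103424
MD5: 7c734a173c6e57147a6f2fb66ada72f6

Located: HK_CU:Run, d3drm818a.exe
command: "C:\WINDOWS\System32\d3drm818a.exe"
file: C:\WINDOWS\System32\d3drm818a.exe
size: 103424
MD5: 7c734a173c6e57147a6f2fb66ada72f6

Located: HK_CU:Run, jgaw400213a.exe
command: "C:\WINDOWS\System32\jgaw400213a.exe"
file: C:\WINDOWS\System32\jgaw400213a.exe
size: 103424
MD5: 7c734a173c6e57147a6f2fb66ada72f6

Located: Startup (common), Microsoft Works Calendar Reminders.lnk
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
size: 24633
MD5: 7084b58a098d2f83b304832251a8c6a8
"""

LOCATED_RE = re.compile(r"^Located:\s*(?P<where>[^,]+),\s*(?P<name>.+?)\s*$")
FIELD_RE = re.compile(r"^(?P<key>command|file|size|MD5):\s*(?P<value>.*?)\s*$")
# Heuristic for the naming style in this log: letters, three or more digits,
# one trailing letter (clcd32973b.exe, mmfutil279p.dll).
GENERATED_RE = re.compile(r"^[a-z0-9]*[a-z]\d{3,}[a-z]\.(exe|dll)$")

def parse_located(text):
    """One dict per 'Located:' block, with its command/file/size/md5 fields."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCATED_RE.match(line)
        if m:
            current = {"where": m["where"].strip(), "name": m["name"]}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = m["key"].lower()
            current[key] = int(m["value"]) if key == "size" else m["value"]
    return entries

def target_path(entry):
    """The 'file:' path when present, else the command with quoting and a
    trailing /switch or -switch stripped (enough for the commands in this log)."""
    if "file" in entry:
        return entry["file"]
    cmd = entry["command"]
    return cmd.split('"')[1] if cmd.startswith('"') else re.split(r"\s+[/-]", cmd)[0]

def basename(path):
    return path.rsplit("\\", 1)[-1]

def looks_generated(filename):
    return GENERATED_RE.match(filename.lower()) is not None

def find_cloned_binaries(entries):
    """Same MD5 under two or more file names: one dropper copied under many
    names, each copy registered to run at logon (the pattern in this log)."""
    names = defaultdict(set)
    for e in entries:
        if "md5" in e and "file" in e:
            names[e["md5"].lower()].add(basename(e["file"]).lower())
    return {h: sorted(n) for h, n in names.items() if len(n) > 1}

def triage(text):
    entries = parse_located(text)
    files = [basename(target_path(e)).lower() for e in entries]
    return {
        "clones": find_cloned_binaries(entries),
        "generated_names": sorted({f for f in files if looks_generated(f)}),
        # No hash in the listing: nothing to compare, so verify these on disk.
        "unhashed": sorted((e["name"], target_path(e)) for e in entries if "md5" not in e),
    }

if __name__ == "__main__":
    for section, rows in triage(SAMPLE_LOG).items():
        print(section, rows)
```

Run against the full listing, the same grouping would put all seven of the 103424-byte entries under a single hash, which is the quickest way to tell the copies of one dropper apart from the legitimate Run entries around them.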
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,315
    I'm aware that there are still things to clean up. That's why I asked you to post a new Hijack This log after following those recommendations so that we can see what's left to get rid of. Please do so now so that we can continue.
     
  5. roscony

    roscony Thread Starter

    Joined:
    Nov 17, 2004
    Messages:
    10
    Logfile of HijackThis v1.98.2
    Scan saved at 6:27:11 PM, on 11/19/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\clcd32973b.exe
    C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Application Data\ttuh.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
    O2 - BHO: (no name) - {3DD8695A-9310-4EC8-DA25-6C5505DA7341} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\System32\ieredir.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Aqua.exe] C:\WINDOWS\System32\Aqua.exe
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
    O4 - HKLM\..\Run: [oisen] C:\WINDOWS\System32\oisen.exe
    O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [traffic944c.exe] "C:\WINDOWS\System32\traffic944c.exe"
    O4 - HKCU\..\Run: [wmv9dmod945g.exe] "C:\WINDOWS\System32\wmv9dmod945g.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\Run: [mindex474s.exe] "C:\WINDOWS\System32\mindex474s.exe"
    O4 - HKCU\..\Run: [jgaw400213a.exe] "C:\WINDOWS\System32\jgaw400213a.exe"
    O4 - HKCU\..\Run: [d3drm818a.exe] "C:\WINDOWS\System32\d3drm818a.exe"
    O4 - HKCU\..\Run: [clcd32973b.exe] "C:\WINDOWS\System32\clcd32973b.exe"
    O4 - HKCU\..\Run: [ccfgnt434d.exe] "C:\WINDOWS\System32\ccfgnt434d.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Application Data\ttuh.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {4D8E6154-D6B1-4770-A9A1-4919686F415E} - (no file) (HKCU)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86E7854C-559B-4518-BB8D-3DB7407A6367}: NameServer = 198.6.1.60 198.6.1.70
    O20 - AppInit_DLLs: C:\WINDOWS\System32\mmfutil279p.dll
     
  6. roscony

    roscony Thread Starter

    Joined:
    Nov 17, 2004
    Messages:
    10
    Also, on another note, the dial-up connection only connects at 4 Kbps.
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,315
    Go to Control Panel – Add/Remove programs and remove these, if present:

    Web_Rebates
    NaviSearch
    CashBack
    Bargain Buddy


    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find ISEXEng.

    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.


    Copy the contents of the quote box to notepad. Go to File > Save As and name it Fix.reg (save as type: 'all files') and save it to your desktop.


    Perform the following steps in safe mode:

    Double click on the Fix.reg file you saved to enter it into the registry. Answer yes when asked to have its contents added to the registry.

    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

    O2 - BHO: (no name) - SOFTWARE - (no file)

    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)

    O2 - BHO: (no name) - {3DD8695A-9310-4EC8-DA25-6C5505DA7341} - (no file)

    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll

    O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\System32\ieredir.dll

    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll

    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe

    O4 - HKLM\..\Run: [Aqua.exe] C:\WINDOWS\System32\Aqua.exe

    O4 - HKLM\..\Run: [oisen] C:\WINDOWS\System32\oisen.exe

    O4 - HKCU\..\Run: [traffic944c.exe] "C:\WINDOWS\System32\traffic944c.exe"

    O4 - HKCU\..\Run: [wmv9dmod945g.exe] "C:\WINDOWS\System32\wmv9dmod945g.exe"

    O4 - HKCU\..\Run: [mindex474s.exe] "C:\WINDOWS\System32\mindex474s.exe"

    O4 - HKCU\..\Run: [jgaw400213a.exe] "C:\WINDOWS\System32\jgaw400213a.exe"

    O4 - HKCU\..\Run: [d3drm818a.exe] "C:\WINDOWS\System32\d3drm818a.exe"

    O4 - HKCU\..\Run: [clcd32973b.exe] "C:\WINDOWS\System32\clcd32973b.exe"

    O4 - HKCU\..\Run: [ccfgnt434d.exe] "C:\WINDOWS\System32\ccfgnt434d.exe"

    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Application Data\ttuh.exe

    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    O9 - Extra button: (no name) - {4D8E6154-D6B1-4770-A9A1-4919686F415E} - (no file) (HKCU)

    O20 - AppInit_DLLs: C:\WINDOWS\System32\mmfutil279p.dll


    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    C:\Program Files\Spyware Stormer - folder
    C:\WINDOWS\System32\Aqua.exe - file
    C:\WINDOWS\System32\oisen.exe - file
    C:\WINDOWS\System32\traffic944c.exe - file
    C:\WINDOWS\System32\wmv9dmod945g.exe - file
    C:\WINDOWS\System32\mindex474s.exe - file
    C:\WINDOWS\System32\jgaw400213a.exe - file
    C:\WINDOWS\System32\d3drm818a.exe - file
    C:\WINDOWS\System32\clcd32973b.exe - file
    C:\WINDOWS\System32\ccfgnt434d.exe - file
    C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Application Data\ttuh.exe - file
    C:\Program Files\Web_Rebates - folder
    C:\WINDOWS\System32\angelex.exe - file
    C:\WINDOWS\System32\nvms.dll - file
    C:\WINDOWS\System32\mscb.dll - file
    C:\WINDOWS\System32\msbe.dll - file

    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Then reboot and post another log please.
     
  8. roscony

    roscony Thread Starter

    Joined:
    Nov 17, 2004
    Messages:
    10
    Cookie,

    Here is the latest log after the above instructions.

    Logfile of HijackThis v1.98.2
    Scan saved at 11:57:20 AM, on 11/21/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\AVPersonal\AVSched32.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\kaitlyn.WALSHFAMILYCOMP.000\Desktop\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86E7854C-559B-4518-BB8D-3DB7407A6367}: NameServer = 198.6.1.60 198.6.1.70



    IE cannot access any web pages; it just gives the "Page cannot be displayed" white page. However, all apps (i.e. Windows Update, Spybot, etc.) are able to connect to the server to request and download any updates available.

    What next?

    Diane
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,315
    Rescan with Hijack This and have it fix these items:

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    Try repairing IE:

    Click Start > Settings > Control Panel, then double-click Add/Remove Programs. On the Install/Uninstall tab, double-click "Microsoft Internet Explorer 6 SP1 and Internet Tools", click the Repair Internet Explorer option, and then click OK.
     
  10. roscony

    roscony Thread Starter

    Joined:
    Nov 17, 2004
    Messages:
    10
    OK, I did all this and still get "page cannot be displayed" when trying to connect to the internet. I also still connect at only "4 Kbps"!

    MS security updates are all applied, up to Windows XP SP2.
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,315
    It looks like there were some things found in System Restore. Disable System Restore to flush out all previous restore points. Leave it disabled while you run the two on-line scans:

    Do a couple of on-line virus scans at these links:

    http://housecall.trendmicro.com/ (be sure to check “auto Clean” before scanning)


    http://www.pandasoftware.com/activescan/
     
  12. roscony

    roscony Thread Starter

    Joined:
    Nov 17, 2004
    Messages:
    10
    No viruses found scanning with Trend. I'm now getting to internet pages; just certain URLs are not working. I am still connecting at 4 Kbps, on a 56K Conexant modem. Have any idea why the low connection speed? Could it be a system-related problem?
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,315
    Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

    http://www.subratam.org/?page=removal
     
  14. roscony

    roscony Thread Starter

    Joined:
    Nov 17, 2004
    Messages:
    10
    It will not make a log, so here is a copy and paste of log excluding the files it lists for option to delete:

    Files Found---
    C:\WINDOWS\System32\6bo4svc.dll
    C:\WINDOWS\System32\6co4svc.dll
    C:\WINDOWS\System32\6eo4svc.dll
    C:\WINDOWS\System32\6fo4svc.dll
    C:\WINDOWS\System32\6io4svc.dll
    C:\WINDOWS\System32\6lo4svc.dll
    C:\WINDOWS\System32\6mo4svc.dll
    C:\WINDOWS\System32\6po4svc.dll
    C:\WINDOWS\System32\6wo4svc.dll
    C:\WINDOWS\System32\6yo4svc.dll
    C:\WINDOWS\System32\aaptif.dll
    C:\WINDOWS\System32\acaamon.dll
    C:\WINDOWS\System32\aolui.dll
    C:\WINDOWS\System32\assldp.dll
    C:\WINDOWS\System32\awptif.dll

    Additional Files---

    Keys Under Notify---
    crypt32chain
    cryptnet
    cscdll
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    wlballoon


    Guardian Key--- is called:

    Guardian Key--- :

    User Agent String---
    {95A2D290-DAFC-4C12-A17C-40C60F5BBB0B}


    Also attached is the hosts log, which it did create.
     


  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,315
    IMPORTANT!: Before you run this tool please close ALL running programs. Sign off and stay off the internet until the entire procedure is complete.


    Now run VX2Finder again and click on the Find VX2.Betterinternet button. It will display the entries as before. Select all these files:

    C:\WINDOWS\System32\6bo4svc.dll
    C:\WINDOWS\System32\6co4svc.dll
    C:\WINDOWS\System32\6eo4svc.dll
    C:\WINDOWS\System32\6fo4svc.dll
    C:\WINDOWS\System32\6io4svc.dll
    C:\WINDOWS\System32\6lo4svc.dll
    C:\WINDOWS\System32\6mo4svc.dll
    C:\WINDOWS\System32\6po4svc.dll
    C:\WINDOWS\System32\6wo4svc.dll
    C:\WINDOWS\System32\6yo4svc.dll
    C:\WINDOWS\System32\aaptif.dll
    C:\WINDOWS\System32\acaamon.dll
    C:\WINDOWS\System32\aolui.dll
    C:\WINDOWS\System32\assldp.dll
    C:\WINDOWS\System32\awptif.dll

    This time click on the Delete these files button. It will give you a message about one file to be deleted on reboot.

    It will ask to reboot to delete the last file. Go ahead and restart the computer.

    After it reboots run VX2Finder again and click on the User Agent button and it will delete the user agent string.

    Next click on the Guardian.reg button and it will delete the Guardian Key.

    Finally click the Restore Policy button to restore the Debug policy altered in the Look2Me installation.

    Restart your computer.


    Run VX2Finder and save the log, then post it showing all the files (do not exclude any). Come back here and post that log along with another Hijack This log.
     
Short URL to this thread: https://techguy.org/297442