
URL www.google default problem

Discussion in 'Web & Email' started by bobolink, Apr 28, 2004.

  1. bobolink

    bobolink Thread Starter

    Joined:
    Jul 30, 2003
    Messages:
    125
    Whenever (today) I open IE, the web browser defaults to "about:blank"! :confused: No matter how often I set the default to Google, it returns to this unwanted site! I have run scans with HJT, Spybot and Ad-aware but cannot find any problems in these scans. Can anyone explain this one??? Have I been hijacked? :(
     
  2. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
  3. bobolink

    bobolink Thread Starter

    Joined:
    Jul 30, 2003
    Messages:
    125
    Ok, Ok! Here is my HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:41:10 PM, on 4/28/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\WEBSHOTS.SCR
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {1EE7884C-771F-4D5E-9032-2F83426FCAB9} - C:\WINDOWS\SYSTEM\LLKCKG.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
    O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~9\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MicroAttuneDownload] "C:\Program Files\Aveo\Attune\Updater0\atmdlup4.exe" -uninstall
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Webshots\Launcher.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.7714699074
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
     
  4. bobolink

    bobolink Thread Starter

    Joined:
    Jul 30, 2003
    Messages:
    125
    :confused:

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Wednesday, April 28, 2004 3:33:46 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R300 28.04.2004
    ______________________________________________________

    Reffile status:
    =========================
    Reference file loaded:
    Reference Number : 01R300 28.04.2004
    Internal build : 232
    File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
    Total size : 1067819 Bytes
    Signature data size : 1049543 Bytes
    Reference data size : 18212 Bytes
    Signatures total : 23564
    Target categories : 10
    Target families : 458

    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Intel Pentium III
    Memory available:23 %
    Total physical memory:129292 kb
    Available physical memory:156 kb
    Total page file size:1967856 kb
    Available on page file:1867796 kb
    Total virtual memory:2093056 kb
    Available virtual memory:2051648 kb
    OS:Windows (ME)

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-aware Settings
    =========================
    Set : Unload recognized processes during scanning
    Set : Include basic Ad-aware settings in logfile
    Set : Include additional Ad-aware settings in logfile
    Set : Let windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Always back up reference file, before updating
    Set : Play sound if scan produced a result


    4-28-2004 3:33:46 PM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [kernel32.dll]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4279202475
    Threads : 4
    Priority : High
    FileSize : 524 KB
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    Copyright : Copyright (C) Microsoft Corp. 1991-2000
    CompanyName : Microsoft Corporation
    FileDescription : Win32 Kernel core component
    InternalName : KERNEL32
    OriginalFilename : KERNEL32.DLL
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    Created on : 1/1/1601
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/8/2000 9:00:00 PM

    #:2 [msgsrv32.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294916359
    Threads : 1
    Priority : Normal
    FileSize : 11 KB
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    Copyright : Copyright (C) Microsoft Corp. 1992-1998
    CompanyName : Microsoft Corporation
    FileDescription : Windows 32-bit VxD Message Server
    InternalName : MSGSRV32
    OriginalFilename : MSGSRV32.EXE
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    Created on : 1/1/1601
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/8/2000 9:00:00 PM

    #:3 [mmtask.tsk]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294940979
    Threads : 1
    Priority : Normal
    FileSize : 1 KB
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    Copyright : Copyright
    CompanyName : Microsoft Corporation
    FileDescription : Multimedia background task support module
    InternalName : mmtask.tsk
    OriginalFilename : mmtask.tsk
    ProductName : Microsoft Windows
    Created on : 1/1/1601
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/8/2000 9:00:00 PM

    #:4 [mprexe.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294943607
    Threads : 1
    Priority : Normal
    FileSize : 28 KB
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    Copyright : Copyright (C) Microsoft Corp. 1993-2000
    CompanyName : Microsoft Corporation
    FileDescription : WIN32 Network Interface Service Process
    InternalName : MPREXE
    OriginalFilename : MPREXE.EXE
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    Created on : 1/1/1601
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/8/2000 9:00:00 PM

    #:5 [mstask.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294855915
    Threads : 3
    Priority : Normal
    FileSize : 124 KB
    FileVersion : 4.71.2721.1
    ProductVersion : 4.71.2721.1
    Copyright : Copyright (C) Microsoft Corp. 2000
    CompanyName : Microsoft Corporation
    FileDescription : Task Scheduler Engine
    InternalName : TaskScheduler
    OriginalFilename : mstask.exe
    ProductName : Microsoft
    Created on : 1/1/1601
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/8/2000 9:00:00 PM

    #:6 [ssdpsrv.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294840571
    Threads : 4
    Priority : Normal
    FileSize : 55 KB
    FileVersion : 4.90.3003.0
    ProductVersion : 4.90.3003.0
    Copyright : Copyright (C) Microsoft Corp. 1981-2000
    CompanyName : Microsoft Corporation
    FileDescription : SSDP Service on Windows Millennium
    InternalName : ssdpsrv.exe
    OriginalFilename : ssdpsrv.exe
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    Created on : 7/12/2002 1:02:39 AM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 12/13/2001 9:38:12 PM

    #:7 [vsmon.exe]
    FilePath : C:\WINDOWS\SYSTEM\ZONELABS\
    ProcessID : 4294869191
    Threads : 16
    Priority : Normal
    FileSize : 805 KB
    FileVersion : 4.5.538.000
    ProductVersion : 4.5.538.000
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : TrueVector Service
    InternalName : vsmon
    OriginalFilename : vsmon.exe
    ProductName : TrueVector Service
    Created on : 1/8/2004 11:21:52 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 12/15/2003 6:56:24 PM

    #:8 [stmgr.exe]
    FilePath : C:\WINDOWS\SYSTEM\RESTORE\
    ProcessID : 4294787259
    Threads : 4
    Priority : Normal
    FileSize : 60 KB
    FileVersion : 4.90.0.2533
    ProductVersion : 4.90.0.2533
    Copyright : Copyright (C) Microsoft Corp. 1981-2000
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft (R) PC State Manager
    InternalName : StateMgr.exe
    OriginalFilename : StateMgr.exe
    ProductName : Microsoft (r) PCHealth
    Created on : 1/1/1601
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/8/2000 9:00:00 PM

    #:9 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 4294785083
    Threads : 15
    Priority : Normal
    FileSize : 220 KB
    FileVersion : 5.50.4134.100
    ProductVersion : 5.50.4134.100
    Copyright : Copyright (C) Microsoft Corp. 1981-2000
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 1/1/1601
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/8/2000 9:00:00 PM

    #:10 [taskmon.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 4294744515
    Threads : 1
    Priority : Normal
    FileSize : 28 KB
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    Copyright : Copyright (C) Microsoft Corp. 1998
    CompanyName : Microsoft Corporation
    FileDescription : Task Monitor
    InternalName : TaskMon
    OriginalFilename : TASKMON.EXE
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    Created on : 1/1/1601
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/8/2000 9:00:00 PM

    #:11 [em_exec.exe]
    FilePath : C:\PROGRAM FILES\MOUSEWARE\SYSTEM\
    ProcessID : 4294749695
    Threads : 1
    Priority : Normal
    FileSize : 33 KB
    FileVersion : 9.01.78
    ProductVersion : 9.01
    Copyright : Copyright
    CompanyName : Logitech Inc.
    FileDescription : Control Center
    InternalName : EM_EXEC
    OriginalFilename : EM_EXEC.CPP
    ProductName : MouseWare
    Created on : 9/27/2000 4:06:16 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 2/4/2000 1:01:00 PM

    #:12 [motmon.exe]
    FilePath : C:\PROGRAM FILES\MOTIVE\
    ProcessID : 4294894715
    Threads : 3
    Priority : Idle
    FileSize : 136 KB
    FileVersion : 3.02.01.20000518_111104
    ProductVersion : 3.02.01
    Copyright : Copyright 1998, 1999, 2000
    CompanyName : Motive Communications, Inc.
    FileDescription : Motive Monitor Service
    InternalName : 3.02.01.20000518_111104
    OriginalFilename : motmon
    ProductName : Motive System
    Created on : 9/27/2000 4:06:53 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 5/18/2000 3:56:44 PM

    #:13 [rxmon9x.exe]
    FilePath : C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\
    ProcessID : 4294734559
    Threads : 7
    Priority : Normal
    FileSize : 64 KB
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright
    CompanyName : Dell Computer Corporation
    FileDescription : Rx Monitor for 9x
    InternalName : RxMon9x
    OriginalFilename : RxMon9x.exe
    ProductName : Dell OpenManage Resolution Assistant
    Created on : 9/27/2000 4:06:48 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 7/30/2000 11:06:56 AM

    #:14 [systray.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294689891
    Threads : 2
    Priority : Normal
    FileSize : 36 KB
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    Copyright : Copyright (C) Microsoft Corp. 1993-2000
    CompanyName : Microsoft Corporation
    FileDescription : System Tray Applet
    InternalName : SYSTRAY
    OriginalFilename : SYSTRAY.EXE
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    Created on : 1/1/1601
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/8/2000 9:00:00 PM

    #:15 [navapw32.exe]
    FilePath : C:\PROGRAM FILES\NORTON ANTIVIRUS\
    ProcessID : 4294672967
    Threads : 13
    Priority : Normal
    FileSize : 73 KB
    FileVersion : 8.07.17
    ProductVersion : 8.07.17
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Agent
    InternalName : NAVAPW32
    OriginalFilename : NAVAPW32.EXE
    ProductName : Norton AntiVirus
    Created on : 3/5/2002 8:04:48 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 2/27/2002 3:27:58 PM

    #:16 [realplay.exe]
    FilePath : C:\PROGRAM FILES\REAL\REALPLAYER\
    ProcessID : 4294655163
    Threads : 6
    Priority : Normal
    FileSize : 20 KB
    FileVersion : 6.0.8.131
    ProductVersion : 6.0.8.131
    Copyright : Copyright
    CompanyName : RealNetworks, Inc.
    FileDescription : RealPlayer
    InternalName : REALPLAY
    OriginalFilename : REALPLAY.EXE
    ProductName : RealPlayer (32-bit)
    Created on : 1/11/2001 1:13:31 AM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 1/11/2001 1:13:32 AM

    #:17 [mm_tray.exe]
    FilePath : C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\
    ProcessID : 4294646975
    Threads : 1
    Priority : Normal
    FileSize : 100 KB
    FileVersion : 1, 0, 0, 1
    ProductVersion : 4.00.0180
    Copyright : Copyright (C) MusicMatch 1998-1999
    CompanyName : MusicMatch
    FileDescription : mmjb MFC Application
    InternalName : mmjb
    OriginalFilename : mmjb.EXE
    ProductName : MusicMatch Jukebox
    Created on : 9/27/2000 4:14:18 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 11/12/2001 2:11:16 AM

    #:18 [qttask.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294626067
    Threads : 1
    Priority : Normal
    FileSize : 28 KB
    Created on : 11/28/2001 11:34:31 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 11/28/2001 11:34:32 PM

    #:19 [swtrayv4.exe]
    FilePath : C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\
    ProcessID : 4294631707
    Threads : 2
    Priority : Normal
    FileSize : 24 KB
    FileVersion : 4.03.253
    ProductVersion : 4.03.253
    Copyright : Copyright
    CompanyName : Microsoft Corporation
    FileDescription : MS SideWinder Tray Application
    InternalName : MS SideWinder Tray Application
    OriginalFilename : SWTRAYV4.EXE
    ProductName : Microsoft Game Controller Software
    Created on : 12/29/2001 8:50:50 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/2/2000 11:07:58 PM

    #:20 [zlclient.exe]
    FilePath : C:\PROGRAM FILES\ZONE LABS\ZONEALARM\
    ProcessID : 4294604127
    Threads : 6
    Priority : Normal
    FileSize : 677 KB
    FileVersion : 4.5.538.000
    ProductVersion : 4.5.538.000
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : Zone Labs Client
    InternalName : zlclient
    OriginalFilename : zlclient.exe
    ProductName : Zone Labs Client
    Created on : 1/8/2004 11:21:54 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 12/15/2003 6:57:12 PM

    #:21 [wmiexe.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294620007
    Threads : 3
    Priority : Normal
    FileSize : 16 KB
    FileVersion : 4.90.2452.1
    ProductVersion : 4.90.2452.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : WMI service exe housing
    InternalName : wmiexe
    OriginalFilename : wmiexe.exe
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    Created on : 1/1/1601
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 6/8/2000 9:00:00 PM

    #:22 [wkcalrem.exe]
    FilePath : C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\
    ProcessID : 4294523123
    Threads : 2
    Priority : Normal
    FileSize : 52 KB
    FileVersion : 5.00.1928.1
    ProductVersion : 5.00.1928.1
    CompanyName : Microsoft
    FileDescription : Microsoft
    InternalName : WkCalRem
    OriginalFilename : WKCALREM.EXE
    ProductName : Microsoft
    Created on : 9/5/1999 2:23:00 AM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 9/5/1999 2:23:00 AM

    #:23 [webshots.scr]
    FilePath : C:\WINDOWS\
    ProcessID : 4294445643
    Threads : 1
    Priority : Normal
    FileSize : 1912 KB
    FileVersion : 2.0.0.4324
    ProductVersion : 2.0.0.4324
    Copyright : Copyright (C) 2003
    CompanyName : Webshots.com
    FileDescription : Webshots Photo Manager
    InternalName : Webshots2
    OriginalFilename : Webshots2.EXE
    ProductName : The Webshots Desktop
    Created on : 1/2/2004 8:40:53 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 10/30/2003 5:51:20 PM

    #:24 [ad-aware.exe]
    FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
    ProcessID : 4294377683
    Threads : 2
    Priority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 8/30/2003 3:19:35 AM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 7/13/2003 2:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : [email protected][2].txt
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\Profiles\default\Cookies\

    Created on : 4/28/2004 4:43:47 AM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 4/28/2004 4:43:48 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : [email protected][2].txt
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\Profiles\default\Cookies\

    Created on : 4/28/2004 6:06:24 PM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 4/28/2004 6:06:26 PM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 3


    Scanning Hosts file(C:\WINDOWS\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    0 entries scanned.
    New objects :0
    Objects found so far: 3




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/html


    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/plain


    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 3
    Objects found so far: 6


    3:48:08 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:14:21:840
    Objects scanned :95191
    Objects identified :6
    Objects ignored :0
    New objects :6
     
  5. bobolink

    bobolink Thread Starter

    Joined:
    Jul 30, 2003
    Messages:
    125
    Is anyone there... hello??
     
  6. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Firstly, put HJT in its own folder so it can keep its backups, e.g. c:\my documents\HJT.
    Now run it again and check the following for removal:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)

    O2 - BHO: (no name) - {1EE7884C-771F-4D5E-9032-2F83426FCAB9} - C:\WINDOWS\SYSTEM\LLKCKG.DLL

    Download and run
    http://www.spywareinfo.com/~merijn/files/CWShredder.exe

    I don't think I missed any, but do this, then re-run and post a new log.
     
  7. bobolink

    bobolink Thread Starter

    Joined:
    Jul 30, 2003
    Messages:
    125
    Thanks JW Birdsong!! (y) ;)

    I'm not sure what makes you think my HJT is not in the 'MyDocs' file, 'cause that's right where I keep it... oh well.

    Here is the new HJT log. Also, thanks for helping me locate CWShredder. That scan is very concise and makes it easy to see malware bugs.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:09:23 PM, on 4/28/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\WEBSHOTS.SCR
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\WINDOWS\TEMP\TD_0016.DIR\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
    O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~9\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MicroAttuneDownload] "C:\Program Files\Aveo\Attune\Updater0\atmdlup4.exe" -uninstall
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Webshots\Launcher.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.7714699074
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
     
  8. bobolink

    bobolink Thread Starter

    Joined:
    Jul 30, 2003
    Messages:
    125
    I shut down my computer after fixing in HJT, but when I returned and rebooted, the same problem in IE returned. Did I miss something? The bugs still remain. Is there a method to this I am missing?

    Here are CWS and HJT scan reports!!

    CWShredder v1.57.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip

    Windows ME (4.90.3000 )
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Profiles\default\Application Data
    Username: default

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    Infected data: res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL
    Infected data: http://www.searchv.com/search.html
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    Infected data: res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    Found Hosts file: C:\WINDOWS\hosts (210 bytes, A)
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2144 bytes, A)
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (8391 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2495 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -

    Logfile of HijackThis v1.97.7
    Scan saved at 10:01:20 PM, on 4/28/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\WEBSHOTS.SCR
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {C97046D0-33EE-4BF7-84B1-E5772184CAF5} - C:\WINDOWS\SYSTEM\LLKCKG.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
    O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~9\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MicroAttuneDownload] "C:\Program Files\Aveo\Attune\Updater0\atmdlup4.exe" -uninstall
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Webshots\Launcher.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.7714699074
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
     
  9. bobolink

    bobolink Thread Starter

    Joined:
    Jul 30, 2003
    Messages:
    125
    This is the portion of my Ad-Aware scan that shows the malware... they are all registry values, so I suspect that fixes in HJT will not do the trick. Any advice?

    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : [email protected][1].txt
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\Profiles\default\Cookies\

    Created on : 4/29/2004 1:54:04 AM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 4/29/2004 1:54:06 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : [email protected][1].txt
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\Profiles\default\Cookies\

    Created on : 4/29/2004 2:11:19 AM
    Last accessed : 4/28/2004 4:00:00 AM
    Last modified : 4/29/2004 2:11:20 AM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 3


    Scanning Hosts file(C:\WINDOWS\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    0 entries scanned.
    New objects :0
    Objects found so far: 3




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/html


    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/plain


    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 3
    Objects found so far: 6


    10:26:24 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:14:37:210
    Objects scanned :95344
    Objects identified :6
    Objects ignored :0
    New objects :6
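The two logs above (the HijackThis R0/R1 lines pointing at `res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html`, the unnamed O2 BHO loading that same DLL, and the `HomeOldSP` value Ad-Aware flags) are the pattern worth automating: a `res://` search-page URL is only a symptom, and the thing to correlate it with is the DLL that serves it. The script below is an added example, not code from the thread or from HijackThis; it parses HJT-style log lines, pulls the DLL path out of every `res://` search/start-page value, and matches it against the O2 BHO entries, reporting the CLSID to fix. The sample log is constructed from lines copied out of the post above. Treating `HomeOldSP` as a CoolWebSearch marker is an assumption taken from the Ad-Aware output on this page, not from any IE documentation.

```python
"""Correlate HijackThis R-lines and O2 BHO lines to spot a res:// search hijack.

Added example (not from the thread). Parses HJT log text, finds every
registry value that points IE at a res://...dll/... page, and looks for a
Browser Helper Object (O2) that loads the same DLL. That pairing is what
keeps the hijack coming back after the R-lines alone are "fixed".
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted in the
# thread, trimmed to the R-lines and O2 lines this script looks at.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\LLKCKG.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {C97046D0-33EE-4BF7-84B1-E5772184CAF5} - C:\WINDOWS\SYSTEM\LLKCKG.DLL
"""

# R0..R3: "<hive>\<key>,<value> = <data>"
R_LINE = re.compile(r"^R[0-3] - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# O2: "BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# res://<dll path>/<resource>  (the DLL path may contain backslashes and spaces)
RES_URL = re.compile(r"res://(?P<dll>[^/]+?\.dll)/", re.IGNORECASE)

# Registry values that stock IE does not create; seen set by CoolWebSearch
# in the Ad-Aware output on this page (assumption: treat as a CWS marker).
CWS_MARKER_VALUES = {"homeoldsp"}


def _basename(path):
    """Last path component, lower-cased, so 8.3 short names still compare."""
    return path.strip().lower().rsplit("\\", 1)[-1]


def analyze(log_text):
    """Return {'findings': [...], 'cws_markers': [...]} for an HJT log string."""
    res_refs = defaultdict(list)   # full DLL path (lower) -> registry values using it
    bhos_by_path = {}              # full DLL path (lower) -> (name, clsid)
    bhos_by_name = {}              # DLL basename (lower) -> (name, clsid)
    markers = []                   # registry values matching CWS_MARKER_VALUES

    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            target = f"{m['hive']}\\{m['key']},{m['value']}"
            if m["value"].lower() in CWS_MARKER_VALUES:
                markers.append(target)
            u = RES_URL.search(m["data"])
            if u:
                res_refs[u["dll"].lower()].append(target)
            continue
        m = O2_LINE.match(line)
        if m:
            entry = (m["name"], m["clsid"])
            bhos_by_path[m["path"].strip().lower()] = entry
            bhos_by_name[_basename(m["path"])] = entry

    findings = []
    for dll, targets in res_refs.items():
        # Exact path first; fall back to basename in case one side is an 8.3 name.
        bho = bhos_by_path.get(dll) or bhos_by_name.get(_basename(dll))
        findings.append({
            "dll": dll,
            "registry_values": targets,
            "bho_clsid": bho[1] if bho else None,
            "bho_unnamed": bool(bho and bho[0] == "(no name)"),
            "verdict": ("hijack: res:// search page served by a BHO; fix the O2 line "
                        "and delete the DLL, not just the R-lines")
                       if bho else "res:// search page with no matching BHO in this log",
        })
    return {"findings": findings, "cws_markers": markers}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["findings"]:
        print(f["verdict"])
        print("  dll:", f["dll"], "| BHO CLSID:", f["bho_clsid"], "| unnamed:", f["bho_unnamed"])
        for t in f["registry_values"]:
            print("   -", t)
    for mk in report["cws_markers"]:
        print("CWS marker value present:", mk)
```

The point of the correlation is the order of operations: the BHO (O2) is what rewrites the search values every time IE starts, so fixing the R-lines first and the BHO afterwards, with IE still open, lets the DLL put them straight back. On this log the script ties all three `res://` values to the single unnamed BHO `{C97046D0-33EE-4BF7-84B1-E5772184CAF5}`, which is the entry to fix with IE closed before deleting the DLL.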
     
  10. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Are you ONLY running CWS using scan only, or are you having it fix, also??? ARE all windows closed when you run it?? CWS should take care of those entries....
     
  11. Viji R

    Viji R

    Joined:
    Sep 13, 2003
    Messages:
    20
    I am new, so most probably you guys have tried this already. But when I had this similar problem, what fixed it was McAfee VirusScan, which reported the bug StartPage Trojan, which is supposed to be a family of trojans that hijacks the ... what else, the Start Page. Anyway, cleaning that (after I shut down System Restore) fixed it up for me. You can check on this on the Virus Information Page of www.McAfee.com. But it is an old bug apparently. Maybe you restored something from an old archive that had it.

    Hope this solves your problem.

    Viji
     
  12. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    What an idiot I am..you've got a little work ahead of you....1st go to http://www.spywareinfo.com/~merijn/ then scroll down the page 1/2 and read the 24MAR log...Get the PV.Zip and follow merijn's directions exactly...Same for the next file KillBox.zip...After all of that you can run CWShredder & HJT and then post a new (hopefully clean) log back here..Sorry I didn't catch it the first time around
     
  13. bobolink

    bobolink Thread Starter

    Joined:
    Jul 30, 2003
    Messages:
    125
    Thanks, I couldn't understand why these bugs kept reappearing even after I ran "fix" in CWS and HJT. Ad-Aware and Spybot were not finding these when I ran scans, neither did anything show up in Norton AntiVirus. This may take me a while so I'll be back later.

    Thanks for your patience... I am an outdoor person but do a lot of research with my computer, so when these problems affect my work, I become consumed until I can get back to normal operation. I am on a steep learning curve here... again thanks. ;-)
     
  14. bobolink

    bobolink Thread Starter

    Joined:
    Jul 30, 2003
    Messages:
    125
    I was not successful in locating the bad file under PV. I was able to follow all instructions but felt I could not get to the second level in downloading KillBox, as there was nothing found in PV to kill. Do you have other suggestions?
     
  15. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Post your PV log here...w/ new HJT log
    And re: your previous msg..EVERYBODY is on a steep learning curve (like straight up) when it comes to this one..
     
Short URL to this thread: https://techguy.org/224531