Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 20 of 41 Posts

·
Registered
Joined
·
26 Posts
Discussion Starter · #1 ·
I'm truly sorry for posting two times, but because of this crazy virus on my computer, I can't click into my own thread unless someone reply's, so I recommend that you would read my first post.

Well, sorry for the delay, here is my HiJackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:14:45 AM, on 6/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\Services\{A0E2F207-A1C5-49B9-B9ED-16C1469747CE}\SVCHOST.EXE
C:\Documents and Settings\Joshua\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r21.mchsi.com:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Joshua\Application Data\Mozilla\Profiles\default\2ox5379o.slt\prefs.js)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp5975.tmp
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{A0E2F207-A1C5-49B9-B9ED-16C1469747CE}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{0B2F7681-DF27-4259-A469-8031F1A6A04A}\SECURITY.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O8 - Extra context menu item: >>> HARDCORE MOVIES <<< - javascript:{document.location='http://neosexvideo.com/webmasters/df004/access.htm';}
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauthwb/internetwasherpro.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a44e37b974b70e8805/netzip/RdxIE601.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/cd/1,0,3,8/fr/AccesMembre.cab
O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://www.exstream.to/tulip/cab/3,0,5,19/TulipPlayer2.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: System - {18C5F464-65DE-4BA5-AAE0-6F98890CA7A1} - vr_sys.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT(c) SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe

========================================================
Just incase you don't find my last post (for I am trying to delete it) here is what it said:

I was skimming through the other posts involving Hijackthis logs and I decided, that for mine, I want to try to explain what I have noticed and done that persuaded me to post my HJT Log.

Here we go.
On the morning of Wednesday, June 15th I just finished watching the cowboy bebop movie, "knockin' on heaven's door" on my desktop so I started up real rhapsody and began listening to foo fighters when suddenly the song stopped!
Suddenly, I realized that my system was running very slowly.

Like before, I immediately started up the newest version/update of AdAware. After running a full system scan and deleting over a hundred spyware objects, I assumed the problem was solved, but after I rebooted, nothing had changed! For the rest of the evening, I just went through my system and manually deleted /uninstalled programs that might have caused the problem. But nothing changed.

Then, I turned off my computer and went to go see batman begins. When I returned and upstarted my PC, I was first presented with a blue screen that states the following:

"A fatal error in IE has occured at 0020:C0011E36 in VXD<01>+00010E36
error was caused by
Trojan-Spy.HTML.SmitFraud.c"

What does that mean?
Then I noticed that my active desktop was replaced with a WARNING popup/wallpaper that (translated) states:

"WARNING! YOUR IN DANGER!
SECURE YOURSELF RIGHT NOW!
REMOVE ALL SPYWARE FROM YOUR PC!"

At the bottom is a "removal instructions" link that takes me to a site that says I have to pay $20 for a spyware removal, and quite frankly, I am (cough) broke (cough)

all last night, I have ran AdAware, Spybot search and destroy (which, by the way states that there are no immediate problems. Can you believe that?) and lastly, I ran microsoft's anti-spyware beta and nothing has changed.

Believe it or not, microsoft's anti-spyware beta picked up/"supposedly"deleted 20+ objects containing "Trojan" but nothing has changed.

Then I heard about a "Safe mode", but I have no idea what that means and/or how to use it.

Other problems include: Everytime I click on most links I am redirected to a clicksearchclick link with links to the words I click.
Secondly, Even though I use firefox, every few minutes I get an IE popup that reminds me I have a virus on my system.

So, If anyone can help me get my computer out of this ditch, it would be much appreciated! Thank you very much!
 

·
Registered
Joined
·
747 Posts
Hi How'sdatgo,

Go to Add/Remove Programs and uninstall (if present):
  • Newdotnet - If there is no uninstall program listed for NewDotNet in Add/Remove programs, then do the following:
    Go to http://www.newdotnet.com/removal.html ; scroll down to Procedure 4 and follow the removal instructions.

Your log shows signs of a CWS infection. To remove this infection:
  • Download CWShredder.
  • Save CWShredder.exe to a convenient location.
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".

Then, run one of these Online virus scanners:
Then, please open Start> Run and type MSConfig in the 'Run' box. When the System Configuration Utility opens, go to the 'Startup Tab' and make sure there is a checkmark beside each entry. Then the general tab should have the "normal startup" option checked. REBOOT when asked to by Windows to complete the change

After completing the above please Scan again with HJT and POST a new HJT log in this thread using 'Post Reply'.
 

·
Registered
Joined
·
26 Posts
Discussion Starter · #3 ·
man o man

First of all, I want to thank you for trying to help me out
Though nothing seems to have changed.

It started off great though!
*I uninstalled Newdotnet by following procedure #4
*The CWShredder seemed to remove some items
BUT
The problem came in at the online scanner suggestion

I tried running Panda using internet explorer, but, because of this virus, I can't get it to start,
thanks to clicksearchclick, I am always redirected to a link-type page when I try to run the scan.
SO
I just finished trying Housecall.
After waiting over three hours for the scan to complete, Housecall revealed over 500 infected files!
So, after inputting my name and email to get a number, I click on the "fix?" button only to find none of
the files being "fix?ed". because they were in red.

Then, I go ahead and switch back to "normal startup" and reboot, only to find nothing changed (for the better anyway)
note: I had alot of startup files that I have no idea what they do

So, here is my revised Hijackthis Log
Is there any hope?

==============================================

Logfile of HijackThis v1.99.1
Scan saved at 4:09:23 AM, on 6/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\Services\{DCAE40C0-2B97-4CA2-9174-1244B8F0D7CD}\SVCHOST.

EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\documents and settings\joshua\local settings\temp\yz.exe
C:\documents and settings\joshua\local settings\temp\vSpX4qFm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\documents and settings\joshua\local settings\temp\rV.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\documents and settings\joshua\local settings\temp\LtWxY.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\documents and settings\joshua\local settings\temp\df.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\documents and settings\joshua\local settings\temp\9Fm2TG.exe
C:\documents and settings\joshua\local settings\temp\3GSNVeCU.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\documents and settings\joshua\local settings\temp\1.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\hookdump.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Joshua\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2

search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about

:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.

updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www

.updatesearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://

C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http

://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http

://www.updatesearches.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http

://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://

www.updatesearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://

www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.

updatesearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyServer = https=sas.r21.mchsi.com:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=??? ??? ??? ? ? ?????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5

CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:

\Documents and Settings\Joshua\Application Data\Mozilla\Profiles\default\2ox

5379o.slt\prefs.js)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:

\WINDOWS\System32\hpB447.tmp
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:

\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH

Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{DCAE40C0-2B97

-4CA2-9174-1244B8F0D7CD}\SVCHOST.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01

\bin\jusched.exe
O4 - HKLM\..\Run: [yz] C:\documents and settings\joshua\local

settings\temp\yz.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program

Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program

Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [vSpX4qFm] C:\documents and settings\joshua\local

settings\temp\vSpX4qFm.exe
O4 - HKLM\..\Run: [u3] C:\documents and settings\joshua\local

settings\temp\u3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [rV] C:\documents and settings\joshua\local

settings\temp\rV.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [r1fjfk6u] C:\WINDOWS\System32\r1fjfk6u.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -

atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1

\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [ntyr.exe] C:\WINDOWS\system32\ntyr.exe
O4 - HKLM\..\Run: [nhreml] c:\windows\system32\nhreml.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.

DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [msku.exe] C:\WINDOWS\msku.exe
O4 - HKLM\..\Run: [M6E] C:\documents and settings\joshua\local

settings\temp\M6E.exe
O4 - HKLM\..\Run: [LtWxY] C:\documents and settings\joshua\local

settings\temp\LtWxY.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet

Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GLSetIT32] C:\windows\system32\msiexec16.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.

1\MMKEYBD.EXE
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~

1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [DYio] C:\documents and settings\joshua\local

settings\temp\DYio.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [df] C:\documents and settings\joshua\local

settings\temp\df.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo

AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [crjx.exe] C:\WINDOWS\system32\crjx.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye

Network\bin\bargains.exe
O4 - HKLM\..\Run: [Bt] C:\documents and settings\joshua\local

settings\temp\Bt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.

exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~

1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AntivirusGold] C:\Program

Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [9Fm2TG] C:\documents and settings\joshua\local

settings\temp\9Fm2TG.exe
O4 - HKLM\..\Run: [3GSNVeCU] C:\documents and settings\joshua\local

settings\temp\3GSNVeCU.exe
O4 - HKLM\..\Run: [2zelnG] C:\documents and settings\joshua\local

settings\temp\2zelnG.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\PjiM.exe
O4 - HKLM\..\Run: [23EQ3ne] 3ivrprop.exe
O4 - HKLM\..\Run: [1] C:\documents and settings\joshua\local settings\temp\1

.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{DCAE40C0-2B97-

4CA2-9174-1244B8F0D7CD}\SECURITY.EXE
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /

startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /

background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program

Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:

\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:

{document.location='http://sexmaxx.com/freegalleries.htm';}
O8 - Extra context menu item: >>> HARDCORE MOVIES <<< - javascript:{document

.location='http://neosexvideo.com/webmasters/df004/access.htm';}
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8

-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C

9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:

\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:

\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D

167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}

- C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-

0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:

\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8

-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C

9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://

C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing)

(HKCU)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http

://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download

Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.

net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/

QuickTimeInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/

iwasher/pptproactauthwb/internetwasherpro.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207

.188.7.150/05a44e37b974b70e8805/netzip/RdxIE601.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.

com/inst/PEInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.

com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield

International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://

www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.

fr/CABS/cd/1,0,3,8/fr/AccesMembre.cab
O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http

://www.exstream.to/tulip/cab/3,0,5,19/TulipPlayer2.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) -

http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http

://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C

:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT(c) SOFTWARE s.r.o - C:

\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
 

·
Registered
Joined
·
26 Posts
Discussion Starter · #5 ·
Logfile of HijackThis v1.99.1
Scan saved at 4:09:23 AM, on 6/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\Services\{DCAE40C0-2B97-4CA2-9174-1244B8F0D7CD}\SVCHOST.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\documents and settings\joshua\local settings\temp\yz.exe
C:\documents and settings\joshua\local settings\temp\vSpX4qFm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\documents and settings\joshua\local settings\temp\rV.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\documents and settings\joshua\local settings\temp\LtWxY.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\documents and settings\joshua\local settings\temp\df.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\documents and settings\joshua\local settings\temp\9Fm2TG.exe
C:\documents and settings\joshua\local settings\temp\3GSNVeCU.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\documents and settings\joshua\local settings\temp\1.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\hookdump.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Joshua\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r21.mchsi.com:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=???
??? ???
?
?
?????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Joshua\Application Data\Mozilla\Profiles\default\2ox5379o.slt\prefs.js)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB447.tmp
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{DCAE40C0-2B97-4CA2-9174-1244B8F0D7CD}\SVCHOST.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [yz] C:\documents and settings\joshua\local settings\temp\yz.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [vSpX4qFm] C:\documents and settings\joshua\local settings\temp\vSpX4qFm.exe
O4 - HKLM\..\Run: [u3] C:\documents and settings\joshua\local settings\temp\u3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [rV] C:\documents and settings\joshua\local settings\temp\rV.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [r1fjfk6u] C:\WINDOWS\System32\r1fjfk6u.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [ntyr.exe] C:\WINDOWS\system32\ntyr.exe
O4 - HKLM\..\Run: [nhreml] c:\windows\system32\nhreml.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [msku.exe] C:\WINDOWS\msku.exe
O4 - HKLM\..\Run: [M6E] C:\documents and settings\joshua\local settings\temp\M6E.exe
O4 - HKLM\..\Run: [LtWxY] C:\documents and settings\joshua\local settings\temp\LtWxY.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GLSetIT32] C:\windows\system32\msiexec16.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [DYio] C:\documents and settings\joshua\local settings\temp\DYio.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [df] C:\documents and settings\joshua\local settings\temp\df.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [crjx.exe] C:\WINDOWS\system32\crjx.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Bt] C:\documents and settings\joshua\local settings\temp\Bt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [9Fm2TG] C:\documents and settings\joshua\local settings\temp\9Fm2TG.exe
O4 - HKLM\..\Run: [3GSNVeCU] C:\documents and settings\joshua\local settings\temp\3GSNVeCU.exe
O4 - HKLM\..\Run: [2zelnG] C:\documents and settings\joshua\local settings\temp\2zelnG.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\PjiM.exe
O4 - HKLM\..\Run: [23EQ3ne] 3ivrprop.exe
O4 - HKLM\..\Run: [1] C:\documents and settings\joshua\local settings\temp\1.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{DCAE40C0-2B97-4CA2-9174-1244B8F0D7CD}\SECURITY.EXE
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O8 - Extra context menu item: >>> HARDCORE MOVIES <<< - javascript:{document.location='http://neosexvideo.com/webmasters/df004/access.htm';}
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauthwb/internetwasherpro.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a44e37b974b70e8805/netzip/RdxIE601.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/cd/1,0,3,8/fr/AccesMembre.cab
O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://www.exstream.to/tulip/cab/3,0,5,19/TulipPlayer2.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT(c) SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
 

·
Registered
Joined
·
747 Posts
Hi How'sdatgo,

Please read these instructions carefully and print them out! Be sure to follow ALL instructions.

First, copy and paste the contents of the following quote box and paste it in Notepad. Save it to your desktop as "badfiles.txt" under all files.
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\system32\perfcii.ini
C:\Windows\System32\helper.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\documents and settings\joshua\local settings\temp\yz.exe
C:\documents and settings\joshua\local settings\temp\vSpX4qFm.exe
C:\documents and settings\joshua\local settings\temp\u3.exe
C:\WINDOWS\System32\kernels32.exe
C:\documents and settings\joshua\local settings\temp\rV.exe
C:\WINDOWS\System32\r1fjfk6u.exe
C:\WINDOWS\system32\ntyr.exe
c:\windows\system32\nhreml.exe
C:\WINDOWS\msku.exe
C:\documents and settings\joshua\local settings\temp\M6E.exe
C:\documents and settings\joshua\local settings\temp\LtWxY.exe
C:\windows\system32\msiexec16.exe
C:\documents and settings\joshua\local settings\temp\DYio.exe
C:\WINDOWS\System32\dp-him.exe
C:\documents and settings\joshua\local settings\temp\df.exe
C:\WINDOWS\system32\crjx.exe
C:\documents and settings\joshua\local settings\temp\Bt.exe
C:\documents and settings\joshua\local settings\temp\9Fm2TG.exe
C:\documents and settings\joshua\local settings\temp\3GSNVeCU.exe
C:\documents and settings\joshua\local settings\temp\2zelnG.exe
C:\documents and settings\joshua\local settings\temp\1.exe
C:\WINDOWS\System32\win32.exe
C:\winstall.exe
C:\WINDOWS\System32\hookdump.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\hpB447.tmp
C:\Windows\Desktop.html
Then, please right click here and select Save As to download smitfraud.reg. Please save the file somewhere you can find it like on the desktop. To run the reg file, double-click it and click 'Yes' at the confirmation screen.

Then, Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
WeirdOnTheWeb
PSGuard
Internet Optimizer
BullsEye Network
AntivirusGold
SpySheriff
Ebates_MoeMoneyMaker


Then, please download the Killbox and save it to your Desktop. In the event you already have Killbox, this is a new version that I need you to download. Do not run it yet.

You will need to configure Windows XP to show all files and folders.
1. Open My Computer.
2.Select the Tools menu and click Folder Options.
3. Select the View Tab.
4.Under the Hidden files and folders heading select Show hidden files and folders.
5.Uncheck the Hide protected operating system files (recommended) option.
6.Click Yes to confirm.
7.Click OK.

Then,reboot in Safe mode. To reboot in Safe mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Then, open HijackThis, run a scan and check these items:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

F3 - REG:win.ini: load=???
??? ???
?
?
?????

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB447.tmp
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{DCAE40C0-2B97-4CA2-9174-1244B8F0D7CD}\SVCHOST.EXE
O4 - HKLM\..\Run: [yz] C:\documents and settings\joshua\local settings\temp\yz.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [vSpX4qFm] C:\documents and settings\joshua\local settings\temp\vSpX4qFm.exe
O4 - HKLM\..\Run: [u3] C:\documents and settings\joshua\local settings\temp\u3.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [rV] C:\documents and settings\joshua\local settings\temp\rV.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [r1fjfk6u] C:\WINDOWS\System32\r1fjfk6u.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [ntyr.exe] C:\WINDOWS\system32\ntyr.exe
O4 - HKLM\..\Run: [nhreml] c:\windows\system32\nhreml.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [msku.exe] C:\WINDOWS\msku.exe
O4 - HKLM\..\Run: [M6E] C:\documents and settings\joshua\local settings\temp\M6E.exe
O4 - HKLM\..\Run: [LtWxY] C:\documents and settings\joshua\local settings\temp\LtWxY.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [GLSetIT32] C:\windows\system32\msiexec16.exe
O4 - HKLM\..\Run: [DYio] C:\documents and settings\joshua\local settings\temp\DYio.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [df] C:\documents and settings\joshua\local settings\temp\df.exe
O4 - HKLM\..\Run: [crjx.exe] C:\WINDOWS\system32\crjx.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Bt] C:\documents and settings\joshua\local settings\temp\Bt.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [9Fm2TG] C:\documents and settings\joshua\local settings\temp\9Fm2TG.exe
O4 - HKLM\..\Run: [3GSNVeCU] C:\documents and settings\joshua\local settings\temp\3GSNVeCU.exe
O4 - HKLM\..\Run: [2zelnG] C:\documents and settings\joshua\local settings\temp\2zelnG.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\PjiM.exe
O4 - HKLM\..\Run: [23EQ3ne] 3ivrprop.exe
O4 - HKLM\..\Run: [1] C:\documents and settings\joshua\local settings\temp\1.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{DCAE40C0-2B97-4CA2-9174-1244B8F0D7CD}\SECURITY.EXE
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O8 - Extra context menu item: >>> HARDCORE MOVIES <<< - javascript:{document.location='http://neosexvideo.com/webmasters/df004/access.htm';}

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)

O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptpro...etwasherpro.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a44e37b974b7...ip/RdxIE601.cab
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/cd/...AccesMembre.cab

O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe


Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

Then, run Killbox to delete files:
  • Open Killbox.
  • Select "Delete on Reboot".
  • Also open the file "badfiles.txt" and send all the contents of it to the clipboard by highlighting ALL the contents of the notepad file and pressing CTRL + C
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Then, delete these folders (if found):
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\LogFiles
C:\Program Files\Security IGuard
C:\Program Files\WeirdOnTheWeb
C:\Program Files\PSGuard
C:\PROGRA~1\NEWDOT~1- This folder starts with NEWDOT and is located in a folder starting with PROGRA.
C:\Program Files\Internet Optimizer
C:\Program Files\BullsEye Network
C:\Program Files\AntivirusGold
C:\Program Files\SpySheriff
C:\PROGRA~1\Toolbar-This folder is located in a folder starting with PROGRA.
C:\Program Files\Ebates_MoeMoneyMaker
C:\WINDOWS\System32\Services\{A3FC1B87-60FF-4D20-9089-840C6B551BAF}
C:\WINDOWS\System32\Services\{A3FC1B87-60FF-4D20-9089-840C6B551BAF}

Then, search for these files and delete them:
msxct.exe
3ivrprop.exe


Then, delete the contents of this folder:
C:\Windows\Prefetch - Delete ALL files inside of the Prefetch folder (do NOT delete the folder, just the files inside the folder).

Then, delete Temp Files. To delete temp files:
Click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there.

Do this same process for %windir%\temp.

Then, delete Temporary Internet Files. To delete Temporary Internet Files:
Open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Reboot into normal mode.

Then, delete the malware service completely:
  1. Go to Start > Run and type in Services.msc then click OK
  2. Click the Extended tab.
  3. Scroll down until you find svchost.exe.
  4. Click once on the service to highlight it.
  5. Click Stop.
  6. Right-Click on the service.
  7. Click on 'Properties'.
  8. Select the 'General' tab.
  9. Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box.
  10. From the drop-down menu, click on 'Disabled'.
  11. Click the 'Apply' tab, then click 'OK'.
  12. Open HijackThis.
  13. Click the Config button.
  14. Click the Misc Tools button.
  15. Select Delete an NT service.
  16. Copy and paste the following into the box:
    moto
  17. Click Ok.

Then, download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

Then, right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

Then, reboot and post a fresh HijackThis log.
 

·
Registered
Joined
·
26 Posts
Discussion Starter · #7 ·
tj416 said:
First, copy and paste the contents of the following quote box and paste it in Notepad. Save it to your desktop as "badfiles.txt" under all files.
When You say Notepad at the beginning, are you referring to one of those little wordpad files (which I use all the time)
OR
are you referring to the program on my start menu named notepad that creates and edits text files using basic text formatting?

and what do you mean by "under all files"

ps. please forgive the simple questions, I just really want to get this right the first time.

Thanks.
 

·
Registered
Joined
·
747 Posts
Hi How'sdatgo,

I mean the Notepad i.e. located in Start>Programs>Accessories.

are you referring to the program on my start menu named notepad that creates and edits text files using basic text formatting?
That is the one.

I meant to choose "All files" at the 'Save as type' box in the save window (see attachment).
 

Attachments

·
Registered
Joined
·
26 Posts
Discussion Starter · #9 ·
tj416 said:
I mean the Notepad i.e. located in Start>Programs>Accessories.
I located Notepad by doing the following: Start>Programs>Accessories>Notepad
BUT When I click on Notepad, Nothing loads up.
So I rebooted my system and tried again...nothing.
Plus, the Notepad Icon looks a little "down".
What could possibly be the problem now?

Thanks.
 

·
Registered
Joined
·
26 Posts
Discussion Starter · #11 ·
tj416 said:
You have the Peper Trojan. It is a very stubborn infection which requires a specific tool to remove. To remove this trojan:
  • Download PeperFix.exe.
  • Start the tool and click Find and Fix.
  • Reboot to finish removing what it found.
  • Run the tool a second time
  • Reboot to finish removing the entries.
First of all, your suggestion on the notepad problem worked! Thank you for that.

BUT
When I clicked "Find + Fix" using the PeperFix tool, It said in blue letters: "No Peper Files were detected" after scanning through many many files.
So I ran it two more times with the same result.
Since no peper files were detected, I was not prompted to reboot.

Could this possibly be a different Trojan?
OR do I just move on to the next step in your instructions?

THANKS!
 

·
Registered
Joined
·
747 Posts
Hi How'sdatgo,

Proceed with the rest of the steps. I've edited the contents of the Quote box and removed the Peper trojan removal instructions. So start from the beginning of that post.

Note: If you already made a "badfiles.txt" delete it and create it again with the revised contents of the quote box.
 

·
Registered
Joined
·
26 Posts
Discussion Starter · #13 ·
Logfile of HijackThis v1.99.1
Scan saved at 11:00:17 AM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\Services\{DCAE40C0-2B97-4CA2-9174-1244B8F0D7CD}\SVCHOST.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\hookdump.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joshua\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r21.mchsi.com:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=??? ??? ??? ? ? ?????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Joshua\Application Data\Mozilla\Profiles\default\2ox5379o.slt\prefs.js)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp6ABB.tmp
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{DCAE40C0-2B97-4CA2-9174-1244B8F0D7CD}\SVCHOST.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [yz] C:\documents and settings\joshua\local settings\temp\yz.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [vSpX4qFm] C:\documents and settings\joshua\local settings\temp\vSpX4qFm.exe
O4 - HKLM\..\Run: [u3] C:\documents and settings\joshua\local settings\temp\u3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [rV] C:\documents and settings\joshua\local settings\temp\rV.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [r1fjfk6u] C:\WINDOWS\System32\r1fjfk6u.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [ntyr.exe] C:\WINDOWS\system32\ntyr.exe
O4 - HKLM\..\Run: [nhreml] c:\windows\system32\nhreml.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [msku.exe] C:\WINDOWS\msku.exe
O4 - HKLM\..\Run: [M6E] C:\documents and settings\joshua\local settings\temp\M6E.exe
O4 - HKLM\..\Run: [LtWxY] C:\documents and settings\joshua\local settings\temp\LtWxY.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GLSetIT32] C:\windows\system32\msiexec16.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [DYio] C:\documents and settings\joshua\local settings\temp\DYio.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [df] C:\documents and settings\joshua\local settings\temp\df.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [crjx.exe] C:\WINDOWS\system32\crjx.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Bt] C:\documents and settings\joshua\local settings\temp\Bt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [9Fm2TG] C:\documents and settings\joshua\local settings\temp\9Fm2TG.exe
O4 - HKLM\..\Run: [3GSNVeCU] C:\documents and settings\joshua\local settings\temp\3GSNVeCU.exe
O4 - HKLM\..\Run: [2zelnG] C:\documents and settings\joshua\local settings\temp\2zelnG.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\PjiM.exe
O4 - HKLM\..\Run: [23EQ3ne] 3ivrprop.exe
O4 - HKLM\..\Run: [1] C:\documents and settings\joshua\local settings\temp\1.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{DCAE40C0-2B97-4CA2-9174-1244B8F0D7CD}\SECURITY.EXE
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O8 - Extra context menu item: >>> HARDCORE MOVIES <<< - javascript:{document.location='http://neosexvideo.com/webmasters/df004/access.htm';}
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauthwb/internetwasherpro.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a44e37b974b70e8805/netzip/RdxIE601.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/cd/1,0,3,8/fr/AccesMembre.cab
O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://www.exstream.to/tulip/cab/3,0,5,19/TulipPlayer2.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT(c) SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
 

·
Registered
Joined
·
26 Posts
Discussion Starter · #15 ·
Everything was going great, until near the end when you told me to run killbox. That was also going great until I pressed "Delete File". I clicked "Yes" at the delete on Reboot prompt. But I got confused after that. Was I supposed to reboot then and there. I assumed "No", so I did not.

I then only found The AntivirusGold folder.
I ran the search program to check my whole computer, but the probram could not find neither "msxct.exe" or "3ivrprop.exe"

HERE IS WHERE I BELIEVE I MESSED UP
I opened the temp directory that my system uses. And I deleted all the files found there for %temp% just like you said.
BUT
When I tried to do the same for the temp file in %windir%,
I first accidentally deleted a few of the folders in %windir% alone!
DON'T WORRY, I RESTORED THEM
BUT afterwards, I had to turn off the computer due to it freezing!
Meaning, I went back to normal mode before you instructed me to.
That may have messed up everything else I did in the instructions.

ANYWAY
After returning to normal mode earlier than instructed, I returned to safe mode and finally deleted the contents of the %windir% temp folder.

I felt I had made a big mistake, When, after pressing "OK" to delete offline content - Nothing seemed to happen.
You told me it may take quite some time, but nothing seemed to happen at all.

So I moved on.
I deleted the malware service completely afterwards though.

RIGHT NOW,
I am going to try to do it all over again.
I believe I will get it right this time, hopefully.

I will then post a fresh HJT LOG.
Thank you for being patient with me
 

·
Registered
Joined
·
26 Posts
Discussion Starter · #16 ·
I did everything on your instructions.
My internet speed is much much faster ( it used to take me about five minutes just to load up this topic, but now it's instant! )
BUT
The warning screen is still on my desktop.
Here is my new HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:46 PM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r21.mchsi.com:8000
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Joshua\Application Data\Mozilla\Profiles\default\2ox5379o.slt\prefs.js)
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp7EDF.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://www.exstream.to/tulip/cab/3,0,5,19/TulipPlayer2.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT(c) SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
 

·
Registered
Joined
·
747 Posts
Hi How'sdatgo,

Go to Add/Remove Programs and uninstall (if present):
SpyKiller (optional)- "Spyware remover" of questionable quality and repute. There are better alternatives that are freeware to boot. See this page on Rogue/Suspect Anti-Spyware Products & Web Sites.

Then, open HijackThis, run a scan and check these items:
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp7EDF.tmp

If you decided to uninstall SpyKiller, check this item.
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

Then, run Killbox to delete a file:
  • Open Killbox.
  • Select "Delete on Reboot".
  • Copy and paste the following into the the delete box:
    C:\WINDOWS\System32\hp7EDF.tmp
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Then, delete this folder:
C:\Program Files\SpyKiller - Delete this folder if you decided to uninstall Spykiller.

Then, right click here and select Save As to download smitfraud.reg. Please save the file somewhere you can find it like on the desktop. To run the reg file, double-click it and click 'Yes' at the confirmation screen.

Then, reboot (in the normal mode) and post a new log in this thread.
 

·
Registered
Joined
·
26 Posts
Discussion Starter · #18 ·
Logfile of HijackThis v1.99.1
Scan saved at 11:58:23 AM, on 6/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r21.mchsi.com:8000
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Joshua\Application Data\Mozilla\Profiles\default\2ox5379o.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft® JavaScript® Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {01280621-95A5-45B6-98D8-C9644E0B95B3} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://www.exstream.to/tulip/cab/3,0,5,19/TulipPlayer2.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT(c) SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe

===================================
Quick Question: Was I supposed to be in "Safe Mode" while I followed the instructions on your last post? Because I was in "Normal mode".
 

·
Registered
Joined
·
747 Posts
Hi How'sdatgo,

Copy the part in bold below into notepad and save it as AVGoldfix.reg
Set Filetype to All Files and save it somewhere easy to find. We will use it later.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold]


Then, download Killbox:
  • Click Here to download Killbox by Option^Explicit.
  • Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
  • In the killbox program, select the Delete on Reboot option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\Windows\System32\winnook.exe
    C:\Windows\screen.html
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
  • If the computer does not reboot by itself, do it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Then, doubleclick the AVGoldfix.reg we made earlier.

Then, in the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info"

Then, reboot and post a fresh HijackThis log.
 
1 - 20 of 41 Posts
Status
Not open for further replies.
Top