Oh, there's a lot more than that going on...
!! Please print out these instructions, as you will have to disconnect from the Internet for parts of this procedure.
1. Download and run LSPFix. When LSPFix opens:
- put a check in the "I know what I am doing" box.
- highlight "dolsp.dll" (and only dolsp.dll!) in the Keep list.
- click the ">>" button to move dolsp.dll to the Remove list.
- click "Finish"
- click OK to close the program.
2. Download CWShredder. Open the program and:
- Click "Fix"
- Click "OK" in the resulting "CWShredder will shut down..." dialog. CWShredder will then start scanning and fixing.
- When the program has finished scanning, click "Next" and then "Finish" to exit.
3. Download L2mfix, save it on your desktop, but don't run it yet.
4. Run HijackThis again and fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbatesrun.exe /cp:p
O4 - HKLM\..\Run: [dnsw] C:\WINDOWS\Microsoft.NET\dnsw.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ytwelp.exe
O4 - HKLM\..\Run: [zc8264de] C:\Program Files\zc8264de\zc8264de.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\system32\netsync.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [iddvkg] c:\windows\system32\iddvkg.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [jwz] C:\WINDOWS\jwz.exe
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD2.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [180ax] c:\windows\temp\180ax.exe
O4 - HKLM\..\Run: [qhulypmv] C:\WINDOWS\qhulypmv.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZNxmk279BBUS
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...ab/1w2fcksh.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d...ler_VENDARE.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1489a12...ip/RdxIE601.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50222/QDow_AS2.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.dll
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\m082lalo1dqc.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
5. Turn off XP's System Restore feature. Instructions are here.
6. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Delete the following folders entirely:
C:\Program Files\WebSavingsfromEbates
C:\Program Files\TV Media
C:\Program Files\WindowsSA
C:\Program Files\zc8264de
C:\Program Files\WhenUSearch
C:\Program Files\Web_Rebates
C:\Program Files\MyWebSearch
- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):
Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!
1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5
- Delete the entire content of your C:\Windows\Temp folder.
Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.
- Empty your Recycle Bin.
- Reboot normally.
7. Run L2mfix now:
- Double click l2mfix.exe.
- Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
- Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening.
- After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
8. Run HJT again, and post a new log along with the L2mfix log.
DMR
Wombat At Large
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
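Added example (not part of DMR's post, and not HijackThis or L2mfix code): a short Python script that triages a HijackThis-style log for the same classes of entry the instructions above tell the poster to fix, so the pattern behind the long "fix these" list is visible: search pages pointed at untrusted hosts (R0/R1), hosts-file redirection of search domains (O1), an extra program chained onto UserInit (F2), autostarts running from Temp or under machine-generated names (O4), LSP files HijackThis does not recognise (O10), a Winlogon Notify DLL with a random name (O20) and a service whose file is missing (O23). The trusted-host allowlists and the name heuristic are assumptions for illustration, not vendor lists, and the sample log is constructed from lines in the posted log plus two benign lines for contrast; anything the script flags still needs a human to confirm before it is removed.

```python
import re
from urllib.parse import urlparse

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

# Assumed allowlist of hosts that may legitimately serve IE's search/start pages.
TRUSTED_SEARCH = {"www.microsoft.com", "search.msn.com", "www.google.com"}
# Search-related hostnames that a clean hosts file never maps to a foreign IP.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
INTERLEAVED_DIGITS = re.compile(r"[a-z]\d+[a-z]|^\d+[a-z]")


def looks_generated(filename):
    """Crude heuristic (assumption) for machine-generated names such as ap9h4qmo.exe:
    digits mixed into the letters, or fewer than one vowel per four characters."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 5:
        return False
    if INTERLEAVED_DIGITS.search(stem):
        return True
    vowels = sum(stem.count(v) for v in "aeiou")
    return vowels / len(stem) < 0.25


def run_target(body):
    """Extract the executable path from an O4 entry body ("[Name] path args")."""
    rest = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
    rest = rest.strip()
    if rest.startswith('"'):  # quoted path; arguments follow the closing quote
        return rest[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", rest, re.IGNORECASE)  # unquoted paths may contain spaces
    return m.group(1) if m else rest.split(" ")[0]


def triage_line(line):
    """Return (section, reason) when an entry looks hijacked, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and " = " in body:
        url = body.split(" = ", 1)[1].strip()
        host = urlparse(url if "://" in url else "http://" + url).hostname or ""
        if host not in TRUSTED_SEARCH:
            return sec, f"IE search/start page points at {host}"
    elif sec == "O1" and body.startswith("Hosts: "):
        parts = body.split()
        if len(parts) >= 3 and parts[2] in SEARCH_HOSTS and parts[1] != "127.0.0.1":
            return sec, f"hosts file redirects {parts[2]} to {parts[1]}"
    elif sec == "F2" and "UserInit=" in body:
        progs = [p for p in body.split("UserInit=", 1)[1].split(",") if p]
        extra = [p for p in progs if not p.lower().endswith("\\userinit.exe")]
        if extra:
            return sec, "UserInit chains extra program(s): " + ", ".join(extra)
    elif sec == "O4":
        path = run_target(body)
        if TEMP_DIR.search(path):
            return sec, f"autostart runs from a Temp directory: {path}"
        if looks_generated(path.rsplit("\\", 1)[-1]):
            return sec, f"autostart with machine-generated name: {path}"
    elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
        return sec, "unrecognised Winsock LSP: " + body.rsplit(": ", 1)[-1]
    elif sec == "O20" and looks_generated(body.rsplit("\\", 1)[-1]):
        return sec, "Winlogon Notify DLL with machine-generated name: " + body
    elif sec == "O23" and "(file missing)" in body:
        return sec, "service points at a file that no longer exists: " + body
    return None


def triage_log(text):
    """Run triage_line over every line; returns the flagged entries in log order."""
    return [v for v in (triage_line(ln) for ln in text.splitlines()) if v]


# Constructed sample: entries copied from the posted log plus two benign lines
# (an IE default page and a common vendor autostart) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD2.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\m082lalo1dqc.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

if __name__ == "__main__":
    for sec, reason in triage_log(SAMPLE_LOG):
        print(f"{sec:4} {reason}")
```

Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file's contents. The name heuristic is deliberately loose (it will also flag some terse legitimate names), which is the right trade-off for a triage pass: it is cheap to dismiss a false positive, and a dropped binary like ap9h4qmo.exe should never slip through as "looks normal".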
Yeah, there was so much, but I didn't have time to finish.
No kidding, I know the feeling!
I can feel myself aging while I'm analyzing logs lately; the new versions of these "nasties" are just taking more and more effort to weed out. :(
DMR