954,249 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
7 Years Ago
0

Please Help! I have a big Spyware Problem

I cannot install or uninstall anything at all. The progress bar stays at 0%. I believe this a spyware or maybe even a virus. I have tried SpyBot and a few other Spyware programs, and i've deleted all I could find. But after every scan, more come. I tried loading in safe mode, but i can't do anything that way, everything is so limited. Please help as this is one of my most desperate times. :cry: :sad:

P.S. I added a picture of my Task Manager

Attachments Procces.JPG 145.07KB
XpTech
Newbie Poster
7 posts since Jul 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

I know you allready ran some of these ,just do the ones you haven't used yet.
...............................................................................
Download and run this fully working 30 day trial version Trojan Hunter.
http://www.misec.net/trojanhunter/?aff=12129
.........................................................................................................
Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

Then these 2 programs .
Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Setup Ad-Aware .
After installing AAW, and before running the program, update reference files by using the bottom right button in the program, labeled "Check for Updates."

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed
.................................................
Increase the strength of Ad-Aware by installing the VX2 Cleaner plug-in.
Close Ad-Aware 6.
Download the free VX2 Cleaner here.
Install the VX2 Cleaner.
Start Ad-Aware and click on "Plug-ins".
Select the VX2 Cleaner plug-in and click "Run Plugin".
If your computer isn’t infected, click "Close".
If your computer is infected:
Select "Clean System".
Reboot your computer.
Scan your computer with Ad-Aware.
Remove any VX2 objects detected.
Reboot your computer again.
Run a second scan to make sure the files have been removed from your computer.
.................................................................
Download SPYBOT

After installing Spybot S&D, update it by using the "Update" button on the left panel of the program. Search for updates and download anything it finds

How to setup Ad-Aware and Spy-Bot S&D Check my signature for details

And after that, please do the following:

........................................................................
Get The latest Version of Hijackthis 1.98

Download 'Hijack This!'. HERE
Download link is on the left

Unzip (extract) it to a folder of its own.Like c:\HJT\hijackthis.exe ,

Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save

Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. for

hijackthis,most of what it lists will be harmless or even essential,

don't fix anything yet.

Reboot and post a new log

............................................................................................................

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
7 Years Ago
0

Thanks for your help, I did everything you told me (scanned with ad-aware, spybot...etc.)

And here is the current hijackthis log

Logfile of HijackThis v1.97.7
Scan saved at 6:09:29 PM, on 8/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\winlog.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\winel.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\ALGATEWAY.EXE
C:\WINDOWS\mfcsn32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Microsoft Works\wkswp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlsuw.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xlsuw.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xlsuw.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlsuw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xlsuw.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xlsuw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ptgstototpfcbn.com/6VTa9fLZangysiBhGkuU3eARtgq_dl2woVeeUfPKKj6YVncuINyvATg0TCA33w_s.jpg
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.pqsgygfubztbdglz.com/6VTa9fLZanhuDaMSZAjaTMcg9Bo7OPZC/i1MxMndAfQ.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Behzad Malekian\Application Data\Mozilla\Profiles\default\0wge8c5n.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Behzad Malekian\Application Data\Mozilla\Profiles\default\0wge8c5n.slt\prefs.js)
O2 - BHO: (no name) - {7EFD4A6B-37E1-C72F-2816-ABB5899646D5} - C:\WINDOWS\system32\javazt32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Dvd Dash] C:\PROGRA~1\SUPPOR~1\drvwarnhide.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ManagerOnceMapiAcid] C:\Documents and Settings\All Users\Application Data\poll ace manager once\Movestyle.exe
O4 - HKLM\..\Run: [Application Layer Gateway] ALGATEWAY.EXE
O4 - HKLM\..\Run: [mfcsn32.exe] C:\WINDOWS\mfcsn32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Login] winlog.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [Windows Login] winlog.exe
O4 - HKLM\..\RunServices: [WUPDATE16] wupdate16.exe
O4 - HKLM\..\RunServices: [virsscan] C:\WINDOWS\System32\WinT\scsaver.exe
O4 - HKLM\..\RunServices: [Virtual System Monitor] pmfdsd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [winel.exe] C:\WINDOWS\system32\winel.exe
O4 - HKLM\..\RunOnce: [addkx.exe] C:\WINDOWS\addkx.exe
O4 - HKLM\..\RunOnce: [iesk.exe] C:\WINDOWS\system32\iesk.exe
O4 - HKLM\..\RunOnce: [atlql.exe] C:\WINDOWS\atlql.exe
O4 - HKLM\..\RunOnce: [mfcmo.exe] C:\WINDOWS\mfcmo.exe
O4 - HKLM\..\RunOnce: [mfclh.exe] C:\WINDOWS\mfclh.exe
O4 - HKLM\..\RunOnce: [addtb32.exe] C:\WINDOWS\addtb32.exe
O4 - HKLM\..\RunOnce: [crmj.exe] C:\WINDOWS\system32\crmj.exe
O4 - HKLM\..\RunOnce: [ipos32.exe] C:\WINDOWS\system32\ipos32.exe
O4 - HKLM\..\RunOnce: [sdkwi.exe] C:\WINDOWS\sdkwi.exe
O4 - HKLM\..\RunOnce: [netwd32.exe] C:\WINDOWS\system32\netwd32.exe
O4 - HKLM\..\RunOnce: [apiyf32.exe] C:\WINDOWS\system32\apiyf32.exe
O4 - HKLM\..\RunOnce: [ipbh32.exe] C:\WINDOWS\ipbh32.exe
O4 - HKLM\..\RunOnce: [mfclx32.exe] C:\WINDOWS\mfclx32.exe
O4 - HKLM\..\RunOnce: [winwj.exe] C:\WINDOWS\system32\winwj.exe
O4 - HKLM\..\RunOnce: [ntqr.exe] C:\WINDOWS\system32\ntqr.exe
O4 - HKLM\..\RunOnce: [apple.exe] C:\WINDOWS\apple.exe
O4 - HKLM\..\RunOnce: [ntqb32.exe] C:\WINDOWS\ntqb32.exe
O4 - HKLM\..\RunOnce: [ntoi32.exe] C:\WINDOWS\ntoi32.exe
O4 - HKLM\..\RunOnce: [addoh32.exe] C:\WINDOWS\addoh32.exe
O4 - HKLM\..\RunOnce: [crus.exe] C:\WINDOWS\system32\crus.exe
O4 - HKLM\..\RunOnce: [atlti32.exe] C:\WINDOWS\atlti32.exe
O4 - HKLM\..\RunOnce: [mfcso32.exe] C:\WINDOWS\mfcso32.exe
O4 - HKLM\..\RunOnce: [atlpz32.exe] C:\WINDOWS\atlpz32.exe
O4 - HKLM\..\RunOnce: [ienu.exe] C:\WINDOWS\system32\ienu.exe
O4 - HKLM\..\RunOnce: [crvh.exe] C:\WINDOWS\crvh.exe
O4 - HKLM\..\RunOnce: [ipip32.exe] C:\WINDOWS\ipip32.exe
O4 - HKLM\..\RunOnce: [crin.exe] C:\WINDOWS\system32\crin.exe
O4 - HKLM\..\RunOnce: [crbe.exe] C:\WINDOWS\crbe.exe
O4 - HKLM\..\RunOnce: [addgs.exe] C:\WINDOWS\addgs.exe
O4 - HKLM\..\RunOnce: [mfcnd.exe] C:\WINDOWS\system32\mfcnd.exe
O4 - HKLM\..\RunOnce: [apiun.exe] C:\WINDOWS\apiun.exe
O4 - HKLM\..\RunOnce: [winrn.exe] C:\WINDOWS\winrn.exe
O4 - HKLM\..\RunOnce: [apioz32.exe] C:\WINDOWS\system32\apioz32.exe
O4 - HKLM\..\RunOnce: [sdkea32.exe] C:\WINDOWS\system32\sdkea32.exe
O4 - HKLM\..\RunOnce: [mfcdf32.exe] C:\WINDOWS\system32\mfcdf32.exe
O4 - HKLM\..\RunOnce: [addza32.exe] C:\WINDOWS\addza32.exe
O4 - HKLM\..\RunOnce: [atllf32.exe] C:\WINDOWS\atllf32.exe
O4 - HKLM\..\RunOnce: [sdkql.exe] C:\WINDOWS\sdkql.exe
O4 - HKCU\..\RunOnce: [Application Layer Gateway] ALGATEWAY.EXE
O8 - Extra context menu item: &Download by Morgul - C:\Program Files\Morgul\ieext_cp.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Register in Morgul - C:\Program Files\Morgul\ieext_reg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: SWF Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} - http://mars.installshield.com/is/x/1001/windows/premier/eval/oci/setup.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04f7748dcf2f183d5306/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4371/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E0F062A-3101-4071-AAB7-FAA02AA33D70}: NameServer = 206.141.192.60,206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DB9E277-DC49-4839-94B6-F59C009A7BD6}: NameServer = 206.141.192.60 206.141.193.55


I am really appreciating your help, thanks

XpTech
Newbie Poster
7 posts since Jul 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

WOW! ,I can't believe that you computer is running!A number of issues ,I summoned help from our Resident expert ,Crunchie ,please stand By!thanks
You could run a free online virus scan while you are waiting .Check to auto fix and then scan .Here
http://housecall.trendmicro.com/housecall/start_corp.asp

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
7 Years Ago
0

Thanks, I'll be scanning and waiting.

XpTech
Newbie Poster
7 posts since Jul 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Hi. First of all you need to update hijackthis to version 1.98.1 Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. Remove 1.97 from the folder it is in & replace it with 1.98.1.

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop. Do not run yet.

Please go here for Wintools removal instructions.

When done please open Task Manager & end process on the following;
winlog.exe
winel.exe
ALGATEWAY.EXE
mfcsn32.exe

Then delete these files manually;

C:\WINDOWS\System32\winlog.exe
C:\WINDOWS\system32\winel.exe
C:\WINDOWS\System32\ALGATEWAY.EXE
C:\WINDOWS\mfcsn32.exe

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.pqsgygfubztbdglz.com/6VTa9fLZanhuDaMSZAjaTMcg9Bo7OPZC/i1MxMndAfQ.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Behzad Malekian\Application Data\Mozilla\Profiles\default\0wge8c5n.slt\prefs.js)

O2 - BHO: (no name) - {7EFD4A6B-37E1-C72F-2816-ABB5899646D5} - C:\WINDOWS\system32\javazt32.dll

Is this next one legitimate? If not, have HJT fix it.
O4 - HKLM\..\Run: [Dvd Dash] C:\PROGRA~1\SUPPOR~1\drvwarnhide.exe

O4 - HKLM\..\Run: [ManagerOnceMapiAcid] C:\Documents and Settings\All Users\Application Data\poll ace manager once\Movestyle.exe
O4 - HKLM\..\Run: [Application Layer Gateway] ALGATEWAY.EXE
O4 - HKLM\..\Run: [mfcsn32.exe] C:\WINDOWS\mfcsn32.exe
O4 - HKLM\..\Run: [Windows Login] winlog.exe
O4 - HKLM\..\RunServices: [Windows Login] winlog.exe
O4 - HKLM\..\RunServices: [WUPDATE16] wupdate16.exe
O4 - HKLM\..\RunServices: [virsscan] C:\WINDOWS\System32\WinT\scsaver.exe
O4 - HKLM\..\RunServices: [Virtual System Monitor] pmfdsd.exe
O4 - HKLM\..\RunOnce: [winel.exe] C:\WINDOWS\system32\winel.exe
O4 - HKLM\..\RunOnce: [addkx.exe] C:\WINDOWS\addkx.exe
O4 - HKLM\..\RunOnce: [iesk.exe] C:\WINDOWS\system32\iesk.exe
O4 - HKLM\..\RunOnce: [atlql.exe] C:\WINDOWS\atlql.exe
O4 - HKLM\..\RunOnce: [mfcmo.exe] C:\WINDOWS\mfcmo.exe
O4 - HKLM\..\RunOnce: [mfclh.exe] C:\WINDOWS\mfclh.exe
O4 - HKLM\..\RunOnce: [addtb32.exe] C:\WINDOWS\addtb32.exe
O4 - HKLM\..\RunOnce: [crmj.exe] C:\WINDOWS\system32\crmj.exe
O4 - HKLM\..\RunOnce: [ipos32.exe] C:\WINDOWS\system32\ipos32.exe
O4 - HKLM\..\RunOnce: [sdkwi.exe] C:\WINDOWS\sdkwi.exe
O4 - HKLM\..\RunOnce: [netwd32.exe] C:\WINDOWS\system32\netwd32.exe
O4 - HKLM\..\RunOnce: [apiyf32.exe] C:\WINDOWS\system32\apiyf32.exe
O4 - HKLM\..\RunOnce: [ipbh32.exe] C:\WINDOWS\ipbh32.exe
O4 - HKLM\..\RunOnce: [mfclx32.exe] C:\WINDOWS\mfclx32.exe
O4 - HKLM\..\RunOnce: [winwj.exe] C:\WINDOWS\system32\winwj.exe
O4 - HKLM\..\RunOnce: [ntqr.exe] C:\WINDOWS\system32\ntqr.exe
O4 - HKLM\..\RunOnce: [apple.exe] C:\WINDOWS\apple.exe
O4 - HKLM\..\RunOnce: [ntqb32.exe] C:\WINDOWS\ntqb32.exe
O4 - HKLM\..\RunOnce: [ntoi32.exe] C:\WINDOWS\ntoi32.exe
O4 - HKLM\..\RunOnce: [addoh32.exe] C:\WINDOWS\addoh32.exe
O4 - HKLM\..\RunOnce: [crus.exe] C:\WINDOWS\system32\crus.exe
O4 - HKLM\..\RunOnce: [atlti32.exe] C:\WINDOWS\atlti32.exe
O4 - HKLM\..\RunOnce: [mfcso32.exe] C:\WINDOWS\mfcso32.exe
O4 - HKLM\..\RunOnce: [atlpz32.exe] C:\WINDOWS\atlpz32.exe
O4 - HKLM\..\RunOnce: [ienu.exe] C:\WINDOWS\system32\ienu.exe
O4 - HKLM\..\RunOnce: [crvh.exe] C:\WINDOWS\crvh.exe
O4 - HKLM\..\RunOnce: [ipip32.exe] C:\WINDOWS\ipip32.exe
O4 - HKLM\..\RunOnce: [crin.exe] C:\WINDOWS\system32\crin.exe
O4 - HKLM\..\RunOnce: [crbe.exe] C:\WINDOWS\crbe.exe
O4 - HKLM\..\RunOnce: [addgs.exe] C:\WINDOWS\addgs.exe
O4 - HKLM\..\RunOnce: [mfcnd.exe] C:\WINDOWS\system32\mfcnd.exe
O4 - HKLM\..\RunOnce: [apiun.exe] C:\WINDOWS\apiun.exe
O4 - HKLM\..\RunOnce: [winrn.exe] C:\WINDOWS\winrn.exe
O4 - HKLM\..\RunOnce: [apioz32.exe] C:\WINDOWS\system32\apioz32.exe
O4 - HKLM\..\RunOnce: [sdkea32.exe] C:\WINDOWS\system32\sdkea32.exe
O4 - HKLM\..\RunOnce: [mfcdf32.exe] C:\WINDOWS\system32\mfcdf32.exe
O4 - HKLM\..\RunOnce: [addza32.exe] C:\WINDOWS\addza32.exe
O4 - HKLM\..\RunOnce: [atllf32.exe] C:\WINDOWS\atllf32.exe
O4 - HKLM\..\RunOnce: [sdkql.exe] C:\WINDOWS\sdkql.exe
O4 - HKCU\..\RunOnce: [Application Layer Gateway] ALGATEWAY.EXE

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.8.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04f7748dcf2f18...ip/RdxIE601.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\Windows\System32\wsaupdater.exe-file
C:\PROGRA~1\SUPPOR~1-folder (If not legitimate)
C:\Documents and Settings\All Users\Application Data\poll ace manager once-folder
C:\WINDOWS\System32\WinT-folder

C:\WINDOWS\addkx.exe
C:\WINDOWS\system32\iesk.exe
C:\WINDOWS\atlql.exe
C:\WINDOWS\mfcmo.exe
C:\WINDOWS\mfclh.exe
C:\WINDOWS\addtb32.exe
C:\WINDOWS\system32\crmj.exe
C:\WINDOWS\system32\ipos32.exe
C:\WINDOWS\sdkwi.exe
C:\WINDOWS\system32\netwd32.exe
C:\WINDOWS\system32\apiyf32.exe
C:\WINDOWS\ipbh32.exe
C:\WINDOWS\mfclx32.exe
C:\WINDOWS\system32\winwj.exe
C:\WINDOWS\system32\ntqr.exe
C:\WINDOWS\apple.exe
C:\WINDOWS\ntqb32.exe
C:\WINDOWS\ntoi32.exe
C:\WINDOWS\addoh32.exe
C:\WINDOWS\system32\crus.exe
C:\WINDOWS\atlti32.exe
C:\WINDOWS\mfcso32.exe
C:\WINDOWS\atlpz32.exe
C:\WINDOWS\system32\ienu.exe
C:\WINDOWS\crvh.exe
C:\WINDOWS\ipip32.exe
C:\WINDOWS\system32\crin.exe
C:\WINDOWS\crbe.exe
C:\WINDOWS\addgs.exe
C:\WINDOWS\system32\mfcnd.exe
C:\WINDOWS\apiun.exe
C:\WINDOWS\winrn.exe
C:\WINDOWS\system32\apioz32.exe
C:\WINDOWS\system32\sdkea32.exe
C:\WINDOWS\system32\mfcdf32.exe
C:\WINDOWS\addza32.exe
C:\WINDOWS\atllf32.exe
C:\WINDOWS\sdkql.exe

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Still in safe mode, do the following;

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode.

Can you download the following app.
VX2Finder
Reboot and stay off the internet until the entire procedure is complete.

1.) Run Vx2Finder click on the 'Click to find VX2.BetterInternet' button.
2.) Then click 'make log'.
3.) Highlight all the files and click the 'Delete these files' button.
4.) You will be left with notice about one to be deleted on reboot.
5.) Reboot
6.) Run VX2Finder again and click on these buttons in the right pane:
- user agent
- Guardian.reg
- restore policy
7.) Exit and reboot once more.
8.) Run VX2Finder again click on the 'Click to Find VX2.BetterInternet' Button.
9.) Click 'Make Log'
10.) Post the first log and the second log in your next thread with another hijackthis log.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Thanks for your help ;)

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---


Logfile of HijackThis v1.98.1
Scan saved at 12:25:59 PM, on 8/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\ipho.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Behzad Malekian\Desktop\VX2Finder(126).exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.docdtyxppyzptosc.net/6VTa9fLZangysiBhGkuU3eARtgq_dl2woVeeUfPKKj4oLXDZZIgLezg0TCA33w_s.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Behzad Malekian\Application Data\Mozilla\Profiles\default\0wge8c5n.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Behzad Malekian\Application Data\Mozilla\Profiles\default\0wge8c5n.slt\prefs.js)
O2 - BHO: (no name) - {EB88038F-9FCA-144C-1828-0E3D30A95BAB} - C:\WINDOWS\system32\addnt32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Login] winlog.exe
O4 - HKLM\..\RunServices: [Windows Login] winlog.exe
O4 - HKLM\..\RunOnce: [atlsf32.exe] C:\WINDOWS\atlsf32.exe
O4 - HKLM\..\RunOnce: [mfcph32.exe] C:\WINDOWS\system32\mfcph32.exe
O4 - HKLM\..\RunOnce: [addkx.exe] C:\Windows\addkx.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Download by Morgul - C:\Program Files\Morgul\ieext_cp.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Register in Morgul - C:\Program Files\Morgul\ieext_reg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {F497ADFA-4C56-441D-BE6B-1FDD26D5045C} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} - http://mars.installshield.com/is/x/1001/windows/premier/eval/oci/setup.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04f7748dcf2f183d5306/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4371/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E0F062A-3101-4071-AAB7-FAA02AA33D70}: NameServer = 206.141.192.60,206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DB9E277-DC49-4839-94B6-F59C009A7BD6}: NameServer = 206.141.192.60 206.141.193.55
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

XpTech
Newbie Poster
7 posts since Jul 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Reboot into safe mode following the instructions here & Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.docdtyxppyzptosc.net/6VT...g0TCA33w_s.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {EB88038F-9FCA-144C-1828-0E3D30A95BAB} - C:\WINDOWS\system32\addnt32.dll (file missing)

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll (file missing)

O4 - HKLM\..\Run: [Windows Login] winlog.exe
O4 - HKLM\..\RunServices: [Windows Login] winlog.exe
O4 - HKLM\..\RunOnce: [atlsf32.exe] C:\WINDOWS\atlsf32.exe
O4 - HKLM\..\RunOnce: [mfcph32.exe] C:\WINDOWS\system32\mfcph32.exe
O4 - HKLM\..\RunOnce: [addkx.exe] C:\Windows\addkx.exe

These are still there too, so remove them also;

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.8.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04f7748dcf2f18...ip/RdxIE601.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

navigate to & delete the following if found:

C:\WINDOWS\System32\winlog.exe
C:\WINDOWS\ipho.exe
C:\WINDOWS\atlsf32.exe
C:\WINDOWS\system32\mfcph32.exe
C:\Windows\addkx.exe

Reboot normally after doing the above then post a fresh log please.

Go here for an on-line scan & set it to autoclean for you.
Try this scan as well.

Did VX2 finder find anything?

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

The VX2 Finder Didn't Find Anything. I am still vius scanning with PandaActiveScan. TrendMicro just froze everytime I tried it. Here is the current hijackthis log

C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.pjokpuvbjvfnjdqwkmez.com/6VTa9fLZangysiBhGkuU3eARtgq_dl2woVeeUfPKKj4dSyc9P4iyVzg0TCA33w_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Behzad Malekian\Application Data\Mozilla\Profiles\default\0wge8c5n.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Behzad Malekian\Application Data\Mozilla\Profiles\default\0wge8c5n.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dvd Dash] C:\PROGRA~1\SUPPOR~1\drvwarnhide.exe
O4 - HKLM\..\Run: [winlogin] C:\WINDOWS\System32\winlogin.exe
O4 - HKLM\..\RunServices: [Windows Login] winlog.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Download by Morgul - C:\Program Files\Morgul\ieext_cp.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Register in Morgul - C:\Program Files\Morgul\ieext_reg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {F497ADFA-4C56-441D-BE6B-1FDD26D5045C} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} - http://mars.installshield.com/is/x/1001/windows/premier/eval/oci/setup.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4371/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E0F062A-3101-4071-AAB7-FAA02AA33D70}: NameServer = 206.141.192.60,206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DB9E277-DC49-4839-94B6-F59C009A7BD6}: NameServer = 206.141.192.60 206.141.193.55
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll


Thanks For Your Help, My PC has improved a lot, but it is still kinda slow, and it takes for ever for it to load my desktop, and I only have one startup item.

XpTech
Newbie Poster
7 posts since Jul 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Thought I had replied to this yesterday :o . Doesn't look like a full log. Please reboot in normal mode & rescan with HJT & post the log again.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Logfile of HijackThis v1.98.1
Scan saved at 10:40:35 PM, on 8/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\ipho.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\winlogin.exe
C:\Program Files\AIM\aim.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.pjokpuvbjvfnjdqwkmez.com/6VTa9fLZangysiBhGkuU3eARtgq_dl2woVeeUfPKKj4dSyc9P4iyVzg0TCA33w_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Behzad Malekian\Application Data\Mozilla\Profiles\default\0wge8c5n.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Behzad Malekian\Application Data\Mozilla\Profiles\default\0wge8c5n.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dvd Dash] C:\PROGRA~1\SUPPOR~1\drvwarnhide.exe
O4 - HKLM\..\Run: [winlogin] C:\WINDOWS\System32\winlogin.exe
O4 - HKLM\..\RunServices: [Windows Login] winlog.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Download by Morgul - C:\Program Files\Morgul\ieext_cp.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Register in Morgul - C:\Program Files\Morgul\ieext_reg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {F497ADFA-4C56-441D-BE6B-1FDD26D5045C} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} - http://mars.installshield.com/is/x/1001/windows/premier/eval/oci/setup.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4371/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E0F062A-3101-4071-AAB7-FAA02AA33D70}: NameServer = 206.141.192.60,206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DB9E277-DC49-4839-94B6-F59C009A7BD6}: NameServer = 206.141.192.60 206.141.193.55
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

XpTech
Newbie Poster
7 posts since Jul 2004
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Open Task Manager & end process on the following;
ipho.exe
winlogin.exe

Then delete those files manually.

C:\WINDOWS\ipho.exe
C:\WINDOWS\System32\winlogin.exe

Reboot into safe mode & have nothing else running except for hijackthis then;
Rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/in.../www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.pjokpuvbjvfnjdqwkmez.com...g0TCA33w_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

O4 - HKLM\..\Run: [winlogin] C:\WINDOWS\System32\winlogin.exe
O4 - HKLM\..\RunServices: [Windows Login] winlog.exe

Reboot normally after doing the above then post a fresh log please.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 

This article has been dead for over three months

Post: Markdown Syntax: Formatting Help
You
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed