0

Here is the log


Logfile of HijackThis v1.97.7

Scan saved at 7:35:59 PM, on 9/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\WindUpdates\WinUpdt.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

C:\Program Files\Common files\updater\wupdater.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\javaao32.exe

C:\WINDOWS\System32\RUNDLL32.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\WINDOWS\System32\SahAgent.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Common Files\WinTools\WToolsA.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\WindUpdates\WinKA.exe

C:\Documents and Settings\user\Application Data\patn.exe

C:\WINDOWS\System32\??oolsv.exe

C:\PROGRA~1\Web Offer\wo.exe

C:\Program Files\AIM\aim.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\WINDOWS\system32\javaeh32.exe

C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe

C:\WINDOWS\System32\WScript.exe

C:\Program Files\America Online 9.0\waol.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\WinTools\WToolsS.exe

C:\Program Files\Common Files\WinTools\WSup.exe

C:\Program Files\America Online 9.0\shellmon.exe

C:\Program Files\Common Files\Aol\aoltpspd.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Toolbar\TBPS.exe

C:\PROGRA~1\Toolbar\PIB.exe

C:\Program Files\AOL Companion\companion.exe

C:\Program Files\BitTorrent\btdownloadgui.exe

C:\Documents and Settings\user\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50188

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnpmg.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wnpmg.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnpmg.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnpmg.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wnpmg.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

O1 - Hosts: 81.211.105.69 lender-search.com

O1 - Hosts: 81.211.105.68 hot-searches.com

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll

O2 - BHO: (no name) - {C8BB1A0B-3BD8-621D-0F8F-1519A8738D3E} - C:\WINDOWS\system32\apisl.dll

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [rxvesryq] C:\WINDOWS\System32\ldimxt.exe

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [javaao32.exe] C:\WINDOWS\javaao32.exe

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [Tstt] C:\Documents and Settings\user\Application Data\patn.exe

O4 - HKCU\..\Run: [Gpsbl] C:\WINDOWS\System32\??oolsv.exe

O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Startup: Snsicon.lnk = C:\SLIDESHW\Snsicon.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe

O4 - Global Startup: Search.vbs

O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm47533

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: AOL Toolbar (HKLM)

O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: WeatherBug (HKCU)

O10 - Hijacked Internet access by New.Net

O10 - Broken Internet access because of LSP provider 'lsp.dll' missing

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.05p.com

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.scoobidoo.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.xxxtoolbar.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=4ff5c7fab0c65e932eaa5dc98deadd8dc28470e1370cfc64cbe012acfd59df5f1ac4e42e1fb14b1633b0e8258af195b728572a7d1705ab00aa0a01510ef96bf0:872f1e63d289d95ca7ec47c4891aa171

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_serial.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D03A1C33-1913-4533-A8C1-F2C8D13045DE} - http://www.cjb.net/search.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{923484E2-115C-4CD5-9BB6-F8316AC3052A}: NameServer = 205.188.146.146

5
Contributors
27
Replies
28
Views
13 Years
Discussion Span
Last Post by crunchie
0

Here is the log

You have been clobbered, but good. I count at least six malware programs, maybe more.

Start by running Spybot - Search & Destroy to get rid of as many of them as possible automatically. Make sure that it is v1.3 and up-to-date (it updates itself during installation, but you have to be on-line). Also, your HijackThis version needs an update (note: embedded links).

Once you have run Spybot - Search & Destroy and the new version of HijackThis, post the new list and we will provide further assistance

0

here is some stuff that sounds suspicous and remember to make a restore point before removing things with hjt. Next time don't space it out that is ridiculous, don't run bittorrent while scanning, and do a ad-aware scan, spybot S&D scan, and a virus scan before posting your hjt log.

C:\WINDOWS\System32\??oolsv.exe
C:\PROGRA~1\Web Offer\wo.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm47533
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: WeatherBug (HKCU)
O10 - Hijacked Internet access by New.Net
O4 - HKCU\..\Run: [Gpsbl] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe


O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com

0

Here is the log

You, too, have been clobbered pretty hard.

Start by running Spybot - Search & Destroy to get rid of as many of them as possible automatically. Make sure that it is v1.3 and up-to-date (it updates itself during installation, but you have to be on-line). Also, your HijackThis version needs an update (note: embedded links).

Once you have run Spybot - Search & Destroy and the new version of HijackThis, post the new list and we will provide further assistance

Here's the bad stuff. Understand that you may not be able to fix it all with HijackThis--a follow-up search on Google may be in order. for example, Tvm.exe.

Also, note the filenames with paths for the stuff you disable here so you can delete the files later.

There are several hijackers that manipulate your TCP/IP stack in such a way that removal of the infecting software leaves a gap. Think of it as a chain with a broken link. The fix may lie in a utility called LSPFix which can repair the TCP/IP stack.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50188
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnpmg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wnpmg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnpmg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnpmg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wnpmg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50188
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
O2 - BHO: (no name) - {C8BB1A0B-3BD8-621D-0F8F-1519A8738D3E} - C:\WINDOWS\system32\apisl.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [rxvesryq] C:\WINDOWS\System32\ldimxt.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [javaao32.exe] C:\WINDOWS\javaao32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Tstt] C:\Documents and Settings\user\Application Data\patn.exe
O4 - HKCU\..\Run: [Gpsbl] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: Search.vbs
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm47533
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=4ff5c7fab0c65e932eaa5dc98deadd8dc28470e1370cfc64cbe012acfd59df5f1ac4e42e1fb14b1633b0e8258af195b728572a7d1705ab00aa0a01510ef96bf0:872f1e63d289d95ca7ec47c4891aa171
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_serial.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

0

Logfile of HijackThis v1.97.7
Scan saved at 2:43:49 AM, on 10/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winad Client\Winad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Winad Client\WinClt.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\user\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-414456544F4E} - C:\WINDOWS\System32\ADV.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll (file missing)
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Advanced Search - {9EAC0102-5E61-2312-BC2D-414456544F4E} - C:\WINDOWS\System32\ADV.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185XXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{923484E2-115C-4CD5-9BB6-F8316AC3052A}: NameServer = 205.188.146.146


anybody can help me with this thanks

0

Go to add\remove programs & uninstall the following:
Mywebsearch
Web_Rebates

Go to http://www.accs-net.com/smallfish/comet.htm for removal instructions for Comet.

Please go here for Wintools removal instructions.

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan

2.Close ALL windows except Ad-Aware SE

3. Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to udate outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include addtional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot


Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile


5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’

*Choose:'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware SE found

Download & instal Spybot S&D 1.3 from here. Update it before scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. This program will prevent the install of bad activex controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot

Update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.

Reboot & post a new log.

0

dude why did you tell me to install Ad-Aware SE,It messed up my desktop my display.It took up everything with a html here is the script even more problems

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!----
***** This file is automatically generated by Microsoft Windows *****
--------><HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY
style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none"
bottomMargin=0 bgColor=#004e98 leftMargin=0 background="" topMargin=0
rightMargin=0>
<DIV
style="LEFT: 0px; WIDTH: 800px; POSITION: absolute; TOP: 0px; HEIGHT: 600px"><IMG
style="LEFT: 0px; WIDTH: 100%; POSITION: absolute; TOP: 0px; HEIGHT: 100%" cache
src="file:///C:/WINDOWS/Prairie%20Wind.bmp"> </DIV><IFRAME id=0
style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 800px; POSITION: absolute; TOP: 1px; HEIGHT: 569px"
name=DeskMovrW marginWidth=0 marginHeight=0
src="file:///C:/WINDOWS/Web/desktop.html" frameBorder=0 scrolling=no
subscribed_url="C:\WINDOWS\Web\desktop.html" resizeable=""> </IFRAME>&nbsp;
</BODY></HTML>

0

where did you get ad-aware se and do you have at least one firewall and antivirus thing running because that sounds ridiculous.

1

so you cant help me,i guess that was a bad idea to do what crunchie said.That isn't right to do,but learned my lesson.

0

That advice is given to everyone. I have never heard of Adaware doing this. Do a system restore back to a time before it happened, download the latest version of hijackthis, (1.98.2) unzip it in a permanent folder & post it here.

0

if anybody is right here it is crunchie he is the leading mod with spyware problems and has helped me out many of times you probably got ad-aware from the wrong place or you have no firewall and let in a virus while downloading it.

0

Exactly what I was going to say Billy....I downloaded Adaware SE with absolutely no problem. Sure, you should be careful about who you take advice from, but in my opinion no one should hesitate to follow Crunchie's advice...he definitely helped me clean up my computer with no problems at all. :)

0

I did a system restore and it didn't go away,but here is the new log from hijack the newer version you told me to download.

Logfile of HijackThis v1.98.2
Scan saved at 7:29:06 PM, on 10/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\Program Files\ICQ\Icq.exe
C:\Documents and Settings\user\My Documents\beast\Beast2.07.exe
C:\Documents and Settings\user\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://best-search.cc/index.php?v=6&aff=5564342
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html[/url
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-414456544F4E} - C:\WINDOWS\System32\ADV.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Advanced Search - {9EAC0102-5E61-2312-BC2D-414456544F4E} - C:\WINDOWS\System32\ADV.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185XXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{923484E2-115C-4CD5-9BB6-F8316AC3052A}: NameServer = 205.188.146.146
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O20 - AppInit_DLLs: mad.dll

1

R3 - Default URLSearchHook is missing
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)

next time please dont past your hijackthis log all spaced out like that i dunno about everyone else but to me it is really annoying since i am used to looking at them regulary. there some other things that look a little suspicous but i will wait until someone with more experience like crunchie have a look at it.

0

Open Task Manager & end process on the following:
pcsvc.exe

Then delete the following folder;
C:\WINDOWS\system32\pcs

Uninstall Mywebsearch from add\remove programs.

Go to http://www.accs-net.com/smallfish/comet.htm for removal instructions for Comet.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-414456544F4E} - C:\WINDOWS\System32\ADV.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: Advanced Search - {9EAC0102-5E61-2312-BC2D-414456544F4E} - C:\WINDOWS\System32\ADV.dll

O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZRxdm185XXUS

O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
-Adult Content Dialer
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
-Adult Content Dialer

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\PROGRA~1\Comet-folder
C:\Program Files\WindUpdates-folder
C:\Program Files\Winad Client-folder

C:\WINDOWS\System32\ADV.dll-file
C:\WINDOWS\wast2.exe 2-file

Reboot normally after doing the above, rescan with hijackthis making certain that all instances of Internet Explorer are closed, then post that log here please.

0

Updated log


Logfile of HijackThis v1.98.2

Scan saved at 9:41:07 PM, on 10/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://best-search.cc/index.php?v=6&aff=5564342
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1500.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c53 -w1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch1500.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyhoroscope.net/mdh/install.cab
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O20 - AppInit_DLLs: mad.dll
O21 - SSODL: SystemCheck - {54645654-2225-4455-44A1-9F4543D34544} - C:\WINDOWS\System32\vbsys.dll

0

crunchie do you have any advice on my desktop with the whole html thing.I tried a system restore,but it didnt go away.My desktop backround is all white and just shows the icons if you want i can send u a screen shot.

0

Download CWShredder from here & run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including Internet Explorer, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1500.dll

O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyhoroscope.net/mdh/install.cab
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)

Delete the Lycos folder.

Reboot after doing this & post another log please.

0

Logfile of HijackThis v1.98.2

Scan saved at 1:01:23 AM, on 10/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\iuwayt.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\Documents and Settings\user\My Documents\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ckcqqdwxv] C:\WINDOWS\System32\ldimxt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {99410CDE-6F16-42CE-9D49-3807F78F0287} (ZangoInstaller Class) - http://infinity.zango.com/gateway/resources/default/zangoinstaller.cab?productid=763
O17 - HKLM\System\CCS\Services\Tcpip\..\{923484E2-115C-4CD5-9BB6-F8316AC3052A}: NameServer = 205.188.146.146
O20 - AppInit_DLLs: mad.dll
O21 - SSODL: SystemCheck - {54645654-2225-4455-44A1-9F4543D34544} - C:\WINDOWS\System32\vbsys.dll

0

You keep getting stuff. Any reason why you keep putting the spaces between the entries?

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com

O4 - HKLM\..\Run: [ckcqqdwxv] C:\WINDOWS\System32\ldimxt.exe

O20 - AppInit_DLLs: mad.dll

O21 - SSODL: SystemCheck - {54645654-2225-4455-44A1-9F4543D34544} - C:\WINDOWS\System32\vbsys.dll

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\ldimxt.exe
C:\WINDOWS\System32\vbsys.dll
c:\windows\system32\calsp.dll

Search for mad.dll & delete it too.

Reboot normally after doing the above, rescan with hijackthis making certain that all instances of Internet Explorer are closed, then post that log here please.

0

Logfile of HijackThis v1.98.2

Scan saved at 3:02:30 PM, on 10/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\iuwayt.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\mfcab32.exe

C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\mfcbn32.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\America Online 9.0a\waol.exe

C:\Program Files\America Online 9.0a\shellmon.exe

C:\Program Files\America Online 9.0a\aolwbspd.exe

C:\Documents and Settings\user\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ayekq.dll/sp.html#29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ayekq.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ayekq.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ayekq.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ayekq.dll/sp.html#29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ayekq.dll/sp.html#29126

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ayekq.dll/sp.html#29126

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: (no name) - {9A97938E-3801-E2EE-A8B9-09345664E3BE} - C:\WINDOWS\system32\syszm32.dll

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [mfcab32.exe] C:\WINDOWS\system32\mfcab32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{923484E2-115C-4CD5-9BB6-F8316AC3052A}: NameServer = 205.188.146.146

0

Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Another HJT log too please.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.