have log !!!!!!!!!!! finally

Question

joal 0 Junior Poster in Training

19 Years Ago

Sorry, I asked to stop the thread too soon, I found a site and was able to download Hijack This........ :mrgreen:

Logfile of HijackThis v1.97.7
Scan saved at 2:04:51 PM, on 10/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\MYOTTH.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\NEW FOLDER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINDOWS\TV MEDIA\TVMBHO.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: (no name) - {B5A1CC04-81FB-CBE6-9E56-CCC142D61CA0} - C:\WINDOWS\Gnjivgpg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O3 - Toolbar: Search - {C08EB1CA-DF5A-D96E-5DAD-41FC8200E624} - C:\WINDOWS\Gnjivgpg.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [ysbfikylj] C:\WINDOWS\SYSTEM\MYOTTH.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [dyaapxo] C:\WINDOWS\SYSTEM\myotth.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKLM\..\RunOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "??????? ????????"
O4 - HKCU\..\RunOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "??????? ????????"
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra button: SideFind (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

windows-virus

9 Contributors
52 Replies
723 Views
5 Months Discussion Span
Latest Post 19 Years Ago Latest Post by DMR

All 52 Replies

crunchie 990 Most Valuable Poster

19 Years Ago

Have you tried here; https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

p3-450 8 Junior Poster in Training · Answer 1 · 2004-10-11T01:08:49+00:00

Hi

First you need to download, update and run both AdAware and Spybot S&D both from my sig below.

Then you need to update Hijackthis to the current version, which you can also find in my sig, unzip it to a permanent folder, and not on the desktop or in a temp directory.

Now with all Internet browsers closed, run a hijackthis scan and post the new log.

joal 0 Junior Poster in Training · Answer 2 · 2004-10-11T05:02:44+00:00

I am unable to load the newer version of Hijack This, but had some hope that if I scanned with lavasoft and spybot and tried to close some programs on browser, the log may be more helpful . I cannot close all programs... as computer shuts down
...joal

Logfile of HijackThis v1.97.7
Scan saved at 7:06:22 PM, on 10/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\MYOTTH.EXE
C:\WINDOWS\ptsnoop.exe
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\NEW FOLDER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINDOWS\TV MEDIA\TVMBHO.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: (no name) - {B5A1CC04-81FB-CBE6-9E56-CCC142D61CA0} - C:\WINDOWS\Gnjivgpg.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O3 - Toolbar: Search - {C08EB1CA-DF5A-D96E-5DAD-41FC8200E624} - C:\WINDOWS\Gnjivgpg.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [ysbfikylj] C:\WINDOWS\SYSTEM\MYOTTH.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [dyaapxo] C:\WINDOWS\SYSTEM\myotth.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra button: SideFind (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

joal 0 Junior Poster in Training · Answer 3 · 2004-10-11T06:14:05+00:00

ok, hjt said that I now have the new version, it allegedly replaced old one, and could shut down programs on browser and did scans with spybot and lavasoft...... here's hoping
Joal
Logfile of HijackThis v1.97.7
Scan saved at 8:19:18 PM, on 10/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\MYOTTH.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\NEW FOLDER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINDOWS\TV MEDIA\TVMBHO.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: (no name) - {B5A1CC04-81FB-CBE6-9E56-CCC142D61CA0} - C:\WINDOWS\Gnjivgpg.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O3 - Toolbar: Search - {C08EB1CA-DF5A-D96E-5DAD-41FC8200E624} - C:\WINDOWS\Gnjivgpg.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [ysbfikylj] C:\WINDOWS\SYSTEM\MYOTTH.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [dyaapxo] C:\WINDOWS\SYSTEM\myotth.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\RunServices: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra button: SideFind (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

deonnanicole 5 Posting Whiz in Training · Answer 4 · 2004-10-11T06:47:50+00:00

The newest version of hijackthis is 1.98.2, so you are still running the older version. Did you try using the update feature within hijackthis? If so and that didn't work, try downloading it from a website. You can try this one:

http://www.computercops.biz/zx/merjin/hijackthis.zip

dlh6213 27 Posting Maven Team Colleague · Answer 5 · 2004-10-11T21:46:42+00:00

You can probably go ahead and use the older version of HJT until your system gets cleaned up enough to get the latest one easier. HJT has an Update feature within it or you can try to get it from here:
http://www.softpedia.com/progDownlo...nload-5034.html

First thing you should do is download sysclean from http://www.trendmicro.com/download/dcs.asp making sure to download and install the latest pattern file. There's a link to it at the lower left-hand colum of the page. Note that it will not work without the pattern file which must be unzipped into the same folder as sysclean. Let it scan and fix anything it finds; it may take awhile.

After that finishes, close all windows, scan with HJT, and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra button: SideFind (HKLM)

There will be more, but that will need to be handled by the pro's.

Next, go to Windows Update and get all the Critical Updates for your system.

Get SpywareBlaster from here:
http://www.javacoolsoftware.com/spywareblaster.html
Update it and have it enable all protection.

Reboot and, if you haven't been able to yet, try again to update HJT.

Close all windows, scan with HJT, and post a new log.

joal 0 Junior Poster in Training · Answer 6 · 2004-10-12T06:22:08+00:00

Great I was about to ask if someone would be kind enough to work with this log so that I could make an attempt to update the existing HJT.
It will take me several days,
thanks much
joal

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 7 · 2004-10-12T17:07:39+00:00

Download CWShredder from here & run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including Internet Explorer, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.

joal 0 Junior Poster in Training · Answer 8 · 2004-10-14T21:50:50+00:00

For several days, I have tried as many sites and ways as I know to download the CW Shredder, even the program that one loads prior if the coolsearch / is keeping one from a download of shredder.Also cannot load Sysclean, I was able to download patternfile, but that was all, and I tried this many times as well.
I was able to delete the files mentioned above from the log I gave, as suggested by dlh6213, this has helped tremendously. I still can't interest anyone in burning the newer HJT, so ..... are there anymore files I could delete? Is there a program that collsearch doesn't recognize yet? I may have a bit of a wait.....
thanks
joal

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 9 · 2004-10-15T16:02:44+00:00

Private message me your email addy & I will send the latest version of hijackthis to you. Will also send CWShredder.

joal 0 Junior Poster in Training · Answer 10 · 2004-10-17T18:21:19+00:00

There seems to be a new StartPage Spyware Removal Tool for IE October 15, 2004 , it's by Softpedia, any imput on this?
To date I cannot download any updated version of HJT nor the CWS Shredder, or the smartool type program that loads prior to the shredder.
I did have a thread with a log from an old version of HJT, and it helped to delete [help of what to delete provided here]
I am wondering if I have a variant of the cws trojan that keeps any downloads from being installed,
I do have Spybot and managed to get a relatively new version of "Lava softs" adware remover, and also the updated version from windows, what wouldn't download, I have saved an icon to finish download in possible near future.
Also hearing rumor that HJT may not be updated again......
Trying to keep computer running , have security high... the msconfig constantly readjusts no matter what I do.
Thanks
joal :cry:

joal 0 Junior Poster in Training · Answer 11 · 2004-10-17T18:25:28+00:00

I am grateful for you're extending yourself, began a new thread, not sure it was appropiate.
joal

joal 0 Junior Poster in Training · Answer 12 · 2004-10-17T23:45:03+00:00

Progress, was able to get critcal objects in quarantine and a few removed before computer froze, the first in some time since the CWS scum. [referring to Ad Aware SE]
joal

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 13 · 2004-10-18T17:33:37+00:00

You should keep to the same thread to avoid any confusion :). I will go look for it & merge it with this one.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 14 · 2004-10-18T17:41:35+00:00

What happened to the files I sent you by email? Did you receive them?

joal 0 Junior Poster in Training · Answer 15 · 2004-10-19T04:23:58+00:00

Yes, tried for two days, ask friend to help, but they came up empty, although once the CWShredder was there, but when I tried to use it, it came up "error".
If I didn't have a witness, I would think I was bonkers.
I have been able to delete now on Ad Aware , I am hoping i could get the files down enough to load the program that is used prior to the Shredder.
But.... I am having to quarantine about 900 critical objects a day, and delete , I updated windows, set security, msconfig changes itself, and files replicate and move around...... Thanks much for all the help you have given
joal

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 16 · 2004-10-19T17:24:47+00:00

crunchie 990 Most Valuable Poster

19 Years Ago

Can you post me a new log please.

joal 0 Junior Poster in Training · Answer 17 · 2004-10-19T22:33:39+00:00

This is the only HJT version I can download
thanks
joal

Logfile of HijackThis v1.97.7
Scan saved at 12:40:58 PM, on 10/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\MYOTTH.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINDOWS\TV MEDIA\TVMBHO.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: (no name) - {B5A1CC04-81FB-CBE6-9E56-CCC142D61CA0} - C:\WINDOWS\Gnjivgpg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O3 - Toolbar: Search - {C08EB1CA-DF5A-D96E-5DAD-41FC8200E624} - C:\WINDOWS\Gnjivgpg.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [ysbfikylj] C:\WINDOWS\SYSTEM\MYOTTH.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [dyaapxo] C:\WINDOWS\SYSTEM\myotth.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKLM\..\RunOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "??????? ????????"
O4 - HKCU\..\RunOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "??????? ????????"
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra button: SideFind (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 18 · 2004-10-20T15:50:40+00:00

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINDOWS\TV MEDIA\TVMBHO.DLL
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: (no name) - {B5A1CC04-81FB-CBE6-9E56-CCC142D61CA0} - C:\WINDOWS\Gnjivgpg.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O3 - Toolbar: Search - {C08EB1CA-DF5A-D96E-5DAD-41FC8200E624} - C:\WINDOWS\Gnjivgpg.dll

O4 - HKLM\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [ysbfikylj] C:\WINDOWS\SYSTEM\MYOTTH.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [dyaapxo] C:\WINDOWS\SYSTEM\myotth.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKCU\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra button: SideFind (HKLM)

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\TV MEDIA-folder
C:\PROGRAM FILES\SIDEFIND-folder
C:\PROGRA~1\TOOLBAR-folder
c:\program files\180solutions-folder
C:\PROGRA~1\Web Offer-folder

C:\WINDOWS\SYSTEM\MYOTTH.EXE-file
C:\WINDOWS\BXXS5.DLL-file

Reboot normally after doing the above, rescan with hijackthis making certain that all instances of Internet Explorer are closed, then post that log here please.

joal 0 Junior Poster in Training · Answer 19 · 2004-10-20T18:23:55+00:00

As you will see, I rebooted and got the files back that I checked and HJT got rid of.
I cannot reboot in safe mode, windows will not load.
I am getting "error"....windows cannot find BXX5.DLL, .. but nevertheless it is running.
is it possible to delete in a normal mode. the following..
tv media
sidefind
etc the ones you suggested to delete in safe mode.... uh... where do I find them to delete in either mode?
On the day I was severely infected with this scum, I noticed many gibberish files in windows and deleted, one was gnjivgpg.dll which HJT shows, can I delete this?
I included the log, though it is all back

Logfile of HijackThis v1.97.7
Scan saved at 8:21:51 AM, on 10/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\MYOTTH.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINDOWS\TV MEDIA\TVMBHO.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL (file missing)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL (file missing)
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL (file missing)
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL (file missing)
O2 - BHO: (no name) - {B5A1CC04-81FB-CBE6-9E56-CCC142D61CA0} - C:\WINDOWS\Gnjivgpg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL (file missing)
O3 - Toolbar: Search - {C08EB1CA-DF5A-D96E-5DAD-41FC8200E624} - C:\WINDOWS\Gnjivgpg.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [ysbfikylj] C:\WINDOWS\SYSTEM\MYOTTH.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [dyaapxo] C:\WINDOWS\SYSTEM\myotth.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra button: SideFind (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

joal 0 Junior Poster in Training · Answer 20 · 2004-10-20T18:30:33+00:00

Oh, under running process to delete tv media etc, ok, is it possible to delete in normal mode?
My computer no longer shuts off by itself,
thanks
joal

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 21 · 2004-10-20T18:35:19+00:00

If you are having trouble with hijackthis fixing the problem it is possibly because you have Internet Explorer open Hijackthis cannot work correctly if even ONE instance of Internet Explorer remains open.
You will find the files to delete manually by opening Windows explorer (Not IE) & going to the directory where the file/folder is. For instance, if you want to delete C:\WINDOWS\BXXS5.DLL you go to C which is your hard drive, then go down to Windows & open that by double clicking on it. From there you search within that folder for the file.
The gibberish file can be deleted.
Follow the instructions from my previous post except for the safe mode part. You will have to reboot first. If you still have problems I will give you instructions to try a different way of removal.
I am off now until tomorrow, so I will check how you go then :).

joal 0 Junior Poster in Training · Answer 22 · 2004-10-20T23:17:45+00:00

This is log after reboot, deleted tv media, could not find rest under c/program files, could only locate them under msconfig.....???

Logfile of HijackThis v1.97.7
Scan saved at 1:11:39 PM, on 10/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 23 · 2004-10-21T15:28:39+00:00

Looking a lot better. Have hijackthis fix these then delete the file\folder manually;

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

O4 - HKCU\..\Run: [TV Media] C:\WINDOWS\TV MEDIA\Tvm.exe

How is your computer since removing those files?

joal 0 Junior Poster in Training · Answer 24 · 2004-10-21T23:47:02+00:00

My computer is working great, and much thanks to you, I get a warning about
[bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

I deleted all back up files, on Hijack This, and also some gibberish files, and lost internet connection, tho I had back up files created for this event, I chose to upgrade to aol9.0 and now have some on line aids .
Aol is not my choice ultimately, but it will keep me running and hopefully I will be able to download some updates and keep more current.
I am grateful for your patience and help...... still working on getting the new Hijack This
joal

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 25 · 2004-10-22T16:47:10+00:00

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Then click Finish.

That should restore your Winsock files for your internet connection.
Make sure that the file you are getting the error message for is removed from hijackthis. It sounds like the file is gone, but the registry entry is still there.

joal 0 Junior Poster in Training · Answer 26 · 2004-10-24T07:32:16+00:00

Thanks much
the CWShredder looks good, I now have it, and have been updating spybot and adaware.
Will be trying to download HJT newest version, but need to keep up with updates and keep track .
joal

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 27 · 2004-10-24T08:23:20+00:00

crunchie 990 Most Valuable Poster

19 Years Ago

Cool :). Post the log when you manage to get it.

joal 0 Junior Poster in Training · Answer 28 · 2004-10-26T06:38:41+00:00

well, I cannot download the updated HJT, fustrating, I have tried every site listed from this forum, and navigating is now difficult as my cursor is freezing constantly.
The AOL Optimized has quirks, and have had to spend much time in the technical help section.
I run either Ad Aware or Spybot everyday, and the CWShredder gives a clean bill of health, but there seems to be a wide varity of scumware that these two programs find.
joal

have log !!!!!!!!!!! finally

Recommended Answers Collapse Answers

All 52 Replies

Recommended Answers