Member Avatar for kanesnuff4

Hey. I've had this bug on my computer for about 2 weeks now. When I start up the computer, there's this weird thing that popups and it says, "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta" on the title bar. Also, my IE start page is stuck to "http://dr-search4u.com/index.htm". Oh and when I shut down, I get prompted to close a program called "Win Min" or something.

I went here: http://dr-search4u.com/help.htm and downloaded the little file they reccomend to clear up your computer, but I imagine that just made things worse, probably.

If someone could help me eradicate my computer of this bug and whatever other bugs you might see that have infected my computer via the hijackthis log, I'd greatly appreciate it.

Also... you guys look like you know your stuff. I used to use AdAware and Spybot: Search & Destroy... but they don't seem to be able to stand up to this bug I've got right now. I've heard of stuff like ZoneAlarm and some other programs that are supposedly good. Which can you guys reccomend to prevent stuff like spyware/adware and viruses?


Logfile of HijackThis v1.98.2
Scan saved at 7:11:56 PM, on 1/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\ESPN\BottomLine\bline.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\Downloaded Program Files\eBayTBar.exe
C:\WINDOWS\system32\mshta.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PictureShare\PSClient.exe
C:\Documents and Settings\Robert D'Agostino\Desktop\HijackThis.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\gtpxnwup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
O2 - BHO: eBay Helper Object - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [npakcvp] c:\windows\fpjasux.exe
O4 - Startup: Check for PictureShare.net Updates.lnk = C:\Program Files\PictureShare\WiseUpdt.exe
O4 - Startup: PictureShare.net Startup.lnk = C:\Program Files\PictureShare\PSClient.exe
O4 - Global Startup: eBay Toolbar.LNK = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {001F2570-5DF5-11D3-B991-00A0C9BB0874} (eBay Helper Object) - http://download.ebay.com/toolbar/eBayTBar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O21 - SSODL: SecurityUpdate - {E252938E-79CF-409A-ADBB-B121A33A55F8} - C:\WINDOWS\system32\MCIAADOW.DLL

There's my HiJackThis log ^^.

Thanks for any help you can offer.

  • 4 Contributors
  • 8 Replies
  • 171 Views
  • 14 Hours Discussion Span
  • Latest Post Latest Post by crunchie

Recommended Answers

All 8 Replies

Member Avatar for caperjack

Please give these programs a go first .then post a new hijack log with the newer version .
You hijack version is outdated newer virsion at bottom of this post ,I think the latest version of Ad-Aware setup to scan deeper will help !
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.

CWShredder available from these places :-


http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine. Detailed instructions from here :-
http://service1.symantec.com/SUPPORT/tsgen...001052409420406
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,


Scanning in Spybot Search and Destroy:

1. Downloaded and Install Spybot S&D, accepting the Default Settings

2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.

3. Close ALL windows except Spybot S&D

4. Click the button to ‘Search for Updates’ then download and install the Updates.

5. Next click the button ‘Check for Problems’

6. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window

7. Make certain there is a check mark beside all of the RED entries ONLY.

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

9.REBOOT to complete the scan and clear memory.


Finally if you are going to run both Spybot SD and Ad-Aware SE, leave the rescan with HijackThis until you have completed running both tools. If only running Spybot SD then RESCAN with HijackThis and POST your logfile in the same thread using ‘Add Reply’. Please do not attempt to fix anything in HijackThis yourself!


Scanning With Ad-Aware SE :

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan

2.Close ALL windows except Ad-Aware SE

3. Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to udate outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include addtional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot


Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile


5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’

*Choose:'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware SE found

Finally after running both Spybot SD and Ad-Aware SE, RESCAN with HijackThis and POST your logfile in the same thread using ‘Add Reply’. Do not attempt to fix anything in HijackThis yourself!
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Please do this.
Download 'Hijack This!'. http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

Member Avatar for kanesnuff4

Okay I completed these steps so far:

1) downloaded, installed, and ran Spybot Search & Destroy in safe mode
2) downloaded, installed, and ran AdAware SE Personal in safe mode
3) went to TrendMicro.com and ran the free Anti-Virus scan and the following 18 files were marked as "Non-Cleanable":

note- each was listed as "JAVA.BYTEVER.A" under the virus column, and each file began with the following prefix path:

"C:\Documents and Settings\Joe Schmoe\Appilication Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\"

classload.jar-11faa9ed-26fe03f5.zip *GetAccess.class*
classload.jar-11faa9ed-26fe03f5.zip *InsecureClassLoader.class*
classload.jar-11faa9ed-26fe03f5.zip *Dummy.class*
classload.jar-11faa9ed-26fe03f5.zip *Installer.class*
classload.jar-11faa9ed-2fc4c501.zip *GetAccess.class*
classload.jar-11faa9ed-2fc4c501.zip *InsecureClassLoader.class*
classload.jar-11faa9ed-2fc4c501.zip *Dummy.class*
classload.jar-11faa9ed-2fc4c501.zip *Installer.class*
classload.jar-11faa9ed-61a1a4fc.zip *GetAccess.class*
classload.jar-11faa9ed-61a1a4fc.zip *InsecureClassLoader.class*
classload.jar-11faa9ed-61a1a4fc.zip *Dummy.class*
classload.jar-11faa9ed-61a1a4fc.zip *Installer.class*
count1.jar-1df0a004-16d3702c.zip *BlackBox.class*
count1.jar-1df0a004-16d3702c.zip *Dummy.class*
count1.jar-1df0a004-16d3702c.zip *VerifierBug.class*
count1.jar-6fc6bfca-7d523d22.zip *BlackBox.class*
count1.jar-6fc6bfca-7d523d22.zip *Dummy.class*
count1.jar-6fc6bfca-7d523d22.zip *VerifierBug.class*

Okay so I couldn't clean out or delete anything using TrueMicro's online scan. I then downloaded the most updated version of HijackThis and used it and here's the results:

Logfile of HijackThis v1.99.0
Scan saved at 11:28:00 PM, on 1/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\ESPN\BottomLine\bline.exe
C:\Program Files\AIM\aim.exe
C:\windows\frmcrwb.exe
C:\WINDOWS\Downloaded Program Files\eBayTBar.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PictureShare\PSClient.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Applications\HijackThisv1.99.0.0.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
O2 - BHO: eBay Helper Object - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [vrcnupn] c:\windows\ycqqeqh.exe
O4 - Startup: Check for PictureShare.net Updates.lnk = C:\Program Files\PictureShare\WiseUpdt.exe
O4 - Startup: PictureShare.net Startup.lnk = C:\Program Files\PictureShare\PSClient.exe
O4 - Global Startup: eBay Toolbar.LNK = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {001F2570-5DF5-11D3-B991-00A0C9BB0874} (eBay Helper Object) - http://download.ebay.com/toolbar/eBayTBar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O21 - SSODL: SecurityUpdate - {E252938E-79CF-409A-ADBB-B121A33A55F8} - C:\WINDOWS\system32\MCIAADOW.DLL
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE

Thanks

- Rob

Member Avatar for kanesnuff4

Oh, forgot to include. I also used CWShredder in safe mode. Nothing doing.

Member Avatar for crunchie

Go to your Control Panel and double click on the Sun Java icon. Go to the cache Tab and clear the cache.

Open Task Manager & end process on the following:
frmcrwb.exe

Go to C:\windows and delete the file manually.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm

O4 - HKCU\..\Run: [vrcnupn] c:\windows\ycqqeqh.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop

===================

When done, still in hijackthis, go to config\misc tools\delete a file on reboot and paste c:\windows\ycqqeqh.exe into the line and click ok.

Once rebooted, post another log.

Member Avatar for kanesnuff4

Logfile of HijackThis v1.99.0
Scan saved at 12:45:02 AM, on 1/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\ESPN\BottomLine\bline.exe
C:\Program Files\AIM\aim.exe
C:\windows\bitnelt.exe
C:\WINDOWS\Downloaded Program Files\eBayTBar.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PictureShare\PSClient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Applications\HijackThisv1.99.0.0.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
O2 - BHO: eBay Helper Object - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [wurpowh] c:\windows\vscffef.exe
O4 - Startup: Check for PictureShare.net Updates.lnk = C:\Program Files\PictureShare\WiseUpdt.exe
O4 - Startup: PictureShare.net Startup.lnk = C:\Program Files\PictureShare\PSClient.exe
O4 - Global Startup: eBay Toolbar.LNK = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\Downloaded Program Files\eBayBand.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001F2570-5DF5-11D3-B991-00A0C9BB0874} (eBay Helper Object) - http://download.ebay.com/toolbar/eBayTBar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O21 - SSODL: SecurityUpdate - {E252938E-79CF-409A-ADBB-B121A33A55F8} - C:\WINDOWS\system32\MCIAADOW.DLL
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE

Member Avatar for kanesnuff4

I don't want to mess around with deleting crap using HijackThis but something tells me that bitnelt.exe is quite suspect, indeed. I rebooted and everything and a bunch of the stuff you told me to delete came back and I followed your instructions verbatim. So yeah... something definitely tells me it's that thing.

Member Avatar for dlh6213

Open Task Manager & end process on bitnelt.exe

Go to C:\windows and delete bitnelt.exe manually.

Scan with hijackthis, check the boxes next to all the following entries, make sure you close all browser and explorer windows, and then hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
O4 - HKCU\..\Run: [wurpowh] c:\windows\vscffef.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/insta.../sinstaller.cab

While still in hijackthis, go to config\misc tools\delete a file on reboot
paste 'c:\windows\vscffef.exe' into the line and click OK.

Once rebooted, close all browser windows, scan with HJT, and post a new log.

Member Avatar for crunchie

I cannot find any information on this file:
C:\WINDOWS\system32\MCIAADOW.DLL
Please find it and right click on it. Choose Properties. Click the version tab and get the manufacturer and original filename please. Maybe that will give a clue.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.