0

All right, I am having a problem that I can't solve for the life of me. Whenever I type an incorrect URL, I get redirected here: http://th.msie.cc/index.php?aid=20038.

I have run HijackThis and removed entries pointing to the location.
I have run CWShredder, which claimed to remove the coolsearch.com.
I downloaded ie-spyad.zip and installed that, and nothing solves the problem. Ad-Aware and Spybot don't find a thing.

I tried to update Internet Explorer, and each time it says it was unable to pass Windows Logo Verification. I also searched Google, and found a similar thread, http://www.daniweb.com/techtalkforums/thread5657.html , which was unable to help me.

Here is my result from HijackThis:
Logfile of HijackThis v1.97.7
Scan saved at 12:58:31 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Popup Ad Filter\PopFilter.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\EtherBoo\Local Settings\Temporary Internet Files\Content.IE5\S9E38HUR\ie6setup[1].exe
C:\DOCUME~1\EtherBoo\LOCALS~1\Temp\IXP000.TMP\ie6wzd.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Install Files, Patches, Cracks and Fixes\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.org
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\EtherBoo\LOCALS~1\Temp\IXP000.TMP\"
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I'm at my wits end and looking for help, can someone please help me?

0

C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\EtherBoo\Local Settings\Temporary Internet Files\Content.IE5\S9E38HUR\ie6setup[1].exe
C:\DOCUME~1\EtherBoo\LOCALS~1\Temp\IXP000.TMP\ie6wzd.exe

The above entries appear to indicate that not only did you run HJT while IE was still open, but that some sort of update to IE was running as well.

Close all open programs, run HJT again, and post the new log.

0

OK, I opened the task manager and closed everything, even explorer, and when I ran the scan, I closed the task manager also. This also seems to be time released, as I went to work for a few hours (I'm a contractor), came back 3 hours later, and TeaTimer was telling me that things were trying to change my registry. I told it to deny the changes, but it changed them anyway.

Here is the log from HijackThis

Logfile of HijackThis v1.97.7
Scan saved at 3:06:08 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Install Files, Patches, Cracks and Fixes\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I am debating running CWShredder, because I think it will find this problem again, but I will wait for your instructions.

0

OK, first-

The "C:\WINDOWS\system32\spoolsv.exe" entry could indicate a virus, although the file can also be a legit component of Windows' printing subsystem. Check the link below for more info and run a full anti-virus scan of your system, making sure you've got the latest virus definition updates for your AV proggie installed:

http://www.sophos.com/virusinfo/analyses/trojgraybirda.html

Also, have HJT fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Have you run SpyBot and Ad Aware yet? If not, look through some of the other threads here for instructions on how to download and use those programs. Run them after you do your virus scan, let them fix what they find, and then post a fresh HJT log.

0

All right, I closed HijackThis since my last post. I didn't see anything extra from the link you sent, but I am running a virus scan right now. I did run Ad-Aware and Spybot, and Spybot continually finds a DSO exploit. I just ran it and it found a web dialer. It seems as if the problems go away, and come back when I turn my back, and they are in abundance. I'll remove those lines from HJT, but here is my newest scan.

Logfile of HijackThis v1.97.7
Scan saved at 3:50:36 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Install Files, Patches, Cracks and Fixes\HijackThis\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {0A0C31E7-AC63-44D9-97E9-E3D0BC35FE7F} - C:\WINDOWS\System32\jnfinh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
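
The scan above lists the same DLL both as the `res://` target of several IE search settings (R lines) and as a Browser Helper Object (O2 line). As an added example that is not part of the original posts, this Python sketch parses HijackThis log lines and groups each `res://` module with the settings that point at it and any BHO that loads it, so both kinds of entry can be reviewed together. The function and variable names are assumptions; the log excerpt is copied from the 3:50:36 PM scan.

```python
import re

# Excerpt of the 3:50:36 PM HijackThis scan posted above.
LOG_EXCERPT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.org
O2 - BHO: (no name) - {0A0C31E7-AC63-44D9-97E9-E3D0BC35FE7F} - C:\WINDOWS\System32\jnfinh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
"""

# R lines: "R<n> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^R\d - ([^,]+),(.+?) = (.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <file>"
BHO_LINE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# Module named inside a res:// URL, e.g. res://C:\...\x.dll/page.html
RES_MODULE = re.compile(r"res://(.+?\.(?:dll|exe|ocx))/", re.IGNORECASE)


def correlate(log_text):
    """For every module an IE setting reaches via res://, list the
    settings that reference it and the CLSIDs of BHOs loading it."""
    settings, bhos = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        r = R_LINE.match(line)
        if r:
            mod = RES_MODULE.search(r.group(3))
            if mod:  # plain http:// values are not module references
                key = mod.group(1).lower()  # Windows paths: case-insensitive
                settings.setdefault(key, []).append(f"{r.group(1)},{r.group(2)}")
            continue
        b = BHO_LINE.match(line)
        if b:
            bhos.setdefault(b.group(2).strip().lower(), []).append(b.group(1))
    return {m: {"settings": s, "bho_clsids": bhos.get(m, [])}
            for m, s in settings.items()}


if __name__ == "__main__":
    for module, hit in correlate(LOG_EXCERPT).items():
        print(module)
        for s in hit["settings"]:
            print("  setting:", s)
        for c in hit["bho_clsids"]:
            print("  BHO CLSID:", c)
```

An empty `bho_clsids` list means the scan showed only the settings, as in the 3:06:08 PM log earlier in the thread.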

0

It seems as if the problems go away, and come back when I turn my back

Ah...fnargle! Sorry- I forgot to mention that you might want to turn off XP's System Restore function before doing some of this stuff. If your system was infected when XP took its last restore "snapshot", XP itself could unwittingly be bringing some of the fixed problems back to life. An explanation of the process can be found here:

http://www.pchell.com/virus/systemrestore.shtml

0

My computer is a mess, I can't run virus checks, they crash every time I try. I'm considering just doing a format, which should fix the problem. I don't think I'm dealing with a worm or anything that will stay dormant. Let me know what you think, I'm running out of options....
I tried to clean things out in safe mode, here is my newest HJT scan.... I still can't run virus scans after this, btw.


Logfile of HijackThis v1.97.7
Scan saved at 4:12:02 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Popup Ad Filter\PopFilter.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Install Files, Patches, Cracks and Fixes\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0

Ah...fnargle! Sorry- I forgot to mention that you might want to turn off XP's System Restore function before doing some of this stuff. If your system was infected when XP took its last restore "snapshot", XP itself could unwittingly be bringing some of the fixed problems back to life. An explanation of the process can be found here:

http://www.pchell.com/virus/systemrestore.shtml

But I thought that it only restored info if I told it to? Do some viruses come back from the dead with sys restore?

Do you think I have another option besides formatting and reinstalling?

0

Sorry- I'm late for an appointment so I have to log off now. I'll be back later if no one else picks up on this in the meantime..

0

I've decided to just format; short of a mistake on a partition size, everything is working properly. Thanks for the help.
