0

I have a toolbar on IE that doesn't go away called Universal Search Toolbar. I think it's also changed my homepage to go to simplenter.com. I know part of it is a file called utility.dll. Plus there must be other stuff on my computer cuz I have pop-ups that come up when I'm not even on a web broser or even connect to the internet.


Logfile of HijackThis v1.99.1
Scan saved at 9:34:46 PM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\mshta.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\wizard\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://b0O.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://b0O.net/cat
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://b0O.net/searchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://b0O.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://b0O.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://b0O.net/searchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://b0O.net/searchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://b0O.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
R3 - URLSearchHook: Universal Searchbar - {5F7AB1DB-A899-46c1-8345-B72B4567EE86} - C:\PROGRA~1\Utility\utility.dll (file missing)
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 sea.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Universal Searchbar - {5F7AB1DB-A899-46c1-8345-B72B4567EE86} - C:\PROGRA~1\Utility\utility.dll (file missing)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NetMeter] C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.hta
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Web Search - res://C:\PROGRA~1\Utility\utility.dll/GoSrch.dll.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {3CF932B1-F57B-4D4F-B24D-7BADB16778B1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3CF932B1-F57B-4D4F-B24D-7BADB16778B1} - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:19:55 PM 3/9/2007

+ Scan result:

HKLM\SOFTWARE\Classes\Dadu.DaduObj -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Dadu.DaduObj.1 -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Dadu.DaduObj\CLSID -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Dadu.DaduObj\CurVer -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\GoSrch.ContextItem -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\GoSrch.ContextItem.1 -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\GoSrch.ContextItem\CLSID -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\GoSrch.ContextItem\CurVer -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\!KillBox\Utility\utility.dll -> Adware.Simbar : Cleaned with backup (quarantined).
C:\Documents and Settings\wizard\Local Settings\Temporary Internet Files\Content.IE5\KUHBAUBL\utility[1].dll -> Adware.Simbar : Cleaned with backup (quarantined).
C:\Documents and Settings\wizard\Local Settings\Temporary Internet Files\Content.IE5\U6OSXIJ2\toolbar[1].exe -> Adware.Simbar : Cleaned with backup (quarantined).
C:\Program Files\Utility\utility.dll -> Adware.Simbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP824\A0076508.dll -> Adware.Simbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP824\A0076544.exe -> Adware.Simbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP824\A0076545.dll -> Adware.Simbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP825\A0076546.dll -> Adware.Simbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP825\A0076555.exe -> Adware.Simbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP825\A0076620.exe -> Adware.Simbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP825\A0076621.dll -> Adware.Simbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP825\A0077619.exe -> Adware.Simbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP825\A0077620.dll -> Adware.Simbar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\band.exe -> Adware.Simbar : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RealAudio.exe -> Downloader.Small.ajy : Cleaned with backup (quarantined).
C:\Documents and Settings\wizard\Local Settings\Temporary Internet Files\Content.IE5\45SJ5TVO\in[1].exe -> Downloader.Small.ajy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP824\A0076506.exe -> Downloader.Small.ajy : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{CE7C3CF0-4B15-11D1-0BED-709549C10020} -> Hijacker.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-0BED-709549C10020} -> Hijacker.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-436374069-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE7C3CF0-4B15-11D1-0BED-709549C10020} -> Hijacker.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP824\A0076507.dll -> Hijacker.StartPage.qr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP824\A0076504.dll -> Hijacker.StartPage.sd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP824\A0076505.dll -> Hijacker.StartPage.sd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP825\A0076548.dll -> Hijacker.StartPage.sd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\941d9i5d8r.dll -> Hijacker.StartPage.sd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\a6pkotovrp.dll -> Hijacker.StartPage.sd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\d6x3z6qo1m.dll -> Hijacker.StartPage.sd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rpjrttjv94.dll -> Hijacker.StartPage.sd : Cleaned with backup (quarantined).
[2948] C:\WINDOWS\system32\941d9i5d8r.dll -> Hijacker.StartPage.sd : Cleaned with backup (quarantined).
C:\Documents and Settings\wizard\Local Settings\Temporary Internet Files\Content.IE5\45SJ5TVO\in2[1].exe -> Trojan.Favadd.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP825\A0076554.hta -> Trojan.Seeker.d : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5806FEC5-121E-40CE-A519-7BD741E47160}\RP825\A0077618.hta -> Trojan.Seeker.d : Cleaned with backup (quarantined).


::Report end

2
Contributors
8
Replies
9
Views
10 Years
Discussion Span
Last Post by crunchie
0

Download the Hoster.
Run it and press "Restore Original Hosts" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.

====

Can you please do the following.

===============

Can you disable Windows Defender as it may interfere with the removal process. Please leave it disabled until your PC has been given the all clear.

  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender

===============

Scan with HijackThis and then place a check next to all the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://b0O.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://b0O.net/cat
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://b0O.net/searchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://b0O.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://b0O.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://b0O.net/searchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://b0O.net/searchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://b0O.net/cat

R3 - URLSearchHook: Universal Searchbar - {5F7AB1DB-A899-46c1-8345-B72B4567EE86} - C:\PROGRA~1\Utility\utility.dll (file missing)

O3 - Toolbar: Universal Searchbar - {5F7AB1DB-A899-46c1-8345-B72B4567EE86} - C:\PROGRA~1\Utility\utility.dll (file missing)

O4 - Global Startup: Microsoft Office.hta

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
...(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)

O8 - Extra context menu item: &Web Search - res://C:\PROGRA~1\Utility\utility.dll/GoSrch.dll.htm

O9 - Extra button: Microsoft AntiSpyware helper - {3CF932B1-F57B-4D4F-B24D-7BADB16778B1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3CF932B1-F57B-4D4F-B24D-7BADB16778B1} - (no file) (HKCU)

O11 - Options group: [INTERNATIONAL] International*


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\PROGRA~1\Utility

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

0

It's still there. The only things I didn't follow in your instructions were I didn't have hjt fix the 06 entry because I do have spybot, and I delete the folder Utility from C:Program Files, don't know if that's different than PROGRA~1.

Logfile of HijackThis v1.99.1
Scan saved at 1:14:13 PM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\mshta.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\wizard\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://b0O.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://b0O.net/cat
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://b0O.net/searchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://b0O.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://b0O.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://b0O.net/searchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://b0O.net/searchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://b0O.net/cat
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
R3 - URLSearchHook: Universal Searchbar - {5F7AB1DB-A899-46c1-8345-B72B4567EE86} - C:\PROGRA~1\Utility\utility.dll
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 sea.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: IEMozgObj Class - {CE7C3CF0-4B15-11D1-0BED-709549C10020} - C:\WINDOWS\system32\vfd1o3k75l.dll
O3 - Toolbar: Universal Searchbar - {5F7AB1DB-A899-46c1-8345-B72B4567EE86} - C:\PROGRA~1\Utility\utility.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NetMeter] C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RealAudio.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Web Search - res://C:\PROGRA~1\Utility\utility.dll/GoSrch.dll.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

0

Did you disable Windows Defender as requested before trying to fix with hijackthis?

Run hijackthis and hit the Open the Misc Tools Section and then the Open Uninstall Manager.

Then hit the Save List button. Save to the desktop for easy access. Open the log file and copy the entire list and paste it here please.

===========

Copy the bold text below and paste it into notepad. Save it to your desktop as find.bat and make sure type is set to All Files.


cd\
cd Program Files
DIR /AD /B /P > ProgramFiles.txt
start ProgramFiles.txt
cls
exit


Double click find.bat and let it run for a minute. It will open up a report in notepad. Please copy that text and post it here in your next reply.

0

Yes, I did disable Windows Defender.

AC97 SoftV92 Data Fax Modem with SmartCP
Ad-aware 6 Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
Audacity 1.2.6
AVG Anti-Spyware 7.5
Canon CanoScan Toolbox 4.1
Canon i850
CanoScan LiDE20,30 Manual
Creative Audio Pack
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series
Dance Praise
DivX
DivX Player
Google Earth
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
MA101 USB Adapter Configuration Utility
Macromedia Flash Player 8
Macromedia Shockwave Player
MDL ISIS Draw 2.5 Standalone
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
MSN Music Assistant
Napster
Napster Burn Engine
Netscape Browser (remove only)
Nielsen Online
OmniPage SE
QuickTime
RealPlayer
RollerCoaster Tycoon
S3Display
S3Gamma2
S3Info2
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
SereneScene Marine Aquarium 2
SimpleToolbar
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Universal Toolbar
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
VideoLAN VLC media player 0.8.6a
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
Yahoo! Anti-Spy
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Music Jukebox
Yahoo! Photos Easy Upload Tool 1v7
Yahoo! Toolbar
zmc_saver_2

Adobe
Adware Remover Gold
AIM
AOD
AOL
ArcSoft
Atari
Audacity
Audible
Canon
Common
Common Files
ComPlus Applications
CONEXANT
Creative
Creative Installation Information
DAPlus
Digital Praise
DivX
Enigma Software Group
Google
Grisoft
illiminable
InstallShield Installation Information
InterMute
Internet Explorer
iPod
iTunes
Java
Lavasoft
MDL ISIS Draw 2.5
Messenger
Microsoft ActiveSync
microsoft frontpage
Microsoft Office
Microsoft Visual Studio
Microsoft.NET
Movie Maker
mozilla.org
MSN
MSN Gaming Zone
MsnMusic
Napster
NETGEAR
NetMeeting
NetRatingsNetmeter
Netscape
Nutrition Connections
Ocucom
OfficeUpdate11
Online Services
Outlook Express
QuickTime
Real
ScanSoft
ScanSpyware v3.8.0.4
SereneScreen
Spybot - Search & Destroy
SpywareBlaster
TryMedia
Uninstall Information
Utility
VideoLAN
Viewpoint
Visual Studio
Windows Defender
Windows Media Player
Windows NT
WindowsUpdate
WinZip
Wireless Adapter
xerox
Yahoo Games!
Yahoo!

0

Go to add remove programs and uninstall the following;

SimpleToolbar
Universal Toolbar

==

Can you disable Windows Defender as it may interfere with the removal process. Please leave it disabled until your PC has been given the all clear.

  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender

===============

Scan with HijackThis and then place a check next to all the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://b0O.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://b0O.net/cat
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://b0O.net/searchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://b0O.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://b0O.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://b0O.net/searchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://b0O.net/searchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://b0O.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://b0O.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://b0O.net/cat

R3 - URLSearchHook: Universal Searchbar - {5F7AB1DB-A899-46c1-8345-B72B4567EE86} - C:\PROGRA~1\Utility\utility.dll

O2 - BHO: IEMozgObj Class - {CE7C3CF0-4B15-11D1-0BED-709549C10020} - C:\WINDOWS\system32\vfd1o3k75l.dll

O3 - Toolbar: Universal Searchbar - {5F7AB1DB-A899-46c1-8345-B72B4567EE86} - C:\PROGRA~1\Utility\utility.dll

O8 - Extra context menu item: &Web Search - res://C:\PROGRA~1\Utility\utility.dll/GoSrch.dll.htm


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\PROGRA~1\Utility

files...

C:\WINDOWS\system32\vfd1o3k75l.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

0

Well, it still wasn't getting rid of it. Then I went into safe mode, rand spybot, adaware, avg, deleted the utility folder, and had hjt fix all those same things, and had hostxpert change everything back to defalt, changed my homepage on internet options. Now it looks like it's gone. I hope it doesn't come back.

So, do I need to put windows defender back to real time protection, or avg?

0

Logfile of HijackThis v1.99.1
Scan saved at 10:11:19 PM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\wizard\My Documents\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NetMeter] C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

0

So, do I need to put windows defender back to real time protection, or avg?

If you have purchased AVG then use that, otherwise it's Windows Defender :).
Your log looks good now. Good job.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.