jatt7846

Browser Hijacked, Homepage Changes, Turns Off


I have been having massive problems with my PC for a few months now. Most of the sites have been hijacked by some search engine (http://69.31.85.152/enter.htm?id=9). Whenever I log on to eBay it takes me to this different page and same thing with a lot of other sites including hotmail. The only way I can get around is by running Spy Sweeper which temporarily solves the problem for about 15 minutes of web use for some of the sites but eBay is permanently hijacked.

The home page changes periodically as well.

Can someone please help?????????


Hi jatt7846,

 

Welcome to the PC Pitstops Forums.

 

My name is Trevuren and I will be helping you with your log

 

There are certain procedures that you must follow before we can make any beneficial changes to the way your system is working.

 

1) Things in these forums have a tendency to get confusing at times. In order to make sure that you can always find your way back here, consider bookmarking this page.

 

2) I would also recommend that you enable "email notification" in your Control Panel Settings so you will know when I have replied to one of your posts.

 

3) Please follow all the steps described in the following link before posting your HijackThis log.

 

Do These Things First

 

Regards,

 

Trevuren


Hi Trevuren,

I want to thank you for taking the time to help me out. I tried running Adware after downloading it but the application would not open. I ran Spybot and Spy Sweeper. Downloaded the HijackThis application and ran the scan. Here is the file from this scan. Please let me know what to do after this.

 

Logfile of HijackThis v1.99.1

Scan saved at 8:57:48 PM, on 3/11/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\WinPatrol.exe

C:\WINDOWS\System32\tibs3.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\zstatus.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/sp.htm?id=9

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\gs2027r9lxm.dll

O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WinPatrol.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe

O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)

O9 - Extra button: Microsoft AntiSpyware helper - {1134A921-FAA4-408B-B988-17B862D5FEF0} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1134A921-FAA4-408B-B988-17B862D5FEF0} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {1706AF00-5B3B-477A-A02E-860F9857A9D1} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1706AF00-5B3B-477A-A02E-860F9857A9D1} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {3B413E53-E912-4DB5-AD20-E2DAE1A7BB20} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3B413E53-E912-4DB5-AD20-E2DAE1A7BB20} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {58396E3F-67BC-4683-8143-1464BD4762D6} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {58396E3F-67BC-4683-8143-1464BD4762D6} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {67F58C3A-57E4-4F19-A51E-321504A0336B} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {67F58C3A-57E4-4F19-A51E-321504A0336B} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {77823D14-1C37-4D41-969F-A8D5BF6A4984} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {77823D14-1C37-4D41-969F-A8D5BF6A4984} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {7C18C0EA-5D96-4280-AB46-910C191A4F55} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7C18C0EA-5D96-4280-AB46-910C191A4F55} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {8A353DD2-3EFA-4160-A84B-44D73DFAA19D} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8A353DD2-3EFA-4160-A84B-44D73DFAA19D} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {C3199577-F4C2-4475-BCE9-4A7A148E7BEF} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C3199577-F4C2-4475-BCE9-4A7A148E7BEF} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {CA3B0DB6-4B03-4B79-8EB7-DDA14EAFCF22} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA3B0DB6-4B03-4B79-8EB7-DDA14EAFCF22} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {DE2BA1C2-53F3-4F34-8508-9DCAAB25CE8D} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DE2BA1C2-53F3-4F34-8508-9DCAAB25CE8D} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {E38F12A1-81E1-4998-9189-FD9A0E8EC664} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E38F12A1-81E1-4998-9189-FD9A0E8EC664} - (no file) (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - WWW. Prefix: http://

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {073E2947-7AD1-67DB-8238-5A8770FF639B} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {0B48E232-6362-11A6-56E1-260E67A668FA} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {0D41F0E9-B13A-4252-29A3-095E62F67D18} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {0F136A3C-D1E2-58A8-E64A-1B1D4EC27114} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {1A2428B1-ECBB-5529-5046-46E55989721F} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {1A41DBCB-9C88-48DC-B2FD-4FB12711E23C} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {1D11835C-7679-50B8-2EA0-4E055EACE185} - http://69.50.163.12/1/rdgUS1124.exe

O16 - DPF: {25FA0253-D4E5-70C4-8B84-082E26BDDD55} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {28D1E0AD-862D-1757-1DEE-563321246496} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {2B88574B-1F6D-5A4C-EE5D-50403D3ABE09} - http://69.50.163.12/1/rdgUS1124.exe

O16 - DPF: {2F91A676-939F-2468-94E4-697418A063A0} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {37249927-F80D-73F2-CB0F-419014E304C9} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {3EA3B664-1E0E-59D4-BB2C-221626838F20} - http://69.50.163.12/1/rdgUS1124.exe

O16 - DPF: {3EFCF256-A8EB-2ECE-99E9-45B15F14AA51} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {40DCF6EE-1384-15E4-398B-7BAA08342C16} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {4768F832-B86E-6D8B-E4F1-29E862ABC955} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {4B846B2F-DE42-3D8D-7E92-32AA16A22EF6} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab

O16 - DPF: {514143ED-8E0A-637C-3F4B-777A2B77CEDF} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102055712460

O16 - DPF: {6517C659-F13C-29D4-8889-63801C15C8F5} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {6A095A8A-F838-4F5D-A2F5-49566F67BD27} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dialer/internazionale_ver4.CAB

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O20 - AppInit_DLLs: piy60wsx4j6.dll

O23 - Service: mserv.exe (anem) - Unknown owner - C:\WINDOWS\mserv.exe (file missing)

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

 

Thanks again


Hi jatt7846,

 

That was an excellent beginning. However, we have a lot more work to do.

 

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

1) Please download CWShredder. Download the stand-alone version, which is free.

 

* Check for Update.

* Click Fix.

* Exit CWShredder.

* REBOOT your system.

 

2) I want you to run at least one, and preferably both, of the following FREE online antivirus scanners, making sure that you choose to do a "complete scan" and letting the program fix everything it finds. It is also necessary to REBOOT your system after running each program.

 

TrendMicro Free Virus Scanner and Panda Software Online Virus Scanner.

 

3) I would also like you to download and run a free trial version of an anti-trojan program called Trojan Hunter. Let it scan your whole system and remove anything it finds.

REBOOT your system.

 

4) Finally, with all windows closed except for HJT, run HijackThis, click on SCAN, then on Save Log and POST log back into this thread.

 

Regards,

 

Trevuren


After running the 2 scans (wow, they were long scans) I tried Trojan Hunter but kept getting the Microsoft Windows Error Message. Also, when I ran the Panda Scan it said Infected Files: 876 but it Disinfected only 30. I think the Adware / Spyware is just detected but not fixed; only the viruses are disinfected.

Here is the new HJT log

 

Logfile of HijackThis v1.99.1

Scan saved at 11:56:22 PM, on 3/11/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\WinPatrol.exe

C:\WINDOWS\kdx\KHost.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\tibs3.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\wanmpsvc.exe

C:\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/sp.htm?id=9

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\gs2027r9lxm.dll

O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WinPatrol.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe

O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)

O9 - Extra button: Microsoft AntiSpyware helper - {1134A921-FAA4-408B-B988-17B862D5FEF0} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1134A921-FAA4-408B-B988-17B862D5FEF0} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {1706AF00-5B3B-477A-A02E-860F9857A9D1} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1706AF00-5B3B-477A-A02E-860F9857A9D1} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {3B413E53-E912-4DB5-AD20-E2DAE1A7BB20} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3B413E53-E912-4DB5-AD20-E2DAE1A7BB20} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {58396E3F-67BC-4683-8143-1464BD4762D6} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {58396E3F-67BC-4683-8143-1464BD4762D6} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {67F58C3A-57E4-4F19-A51E-321504A0336B} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {67F58C3A-57E4-4F19-A51E-321504A0336B} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {77823D14-1C37-4D41-969F-A8D5BF6A4984} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {77823D14-1C37-4D41-969F-A8D5BF6A4984} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {7C18C0EA-5D96-4280-AB46-910C191A4F55} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7C18C0EA-5D96-4280-AB46-910C191A4F55} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {8A353DD2-3EFA-4160-A84B-44D73DFAA19D} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8A353DD2-3EFA-4160-A84B-44D73DFAA19D} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {C3199577-F4C2-4475-BCE9-4A7A148E7BEF} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C3199577-F4C2-4475-BCE9-4A7A148E7BEF} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {CA3B0DB6-4B03-4B79-8EB7-DDA14EAFCF22} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA3B0DB6-4B03-4B79-8EB7-DDA14EAFCF22} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {DE2BA1C2-53F3-4F34-8508-9DCAAB25CE8D} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DE2BA1C2-53F3-4F34-8508-9DCAAB25CE8D} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {E38F12A1-81E1-4998-9189-FD9A0E8EC664} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E38F12A1-81E1-4998-9189-FD9A0E8EC664} - (no file) (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - WWW. Prefix: http://

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {073E2947-7AD1-67DB-8238-5A8770FF639B} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {0B48E232-6362-11A6-56E1-260E67A668FA} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {0D41F0E9-B13A-4252-29A3-095E62F67D18} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {0F136A3C-D1E2-58A8-E64A-1B1D4EC27114} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {1A2428B1-ECBB-5529-5046-46E55989721F} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {1A41DBCB-9C88-48DC-B2FD-4FB12711E23C} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {1D11835C-7679-50B8-2EA0-4E055EACE185} - http://69.50.163.12/1/rdgUS1124.exe

O16 - DPF: {25FA0253-D4E5-70C4-8B84-082E26BDDD55} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {28D1E0AD-862D-1757-1DEE-563321246496} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {2B88574B-1F6D-5A4C-EE5D-50403D3ABE09} - http://69.50.163.12/1/rdgUS1124.exe

O16 - DPF: {2F91A676-939F-2468-94E4-697418A063A0} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {37249927-F80D-73F2-CB0F-419014E304C9} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {3EA3B664-1E0E-59D4-BB2C-221626838F20} - http://69.50.163.12/1/rdgUS1124.exe

O16 - DPF: {3EFCF256-A8EB-2ECE-99E9-45B15F14AA51} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {40DCF6EE-1384-15E4-398B-7BAA08342C16} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {4768F832-B86E-6D8B-E4F1-29E862ABC955} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {4B846B2F-DE42-3D8D-7E92-32AA16A22EF6} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab

O16 - DPF: {514143ED-8E0A-637C-3F4B-777A2B77CEDF} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102055712460

O16 - DPF: {6517C659-F13C-29D4-8889-63801C15C8F5} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {6A095A8A-F838-4F5D-A2F5-49566F67BD27} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dialer/internazionale_ver4.CAB

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O20 - AppInit_DLLs: piy60wsx4j6.dll

O23 - Service: mserv.exe (anem) - Unknown owner - C:\WINDOWS\mserv.exe (file missing)

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

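The two logs posted above are read by eye in this thread. As an added example (editor's code, not part of the thread, of HijackThis or of PC Pitstop), the Python script below applies the same kind of reading mechanically: it flags IE start/search URLs that point anywhere but the hosts the user chose, nameless BHOs, Trusted Zone additions, O16 ActiveX downloads fetched from a raw IP address or delivered as a bare .exe, any AppInit_DLLs entry, and services with an unknown owner or a missing binary. The EXPECTED_HOSTS allowlist and the heuristics are assumptions; the sample lines are copied from the logs posted above, and a flagged line is a candidate for review rather than proof of infection.

```python
"""Triage a HijackThis-style log and flag the entry types a browser
hijacker commonly leaves behind. Heuristics only: a flagged line is a
candidate for review, not proof of infection, and an unflagged line is
not proof of a clean system (O4 Run entries, for instance, need a human
who knows what the machine should be running)."""
import re
from urllib.parse import urlparse

# Hosts the user says they chose for their own start/search pages
# (assumption for this example; the thread owner's start page is espn.com).
EXPECTED_HOSTS = {"espn.com", "www.espn.com"}

ENTRY_RE = re.compile(r"^(?P<sec>[RNO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"""https?://[^\s"']+""")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed input: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = [
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com",
    "R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\gs2027r9lxm.dll",
    r'O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WinPatrol.exe"',
    "O15 - Trusted Zone: *.greg-search.com",
    "O16 - DPF: {073E2947-7AD1-67DB-8238-5A8770FF639B} - http://69.50.182.94/1/rdgUS1754.exe",
    "O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab",
    "O20 - AppInit_DLLs: piy60wsx4j6.dll",
    r"O23 - Service: mserv.exe (anem) - Unknown owner - C:\WINDOWS\mserv.exe (file missing)",
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
]


def parse_entry(line):
    """Split 'O16 - DPF: ...' into ('O16', 'DPF: ...'); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def url_host(text):
    """Hostname of the first http(s) URL in text, or None if there is none."""
    m = URL_RE.search(text)
    return urlparse(m.group(0)).hostname if m else None


def classify(sec, body):
    """Return a review reason for one entry, or None if the heuristics are silent."""
    if sec in ("R0", "R1"):
        host = url_host(body)
        if host and host not in EXPECTED_HOSTS:
            return f"IE start/search setting points at unexpected host {host}"
    elif sec == "R3" and "missing" in body:
        return "default URLSearchHook has been removed"
    elif sec == "O2" and "(no name)" in body:
        return "Browser Helper Object registered without a name"
    elif sec == "O15":
        return "site added to the Trusted Zone (verify the user did this)"
    elif sec == "O16":
        host = url_host(body)
        if host and IPV4_RE.match(host):
            return f"ActiveX download from a raw IP address ({host})"
        if body.lower().endswith(".exe"):
            return "ActiveX entry installs a bare .exe instead of a .cab"
    elif sec == "O20" and "AppInit_DLLs" in body:
        return "DLL loaded into every process via AppInit_DLLs"
    elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        return "service with unknown owner or missing binary"
    return None


def triage(lines):
    """Return [(section, reason, line)] for every entry worth a second look."""
    findings = []
    for raw in lines:
        entry = parse_entry(raw)
        if entry:
            reason = classify(*entry)
            if reason:
                findings.append((entry[0], reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Run against the sample, the script flags seven of the thirteen lines: the letgohome.com search URL, the missing URLSearchHook, the nameless BHO, the greg-search.com Trusted Zone entry, the O16 download from 69.50.182.94, the AppInit_DLLs entry and the mserv.exe service, while leaving the espn.com start page, the WinPatrol Run entry, the PC Pitstop .cab and the NVIDIA service alone. To use it on a real log, read the file into a list of lines and pass it to triage().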

Hi jatt7846,

 

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

 

1) You have Winpatrol running on your machine and that is good.

But prior to doing the fix below with hijackthis it needs to be turned off.

Please do the following.

Right click the running icon of winpatrol, and choose exit.

Unless it is turned off it could interfere with the fix by HijackThis.

 

2) Now let's do some work on your log:

 

First we need to make all files and folders VISIBLE:

 

Go to start>control panel>folder options>view (tab)

*choose to "show hidden files and folders,"

*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.

*Close the window with ok

*All hidden files will now be visible

 

Close all browser windows and RUN HijackThis.

* Click the SCAN button to produce a log.

* Click the Config button located in the lower right hand corner of the HijackThis window.

* When the new screen opens, find and click the Miscellaneous Tools button.

* Then choose the Open Process Manager button.

* From the list of processes, highlight the following item by clicking it, then DELETE it by clicking the KILL button:

 

C:\WINDOWS\System32\tibs3.exe

 

Once all items have been KILLED, click the Back button which will return you to the HijackThis main window. Now place a check mark beside each one of the following Mandatory items as well as those Optional items that you choose based upon the information provided in green.

 

MANDATORY ITEMS

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/sp.htm?id=9

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=9

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\gs2027r9lxm.dll

O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe

O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: Microsoft AntiSpyware helper - {1134A921-FAA4-408B-B988-17B862D5FEF0} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1134A921-FAA4-408B-B988-17B862D5FEF0} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {1706AF00-5B3B-477A-A02E-860F9857A9D1} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1706AF00-5B3B-477A-A02E-860F9857A9D1} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {3B413E53-E912-4DB5-AD20-E2DAE1A7BB20} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3B413E53-E912-4DB5-AD20-E2DAE1A7BB20} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {58396E3F-67BC-4683-8143-1464BD4762D6} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {58396E3F-67BC-4683-8143-1464BD4762D6} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {67F58C3A-57E4-4F19-A51E-321504A0336B} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {67F58C3A-57E4-4F19-A51E-321504A0336B} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {77823D14-1C37-4D41-969F-A8D5BF6A4984} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {77823D14-1C37-4D41-969F-A8D5BF6A4984} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {7C18C0EA-5D96-4280-AB46-910C191A4F55} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7C18C0EA-5D96-4280-AB46-910C191A4F55} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {8A353DD2-3EFA-4160-A84B-44D73DFAA19D} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8A353DD2-3EFA-4160-A84B-44D73DFAA19D} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {C3199577-F4C2-4475-BCE9-4A7A148E7BEF} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C3199577-F4C2-4475-BCE9-4A7A148E7BEF} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {CA3B0DB6-4B03-4B79-8EB7-DDA14EAFCF22} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA3B0DB6-4B03-4B79-8EB7-DDA14EAFCF22} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {DE2BA1C2-53F3-4F34-8508-9DCAAB25CE8D} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DE2BA1C2-53F3-4F34-8508-9DCAAB25CE8D} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {E38F12A1-81E1-4998-9189-FD9A0E8EC664} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E38F12A1-81E1-4998-9189-FD9A0E8EC664} - (no file) (HKCU)

O13 - WWW. Prefix: http://

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {073E2947-7AD1-67DB-8238-5A8770FF639B} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {0B48E232-6362-11A6-56E1-260E67A668FA} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {0D41F0E9-B13A-4252-29A3-095E62F67D18} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {0F136A3C-D1E2-58A8-E64A-1B1D4EC27114} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {1A2428B1-ECBB-5529-5046-46E55989721F} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {1A41DBCB-9C88-48DC-B2FD-4FB12711E23C} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {1D11835C-7679-50B8-2EA0-4E055EACE185} - http://69.50.163.12/1/rdgUS1124.exe

O16 - DPF: {25FA0253-D4E5-70C4-8B84-082E26BDDD55} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {28D1E0AD-862D-1757-1DEE-563321246496} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {2B88574B-1F6D-5A4C-EE5D-50403D3ABE09} - http://69.50.163.12/1/rdgUS1124.exe

O16 - DPF: {2F91A676-939F-2468-94E4-697418A063A0} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {37249927-F80D-73F2-CB0F-419014E304C9} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {3EA3B664-1E0E-59D4-BB2C-221626838F20} - http://69.50.163.12/1/rdgUS1124.exe

O16 - DPF: {3EFCF256-A8EB-2ECE-99E9-45B15F14AA51} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {40DCF6EE-1384-15E4-398B-7BAA08342C16} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {4768F832-B86E-6D8B-E4F1-29E862ABC955} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {4B846B2F-DE42-3D8D-7E92-32AA16A22EF6} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {514143ED-8E0A-637C-3F4B-777A2B77CEDF} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {6517C659-F13C-29D4-8889-63801C15C8F5} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {6A095A8A-F838-4F5D-A2F5-49566F67BD27} - http://69.50.182.94/1/rdgUS1754.exe

O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dialer/internazionale_ver4.CAB

O20 - AppInit_DLLs: piy60wsx4j6.dll

O23 - Service: mserv.exe (anem) - Unknown owner - C:\WINDOWS\mserv.exe (file missing)

 

 

OPTIONAL ITEMS

 

The following item is considered to be a "resource hog". Its removal should enhance the performance of your system.

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

If you did not put the following item in your Trusted Zone, then include it in the Fix:

 

O15 - Trusted Zone: *.greg-search.com

 

Now with all the items selected and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

 

How to use the F8 method to Start Your Computer in Safe Mode

 

*Restart the computer.

*As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.

*Use the arrow keys to select the Safe Mode menu item.

*Press Enter.

 

 

Using Windows Explorer, locate the following files/folders, and delete them (if they are present):

 

FILES

 

C:\WINDOWS\System32\gs2027r9lxm.dll

C:\WINDOWS\System32\w32sup.exe

C:\WINDOWS\mserv.exe

C:\WINDOWS\System32\tibs3.exe

C:\WINDOWS\dnscleaner.exe

C:\S3tray2.exe

C:\piy60wsx4j6.dll

C:\rdgUS1754.exe

 

 

FOLDERS (with all their content)

 

C:\Program Files\WildTangent

C:\Program Files\MarketBrowser

 

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

 

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

 

Regards,

 

Trevuren

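What Trevuren is doing by hand above, sorting a HijackThis log into entries to fix, can be mechanised. The following Python script is an added example written for this page, not code from the thread and not part of HijackThis: it parses the entry lines and flags the classes of entry this thread's fix lists go after (hijacked IE start and search pages, an unnamed BHO, a Trusted Zone addition, ActiveX downloads from bare IP addresses, the O20 AppInit_DLLs line, and a service whose file is missing). The sample log is constructed from lines posted in this thread; EXPECTED_HOSTS and the rules themselves are assumptions for illustration and would be tuned per machine.

```python
"""Triage of a HijackThis 1.99.x log.

Added example, not code from the thread or from HijackThis. It parses the
"Oxx - ..." / "Rx - ..." entry lines and flags the classes of entry the
fix lists in this thread go after. The rules and EXPECTED_HOSTS are
assumptions for illustration; the sample log is constructed from lines
posted in the thread.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://letgohome.com/hp.htm?id=31631
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.espn.com
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31631
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\\WINDOWS\\System32\\H7U1CS~1.DLL
O4 - HKLM\\..\\Run: [WinPatrol] "c:\\PROGRA~1\\WinPatrol.exe"
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {073E2947-7AD1-67DB-8238-5A8770FF639B} - http://69.50.182.94/1/rdgUS1754.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102055712460
O20 - AppInit_DLLs: piy60wsx4j6.dll
O23 - Service: mserv.exe (anem) - Unknown owner - C:\\WINDOWS\\mserv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RNOF]\d+) - (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://\S+")

# Start/search pages the owner actually set (assumption for this machine).
EXPECTED_HOSTS = {"www.espn.com"}


def parse(log):
    """Yield (section, body) for every entry line; headers and blanks are skipped."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def host_of(text):
    """Hostname of the first http(s) URL in an entry, or None."""
    m = URL_RE.search(text)
    return urlsplit(m.group(0)).hostname if m else None


def triage(log):
    """Return [(section, body, reason)] for entries worth a closer look."""
    findings = []
    for sec, body in parse(log):
        reason = None
        if sec in ("R0", "R1"):
            host = host_of(body)
            if host and host not in EXPECTED_HOSTS:
                reason = f"IE start/search setting redirected to {host}"
        elif sec == "O2" and "(no name)" in body:
            reason = "unnamed Browser Helper Object: loads into every IE window"
        elif sec == "O15":
            reason = "site added to IE Trusted Zone, where ActiveX runs with fewer prompts"
        elif sec == "O16":
            host = host_of(body)
            if host and IPV4_RE.match(host):
                reason = f"ActiveX download from a bare IP address ({host})"
            elif body.lower().endswith(".exe"):
                reason = "ActiveX entry pointing at a raw .exe rather than a .cab"
        elif sec == "O20":
            # AppInit_DLLs (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)
            # is loaded into every process that loads user32.dll, so the file is
            # always in use in Normal Mode and the DLL is resident in Explorer too.
            reason = "AppInit_DLLs entry: DLL injected into every GUI process"
        elif sec == "O23" and "(file missing)" in body:
            reason = "service registered for a file that is gone (remove with sc delete)"
        if reason:
            findings.append((sec, body, reason))
    return findings


if __name__ == "__main__":
    for sec, body, reason in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {body}")
```

Run as a script it prints the seven findings from the sample. The O20 rule is the one to take seriously in this thread: because the AppInit_DLLs value is loaded into every process that uses user32.dll, the DLL is in use by Explorer in Normal Mode (hence the "Access is denied" later in the thread) and, being resident, can re-create entries that HijackThis has just removed, which is why it has to be dealt with from Safe Mode.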

Hi There,

It is not letting me get into the "Folder Options". When I click on it I get an error message: "(null) is not a valid Win32 application". How can I make the files and folders visible without getting into this folder? Thanks.


Hi,

I did most of the things you suggested. I did not know what I was trying to do when you mentioned "Reboot your system in safe mode". I tried pressing F8 several times but nothing happened.

The only files available were

C:\Windows\System32\tibs3.exe

C:\Windows\dnscleaner.exe

The only folder available was

C:\Program Files\Market Browser

 

Here is the new HJT log. Please let me know how it looks.

 

Logfile of HijackThis v1.99.1

Scan saved at 11:57:41 AM, on 3/12/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\WinPatrol.exe

C:\WINDOWS\kdx\KHost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Hijack This\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WinPatrol.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102055712460

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O20 - AppInit_DLLs: piy60wsx4j6.dll

O23 - Service: mserv.exe (anem) - Unknown owner - C:\WINDOWS\mserv.exe (file missing)

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Hi jatt7846, We are making excellent progress and are left with 2 slightly difficult ones to get rid of. Just follow my lead and we will get you nice and clear.

 

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

We will start by working on the bad O20 file. This time I want you to start by REBOOTING into SAFE MODE. Inasmuch as you had a bit of a problem with this last time, go to this link and choose the method which is applicable to your system.

 

Symantec Safe Mode

 

Now while in safe mode, with all other windows closed except HijackThis, run HJT, click SCAN and place a check mark beside the following entry:

 

O20 - AppInit_DLLs: piy60wsx4j6.dll

 

With the item selected, click FIX and exit the program.

 

Now using Windows Explorer, find and DELETE the following file:

 

piy60wsx4j6.dll.

 

1) It may be in the C:\Windows (folder) or

2) C:\Windows\system32 (folder) or

3) If you cannot find it through Windows Explorer, GOTO START>>Search>>For Files and Folders. Choose the "all files and folders" option and copy and paste piy60wsx4j6.dll into the box labelled "All or part of the File Name". Let it run its course. If it finds 1 or more instances of the file, Right Click on each one and select DELETE. When all is finished, return to your desktop and following the instructions provided in the link I gave you, REBOOT your system into Normal Mode.

 

Now run HJT,

Click SCAN,

Produce a log

Post the log into this thread.

 

 

Regards,

 

Trevuren


Hi Trevuren,

I was out of town for 7 days and just got back this morning. I want to thank you for all your help so far; the computer seems to be getting a lot better. I tried to do what you said in your previous message but it did not work because I got an error message when I clicked on "Fix Checked". Here is what the message said:

 

An unexpected error has occurred at procedure:modBackup_MakeBackup(sItem=O20-AppInit_DLLs: piy60wsx4j6.dll)

Error #5 - Invalid procedure call or argument

Please e-mail me at [email protected], reporting the following:

*What you were trying to fix when the error occurred, if applicable

*How you can reproduce the error

*A complete HijackThis scan log, if possible

Windows Version: Windows NT 5.01.2600

MSIE version: 6.02800.1106

HijackThis version: 1.99.1

This message has been copied to your clipboard.

Click OK to continue the rest of the scan.

 

Also, here is the log

Logfile of HijackThis v1.99.1

Scan saved at 4:20:28 PM, on 3/20/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Hijack This\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WinPatrol.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102055712460

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O20 - AppInit_DLLs: piy60wsx4j6.dll

O23 - Service: mserv.exe (anem) - Unknown owner - C:\WINDOWS\mserv.exe (file missing)

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Hi jatt7846, We will try that one again but we will reverse the order of things a bit.

 

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

With all other windows closed except HijackThis, run HJT, click SCAN and place a check mark beside the following entry:

 

O20 - AppInit_DLLs: piy60wsx4j6.dll

 

With the item selected, click FIX and exit the program.

 

REBOOT INTO SAFE MODE

 

Inasmuch as you had a bit of a problem with this go to this link and choose the method which is applicable to your system.

 

Symantec Safe Mode

 

Remember to write down the instructions so they will be handy when you need them.

Now using Windows Explorer, find and DELETE the following file:

 

piy60wsx4j6.dll.

 

1) It may be in the C:\Windows (folder) or

2) C:\Windows\system32 (folder) or

3) If you cannot find it through Windows Explorer, GOTO START>>Search>>For Files and Folders. Choose the "all files and folders" option and copy and paste piy60wsx4j6.dll into the box labelled "All or part of the File Name". Let it run its course. If it finds 1 or more instances of the file, Right Click on each one and select DELETE. When all is finished, return to your desktop and following the instructions provided in the link I gave you, REBOOT your system into Normal Mode.

 

Now run HJT,

Click SCAN,

Produce a log

Post the log into this thread.

 

 

Regards,

 

Trevuren


Hi,

The same error message came up when I tried to "Fix Selected" line item.

 

An unexpected error has occurred at procedure:modBackup_MakeBackup(sItem=O20-AppInit_DLLs: piy60wsx4j6.dll)

Error #5 - Invalid procedure call or argument

Please e-mail me at [email protected], reporting the following:

*What you were trying to fix when the error occurred, if applicable

*How you can reproduce the error

*A complete HijackThis scan log, if possible

Windows Version: Windows NT 5.01.2600

MSIE version: 6.02800.1106

HijackThis version: 1.99.1

This message has been copied to your clipboard.

Click OK to continue the rest of the scan.


Hi,

Here is the latest log. Please advise.

 

Logfile of HijackThis v1.99.1

Scan saved at 5:27:27 PM, on 4/12/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\stop.11316_4.exe

C:\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\H7U1CS~1.DLL

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WinPatrol.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102055712460

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O20 - AppInit_DLLs: cv9319k4d4h6ox7.dll.dll.dll.dll

O23 - Service: mserv.exe (anem) - Unknown owner - C:\WINDOWS\mserv.exe (file missing)

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

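Reading the 3/20 and 4/12 logs side by side shows the AppInit_DLLs value changing its name and the IE start page being rewritten while other entries sit unchanged. As an added example, not part of this thread and not HijackThis code, the Python below diffs two logs so that this falls out of a tool rather than out of eyeballing sixty lines: entries are normalised and keyed so that single-value items (an R0 Start Page, the O20 AppInit_DLLs line) are reported as changed rather than as one removal plus one addition. The two excerpts are constructed from the 3/20/2005 and first 4/12/2005 logs posted above; which sections count as single-value is my assumption.

```python
"""Diff two HijackThis logs taken before and after a fix.

Added example, not code from the thread or from HijackThis. Entries are
normalised (whitespace collapsed, case folded) and keyed so that items
holding one registry value, such as the O20 AppInit_DLLs line or an R0
Start Page, show up as "changed" rather than as one removal plus one
addition. The two excerpts are constructed from the 3/20/2005 and the
first 4/12/2005 log in this thread.
"""
import re

ENTRY_RE = re.compile(r"^([RNOF]\d+) - (.*)$")

# Sections that report a single registry value; only the value part varies
# between runs (assumption for illustration).
SINGLE_VALUE_SECTIONS = {"o13", "o20"}

BEFORE = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.espn.com
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O20 - AppInit_DLLs: piy60wsx4j6.dll
O23 - Service: mserv.exe (anem) - Unknown owner - C:\\WINDOWS\\mserv.exe (file missing)
"""

AFTER = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://letgohome.com/hp.htm?id=31631
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\\WINDOWS\\System32\\H7U1CS~1.DLL
O20 - AppInit_DLLs: cv9319k4d4h6ox7.dll.dll.dll.dll
O23 - Service: mserv.exe (anem) - Unknown owner - C:\\WINDOWS\\mserv.exe (file missing)
"""


def entries(log):
    """Normalised entry lines: one string per HJT entry, whitespace collapsed, lower-cased."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(" ".join(m.group(0).split()).lower())
    return out


def key_of(entry):
    """Identity of an entry independent of its value part."""
    section = entry.split(" ", 1)[0]
    if " = " in entry:                       # R0/R1/N3/O4 'name = value' style
        return entry.split(" = ", 1)[0]
    if section in SINGLE_VALUE_SECTIONS:     # 'O20 - AppInit_DLLs: <value>'
        return entry.split(": ", 1)[0]
    return entry                             # everything else: the whole line


def compare(before, after):
    """Classify entries as removed, added, changed (same key, new value) or persisting."""
    b = {key_of(e): e for e in entries(before)}
    a = {key_of(e): e for e in entries(after)}
    return {
        "removed": sorted(b[k] for k in b.keys() - a.keys()),
        "added": sorted(a[k] for k in a.keys() - b.keys()),
        "changed": sorted((b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]),
        "persisting": sorted(a[k] for k in a.keys() & b.keys() if a[k] == b[k]),
    }


if __name__ == "__main__":
    for kind, items in compare(BEFORE, AFTER).items():
        print(kind.upper())
        for item in items:
            print("   ", item if isinstance(item, str) else f"{item[0]}\n     -> {item[1]}")
```

On the sample this reports the MSConfig Run entry as removed, the unnamed BHO as added, the Start Page and the AppInit_DLLs line as changed, and the orphaned mserv.exe service as persisting. A "changed" O20 line between two runs is the signal that something is still rewriting that registry value, so the next fix needs to remove the writer, not just the current value.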

Hi jatt7846,

 

You have caught a few new fish here.

 

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

1. Download "Service Filter" from HERE to your Desktop.

 

2. Now open Service Filter by clicking on its icon.

* Then click OK and OK again when prompted.

* A WordPad text will appear on your desktop. Scroll down the list of services until you find the service containing the name: mserv.exe (anem) - Unknown owner - C:\WINDOWS\mserv.exe.

For the O23 involved, carefully write down the name that appears beside the label "Service Name". This name will be required in the next step.

* Close the program when finished.

----------------------------

3. Now we need to work from the Command Prompt

 

Go Start>>Programs>>Accessories>>Command Prompt

 

* A black box will appear with a flashing cursor. At the cursor, type cd.. then cd.. again and repeat the procedure until the writing preceding the cursor says C:\>

* Now carefully type the following: sc delete "servicename", where the word servicename is replaced by the real service name (probably anem) that you have written down. Press ENTER.

* Close the Command Prompt box.

------------------------------------------

4.

  • Download AppInit_DLLs Fix.
  • Unzip the contents of appinitfix.zip to a convenient location.
  • Double-click on appinitfix.reg.
  • When it asks you to merge the information to the registry click "Yes".
5. Now do a complete scan with Ad-Aware SE and let it remove all it finds.

 

6. Reboot your system into Safe Mode

 

7. Using Windows Explorer, DELETE the following files, if they are present:

 

C:\WINDOWS\mserv.exe

cv9319k4d4h6ox7.dll.dll.dll.dll

 

8. REBOOT back into Normal Mode

 

9. Finally, run HijackThis and with all windows closed except for HJT, click SCAN, produce a LOG and POST it in this thread for review. There are more entries to fix.

 

Regards,

 

Trevuren


Hi Trevuren,

Service Name was "anem" and I did the sc delete "anem"

Did not find mserv.exe or cv9319k4d4h6ox7.dll.dll.dll.dll files.

 

This search engine seems to have totally taken over the web browser and I can barely even get to this site after numerous tries. This problem was solved for a while but it has reappeared.

 

Here is the new scan log

 

Logfile of HijackThis v1.99.1

Scan saved at 9:03:29 PM, on 4/12/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\H7U1CS~1.DLL

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WinPatrol.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102055712460

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O20 - AppInit_DLLs: piy60wsx4j6.dll

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Hi jatt7846,

 

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

Before doing any fixes, we must turn off certain programs that could interfere with malware removal:

 

1. To disable SpySweeper:

 

Open it, click Options over to the left, then Program Options, and uncheck "load at windows startup".

Over to the left click "shields" and uncheck all there.

Uncheck "home page shield".

Uncheck "automatically restore default without notification".

 

2. To disable WinPatrol

 

Right click the running icon of winpatrol, and choose exit

 

 

Now let's do some work on your log:

 

First we need to make all files and folders VISIBLE:

 

Go to start>control panel>folder options>view (tab)

*choose to "show hidden files and folders,"

*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.

*Close the window with ok

*All hidden files will now be visible

 

Close all browser windows and RUN HijackThis.

. Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31631

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\H7U1CS~1.DLL

O20 - AppInit_DLLs: piy60wsx4j6.dll

 

 

Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

 

How to use the F8 method to Start Your Computer in Safe Mode

 

*Restart the computer.

*As soon as the BIOS has loaded, begin tapping the F8 key until the Advanced Options menu appears.

*Use the arrow keys to select the Safe mode menu item

*press Enter.

 

 

Using Windows Explorer, locate the following files, and DELETE them (if they are present):

 

 

C:\WINDOWS\System32\H7U1CS~1.DLL

piy60wsx4j6.dll

C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js

 

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

 

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

 

Regards,

 

Trevuren


Hi Trevuren,

When trying to delete piy60wsx4j6.dll I got an error message "ACCESS IS DENIED"

 

Did everything else and when running the new log I see that some of the items that were fixed have reappeared. Here it is

 

Logfile of HijackThis v1.99.1

Scan saved at 10:47:14 PM, on 4/12/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\kdx\KHost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WinPatrol.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102055712460

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O20 - AppInit_DLLs: 661itj884fgux47.dll.dll.dll.dll.dll.dll.dll.dll

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Hi jatt7846,

 

Sorry for the non-reply. I must have deleted your email by mistake.

 

  • Download AppInit_DLLs Fix.
  • Unzip the contents of appinitfix.zip to a convenient location.
  • Double-click on appinitfix.reg.
  • When it asks you to merge the information to the registry click "Yes".
Now do a complete scan with Ad-Aware SE and post a new HJT log for review.

 

 

Regards,

 

Trevuren


Here is the new log

 

Logfile of HijackThis v1.99.1

Scan saved at 9:19:51 PM, on 4/14/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\zstatus.exe

C:\WINDOWS\explorer.exe

C:\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\3UGHUM~1.DLL

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WinPatrol.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe" "+b1"

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

O4 - Startup: winupdate78549030[1].exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102055712460

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O20 - AppInit_DLLs: 77bzl8w5933i7.dll.dll

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Hi jatt7846,

 

 

1. I want you to download CWShredder (the stand alone version is free).

Run the program and click Check for Update. Make sure that all browser windows are closed with the exception of CWShredder and choose FIX. Here is the link:

CWS Shredder

 

REBOOT YOUR SYSTEM

 

2. We will re-run the previous fix

 

Double-click on appinitfix.reg.

When it asks you to merge the information to the registry click "Yes".

 

3. Now do a complete scan with Ad-Aware SE and post a new HJT log for review.

 

 

Regards,

 

Trevuren


Hi, after running Ad-Aware SE it was not able to remove 8 items.

Here is the new log

Logfile of HijackThis v1.99.1

Scan saved at 10:38:30 PM, on 4/14/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\zstatus.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\1myr3zy980ybthd.exe

C:\WINDOWS\System32\h9skp63xcw12thd.exe

C:\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\G9RVIW~1.DLL

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WinPatrol.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\1myr3zy980ybthd.exe

O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

O4 - Startup: winupdate78549030[1].exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102055712460

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O20 - AppInit_DLLs: piy60wsx4j6.dll

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Hi jatt7846,

 

Apparently, our traditional methods of dealing with your infection don't seem to be having any effect. Today I will do another HJT complete fix to clear out as much as I can then I will get you to run a little program so we can find out what is going on. The order in which we will be doing these procedures will be reversed.

 

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

1. Launch Notepad, and copy/paste the box below into a new text file. Save it as FindDLL.bat and save it on your Desktop.

 

dir C:\WINDOWS\System32\*.dll.dll > BadDLL.txt

notepad BadDLL.txt

 

Locate FindDLL.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here with your new HJT log.

 

2. You have WinPatrol running on your system. It is a good program but must be disabled while we do our HJT fix because it could stop some of the changes from taking effect.

 

Right-click the running icon of WinPatrol and choose Exit.

 

3. Now let's do some work on your log:

 

First we need to make all files and folders VISIBLE:

 

Go to start>control panel>folder options>view (tab)

*choose to "show hidden files and folders,"

*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.

*Close the window with ok

*All hidden files will now be visible

 

Close all browser windows and RUN HijackThis.

*Click the SCAN button to produce a log.

*Click the Config button located in the lower right hand corner of the HijackThis window.

*When the new screen opens, find and click the Miscellaneous Tools button.

*Then choose the Open Process Manager button.

*From the list of processes, highlight the following items by clicking them, ONE AT A TIME, then DELETE them by clicking the KILL button:

 

C:\WINDOWS\System32\1myr3zy980ybthd.exe

C:\WINDOWS\System32\h9skp63xcw12thd.exe

 

Once all items have been KILLED, click the Back button which will return you to the HijackThis main window. Now place a check mark beside each one of the following items:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31631

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\G9RVIW~1.DLL

O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\1myr3zy980ybthd.exe

O4 - Startup: winupdate78549030[1].exe

O20 - AppInit_DLLs: piy60wsx4j6.dll

 

Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

 

How to use the F8 method to Start Your Computer in Safe Mode

 

*Restart the computer.

*As soon as the BIOS has loaded, begin tapping the F8 key until the Advanced Options menu appears.

*Use the arrow keys to select the Safe mode menu item

*press Enter.

 

 

Using Windows Explorer, locate the following files and DELETE them (if they are present)

 

C:\WINDOWS\System32\1myr3zy980ybthd.exe

C:\WINDOWS\System32\h9skp63xcw12thd.exe

C:\WINDOWS\System32\G9RVIW~1.DLL

winupdate78549030[1].exe

piy60wsx4j6.dll

 

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

 

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

 

Regards,

 

Trevuren
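As an added example (not code from this thread, from the helper, or from HijackThis), the script below parses the HJT log line format posted above and flags the three things that kept this infection coming back: a non-empty O20 AppInit_DLLs value, the stacked ".dll.dll" file names that FindDLL.bat searches for, and a BHO whose CLSID is unchanged between two scans while its DLL name changes. The sample log lines are constructed from the logs in this thread.

```python
"""Triage helpers for HijackThis-style logs (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed sample lines, taken from two successive scans posted in the thread.
LOG_A = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://letgohome.com/hp.htm?id=31631
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\\WINDOWS\\System32\\W8C6S4~1.DLL
O4 - HKLM\\..\\Run: [WinPatrol] "c:\\PROGRA~1\\WinPatrol.exe"
O20 - AppInit_DLLs: 661itj884fgux47.dll.dll.dll.dll.dll.dll.dll.dll
"""
LOG_B = """\
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\\WINDOWS\\System32\\3UGHUM~1.DLL
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O20 - AppInit_DLLs: 77bzl8w5933i7.dll.dll
"""

# HJT entry lines look like "<section> - <body>", e.g. "O20 - AppInit_DLLs: x.dll".
LINE_RE = re.compile(r"^(?P<sect>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
STACKED_DLL_RE = re.compile(r"\.dll\.dll", re.IGNORECASE)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sect"), m.group("body")))
    return entries


def bho_paths(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map BHO CLSID -> DLL path for every O2 line."""
    out = {}
    for sect, body in entries:
        if sect != "O2":
            continue
        m = CLSID_RE.search(body)
        if m:
            out[m.group(0)] = body.rsplit(" - ", 1)[-1]
    return out


def find_suspicious(text: str) -> List[str]:
    """Flag the single-log indicators seen in this thread."""
    findings = []
    for sect, body in parse_hjt(text):
        if sect == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # AppInit_DLLs is empty on a clean Windows XP install
                findings.append(f"AppInit_DLLs loads {value!r} into every GUI process")
        if STACKED_DLL_RE.search(body):
            findings.append(f"stacked .dll.dll name in {sect}: {body}")
    return findings


def renamed_bhos(log_a: str, log_b: str) -> List[str]:
    """CLSIDs present in both logs whose DLL path changed between scans."""
    a = bho_paths(parse_hjt(log_a))
    b = bho_paths(parse_hjt(log_b))
    return sorted(c for c in a.keys() & b.keys() if a[c].lower() != b[c].lower())


if __name__ == "__main__":
    for f in find_suspicious(LOG_A):
        print("finding:", f)
    for clsid in renamed_bhos(LOG_A, LOG_B):
        print("BHO renamed between scans:", clsid)
```

A BHO that keeps its CLSID but changes its DLL name on every reboot is why fixing the O2 line alone did not hold; the registry entry and the file must be removed in the same pass.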


Hi Trevuren

Thanks for all your help so far.

I did not understand what you want me to do in Step 1. Which box are you referring to that I need to copy into this Notepad?

Where will the information come into this document that you want me to paste along with the HJT log?


Hi jatt7846,

 

1. Open Notepad

 

2. Copy this text :

 

dir C:\WINDOWS\System32\*.dll.dll > BadDLL.txt

notepad BadDLL.txt

 

from here into the open Notepad file.

 

3. Close the Notepad file and name it FindDll.bat (we have now created a program to find a file).

 

4. Now click on this program that we just made called FindDll.bat. Another Notepad file will open with some text in it. It is this text that I want you to post back here for review.

 

 

Trevuren


Hi jatt7846,

 

We have decided to bring in the cavalry on this one.

 

 

1. Download the program "DLL COMPARE" to your Desktop from HERE

 

2. Click the program ICON, then RUN in the window that appeared.

 

3. Click Locate.com (A Notepad log appears on your desktop).

 

4. Click COMPARE in the lower part of the Dll Compare window.

 

5. When the program has finished, click Make a Log of What Was Found.

 

6. POST this log into this thread for review.

 

 

Regards,

 

Trevuren

This topic is now closed to further replies.