
allaboutsearching invasion


Name: Lrpjazz
Date: May 11, 2004 at 08:52:09 Pacific
OS: windows XP home edition
CPU/Ram: celeron 2.3GB, 512K
Comment:

I know other people have asked about this but it is my understanding that each case can be a little different.
I use Windows XP and aol 9.0. I can't use aol except for email because Internet Explorer seems to have been taken over by allaboutsearching. I also had look2me but that seems to have been removed successfully (I hope!). I have run Spybot S&D as well as Spyhunter but still, every time I try to go somewhere in aol or just in IE alone I get Cannot Find Server (on the bar) and This page cannot be displayed. The uninstaller from allaboutsearching did nothing as far as I can tell. I can post a Hijackthis log. Please help, and THANK YOU!
Lewis




Response Number 1
Name: blender
Date: May 11, 2004 at 17:39:09 Pacific
Reply:

Lrpjazz

Yes post your hijack log.

Also post a log from this VX2 finder tool so I can see if VX2/L2m is really gone (look2me):

VX2Finder.exe

Save the download to disk, double click VX2Finder.exe to start, click on "find vx2.betterinternet info" then "log" and paste those results in reply.
_______________________________

I never give up!

Windows Update



Response Number 2
Name: Lrpjazz
Date: May 11, 2004 at 19:14:16 Pacific
Reply:

THANK YOU. Here is the VX2 log. After that is the Hijackthis log.

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\abaamon.dll
C:\WINDOWS\System32\acmparse.dll
C:\WINDOWS\System32\acsnt.dll
C:\WINDOWS\System32\ajtxprxy.dll
C:\WINDOWS\System32\apctres.dll
C:\WINDOWS\System32\astxprxy.dll
C:\WINDOWS\System32\ayaamon.dll
C:\WINDOWS\System32\azmparse.dll


Guardian Key--- is called:

User Agent String---


Logfile of HijackThis v1.97.7
Scan saved at 11:24:48 AM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\woxcyhmx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\Keyhost.exe
C:\WINDOWS\System32\tsqshutdn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\SahAgent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\mhvphsur.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\LrxH5.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\LrxH5.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Rachel Porter\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002-nhp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003-nhp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wabu.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp...sion_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasearch.com/iesearch.php?ref=sb
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\Cjo9f.exe
O4 - HKLM\..\Run: [ltmwvrvt] C:\WINDOWS\woxcyhmx.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
O4 - HKLM\..\Run: [tsqshutdn.exe] C:\WINDOWS\System32\tsqshutdn.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\Documents and Settings\Rachel Porter\dp-b23011805.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [qsxvrtmc] C:\WINDOWS\System32\mhvphsur.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [tsqshutdn.exe] C:\WINDOWS\System32\tsqshutdn.exe
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &FastSeeker Search - res://C:\Program Files\FastSeeker\FastSeekerToolbar.dll/cmsearch.html
O8 - Extra context menu item: &IE Toolbar search - res://C:\Program Files\Internet Explorer\Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: IE Addon (HKLM)
O9 - Extra 'Tools' menuitem: IE Addon (HKLM)
O9 - Extra button: Whistle (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu....0.0.6.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/bridge.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://cdn2.adsdk.com/bannerfarm/47309/...031209.EXE
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://www.stardialer.de/install/StarInstall.ocx

END OF EMAIL MESSAGE



Response Number 3
Name: blender
Date: May 12, 2004 at 09:28:17 Pacific
Reply:

Lrpjazz

You have lots of work to do....Your computer has seriously been compromised...

You will want to print this out since the instructions are lengthy. You are in for the long haul...Yes we can fix it.

First thing that goes is VX2 files.

Open task manager by hitting the ctrl+alt+del keys at the same time.
Click the processes tab.

Scroll down thru the list...if you see any instances of Rundll32.exe running; highlight it and click end task.
Ok the warning.
Do that for each one you see running.

Next start VX2Finder.exe
Click "find VX2.BetterInternet info"
Go thru the list displayed, click each one and click the delete button.

Click the Pol button and reboot. <--this resets user rights assignments for debug privileges the look2me messed up.

You also have trojan peper.

Download this uninstaller:

http://www.memorywatcher.com/uninst.exe

Save the download to disk and run it while online.
It will run and close kinda quick...that is normal.

Reboot and run it again.

Reboot.

You also have cool web search infection.

Go here and download the removal tool:

CWShredder.exe

Save it to disk, go offline and run the tool.
Click fix not just scan.

Reboot and run the tool again to be sure it fixes it all.

Next download LSPfix from here:

LSPFix.exe

Save it to disk..do nothing with it yet.

Next Go to add/remove programs and uninstall the following if listed:

Toolbar <--hijacker
Shop at home agent <--hijacks your internet
WinTools <--installs trojans...it did
Fast Seeker Toolbar <--hijacker

Reboot when done.

Now...start LSPfix.exe you downloaded earlier.
Look in the left pane for lsp.dll if it is listed:

Check the box I know what I am doing
Highlight lsp.dll. Nothing else!
Move it to the remove pane using the >>
Click finish
If lsp.dll is not listed; Close the program.

Next go here to run a virus scan:

Housecall virus scan

Check its autoclean feature and run a scan on the whole computer.
Shut off norton to prevent conflicts.
Clean/delete what it finds.

Reboot when done


Next download Ad-aware from here:

Ad-Aware

Once installed Update it by clicking the globe icon> connect> ok.

Then follow instructions here on how to set up and use it:

How to use ad-aware

Shut off norton av to prevent conflicts.
Do the scan while offline (pull the cable if needed)

Let it remove everything it finds.

Reboot after it is done scanning/cleaning.


Post a new vx2 log and hijackthis log.
Let me know what housecall cannot fix or delete.

There will be more to do!

I also need to know if there are more user accounts on this computer.




Response Number 4
Name: Lrpjazz
Date: May 13, 2004 at 13:01:38 Pacific
Reply:

THANK you again for your help. I'm sorry for the delay and it was a lot to do. I have already noticed significant improvement--IE now can go online to the location you choose.
Here are some details first:
-I was able to get through everything you said except the last step of running Ad-aware. No windows were open and I unplugged the cord to the wireless home network. I disabled Norton autoprotect. I ran Ad-aware 4 times and every time it froze at this point:
Deep searching files on C
Searching for dynamically created keys
It had found at that point:
109 new objects including:
4 processes
73 registry keys
23 registry values
9 files

ALSO When I ran housecall it found two trojans but the options to clean or delete were not available. The trojans were:
troj small.eu
troj winfavs.a
(I didn't search drives A,D,E which are the floppy, CD and DVD drives.)

ALSO when I ran CWshredder I deleted C:\WIndows\SAHuninstall.exe. I assume that was the right thing to do.

I notice that even when I end Rundll32.exe it periodically comes back (maybe when I reboot).

As per your question, this is my daughter's computer (age 13) which I bought last July and at first she clicked on various offers which I'm sure began the problems (I quickly warned her not to do so again). There are two other users, myself and my son, but each of us have only used this computer once, maybe twice.

I don't know if this is notable, but all the bookmarks she saves in Mozilla keep disappearing (perhaps when we run Spyhunter or Spybot?).

Also once we get the computer clean, I wonder if something like PC-illin is a good investment (or if there is something like that for free)?

HERE is the latest hijackthis log, followed by the VX2 log. THANK YOU!
Lrpjazz

Logfile of HijackThis v1.97.7
Scan saved at 3:45:17 PM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\woxcyhmx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Rachel Porter\My Documents\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wabu.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ltmwvrvt] C:\WINDOWS\woxcyhmx.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
O4 - HKLM\..\Run: [tsqshutdn.exe] C:\WINDOWS\System32\tsqshutdn.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\Documents and Settings\Rachel Porter\dp-b23011805.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [qsxvrtmc] C:\WINDOWS\System32\mhvphsur.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [tsqshutdn.exe] C:\WINDOWS\System32\tsqshutdn.exe
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &IE Toolbar search - res://C:\Program Files\Internet Explorer\Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: IE Addon (HKLM)
O9 - Extra 'Tools' menuitem: IE Addon (HKLM)
O9 - Extra button: Whistle (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/bridge.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://cdn2.adsdk.com/bannerfarm/47309/BundleOuter1132031209.EXE
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://www.stardialer.de/install/StarInstall.ocx

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

END of post



Response Number 5
Name: blender
Date: May 13, 2004 at 17:07:22 Pacific
Reply:

Lrpjazz

Ok..now you are rid of the remaining vx2.

That "my web search" installs problems of its own. I highly recommend uninstalling it.

You can do that thru add/remove programs.
There will likely be a few different "my web search" items listed....I would remove them all.
Reboot when done.

It should be fine now to leave rundll32.exe running...I just wanted to make sure it was stopped to remove the items listed in vx2 log.
Rundll32.exe is a valid system file...so just in case...don't try deleting it.

Start the task manager again and end task on the following:

woxcyhmx.exe

Start hijackthis again and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wabu.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: (no name) - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)

O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [ltmwvrvt] C:\WINDOWS\woxcyhmx.exe

O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe

O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe

O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe

O4 - HKLM\..\Run: [tsqshutdn.exe] C:\WINDOWS\System32\tsqshutdn.exe

O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe

O4 - HKLM\..\Run: [PGStub.exe] C:\Documents and Settings\Rachel Porter\dp-b23011805.exe

O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKLM\..\Run: [qsxvrtmc] C:\WINDOWS\System32\mhvphsur.exe

O4 - HKCU\..\Run: [tsqshutdn.exe] C:\WINDOWS\System32\tsqshutdn.exe

O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O8 - Extra context menu item: &IE Toolbar search - res://C:\Program Files\Internet Explorer\Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: Sidesearch (HKLM)

O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)

O9 - Extra button: IE Addon (HKLM)

O9 - Extra 'Tools' menuitem: IE Addon (HKLM)

O9 - Extra button: Whistle (HKLM)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/bridge.cab

O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab

O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://cdn2.adsdk.com/bannerfarm/47309/BundleOuter1132031209.EXE

O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://www.stardialer.de/install/StarInstall.ocx

Once all are checked, close all open windows and click fix checked

Reboot the computer to safe mode when done, and remove the following files/folders. You will need to show hidden files and folders...here's how:

Show all files and folders

C:\program files\my web search <--folder
c:\program files\winfavorites <--folder

C:\WINDOWS\woxcyhmx.exe <--file

C:\WINDOWS\System32\SSUpdate.exe <--file
C:\WINDOWS\System32\version.exe <--file
C:\WINDOWS\System32\Keyhost.exe <--file
C:\WINDOWS\System32\tsqshutdn.exe <--file
c:\WINDOWS\System32\zzb.exe <--file
C:\WINDOWS\System32\SahAgent.exe <-file
C:\WINDOWS\System32\bridge.dll <--file
C:\WINDOWS\System32\mhvphsur.exe <--file

C:\Documents and Settings\Rachel Porter\dp-b23011805.exe <--file

You will need to do a search for PGStub.exe...once you find it...delete it.

Next while still in safe mode empty out the following folders:

C:\Windows\Temp <--clear contents

C:\documents and settings\Rachel Porter\local settings\temp <--clear entire contents.

Then empty out temporary internet files by going to internet options in your control panel.
Click "delete files"
At the popup check "delete offline content"
Click ok.
Click "clear history"
Click ok.

Now try your ad-aware scan in safe mode...with so little running in safe mode it should go fine.
Let it remove whatever it finds.

Once done...reboot to normal windows.

All users need cleaning out.
Because we deleted a pile of files you might see startup errors on the other users...that's ok...we will fix that.
Even if you and your son use the computer only occasionally...there will still be stuff installed to those accounts.

As for why her favorites do not stay saved in Mozilla..I don't know yet...likely because the system has been infected pretty bad. Hopefully once we are done...mozilla will work ok.

You will need to place a shortcut to ad-aware on your desktop as well as your son's.
You will also need to place a copy of hijackthis on your and your sons account.
Make a separate folder on the desktops and copy the hijack program to both locations. (shortcuts don't work right with hijack)

Run ad-aware on both accounts and clean out all the temp files in both accounts as instructed above for Rachel's account.
(you will need to log into each account from fresh boot)

Post a new hijack log from the account you are working on now and a log from the other 2 accounts.

Just for simplicity..so I don't get confused...
When posting the logs...label each one...eg: Rachel, Dad, Son.

As for your question about PC Cillin...I have not run that antivirus program but do understand it is pretty good. I use McAfee and like it. I do not like Norton...
Many people have had good results from AVG antivirus. You can get the free version which works quite well.

AVG Free

You will have to make a choice though...as running 2 antivirus programs will conflict.
If you decide to use avg...you need to enter a valid email so they can send you the key needed for install.

Once we are done with the cleanup..there are a few other programs (free) to install for spyware protection. Your daughter will not even see those "offers" popups.


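Added illustration (not a tool from this thread or from the HijackThis project): a small Python triage script that applies the checks blender makes by hand in Responses 3 and 5 to HijackThis v1.97-style log lines. The sample lines are copied from the logs posted above; the allowlists of IE hosts, ActiveX download hosts and known-good autorun names are assumptions fitted to this one machine and would need adjusting for any other.

```python
"""Triage for HijackThis v1.97-style log lines (added illustration for this
thread, not a tool from it). It encodes the checks blender applies by hand
above: orphaned CLSIDs, hijacked IE search/start pages, autoruns outside a
known-good baseline, a broken LSP chain and ActiveX installers from ad hosts."""
import re
from urllib.parse import urlsplit

# Assumed per-machine baselines, fitted to the logs in this thread only.
ALLOWED_IE_HOSTS = {"www.msn.com", "www.emachines.com"}  # OEM/MSN defaults
ALLOWED_DPF_HOSTS = {"www.apple.com", "download.macromedia.com",
                     "aolcc.aol.com", "a840.g.akamai.net"}
KNOWN_GOOD_RUN = {"ccApp", "ccRegVfy", "IgfxTray", "HotKeysCmds", "CHotkey",
                  "iTunesHelper", "RealTray", "ViewMgr", "AIM",
                  "ctfmon.exe", "MsnMsgr"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")

# Sample lines copied from the logs posted above (two clean entries included).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ltmwvrvt] C:\WINDOWS\woxcyhmx.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\Documents and Settings\Rachel Porter\dp-b23011805.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://cdn2.adsdk.com/bannerfarm/47309/BundleOuter1132031209.EXE
"""

def host_of(url):
    """Host of a URL; bare 'www.msn.com/' style values get http:// assumed."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""

def exe_of(cmd):
    """Executable from an autorun command: quoted path, or unquoted up to .exe."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.*?\.exe)", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def looks_random(name):
    """Heuristic: stem of 8+ chars with at most one vowel (woxcyhmx, ltmwvrvt)."""
    stem = name.split(".")[0]
    return len(stem) >= 8 and sum(c in "aeiouAEIOU" for c in stem) <= 1

def check_entry(line):
    """Reason the entry deserves a look, or None if it passes the baseline."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):                      # IE start/search settings
        key, _, value = body.partition("=")
        key, value = key.strip(), value.strip()
        if not value or value.startswith(("file://", "res://")):
            return "IE setting blanked or pointed at a local file: " + key
        host = host_of(value)
        return None if host in ALLOWED_IE_HOSTS else "IE search/start page hijacked to " + host
    if kind in ("R3", "O3") and body.endswith("(no file)"):
        return "orphaned CLSID registration (no file on disk)"
    if kind == "O4":                              # autoruns
        r = RUN_RE.match(body)
        if not r or r.group("name") in KNOWN_GOOD_RUN:
            return None
        name, cmd = r.group("name"), r.group("cmd")
        exe = exe_of(cmd)
        base = exe.rsplit("\\", 1)[-1]
        if base.lower() == "rundll32.exe":
            return "rundll32 autorun loads a DLL: " + cmd
        if "\\documents and settings\\" in exe.lower():
            return "autorun from a user profile: " + exe
        if looks_random(base) or looks_random(name):
            return f"random-looking autorun name: [{name}] {exe}"
        return f"autorun not in known-good baseline: [{name}] {exe}"
    if kind == "O10":
        return "Winsock LSP chain broken: " + body
    if kind == "O16":                             # ActiveX (DPF) installers
        d = DPF_RE.match(body)
        if d and (host_of(d.group("url")) not in ALLOWED_DPF_HOSTS
                  or d.group("url").lower().endswith(".exe")):
            return "ActiveX installer from " + host_of(d.group("url"))
    return None

def triage(log_text):
    """[(line, reason)] for every entry that needs review."""
    pairs = ((l.strip(), check_entry(l)) for l in log_text.splitlines())
    return [(l, r) for l, r in pairs if r]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

The output is a review list, not a delete list: each flagged line still needs the human judgement blender applies above (e.g. hkcmd.exe has no vowels but is legitimate, so it sits in the baseline rather than the heuristic).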




Response Number 6
Name: Lrpjazz
Date: May 14, 2004 at 15:27:33 Pacific
Reply:

OK! I did it all as you instructed. Maybe there were just too many things for Ad-aware to handle. I had been trying to run a custom scan but that continued to freeze, even in safe mode. So I ran a "smart scan" and it found 304 things and worked fine. Then I ran the custom scan and it found another 84 items! I did this for all users as you instructed.
A few things--
There was no "my web search" under add/remove programs (I think I'd already deleted it) but there is still a My Way Speedbar and a My Search Bar--I don't know if these are problems. Also there are tons of Windows HP Hotfix listed there.
I didn't find version.exe--I did see version.dll but I didn't delete it.
I did delete keyhost.exe and also keyhost HTML (which I assume was OK to delete).
I did delete SAHagent.exe and also a few other SAH files (again I assume this is OK).
I never found dp-b23011805.exe, nor PGStub.exe.
There was no "local settings" folder under any User's name.
Other than those, everything went well I think.
What about the future? I've been using Spyhunter primarily, and then sometimes Spybot S&D. I'm glad you said you don't like Norton as it never seems to do anything, so I uninstalled it.
If I use AVG, does that work as a prevention? Should I still run Spyhunter and/or Spybot on occasion?
Should I use any of the various programs that you have had me download in the past few days?
Below are the latest hijackthis logs for each user. THANKS AGAIN!!
Lrpjazz

RACHEL:
Logfile of HijackThis v1.97.7
Scan saved at 6:20:22 PM, on 5/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Rachel Porter\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

SON:
Logfile of HijackThis v1.97.7
Scan saved at 6:20:22 PM, on 5/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Rachel Porter\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

ME (DAD):
Logfile of HijackThis v1.97.7
Scan saved at 6:20:22 PM, on 5/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Rachel Porter\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

END OF POSTING


0
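
The three logs pasted above share the same scan time and the same HijackThis.exe path under one user's profile, so comparing them line by line would show no differences. As an added example that is not part of this thread and not code from HijackThis itself, the following Python script parses the HijackThis 1.97 text format shown above, pulls out the O4 startup entries, and flags the two things a reviewer checks first: a Run value that names a bare executable with no directory (resolved through the search path, like the `[CHotkey] mHotkey.exe` line) and anything launched from a user-writable location. It also diffs two logs, which is how you would confirm that the per-user logs really differ. The embedded sample log is a constructed, shortened excerpt modelled on the log lines in this post.

```python
"""Triage helper for HijackThis v1.97 text logs (added example, not HijackThis code)."""
import re

# Constructed sample: a shortened log in the same layout as the ones posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 6:20:22 PM, on 5/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\aim\aim.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
"""

# "R0 - ...", "O4 - ..." etc.: section tag followed by the entry body.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
# O4 registry Run/RunOnce entries: HKLM\..\Run: [ValueName] command line
O4_RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
# O4 startup-folder shortcuts: Global Startup: name.lnk = target
O4_STARTUP_RE = re.compile(r"^Global Startup: (.+?) = (.*)$")


def parse_log(text):
    """Split a log into the 'Running processes' list and (section, body) entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def startup_entries(parsed):
    """Return the O4 auto-start items as dicts with source, name and command."""
    out = []
    for section, body in parsed["entries"]:
        if section != "O4":
            continue
        m = O4_RUN_RE.match(body)
        if m:
            hive, key, name, command = m.groups()
            out.append({"source": hive + "\\" + key, "name": name, "command": command})
            continue
        m = O4_STARTUP_RE.match(body)
        if m:
            out.append({"source": "Global Startup", "name": m.group(1), "command": m.group(2)})
    return out


def executable_path(command):
    """Extract the program part of a Run command, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces ("C:\Program Files\..."), so cut after the first ".exe".
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def review_startup(parsed):
    """Flag auto-start items with a bare filename or a user-writable launch location."""
    findings = []
    for item in startup_entries(parsed):
        path = executable_path(item["command"])
        reasons = []
        if "\\" not in path:
            reasons.append("bare filename, resolved through the search path")
        low = path.lower()
        if "\\documents and settings\\" in low or "\\temp\\" in low:
            reasons.append("launched from a user-writable location")
        if reasons:
            findings.append({**item, "path": path, "reasons": reasons})
    return findings


def diff_logs(first, second):
    """Entries present in only one of two logs; empty lists mean the logs match."""
    a = set(parse_log(first)["entries"])
    b = set(parse_log(second)["entries"])
    return {"only_in_first": sorted(a - b), "only_in_second": sorted(b - a)}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for f in review_startup(parsed):
        print(f["source"], f["name"], f["path"], "; ".join(f["reasons"]))
    print(diff_logs(SAMPLE_LOG, SAMPLE_LOG))
```

A bare filename in a Run value is not proof of anything bad (here it is the eMachines hotkey helper), but it is the kind of entry worth resolving to a full path before deciding it is legitimate, and a diff that comes back empty for two supposedly different users is the cue to re-run the scan from each account.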

Response Number 7
Name: Lrpjazz
Date: May 14, 2004 at 18:18:53 Pacific
Reply:

WAIT--I just tried aol 9.0 and it is still doing what it did before--it connects but only to the welcome screen and email--no buddy lists, no internet. Infrequently, while booting up aol, the screen goes black and the computer restarts!
Lrpjazz


0

Response Number 8
Name: Lrpjazz
Date: May 15, 2004 at 18:45:18 Pacific
Reply:

Wait again--I believe I found out the AOL problem. There is an option of a "shell start" which gives you access to email only. Somehow that was what the desktop icon was for. I deleted that and made a shortcut for the full AOL and it seems to be fine now.
How does everything else look based on my hijackthis lists above?
Lrpjazz


0

Response Number 9
Name: blender
Date: May 20, 2004 at 15:20:22 Pacific
Reply:

Lrpjazz

Hello again..sorry for taking so long to come back...I am busy on several forums and I guess I got lost in the flood of malware..

Anyway all 3 logs look good.

Good thing you didn't delete version.dll It is a valid file.

Glad you got AOL working ok...I wouldn't know how to help there anyway...I don't use it.

About that my way speedbar and My Way search bar...anything having to do with "MyWay" is junk...since we killed it in hijack, you should be able to delete the "myWay" folder itself from the programs files folder. If it still shows in add/rem programs (in control panel) it will tell you it may already have been removed, then asks if you want it removed from list...say yes and it will be cleared off.

All those Xp hotfix items...leave those...they are your windows updates and patches.

As per your email about avg removing spyhunter...That is odd..but I don't recommend Spyhunter anyway...here is why:

SpyHunter not Recommended

I use both Spybot search and destroy and Ad-Aware.

Spybot can be downloaded here:

Spybot

I scan with spybot and ad-aware about once a week after updating.
My antivirus is scheduled to scan once a week and it auto updates.
I think with the free avg there is only one scheduled scan option.

For added future protection see this link:

How did I get Infected?

Most of the programs they mention there are free, small, take almost no resources, and all work well with each other.

Good luck, take care and all the best.

Oh ya...Some of those files you couldn't find...like the local settings folder in each user's folder...they are hidden files.
Some of the others you couldn't find either because they are hidden or ad-aware removed them.

If you need help to show hidden files see here:

Show hidden files and folders

Also keep in mind you will need to enable all protection in spywareblaster for each user and if you install IE-Spyad you will need to install on each user as well.
The ie-spyad folder will show in c:\ie-spyad for all users..just install from there.
Spywareblaster is accessible from all users.

Once you have finished cleaning up the hidden stuff...you will need to clean out your system restore..windows will have backed up a ton of infected files...and since windows locks the restore folder from modification by any program including antivirus...it can't be cleaned.
The only way to do that is disable system restore, reboot, and if all is clean then turn system restore back on.

If you need help with that:

Disable/enable System Restore
_____________________________


I never give up!

Windows Update


0

Response Number 10
Name: Lrpjazz
Date: May 20, 2004 at 19:09:11 Pacific
Reply:

I'll do everything as you suggest and I expect this computer will work much better from now on. Thanks so much for your courteous and detailed assistance!!
Lrpjazz


0

Response Number 11
Name: blender
Date: May 20, 2004 at 23:27:30 Pacific
Reply:

Lrpjazz

Glad things are much better.
Happy to help.

Good luck.
___________________________________

I never give up!

Windows Update


0
