Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

KTucktx

7 Posts

2360

July 13th, 2004 01:00

HIjack this

THis is my problem-My homepage kept chnaging to some wierd search page.  I loaded SpyWare Guard and it now tells me when it is being changed, which is every few minutes.  I ran SpyBot and AdAware with no luck.  SpyHunter found other problems but wanted me to pay for them to be fixed.  Well before I pay I want to KNOW it will be fixed-and this booger on my computer is just that!  I have run virus scans and have found none.  One program I ran said I had Download.Trojan; Trojan.StartPage and Trojan.ByteVerify

I ran HIjack this and fixed many items when I checked them by using the guide in Merinj and the additional guides to help me know what was good or bad.  I found the homepage that keeps changing on one of these items that it said to fix.  SO hopefully that will solve that problem.  However I came across a few that were not on any of the lists.  These particular items are the ones that keep popping up with an error meessage and asking if I would like to send the problem to Microsoft.  Here they are:

O4 - HKLM\..\Run: [craf32.exe] C:\WINDOWS\craf32.exe
O4 - HKCU\..\Run: [ifsutil] C:\WINDOWS\System32\ifsutil.exe
O4 - HKCU\..\Run: [wttknofc] C:\WINDOWS\LastGood\wttknofc.exe
O4 - HKCU\..\Run: [wluyawad] C:\WINDOWS\LastGood\wluyawad.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

The one below would not delete even after I removed it in Add/Remove programs


O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

Please help!!

 

Truck_Driver379

8 Posts

July 13th, 2004 01:00

does it happen to say About:Blank    and soes it have a pop up that says u have spyware???

KTucktx

7 Posts

July 13th, 2004 02:00

I was not sure if you were replying to me or truckdriver.  I have already run HijackThis, so I am assuming you were replyin to truckdriver.   Can you tell me if I should check the items that I had listed in Hijackthis?

Texruss

2 Intern

 • 

3.4K Posts

July 13th, 2004 02:00

Spyhunter is a terrible knockoff program:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Ktucktx...Please stay in this thread...reply to this message...truckdriver...return to you original post. One victim per thread.

We need you to download and install an analysis and repair tool called Hijackthis.

Download the hotfix version 1.98 Hijackthis zipped file from here:

http://www.majorgeeks.com/download3155.html

Please unzip Hijackthis.zip or move the hijackthis.exe file into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don't place it on the Wallpaper, in a temp folder, or in the root level of the C: drive or the My Documents folder. It will create many backup files and they need to be stored in a unique Hijackthis folder.

Hijackthis FAQ (Frequently Asked Questions) at:

http://russelltexas.com/malware/faqhijackthis.htm

After downloading, and unzipping the hijackthis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)...run Hijackthis, click on the 'scan' button and then 'save log' button.

Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so read the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt

Special Notice! Hijackthis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the Hijackthis log screen without assistance from the DellForum experts! Most of the line items in the scanned log are normal for Windows operation. Hijackthis should identify the vast majority of your problems and enable us to help you clean them off your system.


Stay in this thread for continuity. Reply to this message.

HTH (Hope that Helps)

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.

Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs:  jimw, ddeerrff, and msgale. Please follow their advice when they respond to your problems. They have a proven track record here.

Texruss

2 Intern

 • 

3.4K Posts

July 13th, 2004 02:00

Ktucktx:

Post an entire log as a reply here. All those items you listed are hostile, but I need to see the whole log.

Texruss

Texruss

2 Intern

 • 

3.4K Posts

July 13th, 2004 03:00

Well I am about bushed...but hang on for a few minutes and I'll have my reply here tonight...last post for me coming up next.

Texruss

Texruss

2 Intern

 • 

3.4K Posts

July 13th, 2004 03:00

Warning! Unsafe Hijackthis folder! Please create a new folder named HJT in the first level of the C: drive. Copy or move the hijackthis executable file into the HJT folder and delete all other zip copies and extracted copies elsewhere.

See FAQ's 2,3,4 at http://russelltexas.com/malware/faqhijackthis.htm

Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries:

craf32.exe
CFD.exe
d3pd32.exe
ifsutil.exe

Run Hijackthis in safe new folder, scan and check the box left of these numbered line items:

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {DFCA6089-FC42-BEAA-AD1E-45928A767714} - C:\WINDOWS\craf32.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\RunOnce: [crye32.exe] C:\WINDOWS\system32\crye32.exe
O4 - HKLM\..\RunOnce: [sysac.exe] C:\WINDOWS\sysac.exe
O4 - HKLM\..\RunOnce: [mseo32.exe] C:\WINDOWS\system32\mseo32.exe
O4 - HKLM\..\RunOnce: [crel32.exe] C:\WINDOWS\system32\crel32.exe
O4 - HKLM\..\RunOnce: [javaop.exe] C:\WINDOWS\javaop.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [ifsutil] C:\WINDOWS\System32\ifsutil.exe
O4 - HKCU\..\Run: [wttknofc] C:\WINDOWS\LastGood\wttknofc.exe
O4 - HKCU\..\Run: [wluyawad] C:\WINDOWS\LastGood\wluyawad.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

With no other windows open click on fix checked button in Hijackthis.

Exit Hijackthis.

Reboot to SAFE MODE

Show HIDDEN FILES and folders

These necessary options are explained in FAQ's 8 and 9 on this page:

http://www.russelltexas.com/malware/faqhijackthis.htm

Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries:

craf32.exe
CFD.exe
d3pd32.exe
ifsutil.exe

Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Navigate down the folder structure in left hand window and then in the right window delete the following files and/or folders: (if present...some may be gone...but look very carefully and make sure you have enabled hidden files option):

FILES:
C:\WINDOWS\craf32.dll
C:\WINDOWS\sysac.exe
C:\WINDOWS\system32\crye32.exe
C:\WINDOWS\javaop.exe

C:\WINDOWS\system32\mseo32.exe
C:\WINDOWS\system32\crel32.exe
C:\WINDOWS\System32\ifsutil.exe

FOLDERS:
C:\Program Files\TV Media
C:\WINDOWS\LastGood
C:\Documents and Settings\All Users\Applications\IESERVICE

Exit Windows Explorer...right button click and empty the Recycle Bin.


Reboot in normal mode Windows and run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.

If you have any problems with Disk Cleanup completing...XP users can fix it here:

 http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

Next...download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.

Most of the Internet baddies can be killed by a one-two punch with Spybot and Adaware assuming these three factors are achieved:

1. Latest version
2. Configured correctly for running options
3. New definitions from update feature

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.

http://www.cjwd.demon.co.uk/spybot-adaware.html

Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this.The problem is not serious and should not deter people from using Spybot.

Reboot and browse a bit, exit IE 6 and post a new Hijackthis log.

Special Comments: After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.

See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm


Also...uninstall Broadjump in Control Panel/Add Remove Programs.

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.

Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs:  jimw, ddeerrff, and msgale. Please follow their advice when they respond to your problems. They have a proven track record here.

BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.

KTucktx

7 Posts

July 13th, 2004 03:00

Okay I HOpe this is what you wanted and I hope it is not too late!!

 

 

Logfile of HijackThis v1.98.0
Scan saved at 11:17:36 PM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\craf32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\d3pd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Greg & Kristi\Local Settings\Temporary Internet Files\Content.IE5\WTEVG9IB\HijackThis[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ifsutil.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.komando.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DFCA6089-FC42-BEAA-AD1E-45928A767714} - C:\WINDOWS\craf32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [craf32.exe] C:\WINDOWS\craf32.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunOnce: [crye32.exe] C:\WINDOWS\system32\crye32.exe
O4 - HKLM\..\RunOnce: [sysac.exe] C:\WINDOWS\sysac.exe
O4 - HKLM\..\RunOnce: [mseo32.exe] C:\WINDOWS\system32\mseo32.exe
O4 - HKLM\..\RunOnce: [crel32.exe] C:\WINDOWS\system32\crel32.exe
O4 - HKLM\..\RunOnce: [javaop.exe] C:\WINDOWS\javaop.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [ifsutil] C:\WINDOWS\System32\ifsutil.exe
O4 - HKCU\..\Run: [wttknofc] C:\WINDOWS\LastGood\wttknofc.exe
O4 - HKCU\..\Run: [wluyawad] C:\WINDOWS\LastGood\wluyawad.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

KTucktx

7 Posts

July 13th, 2004 15:00

Okay now I am getting VERY frustrated!!  I have been on this non stop (except of course for a few hours sleep!)  THis is the log I now have after I did everything you said and ran Hijackthis at the end ,second time at the end.  And I am still getting my homepage changed every few minutes, but now it changes to something different each time.  These homepages and start pages were in the R1 log of hijack this so I checked them to remove them, rebooted and this is the log I got and theya re still there; however, my original homepage is gone from this list now!  ANd the Broadjump will not leave when I go to add/remove and try to get rid of it!!!!  Am I just going to have to reformat do you think?

Logfile of HijackThis v1.98.0
Scan saved at 11:41:02 AM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\d3pd32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\craf32.exe
C:\HJT2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itdvm.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://itdvm.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://itdvm.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\itdvm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itdvm.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://itdvm.dll/index.html#37049
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F21F2035-7713-13F6-878C-9E4C7091045A} - C:\WINDOWS\system32\javaen.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [craf32.exe] C:\WINDOWS\craf32.exe
O4 - HKLM\..\RunOnce: [javadl32.exe] C:\WINDOWS\system32\javadl32.exe
O4 - HKLM\..\RunOnce: [netwz.exe] C:\WINDOWS\netwz.exe
O4 - HKLM\..\RunOnce: [mskw32.exe] C:\WINDOWS\mskw32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Thank you for your help and anyone elsoe that can help

Texruss

2 Intern

 • 

3.4K Posts

July 13th, 2004 19:00

Hang in there...your system is now displaying the bad CoolWebSearch homepage hijacker....it requires different fixes and there is no automatic reoval tool.

Go here and try the fixes... yours is the June 19th infection entry from CWS:

http://russelltexas.com/malware/malware.htm


  Try fixes 2 and 3 first...they are newer and easier...

All the best,

Texruss



 

KTucktx

7 Posts

July 14th, 2004 04:00

 I cannot believe it!!  IT WORKED!!!    Now please tell me what I need to do on regular basis and what I need to install to keep this machine working !  THank you SOOOOOOOOOO much!

Texruss

2 Intern

 • 

3.4K Posts

July 14th, 2004 05:00

Well, we like to see a final log...but here's preventative maintenance:

http://russelltexas.com/malware/allclear.htm

Texruss

KTucktx

7 Posts

July 14th, 2004 14:00

I'm sorry I was so excited I forgot to paste!!  I hope this is all clear.  I have included the hijack this log and the AboutBuster log.  Thanks

 

Logfile of HijackThis v1.98.0
Scan saved at 10:34:05 AM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amaisd.org/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

Scan 1 --------

About:Buster Version 1.27

Removed! : C:\WINDOWS\bnvmu.dat

Removed! : C:\WINDOWS\epxrci.dat

Removed! : C:\WINDOWS\fvwutj.dat

Removed! : C:\WINDOWS\gobod.dat

Removed! : C:\WINDOWS\inneyh.dat

Removed! : C:\WINDOWS\itdvm.dat

Removed! : C:\WINDOWS\itdvm.dll

Removed! : C:\WINDOWS\jtsrpy.dat

Removed! : C:\WINDOWS\n_skunyh.dat

Removed! : C:\WINDOWS\wdqueb.dat

Removed! : C:\WINDOWS\System32\aklpz.dat

Removed! : C:\WINDOWS\System32\ealez.dat

Removed! : C:\WINDOWS\System32\ealez.dll

Removed! : C:\WINDOWS\System32\gyoro.dat

Removed! : C:\WINDOWS\System32\nthst32.dll

Removed! : C:\WINDOWS\System32\ugjow.dll

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

runinflac0

1 Message

April 14th, 2005 17:00

I have a problemn. Whenevrer i open a folder with movies in it i get a window that says that winsows has encountered a problem,. and then shortly after i recieve the "dr watson postmortem debugger" window. and then all of explorer shuts down. I have done a search with adaware and then with hijack this. this is my hijack this log. can anybody help me?

Logfile of HijackThis v1.99.0
Scan saved at 1:57:50 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Invisible Keylogger\nvsr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\hikackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Ennr] C:\Documents and Settings\Flaco\Application Data\tert.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102035838203
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



thank you

Was this post helpful?

View All

No Events found!

Top