Texruss
3.4K Posts
0
May 24th, 2004 01:00
Please relocate your hijackthis.exe file to a new folder (preferably HJT) you create in the first level of the C: drive:
FAQs 2, 3, 4: http://www.russelltexas.com/spywareinfo/faqhijackthis.htm
In the new folder, run hijackthis.exe and scan. Check the box to the left of these entries:
C:\windows\msbb.exe
Comments: nCase parasite
O2 - BHO: (no name) - { 000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
Comments: VX2.aBetterInternet
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
Comments: Imiserv virus
O2 - BHO: (no name) - { 71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
Comments: dead link for Blazefind IESearchbar
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
Comments: BlazeFind hijacker variant
O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - c:\PROGRA~1\System\Misc\kabh3.dll
Comments: Random-named trojan
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [qvuzsnwl] C:\WINDOWS\qvuzsnwl.exe
O4 - HKLM\..\Run: [luf] C:\WINDOWS\luf.exe
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int114844.exe -auto
O4 - HKLM\..\Run: [jebgzch] C:\WINDOWS\jebgzch.exe
O4 - HKLM\..\Run: [xot] C:\WINDOWS\xot.exe
O4 - HKLM\..\Run: [jyhkbej] C:\WINDOWS\jyhkbej.exe
O4 - HKLM\..\Run: [pkd] C:\WINDOWS\pkd.exe
Comments: Random-named trojans
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
Comments: Imiserv virus
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
Comments: nCase parasite
O4 - HKLM\..\Run: [hqd] C:\WINDOWS\hqd.exe
Comments: Random-named trojan
O4 - Global Startup: LimeWire 4.0.2.lnk = C:\Program Files\LimeWire\LimeWire 4.0.2\LimeWire.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
Comments: DialerPlatform Dialer
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
Comments: Aconti Dialer
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
Comments: IEPlugin
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} (StarInstall Control) - http://install.stardialer.de/StarInstall.ocx
Comments: StarDialer
With all other windows and programs closed except for HijackThis, click on the "Fix checked" button.
Reboot to SAFE MODE and Show HIDDEN FILES and folders
FAQ 8 and 9 on this page: http://www.russelltexas.com/spywareinfo/faqhijackthis.htm
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files and/or folders:
C:\windows\msbb.exe file
C:\WINDOWS\bi.dll file
C:\WINDOWS\2_0_1browserhelper2.dll file
C:\WINDOWS\qvuzsnwl.exe file
C:\WINDOWS\luf.exe file
C:\WINDOWS\jebgzch.exe file
C:\WINDOWS\xot.exe file
C:\WINDOWS\jyhkbej.exe file
C:\WINDOWS\pkd.exe file
C:\Program Files\websx folder and all subcontents
C:\Program Files\System\Misc folder and all subcontents
C:\Program Files\LimeWire folder and all subcontents
Exit Explorer.
Run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
Reboot to normal mode, update your AVG 6 and run a full system scan. If it finds anything, delete the files, and then after it completes, reboot and run again in Safe Mode to be double sure.
Browse a bit in normal mode, run a fresh HijackThis log, and then post it here in this thread. Report any comments.
After the final all clear is given by us you should flush your Restore Points for XP and Millennium. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad Trojan files hidden in System Restore which can't be cleaned by your antivirus programs.
See FAQ 12 here: http://www.russelltexas.com/spywareinfo/faqhijackthis.htm
HTH, (sorry it took a while to get to you, but the enemy is legion and we are few).
Texruss
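A parser for the HijackThis entry format quoted in the post above, added here as an example; it is not part of the original post and not HijackThis's own code. The dictionary field names and the three triage rules are assumptions of this example, and a note means "review this entry", not a verdict.

```python
import re
from ntpath import basename, dirname, splitext

# Constructed sample: lines copied from the log entries quoted in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - { 71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O4 - HKLM\..\Run: [qvuzsnwl] C:\WINDOWS\qvuzsnwl.exe
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int114844.exe -auto
O4 - Global Startup: LimeWire 4.0.2.lnk = C:\Program Files\LimeWire\LimeWire 4.0.2\LimeWire.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
"""

LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")        # section, kind, detail
CLSID = re.compile(r"\{\s*([0-9A-Fa-f-]{36})\s*\}")   # tolerates '{ GUID}' spacing
RUN = re.compile(r"^\[(.+?)\] (.+)$")                 # [value name] command line

def parse(log):
    """Turn each 'Onn - kind: detail' line into a dict; other lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        section, kind, detail = m.groups()
        guid, run = CLSID.search(detail), RUN.match(detail)
        entries.append({
            "section": section, "kind": kind,
            "clsid": guid.group(1).upper() if guid else None,
            "name": run.group(1) if run else None,
            "target": run.group(2) if run else detail.rsplit(" - ", 1)[-1].strip(),
        })
    return entries

def triage(e):
    """Review notes for one entry. The rules are assumptions of this example."""
    notes, target = [], e["target"]
    if e["section"] in ("O2", "O3") and target == "(no file)":
        notes.append("orphaned registration: file missing")
    exe = re.match(r"(.+?\.exe)\b", target, re.I)
    if e["name"] and exe and dirname(exe.group(1)).lower() == r"c:\windows" \
            and splitext(basename(exe.group(1)))[0].lower() == e["name"].lower():
        notes.append("autorun in Windows root named after its own value")
    if e["section"] == "O16" and not target.lower().startswith(("http://", "https://")):
        notes.append("ActiveX control installed from a local path")
    return notes
```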