Unsolved
89 Posts
0
18220
May 29th, 2004 02:00
C:\window\system32\notfound/html
I was directed to this board for help....
It looks like my IP is recognized when I do an ipconfig /all. It also tells me that DHCP is not enabled... I can at least open up the Internet now, but it fails, saying in the address bar C:\windows\system32\notfound.html.
jwatt
4.4K Posts
0
May 29th, 2004 04:00
As I suggested in your other thread, please post the log from the troubled machine into this thread.
Jim
David45
89 Posts
0
May 29th, 2004 12:00
jwatt
4.4K Posts
0
May 29th, 2004 15:00
You'll need to write the log onto a floppy, and bring it back to the working machine so you can post it.
See this note in your other thread.
Jim
David45
89 Posts
0
May 29th, 2004 18:00
Here is the output from the Hijack:
Logfile of HijackThis v1.97.7
Scan saved at 1:48:52 PM, on 5/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\fastopern.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\rundll32.exe
C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\conrcl.exe
C:\WINDOWS\suohwkv.exe
C:\WINDOWS\Wast.exe
C:\WINDOWS\Wast.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\conrcl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Microsoft Works\MSWorks.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\System32\inetp60.dll
O2 - BHO: (no name) - {0EC6CCCC-770E-8163-AF43-EA1493E02F8B} - C:\WINDOWS\System32\lgggtwbv.dll
O2 - BHO: (no name) - {10BDAE38-6AF6-61C4-06D4-ED9BCCCD8327} - C:\WINDOWS\System32\eihinysx.dll
O2 - BHO: (no name) - {35572AD5-16B9-4E6C-B65F-004D3E7AAFA4} - C:\WINDOWS\lcvghti.dll
O2 - BHO: (no name) - {761D23E8-EFF8-DA74-0C81-7C077FE15489} - C:\WINDOWS\System32\vrrgakar.dll
O2 - BHO: (no name) - {84718BA6-AB25-4687-2ACD-401034B1C5C1} - C:\WINDOWS\System32\rdxeoapk.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O2 - BHO: (no name) - {C6046842-4C97-13F8-3499-C3ACA41C5FFF} - C:\WINDOWS\System32\fprwbmde.dll
O2 - BHO: (no name) - {CBD7BCA6-3530-6F62-74C7-9D26C56EFD91} - C:\WINDOWS\System32\ekylrxwk.dll
O2 - BHO: (no name) - {CDD2B3EF-E01F-DEED-D97D-06D1BED6C681} - C:\WINDOWS\System32\uwuxuanl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [fastopern.exe] C:\WINDOWS\System32\fastopern.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [VwCtBkF3c] C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [238Q3mQ] conrcl.exe
O4 - HKLM\..\Run: [pqbzylp] C:\WINDOWS\suohwkv.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AutoLoader2wra1aNeZYLP] "C:\WINDOWS\System32\conrcl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFC6C9FC-3241-458E-A521-462214874650}: NameServer = 151.164.20.201,154.164.11.201
jwatt
4.4K Posts
0
May 29th, 2004 19:00
And a hijack it is! I spotted several potential problems, but I'm not one of the trained experts.
Over to you, ChrisRLG and Texruss!
(edit) Please see this thread for background info. Not even resetting TCP cleaned things up enough for DHCP to work.
The machine is presently unable to obtain an IP address, so the HJT download was transferred manually to the infected machine, and the log brought back to a working system via SneakerNet.
Jim
Message Edited by jimw on 05-29-2004 02:23 PM
Texruss
2 Intern
•
3.4K Posts
0
May 29th, 2004 23:00
Warning! Unsafe Hijackthis folder! Please create a new folder named HJT in the first level of the C: drive. Copy or move the hijackthis executable file into the HJT folder and delete all other zip copies and extracted copies elsewhere.
See FAQs 2, 3, 4 at http://www.russelltexas.com/spywareinfo/faqhijackthis.htm
You'll need to burn these programs to CD-R to take to the sick machine:
CWS Shredder...Adaware....Spybot (links below)
You have a CoolWebsearch infection. (The notfound.html reference in New Users thread seems to indicate this)
Get CW Shredder to repair your CoolWebSearch infestations:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip version 1.57.0
Follow the directions for running the program at the next link.
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47
At bleepingcomputer.com start reading at the section that says:
You can download this program here: CWShredder
(Note...we have noticed recently some CWS variants are harder to remove unless the shredder is run in Safe Mode...hit F8 while booting to enter Safe Mode and run the shredder.) Make sure you FIX any items it finds!
After cleaning with the shredder in Safe Mode do this:
Reboot in normal mode Windows and download and run these two programs (Spybot S&D and Adaware). Use Spybot first. (1.3 version)
http://majorgeeks.com/download2471.html
Follow the directions completely at:
http://www.cjwd.demon.co.uk/spybot-adaware.html
Go slow on the instructions to set up the custom scan options for Adaware. These settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it!
Reboot if asked by either program and let it complete any cleanup. Then reboot a final time after running both and run Windows Disk Cleanup: Start/Run/ type: cleanmgr
I check all the categories at the end of the scan and click OK.
After cleaning with these tools follow these directions:
Run Hijackthis in a safe folder, scan and check the box left of these if still present:
C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\conrcl.exe
C:\WINDOWS\suohwkv.exe
C:\WINDOWS\Wast.exe
C:\WINDOWS\Wast.exe
C:\WINDOWS\System32\conrcl.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\System32\inetp60.dll
O2 - BHO: (no name) - {0EC6CCCC-770E-8163-AF43-EA1493E02F8B} - C:\WINDOWS\System32\lgggtwbv.dll
O2 - BHO: (no name) - {10BDAE38-6AF6-61C4-06D4-ED9BCCCD8327} - C:\WINDOWS\System32\eihinysx.dll
O2 - BHO: (no name) - {35572AD5-16B9-4E6C-B65F-004D3E7AAFA4} - C:\WINDOWS\lcvghti.dll
O2 - BHO: (no name) - {761D23E8-EFF8-DA74-0C81-7C077FE15489} - C:\WINDOWS\System32\vrrgakar.dll
O2 - BHO: (no name) - {84718BA6-AB25-4687-2ACD-401034B1C5C1} - C:\WINDOWS\System32\rdxeoapk.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O2 - BHO: (no name) - {C6046842-4C97-13F8-3499-C3ACA41C5FFF} - C:\WINDOWS\System32\fprwbmde.dll
O2 - BHO: (no name) - {CBD7BCA6-3530-6F62-74C7-9D26C56EFD91} - C:\WINDOWS\System32\ekylrxwk.dll
O2 - BHO: (no name) - {CDD2B3EF-E01F-DEED-D97D-06D1BED6C681} - C:\WINDOWS\System32\uwuxuanl.dll
O4 - HKLM\..\Run: [fastopern.exe] C:\WINDOWS\System32\fastopern.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [VwCtBkF3c] C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [238Q3mQ] conrcl.exe
O4 - HKLM\..\Run: [pqbzylp] C:\WINDOWS\suohwkv.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast
O4 - HKLM\..\Run: [AutoLoader2wra1aNeZYLP] "C:\WINDOWS\System32\conrcl.exe"
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFC6C9FC-3241-458E-A521-462214874650}: NameServer = 151.164.20.201,154.164.11.201
Comments: don't check this one...but first DNS 151.164.20.201 resolves to Plano, Tx SBC. The second number 154.164.11.201 is blocked so a check with your ISP might determine whether this is a valid secondary DNS.
With no other windows open click on fix checked button in Hijackthis.
Reboot to SAFE MODE and Show HIDDEN FILES and folders
FAQ 8 and 9 on this page: http://www.russelltexas.com/spywareinfo/faqhijackthis.htm
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files and/or folders: (some may not be present and this is normal after the Hijackthis fix...but look hard before giving up on a missing file)
C:\documents and settings\amber\local settings\temp\ delete all files in temp folder...leave folder name alone
C:\Program Files\Common files\WinTools folder
Files
C:\WINDOWS\System32\conrcl.exe
C:\WINDOWS\suohwkv.exe
C:\WINDOWS\Wast.exe
C:\WINDOWS\System32/left.html
C:\WINDOWS\mxTarget.dll
C:\WINDOWS\System32\inetp60.dll
C:\WINDOWS\System32\lgggtwbv.dll
C:\WINDOWS\System32\eihinysx.dll
C:\WINDOWS\lcvghti.dll
C:\WINDOWS\System32\vrrgakar.dll
C:\WINDOWS\System32\rdxeoapk.dll
C:\WINDOWS\System32\fprwbmde.dll
C:\WINDOWS\System32\ekylrxwk.dll
C:\WINDOWS\System32\uwuxuanl.dll
C:\WINDOWS\System32\fastopern.exe
Reboot in normal mode Windows and run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
Post back a fresh log here.
After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.
See FAQ 12 here: http://www.russelltexas.com/spywareinfo/faqhijackthis.htm
HTH,
Texruss
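The triage Texruss does by hand above (pick out Run entries launched from a temp folder or by bare file name, unnamed BHOs living under C:\WINDOWS, orphaned "(no file)" BHOs, browser defaults pointed at a local file://, and an O17 NameServer that is not the ISP's) can be written down as a small checker. The following is an added example, not code from the thread or from HijackThis itself. It parses the HijackThis 1.97 line format shown in the logs above; the sample input is a constructed excerpt of lines from those logs plus two benign entries for contrast, and the EXPECTED_NAMESERVERS allow-list is an assumption (the thread says 151.164.20.201 is an SBC resolver; the real list comes from the ISP).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption for this example: resolvers the machine is expected to use.
# The thread identifies 151.164.20.201 as SBC's; confirm the real list with the ISP.
EXPECTED_NAMESERVERS = {"151.164.20.201"}

# Legitimate autorun entries and BHOs almost never live in a temp folder.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")

# Constructed sample: lines excerpted from the HijackThis log posted in this thread,
# plus the benign ccApp, NvCplDaemon and AcroIEHelper entries to show they are not flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0EC6CCCC-770E-8163-AF43-EA1493E02F8B} - C:\WINDOWS\System32\lgggtwbv.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VwCtBkF3c] C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
O4 - HKLM\..\Run: [238Q3mQ] conrcl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFC6C9FC-3241-458E-A521-462214874650}: NameServer = 151.164.20.201,154.164.11.201
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section (R1, O2, O4, O17) or PROC for the process list
    reason: str
    line: str


def in_temp_folder(path: str) -> bool:
    """True when a path passes through a temp directory (case-insensitive)."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def launch_target(cmd: str) -> str:
    """Program a Run-key command line actually starts; for rundll32, the DLL it loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:                                         # unquoted: cut at the first ".exe"
        m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
        exe, rest = (cmd[: m.end()], cmd[m.end():]) if m else (cmd.split(" ", 1)[0], "")
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        dll = rest.strip().split(",", 1)[0]       # "path\x.dll,EntryPoint" -> "path\x.dll"
        return dll or exe
    return exe


def analyze(log_text: str) -> list[Finding]:
    """Apply the thread's triage rules to a HijackThis 1.97 log and return what to review."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if not m:                                 # a process path, or header text
            if in_processes and in_temp_folder(line):
                findings.append(Finding("PROC", "process running from a temporary folder", line))
            continue
        in_processes = False                      # first R/O entry ends the process list
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            _, _, value = body.partition(" = ")
            if value.strip().lower().startswith("file://"):
                findings.append(Finding(kind, "browser default points at a local file", line))
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b and b.group("path") == "(no file)":
                findings.append(Finding(kind, "BHO registered but its file is missing", line))
            elif b and b.group("name") == "(no name)" and b.group("path").lower().startswith("c:\\windows"):
                findings.append(Finding(kind, "unnamed BHO loaded from the Windows directory", line))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                target = launch_target(r.group("cmd"))
                if in_temp_folder(target):
                    findings.append(Finding(kind, "autorun entry points into a temporary folder", line))
                elif "\\" not in target:
                    findings.append(Finding(kind, "autorun entry uses a bare file name (resolved via search path)", line))
        elif kind == "O17":
            n = NS_RE.search(body)
            for ip in (n.group("ips").split(",") if n else []):
                if ip not in EXPECTED_NAMESERVERS:
                    findings.append(Finding(kind, f"unexpected DNS server {ip}", line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

The rules are deliberately narrow so that the Symantec, NVIDIA and Acrobat entries in the sample pass untouched; everything the checker does flag is an entry Texruss also told the poster to fix or verify, and the O17 finding is only a prompt to confirm the second resolver with the ISP, which is exactly the caveat in his post.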
David45
89 Posts
0
May 30th, 2004 18:00
OK... It appears that I am getting much closer.... I hope... My system seems to be clear of any virus, spyware, malware, etc... I hope. What a nightmare...
Here is where I am at now. When I reboot, my Symantec Email Proxy tells me that it cannot scan my email messages because my network is not properly configured.
When I open IE I just get a blank page...
What are my next recommendations...
jwatt
4.4K Posts
0
May 30th, 2004 19:00
Please post a new HijackThis log so Texruss or ChrisRLG can see what remains to be done.
P.S. The Forum servers are agonizingly slow today, and it's a US holiday weekend, so don't be surprised if it takes a while before your new log gets reviewed.
Jim
David45
89 Posts
0
May 30th, 2004 19:00
Here is the latest snapshot of the hijack....
Logfile of HijackThis v1.97.7
Scan saved at 3:28:47 PM, on 5/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\fastopern.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\rundll32.exe
C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\conrcl.exe
C:\WINDOWS\suohwkv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\conrcl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0EC6CCCC-770E-8163-AF43-EA1493E02F8B} - (no file)
O2 - BHO: (no name) - {10BDAE38-6AF6-61C4-06D4-ED9BCCCD8327} - (no file)
O2 - BHO: (no name) - {761D23E8-EFF8-DA74-0C81-7C077FE15489} - (no file)
O2 - BHO: (no name) - {84718BA6-AB25-4687-2ACD-401034B1C5C1} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O2 - BHO: (no name) - {C6046842-4C97-13F8-3499-C3ACA41C5FFF} - (no file)
O2 - BHO: (no name) - {CBD7BCA6-3530-6F62-74C7-9D26C56EFD91} - (no file)
O2 - BHO: (no name) - {CDD2B3EF-E01F-DEED-D97D-06D1BED6C681} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [VwCtBkF3c] C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [238Q3mQ] conrcl.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFC6C9FC-3241-458E-A521-462214874650}: NameServer = 151.164.20.201,154.164.11.201
Texruss
2 Intern
•
3.4K Posts
0
May 30th, 2004 23:00
Still have a bunch...you'll have to kill those bad files...
Run Hijackthis...scan and check:
C:\WINDOWS\System32\fastopern.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\conrcl.exe
C:\WINDOWS\suohwkv.exe
C:\WINDOWS\System32\conrcl.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {0EC6CCCC-770E-8163-AF43-EA1493E02F8B} - (no file)
O2 - BHO: (no name) - {10BDAE38-6AF6-61C4-06D4-ED9BCCCD8327} - (no file)
O2 - BHO: (no name) - {761D23E8-EFF8-DA74-0C81-7C077FE15489} - (no file)
O2 - BHO: (no name) - {84718BA6-AB25-4687-2ACD-401034B1C5C1} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O2 - BHO: (no name) - {C6046842-4C97-13F8-3499-C3ACA41C5FFF} - (no file)
O2 - BHO: (no name) - {CBD7BCA6-3530-6F62-74C7-9D26C56EFD91} - (no file)
O2 - BHO: (no name) - {CDD2B3EF-E01F-DEED-D97D-06D1BED6C681} - (no file)
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [VwCtBkF3c] C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [238Q3mQ] conrcl.exe
O4 - HKLM\..\Run: [Wast] C:\Windows\wast.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
With no other windows open click on fix checked button in Hijackthis.
Reboot to SAFE MODE and Show HIDDEN FILES and folders (a MUST)
FAQ 8 and 9 on this page: http://www.russelltexas.com/spywareinfo/faqhijackthis.htm
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files and/or folders:
FILES:
C:\WINDOWS\System32\fastopern.exe
C:\WINDOWS\System32\conrcl.exe
C:\WINDOWS\System32\inetp60.dll
C:\WINDOWS\suohwkv.exe
C:\Windows\wast.exe
FOLDERS and all subcontents of folder
C:\Program Files\Common files\WinTools
Reboot in normal mode Windows and run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
Browse a bit in Windows IE and then run a fresh HJT log and post it here.
Texruss
David45
89 Posts
0
May 31st, 2004 01:00
Texruss
2 Intern
•
3.4K Posts
0
May 31st, 2004 02:00
>I cannot connect to IE to browse at all
Does IE load at all? Be more specific.
Please post a fresh HJT log,
Texruss
David45
89 Posts
0
May 31st, 2004 09:00
Here is the latest view... I cannot connect to IE. I just get a blank page.
Logfile of HijackThis v1.97.7
Scan saved at 5:31:42 AM, on 5/31/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0EC6CCCC-770E-8163-AF43-EA1493E02F8B} - (no file)
O2 - BHO: (no name) - {10BDAE38-6AF6-61C4-06D4-ED9BCCCD8327} - (no file)
O2 - BHO: (no name) - {761D23E8-EFF8-DA74-0C81-7C077FE15489} - (no file)
O2 - BHO: (no name) - {84718BA6-AB25-4687-2ACD-401034B1C5C1} - (no file)
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O2 - BHO: (no name) - {C6046842-4C97-13F8-3499-C3ACA41C5FFF} - (no file)
O2 - BHO: (no name) - {CBD7BCA6-3530-6F62-74C7-9D26C56EFD91} - (no file)
O2 - BHO: (no name) - {CDD2B3EF-E01F-DEED-D97D-06D1BED6C681} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [VwCtBkF3c] C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFC6C9FC-3241-458E-A521-462214874650}: NameServer = 151.164.20.201,154.164.11.201
Texruss
2 Intern
3.4K Posts
0
May 31st, 2004 13:00
Let's run HijackThis in Safe Mode.
Reboot to Safe Mode (tap F8 repeatedly while starting up and select Safe Mode in Startup Menu). Also many Dells have an F12 function key which also boots to the Startup Menu.
Run HijackThis and scan. Check these items with the box to the left of each one:
C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
Comments: RedSwoosh infection
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
Comments: notice the malformed URL (missing period after sbc)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {0EC6CCCC-770E-8163-AF43-EA1493E02F8B} - (no file)
O2 - BHO: (no name) - {10BDAE38-6AF6-61C4-06D4-ED9BCCCD8327} - (no file)
O2 - BHO: (no name) - {761D23E8-EFF8-DA74-0C81-7C077FE15489} - (no file)
O2 - BHO: (no name) - {84718BA6-AB25-4687-2ACD-401034B1C5C1} - (no file)
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O2 - BHO: (no name) - {C6046842-4C97-13F8-3499-C3ACA41C5FFF} - (no file)
O2 - BHO: (no name) - {CBD7BCA6-3530-6F62-74C7-9D26C56EFD91} - (no file)
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [VwCtBkF3c] C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
With no other windows open, click the Fix checked button in HijackThis.
Next: Show HIDDEN FILES and folders (This is a MUST)
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files and/or folders or folder contents:
C:\documents and settings\amber\local settings\temp\ All files in the temp folder, but NOT the folder name temp.
C:\WINDOWS\System32/left.html file
C:\WINDOWS\System32\inetp60.dll
Reboot in normal mode Windows and run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
Download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it. Print the instructions out and follow along as you set the checkboxes.
http://www.cjwd.demon.co.uk/spybot-adaware.html
Browse a bit after running these two programs (hopefully you will be able to download and run IE after the Safe Mode work). Then post a fresh log.
HTH,
Texruss
After the final all clear is given by us you should flush your Restore Points for XP and Millennium. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.
See FAQ 12 here: http://www.russelltexas.com/spywareinfo/faqhijackthis.htm
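As an added example, not part of this thread and not HijackThis's own code: a small Python triage script that flags the kinds of entries Texruss marked above (IE start/search pages redirected to a local file, orphaned hooks and BHOs, autoruns launched from a temp folder, rundll32 autoruns to verify, and O16 ActiveX downloads from hosts outside a trusted set). The sample lines are copied from the log in this thread; the trusted-host set is an assumption.

```python
import re

# Constructed sample in HijackThis v1.97 format, copied from entries discussed
# in this thread (not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbcyahoo.com
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {0EC6CCCC-770E-8163-AF43-EA1493E02F8B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [VwCtBkF3c] C:\documents and settings\amber\local settings\temp\VwCtBkF3c.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
"""

# Assumption: download hosts an administrator has chosen to trust for O16 installs.
TRUSTED_DPF_HOSTS = {"fpdownload.macromedia.com"}

# Every HJT entry starts with a section tag (R0, R1, R3, O2, O4, O16 ...), " - ", body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, reason, line) for entries that deserve manual review."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        sec, low = m.group("sec"), m.group("body").lower()
        if sec in ("R0", "R1") and "= file://" in low:
            findings.append((sec, "IE page points at a local file", line))
        elif sec in ("R3", "O2") and low.endswith("(no file)"):
            findings.append((sec, "hook/BHO registered but file missing", line))
        elif sec == "O4":
            if re.search(r"\\(local settings\\)?temp\\", low):
                findings.append((sec, "autorun launched from a temp folder", line))
            elif "rundll32" in low:
                findings.append((sec, "rundll32 autorun; verify the DLL it loads", line))
        elif sec == "O16":
            host = re.search(r"https?://([^/\s]+)", low)
            if host and host.group(1) not in TRUSTED_DPF_HOSTS:
                findings.append((sec, f"ActiveX download from untrusted host {host.group(1)}", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Entries the script leaves alone (a plausible-looking Start Page such as the mistyped sbcyahoo.com above) still need a human eye; the script narrows the list, it does not replace the review.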
David45
89 Posts
0
May 31st, 2004 14:00
I am getting two errors when I now reboot:
1. RUNDLL
Error Loading C:\windows\system32\inetp60.dll - The specified module could not be found.
2. RUNDLL32.EXE - Entry Point not found
The procedure entry point remote assistance prepare system restore could not be loaded in the dynamic link library WINSTA.dll