Tommymac

New User screw-up

7 posts in this topic

Ok - this is the first time I've used anything like this so go easy on me. I'm fairly new to the Internet and just had Broadband enabled and already I'm being hijacked. I've run Norton virus checker and I'm all clear. I was infected with the Sasser worm but downloaded a patch from MSN to fix. I've run ad-aware and deleted loads of spyware. I have a firewall enabled.

 

The site listed in the topic description above is the one that keeps taking over my address bar, and eventually my browser closes unrequested as I try to escape. I also have a pop-up blocker enabled and thankfully a request for me to install a "xxxtoolbar" is being intercepted.

 

I've read the FAQ page and now reached this stage. I've run Hijackthis and saved as a log file but my inexperience means that I am unsure of what to do next. If I paste the log here can anyone help?


Can you please download HijackThis from this link, install it into C:\HJT, run it, click on Scan, save the log and post your entire log here for analysis.

 

Thank you.


Here you go Phantom - all advice appreciated.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 17:06:39, on 25/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\Norman\NVC\BIN\Zanda.exe

C:\WINDOWS\System32\svchost.exe

C:\NORMAN\Nvc\BIN\nvcoas.exe

C:\NORMAN\Nvc\BIN\NJEEVES.EXE

C:\WINDOWS\System32\svcpack.exe

C:\WINDOWS\Explorer.EXE

C:\ATI-CPanel\atiptaxx.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Norman\NVC\BIN\ZLH.EXE

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger Plus! 2\MsgPlus.exe

C:\NORMAN\Nvc\BIN\NYMSE.EXE

C:\WINDOWS\System32\enbiei.exe

C:\NORMAN\Nvc\BIN\cclaw.exe

C:\PROGRA~1\RECTBA~1\AudioWaveManager.exe

C:\WINDOWS\winlogon.exe

C:\Program Files\Common files\updmgr\updmgr.exe

C:\WINDOWS\System32\mslaugh.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\WINDOWS\System32\wugrds.exe

C:\WINDOWS\System32\cvmonitor.exe

C:\WINDOWS\System32\MSlti32.exe

C:\WINDOWS\System32\wuam.exe

C:\PROGRA~1\BTYAHO~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\sp.exe

C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\WINDOWS\System32\wuauclt.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Yahoo!\browser\ybrowser.exe

C:\Documents and Settings\Tom McIver\Local Settings\Temporary Internet Files\Content.IE5\FIGBGBNB\HijackThis[1].exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?seojz (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?seojz (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?seojz (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?seojz (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?seojz (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?seojz (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?seojz (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?seojz about:blank (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?seojz (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ultralinks.info/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?seojz (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?seojz (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?seojz (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?seojz (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?seojz (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.rightfinder.net/search/

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe

O1 - Hosts: 66.118.163.109 auto.search.msn.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll

O2 - BHO: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL (file missing)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {24A3F733-86BF-8E9C-CCC4-F392DD766BC1} - C:\PROGRA~1\CORNST~1\ace soap.dll (file missing)

O2 - BHO: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: new about base - {B81248D4-6C66-EB5E-CB84-7BA1BAC2E440} - C:\PROGRA~1\CORNST~1\ace soap.dll (file missing)

O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\NVC\BIN\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe

O4 - HKLM\..\Run: [Program Start] C:\PROGRA~1\RECTBA~1\AudioWaveManager.exe

O4 - HKLM\..\Run: [iCQ Net] C:\WINDOWS\winlogon.exe -stealth

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [win updates] wugrds.exe

O4 - HKLM\..\Run: [cvmonitor.exe] cvmonitor.exe

O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti32.exe

O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\RunServices: [win updates] wugrds.exe

O4 - HKLM\..\RunServices: [cvmonitor.exe] cvmonitor.exe

O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti32.exe

O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe

O4 - HKCU\..\Run: [incrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sp] C:\WINDOWS\sp.exe

O4 - HKCU\..\Run: [win updates] wugrds.exe

O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe

O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe

O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: BT Yahoo! Sidebar (HKLM)

O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)

O9 - Extra button: Money Viewer (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O13 - WWW Prefix: http://ehttp.cc/?

O13 - WWW. Prefix: http://ehttp.cc/?

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab

O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/...bcontrol012.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E405FF72-BE40-4A2F-A7EE-CE10F5BF7782}: NameServer = 194.72.9.38 194.74.65.87

O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)


Please read the "Pinned" topics - this would have removed a large number of the infections that you have.

 

Due to the number of infections that you have, can you please run through the following procedures and after you have completed them, reboot and post another HijackThis log into this message for further review:

  1. Run either of these free online virus scans.
  2. How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use Ad-Aware. Run this program as soon as possible.
  3. How to use Spybot to remove Spyware <= Please check this link for instructions on how to download, install and then use Spybot. Run this as soon as possible as it may catch things that Ad-Aware misses.
  4. Download, install and run Trojan Hunter (Trial)


OK - completed as you suggest. Cleared a lot of crappy stuff out but the offender still appears and hijacks my home page. Latest HijackThis log below.

 

Regards...

 

Logfile of HijackThis v1.97.7

Scan saved at 11:37:47, on 26/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\Norman\NVC\BIN\Zanda.exe

C:\WINDOWS\System32\svchost.exe

C:\NORMAN\Nvc\BIN\nvcoas.exe

C:\NORMAN\Nvc\BIN\NJEEVES.EXE

C:\WINDOWS\Explorer.EXE

C:\ATI-CPanel\atiptaxx.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Norman\NVC\BIN\ZLH.EXE

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\NORMAN\Nvc\BIN\NYMSE.EXE

C:\Program Files\Messenger Plus! 2\MsgPlus.exe

C:\WINDOWS\System32\enbiei.exe

C:\PROGRA~1\RECTBA~1\AudioWaveManager.exe

C:\NORMAN\Nvc\BIN\cclaw.exe

C:\Program Files\Common files\updater\wupdater.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\WINDOWS\System32\cvmonitor.exe

C:\WINDOWS\System32\MSlti32.exe

C:\WINDOWS\System32\wuam.exe

C:\PROGRA~1\BTYAHO~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\sp.exe

C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Yahoo!\browser\ybrowser.exe

C:\Documents and Settings\Tom McIver\Local Settings\Temporary Internet Files\Content.IE5\FIGBGBNB\HijackThis[1].exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?seojz (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?seojz (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ultralinks.info/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?seojz (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?seojz (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.rightfinder.net/search/

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe

O1 - Hosts: 66.118.163.109 auto.search.msn.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll

O2 - BHO: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {24A3F733-86BF-8E9C-CCC4-F392DD766BC1} - (no file)

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

O2 - BHO: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: new about base - {B81248D4-6C66-EB5E-CB84-7BA1BAC2E440} - (no file)

O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\NVC\BIN\ZLH.EXE /LOAD /SPLASH

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe

O4 - HKLM\..\Run: [Program Start] C:\PROGRA~1\RECTBA~1\AudioWaveManager.exe

O4 - HKLM\..\Run: [iCQ Net] C:\WINDOWS\winlogon.exe -stealth

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [win updates] wugrds.exe

O4 - HKLM\..\Run: [cvmonitor.exe] cvmonitor.exe

O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti32.exe

O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKLM\..\RunServices: [win updates] wugrds.exe

O4 - HKLM\..\RunServices: [cvmonitor.exe] cvmonitor.exe

O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti32.exe

O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe

O4 - HKCU\..\Run: [incrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sp] C:\WINDOWS\sp.exe

O4 - HKCU\..\Run: [win updates] wugrds.exe

O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe

O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe

O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: BT Yahoo! Sidebar (HKLM)

O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)

O9 - Extra button: Money Viewer (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O13 - WWW Prefix: http://ehttp.cc/?

O13 - WWW. Prefix: http://ehttp.cc/?

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab

O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/...bcontrol012.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E405FF72-BE40-4A2F-A7EE-CE10F5BF7782}: NameServer = 194.72.9.38 194.74.65.87

O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)


Tried to add - that "Rightfinder" listed below is what hijacks my home page, while "Sexymagnet" hijacks the address bar.......!!


  1. Please create a new directory C:\HJT and move the HijackThis.exe file into that directory and only run it from there. That way we can ensure that we have the backup files available in the event that they are needed.
  2. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button. Even if you already have it, download it again and make sure you are running v1.59.0.
  3. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?seojz (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?seojz (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ultralinks.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.rightfinder.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.rightfinder.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?seojz (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?seojz (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.rightfinder.net/search/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
    O1 - Hosts: 66.118.163.109 auto.search.msn.com
    O2 - BHO: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
    O2 - BHO: (no name) - {24A3F733-86BF-8E9C-CCC4-F392DD766BC1} - (no file)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: new about base - {B81248D4-6C66-EB5E-CB84-7BA1BAC2E440} - (no file)
    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [iCQ Net] C:\WINDOWS\winlogon.exe -stealth
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [win updates] wugrds.exe
    O4 - HKLM\..\Run: [cvmonitor.exe] cvmonitor.exe
    O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti32.exe
    O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\RunServices: [win updates] wugrds.exe
    O4 - HKLM\..\RunServices: [cvmonitor.exe] cvmonitor.exe
    O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe
    O4 - HKCU\..\Run: [sp] C:\WINDOWS\sp.exe
    O4 - HKCU\..\Run: [win updates] wugrds.exe
    O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
    O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe
    O13 - WWW Prefix: http://ehttp.cc/?
    O13 - WWW. Prefix: http://ehttp.cc/?
    O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)
  4. The following are optional to delete as they are resource hogs:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" <= This program has been known to install adware. It can be removed through "Add/Remove Programs" but it is optional.
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY <= This is considered optional but ... As long as you keep Kazaa, you will keep having these infections, I strongly suggest uninstalling and removing it.
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
  5. Please reboot into safe mode - How do I boot into "Safe" mode?
  6. The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.

    1. DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    2. DIRECTORIES
      • C:\Program Files\Common files\updmgr\
      • C:\Program Files\Common files\updater\
    3. FILES
      • C:\WINDOWS\System32\DReplace.dll
      • C:\WINDOWS\System32\bridge.dll
      • enbiei.exe
      • mslaugh.exe
      • wugrds.exe
      • cvmonitor.exe
      • MSlti32.exe
      • wuam.exe
      • C:\WINDOWS\AddClass.exe
      • C:\WINDOWS\sp.exe
      • C:\WINDOWS\default.css
  7. Reboot again and log in normally, repost a new HijackThis log into this message for further review.

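A triage script for the HijackThis log format walked through in this thread, added here as an example; it is not code from the original posts or from HijackThis itself. It assumes the TRUSTED_HOSTS set and the value-name heuristics, and runs over a handful of lines constructed from the second log above.

```python
"""Triage helper for HijackThis v1.97-style log lines.

Added example for this thread; it is not code from the original posts or from
HijackThis. It parses the prefixes seen in the logs above (R0/R1, F2, O1,
O2/O3, O4) and flags the patterns the helper singled out for "Fix Checked".
TRUSTED_HOSTS and the name heuristics are assumptions made for the example.
"""
import re
from urllib.parse import urlsplit

# Hosts this user (a BT Yahoo! customer) legitimately expects in IE settings.
TRUSTED_HOSTS = {"home.bt.yahoo.com", "www.msn.com", "www.google.com"}
# Autostart value names that borrow Windows Update vocabulary.
UPDATE_LURE = re.compile(r"win(dows)?\s*updates?|microsoft\s.*update|update\s+time", re.I)
# Core Windows binaries that only belong under \WINDOWS\System32.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe"}


def _exe_of(command):
    """First token of an O4 command, unquoted ('C:\\x\\y.exe' or 'wuam.exe')."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage_line(line):
    """Return a reason string if the log line looks like a hijack, else None."""
    prefix, _, rest = line.strip().partition(" - ")
    if prefix in ("R0", "R1"):
        value = rest.partition(" = ")[2].strip()
        if value.startswith("http:///"):
            return "IE setting holds an empty, malformed URL"
        host = (urlsplit(value.split()[0]).hostname or "").lower() if value else ""
        if host and host not in TRUSTED_HOSTS:
            return f"IE start/search setting points to untrusted host {host}"
    elif prefix == "F2" and "UserInit=" in rest:
        progs = [p.strip() for p in rest.split("UserInit=", 1)[1].split(",")]
        extra = [p for p in progs if p and not p.lower().endswith("\\userinit.exe")]
        if extra:
            return "UserInit chain loads extra program(s): " + ", ".join(extra)
    elif prefix == "O1":
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", rest)
        if m and m.group(1) != "127.0.0.1":
            return f"hosts file redirects {m.group(2)} to {m.group(1)}"
    elif prefix in ("O2", "O3"):
        if rest.endswith("(no file)") or rest.endswith("(file missing)"):
            return "BHO/toolbar registered with no backing file"
    elif prefix == "O4":
        m = re.match(r"HK[LC][MU]\\\.\.\\Run\w*:\s*\[([^\]]*)\]\s*(.*)", rest)
        if m:
            name, cmd = m.group(1).strip(), m.group(2)
            exe = _exe_of(cmd)
            base = exe.rsplit("\\", 1)[-1].lower()
            if "\\" not in exe and UPDATE_LURE.search(name):
                return f"autostart '{name}' mimics Windows Update and runs bare {exe}"
            if base in SYSTEM_BINARIES and "\\system32\\" not in exe.lower():
                return f"autostart '{name}' runs {base} from outside System32 ({exe})"
            if "-stealth" in cmd.lower():
                return f"autostart '{name}' passes a -stealth switch"
    return None


def triage_log(text):
    """Return [(line, reason)] for every flagged line of a HijackThis log."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample: lines copied from the thread's second log, plus two
# benign ones (BT Yahoo! start page, ATI control panel) that should pass.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O1 - Hosts: 66.118.163.109 auto.search.msn.com
O2 - BHO: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [iCQ Net] C:\WINDOWS\winlogon.exe -stealth
O4 - HKLM\..\Run: [win updates] wugrds.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
"""

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The heuristics only surface the patterns the helper acted on above (foreign start/search hosts, an extended UserInit chain, a hosts-file redirect, orphaned BHOs, and update-themed bare autostarts); anything they miss still needs the eyes of a human reviewer.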