rblancrt

res://qqjtz.dll/index.html#26980 problem

30 posts in this topic

SORRY, I HAD TO REBOOT...PLEASE SEE NEW LOG AT BOTTOM OF POST.

 

I have had this problem for several days now. I read the FAQs and followed the instructions from this post:

 

http://www.spywareinfoforum.com/index.php?showtopic=11150

 

of June 28, 2004.

 

 

According to PGPhamton in the post above "As of June 28th, 2004, Ad-Aware still leaves the service intact - You will still need to post your log to get this variant removed"

 

My log is below. If anyone can help it would be great. I'm sick of this thing.

 

I don't know if I should open IE again and try it or not. I will await your reply. I scanned with Ad-Aware6 Personal Build 6.181 reference file 01R325 27.06.2004.

 

Thanks for your reply in advance.

 

 

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 6:23:40 PM, on 6/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\khooker.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\NavNT\vptray.exe

C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\ntiq32.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\crix.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\Documents and Settings\Blanton Randy\Local Settings\temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqjtz.dll/sp.html#26980

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqjtz.dll/index.html#26980

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqjtz.dll/index.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqjtz.dll/sp.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qqjtz.dll/index.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qqjtz.dll/sp.html#26980

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {241DEE3C-B08A-3388-53C6-B2DB4CC5C2A6} - C:\WINDOWS\system32\sdkmf.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [ntiq32.exe] C:\WINDOWS\ntiq32.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\RunOnce: [javaah32.exe] C:\WINDOWS\system32\javaah32.exe

O4 - Startup: cleanxp.cmd

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

 

 

 

NEW LOG

 

Logfile of HijackThis v1.97.7

Scan saved at 9:44:26 PM, on 6/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\khooker.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\NavNT\vptray.exe

C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\ntiq32.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\system32\apptq32.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Blanton Randy\Local Settings\temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqjtz.dll/sp.html#26980

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqjtz.dll/index.html#26980

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqjtz.dll/index.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqjtz.dll/sp.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qqjtz.dll/index.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qqjtz.dll/sp.html#26980

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {241DEE3C-B08A-3388-53C6-B2DB4CC5C2A6} - C:\WINDOWS\system32\sdkmf.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [ntiq32.exe] C:\WINDOWS\ntiq32.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\RunOnce: [appuy32.exe] C:\WINDOWS\system32\appuy32.exe

O4 - Startup: cleanxp.cmd

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Edited by rblancrt


I realize everyone is busy, but I read I could bump after 12 hours, but mostly I want to know how I will know when I receive a reply. Will I see it with my original post?

 

I have read that I need to remove this manually, so I definitely need help.

 

Thanks


Hi rblancrt,

 

There is a tool to remove this now. First, go to Add/Remove programs and uninstall MyWebSearch.

 

Next, run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

 

O2 - BHO: (no name) - {241DEE3C-B08A-3388-53C6-B2DB4CC5C2A6} - C:\WINDOWS\system32\sdkmf.dll

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [ntiq32.exe] C:\WINDOWS\ntiq32.exe

O4 - HKLM\..\RunOnce: [appuy32.exe] C:\WINDOWS\system32\appuy32.exe

 

Go to Start > All Programs > Startup. Look for cleanxp.cmd. Right click it, select properties. Post back any and all details you can find about this file (file location, target path, version info, etc.)

 

Now, download About:Buster from either of the following locations.

 

http://www.atribune.org/downloads/AboutBuster.zip

or

http://tools.zerosrealm.com/AboutBuster.zip

 

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

 

Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log.

 

Reboot and post a new HijackThis log along with the two reports from About:Buster.


Thanks OSC for your help. In Add/Remove programs I don't see MyWebSearch.

 

Should I just continue with your instructions?


Hi rblancrt,

 

Yes, please remove them. :)

Edited by OSC


Sorry to be a pain, but I can't remove them...when I try another window opens that has the address "res://c:\progra~1\mywebs~1\bar\2.bin\mwsbar.dll/101" or the same address with 106 at the end.

 

Any advice?


I ran about:buster, hijack, adaware, spybot and cws and still this damn thing is in here. The more annoying thing is I work for a tech company, and we have 3 other guys here including myself who are stumped on how to remove this. Any other ideas?


Follow this canned fix.

 

 

Visit this page http://www.ducky.atribune.org . Download About:Buster and save it to your desktop. Then start up HijackThis. Tick the boxes next to these items.

 

O2 - BHO: (no name) - {6B27A8C5-5D2A-2032-990C-6EB938D4766F} - C:\WINDOWS\ntmu.dll

O4 - HKLM\..\Run: [winym.exe] C:\WINDOWS\winym.exe

O4 - HKLM\..\RunOnce: [iezo32.exe] C:\WINDOWS\iezo32.exe

 

Then close all windows and hit fix checked. Start About:Buster. On the first prompt hit ok, then start, then ok again. It will run a while. Once it is done there will be a log in the white box. Save that log somewhere. Restart your computer. Post a new Hijack this log and the buster log.

 

If the fix does not work, reboot into safe mode by tapping F8 several times when the computer is first booting, then run About:Buster.


The annoying thing is it's taken us about a week and a half to figure out what to even call this hijack, 'cause it doesn't say anything on the hijacked page.

 

I did find the IP of where this is coming from and the domain name.

81.211.105.20

search-all-fast.com

 

He has ports 21, 22, 25, 53, 80, 81, 110 and 587 and is located in Holland.


Wait, Sandbox, rblancrt started this thread. I'm sorry, but please start your thread by going to the main page and pressing 'new topic'. rblancrt, can you please post a new HJT log?


Hi Rubber DuckY,

 

Thanks for your help. Here is my latest log:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 6:14:44 PM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\khooker.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\NavNT\vptray.exe

C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\ntiq32.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\system32\apptq32.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\Documents and Settings\Blanton Randy\Local Settings\temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqjtz.dll/sp.html#26980

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqjtz.dll/index.html#26980

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqjtz.dll/index.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqjtz.dll/sp.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qqjtz.dll/index.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qqjtz.dll/sp.html#26980

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {241DEE3C-B08A-3388-53C6-B2DB4CC5C2A6} - C:\WINDOWS\system32\sdkmf.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [ntiq32.exe] C:\WINDOWS\ntiq32.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\RunOnce: [appuy32.exe] C:\WINDOWS\system32\appuy32.exe

O4 - Startup: cleanxp.cmd

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


Visit this page http://www.ducky.atribune.org . Download About:Buster and save it to your desktop. Then start up HijackThis. Tick the boxes next to these items.

 

O2 - BHO: (no name) - {241DEE3C-B08A-3388-53C6-B2DB4CC5C2A6} - C:\WINDOWS\system32\sdkmf.dll

O4 - HKLM\..\Run: [ntiq32.exe] C:\WINDOWS\ntiq32.exe

O4 - HKLM\..\RunOnce: [appuy32.exe] C:\WINDOWS\system32\appuy32.exe

 

Then close all windows and hit fix checked. Start About:Buster. On the first prompt hit ok, then start, then ok again. It will run a while. Once it is done there will be a log in the white box. Save that log somewhere. Restart your computer. Post a new Hijack this log and the buster log.

 

If the fix does not work, reboot into safe mode by tapping F8 several times when the computer is first booting, then run About:Buster.


Hi RubbeR DuckY,

 

Here are my HJT and Buster logs after following your instructions:

 

I got the hijack page the 2nd time I opened IE so I don't know if it helped, but thanks for your help.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 6:50:16 PM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\khooker.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\NavNT\vptray.exe

C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\WINDOWS\javaiz.exe

C:\WINDOWS\winbv32.exe

C:\Documents and Settings\Blanton Randy\Local Settings\temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jptxt.dll/sp.html#26980

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jptxt.dll/index.html#26980

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jptxt.dll/index.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jptxt.dll/sp.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jptxt.dll/index.html#26980

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jptxt.dll/sp.html#26980

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0CF480F1-257D-1A25-B315-E66C5C67677C} - C:\WINDOWS\sysxq32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [winbv32.exe] C:\WINDOWS\winbv32.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - Startup: cleanxp.cmd

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

 

 

 

 

AND HERE IS THE BUSTER LOG:

 

 

About:Buster Version 1.23

Removed! : C:\WINDOWS\qqzxvf.dat

Removed! : C:\WINDOWS\heoyhl.dat

Removed! : C:\WINDOWS\ntuxzs.dat

Removed! : C:\WINDOWS\gmlqai.dat

Removed! : C:\WINDOWS\fjilhl.dat

Removed! : C:\WINDOWS\bnofzb.dat

Removed! : C:\WINDOWS\pjbeyt.dat

Removed! : C:\WINDOWS\ddldib.dat

Removed! : C:\WINDOWS\qqjtz.dll

Removed! : C:\WINDOWS\qzfgkd.dat

Removed! : C:\WINDOWS\tgwtut.dat

Removed! : C:\WINDOWS\hmabg.dat

Removed! : C:\WINDOWS\ktiymw.dat

Removed! : C:\WINDOWS\appta.dll

Removed! : C:\WINDOWS\mizwk.dat

Removed! : C:\WINDOWS\n_jbtpmq.dat

Removed! : C:\WINDOWS\ntiq32.exe

Removed! : C:\WINDOWS\eevygv.dat

Removed! : C:\WINDOWS\ksgolo.dat

Removed! : C:\WINDOWS\n_dhkyoi.dat

Removed! : C:\WINDOWS\fidkln.dat

Removed! : C:\WINDOWS\pmsivb.dat

Removed! : C:\WINDOWS\hkwkzl.dat

Removed! : C:\WINDOWS\System32\apptq32.exe

Removed! : C:\WINDOWS\System32\pgvzp.dat

Removed! : C:\WINDOWS\System32\appuy32.exe

Removed! : C:\WINDOWS\System32\slpos.dat

Removed! : C:\WINDOWS\System32\gvvrr.dat

Removed! : C:\WINDOWS\System32\bzxgf.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!
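
The change visible between the 6:14 PM and 6:50 PM logs above (the `res://` start page and the autorun entries come back under different file names after the fix), shown as an added example that is not part of the original thread. It is a small Python parser that diffs two HijackThis scans; the function names are illustrative, and the sample lines are excerpts copied from the two logs posted here.

```python
import re

# Excerpts copied from two HijackThis logs posted in this thread on 6/30/2004:
# 6:14:44 PM (before the fix) and 6:50:16 PM (after it). Function names below
# are illustrative, not part of HijackThis or About:Buster.
SCAN_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqjtz.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqjtz.dll/sp.html#26980
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {241DEE3C-B08A-3388-53C6-B2DB4CC5C2A6} - C:\WINDOWS\system32\sdkmf.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ntiq32.exe] C:\WINDOWS\ntiq32.exe
O4 - HKLM\..\RunOnce: [appuy32.exe] C:\WINDOWS\system32\appuy32.exe
"""
SCAN_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jptxt.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jptxt.dll/sp.html#26980
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CF480F1-257D-1A25-B315-E66C5C67677C} - C:\WINDOWS\sysxq32.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [winbv32.exe] C:\WINDOWS\winbv32.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$", re.M)
# Captures the DLL name from res://name.dll/... or res://C:\dir\name.dll/...
RES_RE = re.compile(r"^res://(?:.*\\)?([^\\/]+\.dll)/", re.I)
WINDIR = "c:\\windows\\"


def parse_log(text):
    """Return (section, body) pairs for every R*/O* line; other lines are skipped."""
    return [(m.group(1), m.group(2).strip()) for m in ENTRY_RE.finditer(text)]


def res_modules(entries):
    """DLL names that IE start/search page values load through the res:// protocol."""
    found = set()
    for section, body in entries:
        if section.startswith("R"):
            _, _, value = body.partition(" = ")
            m = RES_RE.match(value)
            if m:
                found.add(m.group(1).lower())
    return found


def windir_autoruns(entries):
    """O2 (BHO) and O4 (Run key) targets under C:\\WINDOWS, lower-cased.

    Relative O4 commands such as 'pctspk.exe' are not resolved and are skipped.
    """
    found = set()
    for section, body in entries:
        if section == "O2":
            target = body.rsplit(" - ", 1)[-1]      # path follows the CLSID
        elif section == "O4" and "] " in body:
            target = body.split("] ", 1)[1]         # command after [value name]
        else:
            continue
        if target.lower().startswith(WINDIR):
            found.add((section, target.lower()))
    return found


def compare_scans(before_text, after_text):
    """Diff two scans: which Windows-directory autoruns vanished, which appeared."""
    before, after = parse_log(before_text), parse_log(after_text)
    res_before, res_after = res_modules(before), res_modules(after)
    runs_before, runs_after = windir_autoruns(before), windir_autoruns(after)
    return {
        "res_before": res_before,
        "res_after": res_after,
        "dropped": runs_before - runs_after,
        "new": runs_after - runs_before,
        # Hijack still present, but served from a module the first scan never listed.
        "respawned": bool(res_after - res_before),
    }


if __name__ == "__main__":
    for key, value in compare_scans(SCAN_BEFORE, SCAN_AFTER).items():
        print(f"{key}: {value}")
```

A `respawned` result with a fresh set of `new` entries means the fixed items were replaced rather than removed, which is the situation the safe-mode step in the replies addresses.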


Hello again RubbeR DuckY and thanks for your patience.

 

Below are my new HJT and Buster logs after running About:Buster in safe mode.

 

 

Do you see anything wrong now?

 

Are the MyWeb Search entries a problem? And should I be cleaning out my history, etc. on IE now?

 

 

Logfile of HijackThis v1.97.7

Scan saved at 7:20:45 PM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Blanton Randy\Local Settings\temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0CF480F1-257D-1A25-B315-E66C5C67677C} - C:\WINDOWS\sysxq32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - Startup: cleanxp.cmd

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

 

 

 

 

About:Buster Version 1.23

Removed! : C:\WINDOWS\javaiz.exe

Removed! : C:\WINDOWS\winbv32.exe

Removed! : C:\WINDOWS\ewkrdy.dat

Removed! : C:\WINDOWS\hmabg.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!


In Safe Mode - Fix this item in Hijack This

 

O2 - BHO: (no name) - {0CF480F1-257D-1A25-B315-E66C5C67677C} - C:\WINDOWS\sysxq32.dll

 

Run About:Buster again. Then boot into normal mode and tell us how it's going.


Thanks RubbeR DuckY for your help.

 

Here are my newest logs after following your instructions:

 

I had to restart twice...1st time I guess I didn't hit F8 enough..it went to the login but I didn't log in. 2nd time went to safe mode. I hope this didn't interfere with the process.

 

I haven't tried anything in IE yet except this forum.

 

I can still see the hijack page listed in my address bar if I pull it down.

 

What do you suggest now?

 

Logfile of HijackThis v1.97.7

Scan saved at 7:56:53 PM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Blanton Randy\Local Settings\temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - Startup: cleanxp.cmd

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

 

 

 

About:Buster Version 1.23

Removed! : C:\WINDOWS\javazq32.exe

Removed! : C:\WINDOWS\apink32.exe

Removed! : C:\WINDOWS\zzwoxi.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!


HELLO RubbeR DuckY!!!

 

So far everything seems OK. I have been to several sites and haven't been redirected once!!

 

Apparently, you, and your software, are awesome!!

 

Is there anything I need to check about IE settings (security, zones, etc.), that the spy may have changed?

 

And, PLEASE tell me how I can prevent this from happening again, if that is possible.

 

 

Once again, thanks for the awesome help and all your patience and work. I will be happy to make a donation.

 

If there seems to be a problem later I will let you know, but for now it looks GREAT!!


Great to hear it. Wow, this one was a toughie. You were patient also and waited for me to research what to do next. It just pisses me off to the people who keep bumping their threads every 5 minutes. Once a day is enough.

 

Good job :thumbsup:


I just heard today of someone at work who has this same or very similar problem. I will definitely be sending him to this forum.

 

More work for you, I know, but it's really great that there is someone out there to give you back your computer when some #%##@# seems to have taken it over.

 

Thanks again.


Just a question about About:Buster. Is it OK to run it occasionally like I do SpyBot, etc., even when I don't seem to have a problem?

 

I don't really know everything it does, so just thought I would ask.

 

Thanks.
