jashac

hijack to index.html 96676

10 posts in this topic

Could you please help eliminate this hijack? I've read the FAQ. I've scanned with CWShredder, Spybot, Ad-aware, Registry Mechanic, and PCBug Doctor. When I start MS Internet Explorer it is redirected to res://afvcn.dll/index.html#96676.

 

Using HijackThis, I've eliminated the redirects (the first six lines of the HijackThis log) and reset my homepage, and that works for one iteration; then the IE home page is reset again.

 

Problem two: after all this 'fixing' I'm now missing shell.dll, and bridge.dll.

Problem three: Notepad comes up fine, but quits randomly.

 

I don't know if problems two and three are related to the hijack, or to fixes.

 

Could you please help? Following is my HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 12:04:37 PM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Wintab32.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\GeoGraphix\Tools\GGXNASrv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\netxv32.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\GeoGraphix\Tools\GeoSync.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\nteu.exe

C:\WINDOWS\System32\NDrv.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\America Online 9.0\waol.exe

C:\Program Files\America Online 9.0\shellmon.exe

C:\Program Files\America Online 9.0\aolwbspd.exe

C:\Program Files\Hijackthis\hijackthis\HijackThis.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG04.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://afvcn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O2 - BHO: (no name) - {FD00640A-25C5-1166-CC13-F7669822B594} - C:\WINDOWS\system32\atljw32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [nteu.exe] C:\WINDOWS\nteu.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

O4 - HKLM\..\RunOnce: [javabp32.exe] C:\WINDOWS\javabp32.exe

O4 - HKLM\..\RunOnce: [crtr32.exe] C:\WINDOWS\crtr32.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

O17 - HKLM\Software\..\Telephony: DomainName = corporate.vecta-exp.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{234CF7D0-7546-45E2-8337-D91D96E4EF6A}: NameServer = 205.188.146.146

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

 

Thanks a bunch. ..Jasha


Thanks

Here is the new hijackThis log:

 

Logfile of HijackThis v1.98.0

Scan saved at 3:36:56 PM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Wintab32.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\GeoGraphix\Tools\GGXNASrv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\netxv32.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\GeoGraphix\Tools\GeoSync.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\nteu.exe

C:\WINDOWS\System32\NDrv.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\America Online 9.0\waol.exe

C:\Program Files\America Online 9.0\shellmon.exe

C:\Program Files\America Online 9.0\aolwbspd.exe

C:\PROGRA~1\WinZip\winzip32.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://afvcn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O2 - BHO: (no name) - {FD00640A-25C5-1166-CC13-F7669822B594} - C:\WINDOWS\system32\atljw32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [nteu.exe] C:\WINDOWS\nteu.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\RunOnce: [javabp32.exe] C:\WINDOWS\javabp32.exe

O4 - HKLM\..\RunOnce: [crtr32.exe] C:\WINDOWS\crtr32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

O4 - HKCU\..\RunOnce: [RealPlayer0] "C:\Program Files\Real\RealPlayer\realplay.exe" "/firstrun"

O4 - HKCU\..\RunOnce: [RealPlayer1] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

O4 - HKCU\..\RunOnce: [RealPlayer2] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe"

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0104d69b6e57b8...ip/RdxIE601.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

O17 - HKLM\Software\..\Telephony: DomainName = corporate.vecta-exp.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{234CF7D0-7546-45E2-8337-D91D96E4EF6A}: NameServer = 205.188.146.146

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

 

Sure appreciate your time on this, Jasha


Hi, jashac

 

Can you try this please?

 

Please download this tool called 'About:Buster':

 

http://www.downloads.subratam.org/AboutBuster.zip

 

Unzip it to your desktop.

 

DO NOT relaunch Internet Explorer at any point during this.

 

Now, boot in to safe mode. Instructions on how to do so are in the following link:

 

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

(Follow the instructions relevant to your operating system. In this case it is either Windows 2000 or XP.)

 

Once in safe mode, Run HijackThis again, close all open windows (that includes Internet Explorer and Windows Explorer), put a checkmark next to the following, and press "Fix Checked":

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://afvcn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

 

R3 - Default URLSearchHook is missing

 

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

 

O2 - BHO: (no name) - {FD00640A-25C5-1166-CC13-F7669822B594} - C:\WINDOWS\system32\atljw32.dll

 

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [nteu.exe] C:\WINDOWS\nteu.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

O4 - HKLM\..\RunOnce: [javabp32.exe] C:\WINDOWS\javabp32.exe

O4 - HKLM\..\RunOnce: [crtr32.exe] C:\WINDOWS\crtr32.exe

 

Guys, not sure here:

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

 

 

DO NOT relaunch Internet Explorer.

 

Launch the About:Buster program you had earlier downloaded. Click 'OK' to the first prompt you get upon launching the program. Now, click the big 'Start' button. Click the 'OK' button you now see. Leave it to scan (that can take some time, so please be patient). Once it has finished (it'll have text, beside the 'OK' button, identical to 'Done Scanning'), copy/paste its report somewhere. To copy/paste it all, please select (highlight) with your mouse ALL of the text in the white box (in About:Buster). Right-click with your mouse and select 'Copy'.

 

Now, launch Notepad and RIGHT-click in the empty space. Select 'Paste'. Now the logfile from About:Buster will have been copied into Notepad. Click 'File' (in the menus...) > 'Save As'. Save it in C:\ and as Log.txt.

 

Now, restart the computer as normal and you'll return into Windows 'Normal' mode. Once back in 'Normal' mode, re-scan with HijackThis. Save that new logfile. Post that new logfile from HijackThis as well as the Log.txt you saved in safe mode (which is the logfile/report from About:Buster).

 

 

Now you have some items that need to be removed from Safe Mode, and hidden and system files, so do not fix any of this; let the pros here have a look at this.

 

Good luck


Rootkit - thanks for your help. I will proceed as you suggest. In the meantime, I've downloaded TrojanHunter and run it. It found trojans: adware.IELoad.100, Adware.JDF.100, LittleWitch.621, and TrojanDownloader.agent.103. Should I have it delete these before I proceed?

Thanks.


The link to Symantec for booting in safe mode is not working. (I've tried various iterations and cannot get there.) Is it different than pressing F8 during the start-up?

 

I'm wanting to follow your instructions explicitly. Thanks. J


Rootkit,

Thanks for the guidance.

I did run TrojanHunter.

I followed your instructions.

Following is the HijackThis log (normal mode) after deleting items in Safe Mode:

 

Logfile of HijackThis v1.98.0

Scan saved at 3:07:21 PM, on 7/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Wintab32.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\GeoGraphix\Tools\GGXNASrv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\Program Files\GeoGraphix\AdaptiveServer80\win32\dbsrv8.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\GeoGraphix\Tools\GeoSync.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\NDrv.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R3 - Default URLSearchHook is missing

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0104d69b6e57b8...ip/RdxIE601.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

O17 - HKLM\Software\..\Telephony: DomainName = corporate.vecta-exp.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corporate.vecta-exp.com

 

Interesting, because the R.. entries were not there in Safe Mode. I went back to Safe Mode and reran the HijackThis scan to make sure I hadn't just missed them. Not there...

 

Following is the AboutBuster log run in safe mode:

 

About:Buster Version 1.23

Removed! : C:\WINDOWS\eifesk.dat

Removed! : C:\WINDOWS\htdoiz.dat

Removed! : C:\WINDOWS\ixvkyz.dat

Removed! : C:\WINDOWS\mqbdju.dat

Removed! : C:\WINDOWS\ncpgcf.dat

Removed! : C:\WINDOWS\qudwsn.dat

Removed! : C:\WINDOWS\rvpggw.dat

Removed! : C:\WINDOWS\xusbvb.dat

Removed! : C:\WINDOWS\xysjfa.dat

Removed! : C:\WINDOWS\yetopp.dat

Removed! : C:\WINDOWS\System32\yjxdp.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

What's next?

Thanks in advance, ...Jasha


Hey guys,

During the interim, I've continued to get updates for Ad-aware, Spybot, TrojanHunter, and Registry Mechanic, and run them.

It appears that the hijack is gone.

How do I tell for sure?

 

Also, in searching around, I found Home Search Remove at www.hsremove.com/

 

has anyone used this successfully?

 

Thanks .... JashaC

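As an added example (not code from this thread, from HijackThis, or from About:Buster): the question "how do I tell for sure?" is usually answered by comparing scans, so below is a small Python triage script that parses lines in HijackThis's log format, flags the entry types this particular hijack uses (R0/R1 pages redirected into a res:// DLL resource, the missing URLSearchHook, the replaced UserInit in F2, the unnamed BHO, rundll32 loading a DLL out of Downloaded Program Files, and autorun executables dropped straight into C:\WINDOWS), and then diffs a "before" and "after" log into removed, remaining and new entries. The two sample logs are constructed for this example from entries quoted in the thread; the flagging rules are my own heuristics for this case, not HijackThis's own analysis, and an unflagged entry is not proof of anything.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample logs in HijackThis's line format, modeled on entries quoted
# in this thread: one scan before cleanup and one after. With real logs you would
# read the saved hijackthis.log files instead of these strings.
BEFORE_LOG = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\NDrv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {FD00640A-25C5-1166-CC13-F7669822B594} - C:\WINDOWS\system32\atljw32.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [nteu.exe] C:\WINDOWS\nteu.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\RunOnce: [javabp32.exe] C:\WINDOWS\javabp32.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
"""

AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afvcn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afvcn.dll/index.html#96676
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
"""

# One log entry: the section code (R0, O4, ...) and the text after "R0 - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


def parse_log(text: str) -> List[Entry]:
    """Keep only the numbered entries; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


# The legitimate UserInit on Windows XP; anything else in the F2 line means the
# logon sequence has been hooked (the thread's log shows wsaupdater.exe there).
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Autorun executables sitting directly in C:\WINDOWS rather than in a subfolder.
WINROOT_EXE_RE = re.compile(r'\]\s+"?(c:\\windows\\[^\\"\s]+\.exe)')


def assess(e: Entry) -> Optional[str]:
    """Return why the entry looks like part of this hijack, or None if unremarkable."""
    low = e.body.lower()
    if e.section in ("R0", "R1") and "= res://" in low:
        return "IE start/search page redirected into a DLL resource (res://)"
    if e.section == "R3" and "urlsearchhook is missing" in low:
        return "default URLSearchHook has been removed"
    if e.section == "F2" and "userinit=" in low:
        value = low.split("userinit=", 1)[1].rstrip(",").strip()
        if value != LEGIT_USERINIT:
            return "UserInit replaced with " + value
    if e.section == "O2" and low.startswith("bho: (no name)"):
        return "browser helper object with no name"
    if e.section == "O4":
        if "rundll32.exe" in low and "downloaded program files" in low:
            return "rundll32 loading a DLL from Downloaded Program Files at logon"
        m = WINROOT_EXE_RE.search(low)
        if m:
            return "autorun executable directly in C:\\WINDOWS (" + m.group(1) + ")"
    return None


def compare_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Split the flagged entries into removed, still present, and newly appeared."""
    b = {e for e in parse_log(before) if assess(e)}
    a = {e for e in parse_log(after) if assess(e)}
    return {
        "removed": sorted(e.body for e in b - a),
        "remaining": sorted(e.body for e in b & a),
        "new": sorted(e.body for e in a - b),
    }


if __name__ == "__main__":
    for e in parse_log(BEFORE_LOG):
        reason = assess(e)
        mark = "FLAG " if reason else "ok   "
        print(mark + e.section + " - " + e.body + (" <- " + reason if reason else ""))
    result = compare_logs(BEFORE_LOG, AFTER_LOG)
    for label in ("removed", "remaining", "new"):
        print(label + ":")
        for body in result[label]:
            print("  " + body)
```

Run against the constructed logs, the "remaining" bucket still holds the three res:// and URLSearchHook entries, which is the same picture the post-cleanup log in this thread shows: the start-page values came back in normal mode even though the launchers were gone, so an empty "remaining" list across two scans in normal mode (plus a process list with nothing unexplained) is the evidence to look for before calling it clean. Anything the rules leave unflagged, such as the NDrv.exe entry the helper was unsure about, still deserves a manual look.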

One remaining problem:

I use a rolodex program called Sharkware. When I start it I get an error message which says: Cannot find SHELL.DLL

 

Following is an excerpt from the CWShredder scan-only report:

Hosts file not present

Shell Registry value: HKLM\..\WinLogon [shell] Explorer.exe

 

How can I fix this?

Thanks,

Jasha
