sonneckshock

hijacked homepage - res://sqotl.dll/index.html#966

16 posts in this topic

I am having difficulty removing a homepage hijacker. The new homepage that comes up is res://sqotl.dll/index.html#96676. Using adaware, I found a file, d3cp.exe, that seems to be causing the problem, although I can't seem to delete it.

 

I have also read this site's FAQ and tried those solutions, especially adaware, spybot s &d, cwshredder, and spysweeper. These programs removed many files, but not the above.

 

Any ideas would be appreciated. I have enclosed the logfile.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 7:18:17 PM, on 7/1/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Drew\Desktop\d3cp.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe

C:\WINDOWS\winyl.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe

C:\Documents and Settings\Drew\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sqotl.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sqotl.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://sqotl.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sqotl.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sqotl.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sqotl.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {90C2CAE8-913A-DBA5-AC8E-D0896D0378CA} - C:\WINDOWS\msmk32.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe"

O4 - HKLM\..\Run: [winyl.exe] C:\WINDOWS\winyl.exe

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [mfcvy32.exe] C:\WINDOWS\system32\mfcvy32.exe

O4 - HKLM\..\RunOnce: [ntyz32.exe] C:\WINDOWS\ntyz32.exe

O4 - HKLM\..\RunOnce: [ieyt32.exe] C:\WINDOWS\ieyt32.exe

O4 - HKLM\..\RunOnce: [winig32.exe] C:\WINDOWS\winig32.exe

O4 - HKLM\..\RunOnce: [ipau32.exe] C:\WINDOWS\system32\ipau32.exe

O4 - HKLM\..\RunOnce: [atlud.exe] C:\WINDOWS\system32\atlud.exe

O4 - HKLM\..\RunOnce: [appao32.exe] C:\WINDOWS\appao32.exe

O4 - HKLM\..\RunOnce: [sdkjl32.exe] C:\WINDOWS\sdkjl32.exe

O4 - HKLM\..\RunOnce: [d3oy.exe] C:\WINDOWS\system32\d3oy.exe

O4 - HKLM\..\RunOnce: [sdkhl.exe] C:\WINDOWS\sdkhl.exe

O4 - HKLM\..\RunOnce: [winmx.exe] C:\WINDOWS\winmx.exe

O4 - HKLM\..\RunOnce: [sdkke.exe] C:\WINDOWS\sdkke.exe

O4 - HKLM\..\RunOnce: [addfn.exe] C:\WINDOWS\system32\addfn.exe

O4 - HKLM\..\RunOnce: [ntor.exe] C:\WINDOWS\system32\ntor.exe

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.ibm.com/ca/en/

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://sheetmusic.music123.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/contr...media/Swdir.cab

O16 - DPF: {42DD9653-28D7-4873-8F71-ADAFE9012CF2} (GameLoader Control) - http://www.netgame.co.jp/page/game/com/GameLoader.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b1ab71fb0576dc0e02/...ip/RdxIE601.cab

O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/ca/TemplateGallery/msotd.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.city.north-bay.on.ca/scripts/AxisCamControl.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7291.1515277778

O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://lolidka.pl/members/lolidka5.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FD07AC3E-89BC-4EA5-AFCA-19AD8C6C896B} (ShellObj Class) - http://download.mgame.com/Webexe/webexe.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FFC13397-F41A-4BF9-B292-A74D28A0BCF7}: NameServer = 209.226.175.224 198.235.216.110


Hi sonneckshock,

 

Sorry for the delay. If you are still having your hijack concern, let's do this:

 

First, please put HJT in a Permanent folder.

Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

This will allow backups to be made and saved by HijackThis in case something goes wrong.

Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

 

About:Buster has been updated, so let's try this:

Please download About:Buster and unzip it to your desktop.

Start it, hit Ok, Start, and Ok to start the scan. It will generate a log. Post that log along with a new HijackThis log here.

 

(There is a newer version of HJT. You can get it here.)


Hi Autodad -

 

Thanks a lot for your reply.

 

I carried out your suggestions and ran HJT from within a new permanent folder, creating a new log. I also updated About:Buster and generated a log.

 

Both of the generated logs appear below. Once again, thanks for your guidance in this.

 

Sonneckshock

 

 

Logfile of HijackThis v1.97.7

Scan saved at 2:17:09 PM, on 7/12/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe

C:\WINDOWS\winyl.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe

C:\WINDOWS\system32\mfcbm.exe

C:\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fsesx.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fsesx.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fsesx.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fsesx.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fsesx.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fsesx.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {E2D8233B-EB51-4A42-F2AA-063A02152A72} - C:\WINDOWS\wincx.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe"

O4 - HKLM\..\Run: [winyl.exe] C:\WINDOWS\winyl.exe

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [sysap32.exe] C:\WINDOWS\system32\sysap32.exe

O4 - HKLM\..\RunOnce: [mfcbm.exe] C:\WINDOWS\system32\mfcbm.exe

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.ibm.com/ca/en/

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://sheetmusic.music123.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/contr...media/Swdir.cab

O16 - DPF: {42DD9653-28D7-4873-8F71-ADAFE9012CF2} (GameLoader Control) - http://www.netgame.co.jp/page/game/com/GameLoader.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b1ab71fb0576dc0e02/...ip/RdxIE601.cab

O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/ca/TemplateGallery/msotd.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.city.north-bay.on.ca/scripts/AxisCamControl.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7291.1515277778

O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://lolidka.pl/members/lolidka5.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FD07AC3E-89BC-4EA5-AFCA-19AD8C6C896B} (ShellObj Class) - http://download.mgame.com/Webexe/webexe.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FFC13397-F41A-4BF9-B292-A74D28A0BCF7}: NameServer = 209.226.175.224 198.235.216.110

 

 

Log from About:Buster:

 

-- Scan 1 --------

About:Buster Version 1.27

Removed! : C:\WINDOWS\tpdua.dat

Removed! : C:\WINDOWS\uswqn.dat

Removed! : C:\WINDOWS\System32\vlbky.dll

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!


Hello sonneckshock,

 

Let's try this:

 

Reboot to Safe Mode (tap F8 While restarting) and run About:Buster in safe mode.

Then reboot normally.

 

Next, download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

 

Install the program and launch it.

 

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

 

Next, we need to configure Ad-aware for a full scan.

 

Click on the Gear icon (second from the left) to access the preferences/settings window.

 

1. In the General window make sure the following are selected:

  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives

3. Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

4. Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

 

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

  • Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

 

Save the log file when it asks and then click Finish.

 

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

 

Reboot your computer.

 

 

Then take a Free on-line scan at HouseCall

 

You really need to get to Windows Update to get SP1 and all the latest security patches that apply to you.

 

After that, please post a new HJT log.


Hi again Autodad -

 

I performed all your suggestions.

 

I ran about:buster in safe mode.

 

I have been using adaware a few times a week, but never with the custom scanning options. This time it scanned 150,000 objects instead of the usual 46,000, and found 53 items, which I removed. Thanks for the tips on its use.

 

I did the free on-line scan at housecall, which found and removed one virus (a trojan).

 

Regarding windows updates, I update at least once a week, but this past week, I have been unable to update several files, getting a "software has not passed windows logo testing" message.

 

These files include:

KB870669

811493 (which I have tried numerous times to install)

Windows Error Reporting

Q319949

Q320678

Q319322

Q320552

 

I received a "problem with "cryptographic services" message a few times, but when I run services.msc, it appears to be turned on.

 

Here is the latest HijackThis log, followed by the About:Buster log. Thanks again for your assistance.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:23:40 PM, on 7/13/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\d3ab32.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe

C:\WINDOWS\winyl.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe

C:\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlbky.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlbky.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vlbky.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {17ADE0A1-46CA-4FBD-4E9D-1C5F1EE5C178} - C:\WINDOWS\d3cl32.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe"

O4 - HKLM\..\Run: [winyl.exe] C:\WINDOWS\winyl.exe

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [d3ab32.exe] C:\WINDOWS\system32\d3ab32.exe

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.ibm.com/ca/en/

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://sheetmusic.music123.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/contr...media/Swdir.cab

O16 - DPF: {42DD9653-28D7-4873-8F71-ADAFE9012CF2} (GameLoader Control) - http://www.netgame.co.jp/page/game/com/GameLoader.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b1ab71fb0576dc0e02/...ip/RdxIE601.cab

O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/ca/TemplateGallery/msotd.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.city.north-bay.on.ca/scripts/AxisCamControl.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7291.1515277778

O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://lolidka.pl/members/lolidka5.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FD07AC3E-89BC-4EA5-AFCA-19AD8C6C896B} (ShellObj Class) - http://download.mgame.com/Webexe/webexe.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FFC13397-F41A-4BF9-B292-A74D28A0BCF7}: NameServer = 209.226.175.224 198.235.216.110

 

New log from About:buster:

 

-- Scan 1 --------

About:Buster Version 1.27

Removed! : C:\WINDOWS\tpdua.dat

Removed! : C:\WINDOWS\uswqn.dat

Removed! : C:\WINDOWS\System32\vlbky.dll

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!


Hi sonneckshock,

 

Let's try this. First, I suggest that you remove WildTangent if you really don't need it.

 

Set Windows to show hidden files

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

Next, go to Start->Run and type "Services.msc" (without quotes), then hit Ok.

 

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

 

 

Then, Reboot to Safe Mode (tap F8 while restarting).

 

Go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for this:

(if it's there)

 

winyl.exe

 

Then close Task Manager.

 

- - -- - -- -

 

Then open Hijackthis, click Scan, then put a check next to the following entries:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlbky.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlbky.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vlbky.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

 

O2 - BHO: (no name) - {17ADE0A1-46CA-4FBD-4E9D-1C5F1EE5C178} - C:\WINDOWS\d3cl32.dll

 

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

 

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l

O4 - HKLM\..\Run: [winyl.exe] C:\WINDOWS\winyl.exe

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\RunOnce: [d3ab32.exe] C:\WINDOWS\system32\d3ab32.exe

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b1ab71fb0576dc0e02/...ip/RdxIE601.cab

O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://lolidka.pl/members/lolidka5.exe

 

 

Now, make sure you Close all open Windows (have only HJT open) and click "Fix Checked".

 

 

Then delete this Folder:

 

C:\Program Files\WildTangent\

 

And these files:

 

C:\WINDOWS\winyl.exe

C:\WINDOWS\system32\d3ab32.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe

 

- - - - - - - -

 

Then, while still in safe mode, run About:Buster.

Start it (don't worry about the pop-up that says to fix all random objects, we just did that).

Hit OK, Start, and OK to start the scan. It will generate a log. Post that log along with a new HijackThis log here.

 

- - - - - - - -

 

Now run Ad-aware, while still in safe mode.

 

_________

 

Then, reboot normally, and try Windows Update again.

 

After you do the above, please post a new HJT log, and your About Buster log.


Hi again Autodad -

 

I removed WildTangent (which I do every week) and turned on the hidden files.

 

I don't appear to have a service in services.msc called "network security service".

 

Could it be "NT LM Security Support Provider"?

 

Thanks


Hello sonneckshock,

 

No, it wouldn't be "NT LM Security Support Provider". If you're sure that "Network Security Service" is not there, then please just proceed with the rest of the steps.


Hi Autodad - carried out all suggestions. Here is the HJT log and About:buster log. My home page is still hijacked, by the way, and I'm still unable to get critical updates from Microsoft.

 

Thanks again for looking at these logs.

 

Sonneckshock

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:21:33 PM, on 7/15/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\LXSUPMON.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\netet32.exe

C:\WINDOWS\system32\crxh.exe

C:\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlbky.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlbky.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vlbky.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

O2 - BHO: (no name) - {17ADE0A1-46CA-4FBD-4E9D-1C5F1EE5C178} - C:\WINDOWS\d3cl32.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe"

O4 - HKLM\..\Run: [crxh.exe] C:\WINDOWS\system32\crxh.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\RunOnce: [netet32.exe] C:\WINDOWS\netet32.exe

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.ibm.com/ca/en/

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://sheetmusic.music123.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/contr...media/Swdir.cab

O16 - DPF: {42DD9653-28D7-4873-8F71-ADAFE9012CF2} (GameLoader Control) - http://www.netgame.co.jp/page/game/com/GameLoader.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/ca/TemplateGallery/msotd.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.city.north-bay.on.ca/scripts/AxisCamControl.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7291.1515277778

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FD07AC3E-89BC-4EA5-AFCA-19AD8C6C896B} (ShellObj Class) - http://download.mgame.com/Webexe/webexe.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FFC13397-F41A-4BF9-B292-A74D28A0BCF7}: NameServer = 209.226.175.224 198.235.216.110

 

 

About:Buster Version 1.27

Removed! : C:\WINDOWS\tpdua.dat

Removed! : C:\WINDOWS\uswqn.dat

Removed! : C:\WINDOWS\System32\vlbky.dll

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

Windows update:

The following items failed to install:

 

Windows XP Service Pack 1 (Express)

Critical Update for ADODB.stream (KB870669)

Security Update for Windows XP (KB840315)

Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)

Security Update for Windows XP (KB841873)

Security Update for Windows XP (KB839645)

811493: Security Update (Windows XP)


Hello sonneckshock,

 

This one is being really persistent, but so are we!

 

There is a newer version of About:Buster (v1.3) Please get it here: http://downloads.subratam.org/AboutBuster.zip

 

Some of this you have done already, but the files have changed. So please do this:

 

1) Open My Computer and choose "Tools" in the menu, then choose "Folder Options".

 

2) Click the "View" tab and under Advanced Settings set it to show "Hidden files and folders"

 

3) Next press "Alt Ctrl Del" and choose the "Processes tab" to bring up a list of running processes.

 

4) Click the "Image Name" button to get the processes in alphabetical order. Scroll through the list of processes and end task on these:

 

netet32.exe

and

crxh.exe

 

(I know you said that "network security service" wasn't there, but please look again)

5) Next, go to Start --> Run and type "Services.msc" (without quotes) then hit OK.

 

6) Scroll down in the right pane of the screen and find the service called "Network Security Service". Double click it.

 

7) In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

 

8) Open HijackThis, click Scan, then put a check next to the following entries:

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlbky.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlbky.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vlbky.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676

 

O2 - BHO: (no name) - {17ADE0A1-46CA-4FBD-4E9D-1C5F1EE5C178} - C:\WINDOWS\d3cl32.dll

 

O4 - HKLM\..\Run: [crxh.exe] C:\WINDOWS\system32\crxh.exe

O4 - HKLM\..\RunOnce: [netet32.exe] C:\WINDOWS\netet32.exe

 

 

Then, close all open Windows and Browsers (have only HJT open) and click "Fix Checked".

 

 

9) Reboot to Safe Mode (tap F8 while restarting) and delete these 4 files:

 

 

C:\WINDOWS\d3cl32.dll

C:\WINDOWS\netet32.exe

 

C:\WINDOWS\system32\crxh.exe

C:\WINDOWS\system32\vlbky.dll

 

 

10) Go to Start, --> Run and type in "regedit" (without quotes) and press "Enter".

 

11) In the registry, navigate to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

In the left pane if you see something called "__NS_Service_3" right click on it and choose delete.

 

12) Next navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\

In the left pane if you see something called "LEGACY___NS_Service_3" right click on it and choose delete.

 

13) Exit regedit.

 

Now run About:Buster v1.3.

 

Then, rerun Ad-aware.

 

Then, reboot normally and please post a new HJT log.

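The checks the helper walks through in the two posts above (res:// start and search pages, the unnamed BHO, the self-named Run/RunOnce executables dropped straight into the Windows directory, and the two DPF downloads) can be turned into a small triage script for HijackThis-format logs. This is an added example, not part of the thread and not a HijackThis feature: the heuristics, the function names and the SAMPLE_LOG (entries copied from the logs posted in this thread, including the forum's own "..." truncation of two URLs) are this example's own construction.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis feature).

It re-implements, as code, the checks made by eye in this thread: R0/R1 pages
pointing at res://, unnamed or file-missing BHOs (O2), loose self-named autorun
executables in the Windows directory (O4), and ActiveX downloads (O16) that
fetch a raw .exe or come from a bare IP address.
"""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: entries copied from the logs posted above (the "..." in two
# URLs is the forum's own truncation), plus three benign entries from the same
# logs so the clean path is exercised too.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vlbky.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlbky.dll/index.html#96676
O2 - BHO: (no name) - {17ADE0A1-46CA-4FBD-4E9D-1C5F1EE5C178} - C:\WINDOWS\d3cl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [winyl.exe] C:\WINDOWS\winyl.exe
O4 - HKLM\..\RunOnce: [d3ab32.exe] C:\WINDOWS\system32\d3ab32.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b1ab71fb0576dc0e02/...ip/RdxIE601.cab
O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://lolidka.pl/members/lolidka5.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run(?:Once|Services)?): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
FIRST_PATH_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Directories where a loose, self-named autorun executable is a red flag.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log: str):
    """Yield (section, body, line) for every R*/O* entry; other lines are skipped."""
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m["section"], m["body"], line


def check_page(section, body, line):
    # R0/R1: IE start/search/default URLs. res:// serves HTML out of a DLL
    # resource, which is why resetting IE's home page alone does not help.
    _, _, value = body.partition("=")
    if value.strip().lower().startswith("res://"):
        return Finding(section, "IE page URL served from a DLL resource (res://)", line)
    return None


def check_bho(section, body, line):
    m = O2_RE.match(body)
    if m and (m["name"].strip() == "(no name)" or "(file missing)" in m["path"]):
        return Finding(section, "BHO with no name or with its DLL missing", line)
    return None


def check_autorun(section, body, line):
    m = O4_RE.match(body)
    if not m:
        return None
    p = FIRST_PATH_RE.match(m["target"].strip())
    if not p:
        return None
    directory, filename = ntpath.split(p["quoted"] or p["bare"])
    # Legit entries carry a product name ([LXSUPMON], [NAV Agent]); the droppers
    # in this thread register under their own random file name, directly in
    # %WINDIR% or system32.
    if directory.lower() in SYSTEM_DIRS and filename.lower() == m["name"].strip().lower():
        return Finding(section, f"self-named autorun in {directory} via {m['hive']} {m['key']}", line)
    return None


def check_activex(section, body, line):
    m = O16_RE.match(body)
    if not m:
        return None
    url = urlparse(m["url"])
    if IPV4_RE.match(url.hostname or ""):
        return Finding(section, "ActiveX download from a bare IP address", line)
    if url.path.lower().endswith(".exe"):
        return Finding(section, "ActiveX entry fetches a raw .exe instead of a .cab/.ocx", line)
    return None


CHECKS = {"R0": check_page, "R1": check_page, "O2": check_bho,
          "O4": check_autorun, "O16": check_activex}


def triage(log: str) -> list:
    """Return the list of Findings for every flagged entry in the log."""
    findings = []
    for section, body, line in parse_entries(log):
        check = CHECKS.get(section)
        finding = check(section, body, line) if check else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; on the sample it flags the two res:// pages, the unnamed BHO, winyl.exe and d3ab32.exe, and both DPF entries, and passes the Norton, LXSUPMON and Shockwave lines. The O4 rule is deliberately narrow (entry name equal to the file name, file sitting loose in the Windows directory) so that it does not fire on vendor entries; treat everything it reports as a lead to verify, not a verdict.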

Hi again Autodad -

 

I carried out all your suggestions. The "network security service" item still isn't there under services.

 

Also, in the Registry, in the key, "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\",

"__NS_Service_3" is not there.

 

In the key, "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\", "LEGACY__NS_Service_3" is there, but I was unable to delete it. The error message read, "Cannot delete LEGACY__NS_Service_3: Error while deleting key."

 

I tried deleting individual parts of the key, but nothing would work.

 

Anyway, here are the HJT, Adaware and About:Buster logs.

 

Thanks again.

 

Sonneckshock.

 

Logfile of HijackThis v1.97.7

Scan saved at 12:41:29 PM, on 7/16/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\atlwo32.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

C:\Hijackthis\HijackThis.exe

 

O2 - BHO: (no name) - {17ADE0A1-46CA-4FBD-4E9D-1C5F1EE5C178} - C:\WINDOWS\d3cl32.dll (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe"

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\RunOnce: [atlwo32.exe] C:\WINDOWS\atlwo32.exe

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.ibm.com/ca/en/

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://sheetmusic.music123.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/contr...media/Swdir.cab

O16 - DPF: {42DD9653-28D7-4873-8F71-ADAFE9012CF2} (GameLoader Control) - http://www.netgame.co.jp/page/game/com/GameLoader.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/ca/TemplateGallery/msotd.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.city.north-bay.on.ca/scripts/AxisCamControl.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7291.1515277778

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FD07AC3E-89BC-4EA5-AFCA-19AD8C6C896B} (ShellObj Class) - http://download.mgame.com/Webexe/webexe.cab

 

 

Lavasoft Ad-aware Personal Build 6.181

Logfile created on :Friday, July 16, 2004 12:09:33 PM

Created with Ad-aware Personal, free for private use.

Using reference-file :01R332 12.07.2004

______________________________________________________

 

Reffile status:

=========================

Reference file loaded:

Reference Number : 01R332 12.07.2004

Internal build : 264

File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref

Total size : 1304680 Bytes

Signature data size : 1283888 Bytes

Reference data size : 20728 Bytes

Signatures total : 28484

Target categories : 10

Target families : 520

7-16-2004 12:08:00 PM Error retrieving update

 

 

Memory + processor status:

==========================

Number of processors : 1

Processor architecture : Intel Pentium IV

Memory available:25 %

Total physical memory:130544 kb

Available physical memory:32536 kb

Total page file size:315196 kb

Available on page file:257640 kb

Total virtual memory:2097024 kb

Available virtual memory:2051032 kb

OS:

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-aware Settings

=========================

Set : Unload recognized processes during scanning

Set : Include basic Ad-aware settings in logfile

Set : Include additional Ad-aware settings in logfile

Set : Let windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Always back up reference file, before updating

Set : Play sound if scan produced a result

 

 

7-16-2004 12:09:33 PM - Scan started. (Custom mode)

 

Listing running processes

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ThreadCreationTime : 7-16-2004 3:55:07 PM

BasePriority : Normal

 

 

#:2 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ThreadCreationTime : 7-16-2004 3:55:19 PM

BasePriority : High

 

 

#:3 [services.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 7-16-2004 3:55:24 PM

BasePriority : Normal

FileSize : 99 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

OriginalFilename : services.exe

ProductName : Microsoft

Created on : 11/16/2001 3:01:02 PM

Last accessed : 7/16/2004 3:55:24 PM

Last modified : 8/18/2001 12:00:00 PM

 

#:4 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 7-16-2004 3:55:24 PM

BasePriority : Normal

FileSize : 11 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

OriginalFilename : lsass.exe

ProductName : Microsoft

Created on : 11/16/2001 3:00:42 PM

Last accessed : 7/16/2004 3:42:44 PM

Last modified : 8/18/2001 12:00:00 PM

 

#:5 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 7-16-2004 3:55:29 PM

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 11/16/2001 3:01:05 PM

Last accessed : 7/16/2004 3:55:29 PM

Last modified : 8/18/2001 12:00:00 PM

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ThreadCreationTime : 7-16-2004 3:55:29 PM

BasePriority : Normal

FileSize : 12 KB

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft

Created on : 11/16/2001 3:01:05 PM

Last accessed : 7/16/2004 3:55:29 PM

Last modified : 8/18/2001 12:00:00 PM

 

#:7 [explorer.exe]

FilePath : C:\WINDOWS\

ThreadCreationTime : 7-16-2004 3:55:41 PM

BasePriority : Normal

FileSize : 977 KB

FileVersion : 6.00.2600.0000 (xpclient.010817-1148)

ProductVersion : 6.00.2600.0000

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

ProductName : Microsoft

Created on : 11/16/2001 3:00:35 PM

Last accessed : 7/16/2004 3:55:43 PM

Last modified : 8/18/2001 12:00:00 PM

 

#:8 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-aware 6\

ThreadCreationTime : 7-16-2004 4:07:41 PM

BasePriority : Normal

FileSize : 668 KB

FileVersion : 6.0.1.181

ProductVersion : 6.0.0.0

Copyright : Copyright

CompanyName : Lavasoft Sweden

FileDescription : Ad-aware 6 core application

InternalName : Ad-aware.exe

OriginalFilename : Ad-aware.exe

ProductName : Lavasoft Ad-aware Plus

Created on : 4/13/2004 8:57:04 PM

Last accessed : 7/16/2004 3:24:48 PM

Last modified : 7/13/2003 2:00:20 AM

 

Memory scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Tracking Cookie Object recognized!

Type : File

Data : drew@2o7[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Drew\Cookies\

 

Created on : 7/16/2004 1:30:31 AM

Last accessed : 7/16/2004 4:13:02 PM

Last modified : 7/16/2004 1:30:31 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : drew@atdmt[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Drew\Cookies\

 

Created on : 7/15/2004 7:38:03 PM

Last accessed : 7/16/2004 4:13:02 PM

Last modified : 7/15/2004 7:38:03 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : drew@doubleclick[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Drew\Cookies\

 

Created on : 7/15/2004 7:24:16 PM

Last accessed : 7/16/2004 4:13:02 PM

Last modified : 7/15/2004 7:24:22 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : drew@fastclick[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Drew\Cookies\

 

Created on : 7/15/2004 9:55:36 PM

Last accessed : 7/16/2004 4:13:02 PM

Last modified : 7/15/2004 9:55:36 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : drew@linksynergy[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Drew\Cookies\

 

Created on : 7/16/2004 2:29:37 PM

Last accessed : 7/16/2004 4:13:03 PM

Last modified : 7/16/2004 2:29:37 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : drew@qksrv[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Drew\Cookies\

 

Created on : 7/15/2004 9:55:36 PM

Last accessed : 7/16/2004 4:13:03 PM

Last modified : 7/15/2004 9:55:36 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : drew@questionmarket[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Drew\Cookies\

 

Created on : 7/15/2004 7:31:14 PM

Last accessed : 7/16/2004 4:13:03 PM

Last modified : 7/15/2004 7:31:14 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : drew@realmedia[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Drew\Cookies\

 

Created on : 7/16/2004 2:29:13 PM

Last accessed : 7/16/2004 4:13:03 PM

Last modified : 7/16/2004 2:29:13 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : drew@z1.adserver[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Drew\Cookies\

 

Created on : 7/15/2004 7:24:32 PM

Last accessed : 7/16/2004 4:13:03 PM

Last modified : 7/15/2004 7:27:53 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : drew@zedo[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Drew\Cookies\

 

Created on : 7/16/2004 1:25:40 AM

Last accessed : 7/16/2004 4:13:03 PM

Last modified : 7/16/2004 1:25:41 AM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : dc37.dll

Category : Malware

Comment :

Object : C:\RECYCLER\S-1-5-21-3307217056-808743801-2304659736-1005\

FileSize : 69 KB

Created on : 6/12/2004 6:03:50 AM

Last accessed : 7/16/2004 3:58:15 PM

Last modified : 6/12/2004 6:03:50 AM

 

 

 

Disk scan result for C:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 11

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : RegValue

Data :

Category : Malware

Comment :

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Value : ITBarLayout

 

 

Conditional scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 1

Objects found so far: 12

 

 

12:27:18 PM Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:17:45:328

Objects scanned :134375

Objects identified :12

Objects ignored :0

New objects :12

 

 

About:Buster Version 1.30

Removed! : C:\WINDOWS\akkdxu.dat

Removed! : C:\WINDOWS\bkjpqq.dat

Removed! : C:\WINDOWS\cgibue.dat

Removed! : C:\WINDOWS\dirzto.dat

Removed! : C:\WINDOWS\dynweh.dat

Removed! : C:\WINDOWS\efxxc.dat

Removed! : C:\WINDOWS\emdcqj.dat

Removed! : C:\WINDOWS\fdhejy.dat

Removed! : C:\WINDOWS\fngud.dat

Removed! : C:\WINDOWS\hgaawf.dat

Removed! : C:\WINDOWS\imoah.dat

Removed! : C:\WINDOWS\jzjgg.dat

Removed! : C:\WINDOWS\lemunm.dat

Removed! : C:\WINDOWS\n_gynntm.dat

Removed! : C:\WINDOWS\puqco.dat

Removed! : C:\WINDOWS\qtfvds.dat

Removed! : C:\WINDOWS\rkpnnw.dat

Removed! : C:\WINDOWS\sdkiu32.exe

Removed! : C:\WINDOWS\swysq.dat

Removed! : C:\WINDOWS\tpdua.dat

Removed! : C:\WINDOWS\tyyfvj.dat

Removed! : C:\WINDOWS\urryhm.dat

Removed! : C:\WINDOWS\vzjuvz.dat

Removed! : C:\WINDOWS\xbzlf.dat

Removed! : C:\WINDOWS\xulmcr.dat

Removed! : C:\WINDOWS\yhzhko.dat

Removed! : C:\WINDOWS\System32\atlgo.exe

Removed! : C:\WINDOWS\System32\bpipk.dat

Removed! : C:\WINDOWS\System32\ezryn.dat

Removed! : C:\WINDOWS\System32\gwisf.dat

Removed! : C:\WINDOWS\System32\iwllr.dat

Removed! : C:\WINDOWS\System32\mpmpr.dat

Removed! : C:\WINDOWS\System32\msxf32.exe

Removed! : C:\WINDOWS\System32\pqtay.dat

Removed! : C:\WINDOWS\System32\sdkgk32.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!


Hi sonneckshock,

 

Can you please find this file: atlwo32.exe. It's located in C:\WINDOWS\atlwo32.exe

 

When you find it, zip it and please send it here with a link to this topic.

 

When I went to this site http://www.harmonyhollow.net/ct.shtml to see what I could find out about Cool Timer, I got this restricted site http://count.exitexchange.com/exit/1118392 popping up.

 

Let's uninstall Cool Timer (see if it is in your add/remove programs).

O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html

_____

 

Go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for this:

 

atlwo32.exe

 

Close task manager.

 

 

Open HijackThis, click Scan, then check these:

 

O2 - BHO: (no name) - {17ADE0A1-46CA-4FBD-4E9D-1C5F1EE5C178} - C:\WINDOWS\d3cl32.dll (file missing)

 

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe"

O4 - HKLM\..\RunOnce: [atlwo32.exe] C:\WINDOWS\atlwo32.exe

 

O8 - Extra context menu item: Free Software - C:\Program Files\Cool Timer\hh.html

 

Then close all open Windows and browsers (have only HJT open) and click "Fix Checked".

 

Then delete this Folder:

 

C:\Program Files\Cool Timer\

 

and this file:

 

C:\Documents and Settings\Drew\Desktop\Peter\anything else\Msn Stuff\MsgPlus.exe

 

Go here http://www.downloads.subratam.org/CWShredder.exe to get the latest version of CWShredder.

 

Reboot to Safe mode, run CWShredder and About Buster.

 

Then reboot normally and please post a new HJT log, and let us know how you made out.

 

Hang in there!


Hi Autodad - funny that you should mention that file. I ran my Symantec virus software about an hour ago, and it found atlwo32.exe, calling it a trojan. It was unable to remove the virus, but on their website they had a series of steps to follow to remove it. Is this virus related to Cool Timer? I have been using Cool Timer (a stopwatch program) for about 2 years.

 

I will follow your suggestions from your most recent email re Cool Timer and MSN Stuff.

 

I have CWShredder, and will continue to use it.

 

Also, a few emails ago, you strongly suggested getting SP1 Service pack update from Microsoft Updates. I have been trying to do that for about a week also, and it won't download; I'm in email conversation with MS now. Perhaps plugging that security issue would prevent this happening in the future.

 

Thanks again. I will repost my next HJT.

 

Sonneckshock.


Hi again, Autodad -

 

Looks like the final problem was the atlwo32.exe file, as you suggested. My computer seems to be fine now, especially since I was able to download and install the SP1 service pack earlier today. All hijacks and popups appear to be gone.

 

I must really thank you for the time you took to walk me through this. I could not have done this without your guidance. Your suggestions really were astute, and they led step by step to a solution.

 

I have attached hjt and aboutbuster logs as requested.

 

Hard to imagine 10 years ago that these crazy phenomena would come into existence.

 

Sonneckshock

Toronto

 

 

 

PS - Sorry I got rid of the atlwo32.exe file before you could examine it.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:14:46 PM, on 7/19/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\LXSUPMON.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\Hijackthis\HijackThis.exe

 

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.ibm.com/ca/en/

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://sheetmusic.music123.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/contr...media/Swdir.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...d30-427d-a3de-373c3e5552fc/msSecAdv.cab?1090163621606

O16 - DPF: {42DD9653-28D7-4873-8F71-ADAFE9012CF2} (GameLoader Control) - http://www.netgame.co.jp/page/game/com/GameLoader.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/ca/TemplateGallery/msotd.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...trendmicro.com/housecall/xscan53.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.city.north-bay.on.ca/scripts/AxisCamControl.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...ctl.CAB?37291.1515277778

O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FD07AC3E-89BC-4EA5-AFCA-19AD8C6C896B} (ShellObj Class) - http://download.mgame.com/Webexe/webexe.cab

 

 

 

About:Buster Version 1.30

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!


Hi sonneckshock,

 

Glad you got it! Your log looks clean.

 

Here is some free protection you should consider:

Download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies.

 

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

 

Check for updates occasionally.

 

And also see So how did I get infected in the first place?
