• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Zayxic

Home page hijacked and pop-ups!

23 posts in this topic

My homepage keeps getting hijacked and pop-ups keep coming. The address apprears to be About:Blank. I have run updated Ad-aware and Spybot but it keeps coming back. And I have also gone through the FAQ provided on the website. Any help is appreciated... Thank you in advance.

 

-----------------------------------------------------------------------------------------------

Here's my Hijack This Log:

 

Logfile of HijackThis v1.98.0

Scan saved at 4:03:12 PM, on 7/27/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AClient\Bin\XCDiffCache.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\AClient\Bin\XCGSTask.exe

C:\PROGRA~1\AClient\Bin\XCSCHE~1.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {288E19A6-0F3D-4333-80FC-CACBE147808C} - C:\WINDOWS\System32\iioccaa.dll

O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll

O2 - BHO: AutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\\SHS.exe" /background

O4 - HKCU\..\Run: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://sympatico.zone.msn.com/bingame/rock...pcaploader1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://sympatico.zone.msn.com/binGame/ZAxRcMgr.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://sympatico.zone.msn.com/bingame/zuma...aploader_v5.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

O18 - Filter: text/html - {635A7DD7-3E70-40FC-BD27-2BEE059E314D} - C:\WINDOWS\System32\iioccaa.dll

O18 - Filter: text/plain - {635A7DD7-3E70-40FC-BD27-2BEE059E314D} - C:\WINDOWS\System32\iioccaa.dll

 

----------------------------------------------------------------------------------------------

 

Here's my About:Buster log (ran in safe mode):

-- Scan 1 --------

About:Buster Version 1.32

Error Removing! : C:\WINDOWS\System32\iioccaa.dll

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 1.32

Error Removing! : C:\WINDOWS\System32\iioccaa.dll

Attempted Clean Of Temp folder.

Pages Reset... Done!

Edited by Zayxic

Share this post


Link to post
Share on other sites

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

Share this post


Link to post
Share on other sites

Thanks Daemon for the reply. I downloaded the program and extracted it.

I double-clicked the !log!.bat file and it ran... but froze when it came across

 

C:\WINDOWS\SYSTEM32\ LOCALUI.DLL

Share this post


Link to post
Share on other sites

I read a few other threads that had similar problems and it seems I may have a CWS infection. I have run CWS shredder and it fixed CWS.SearchX, but my homepage is still constantly hijacked back to About:Blank. I have also run the program advised by Daemon, but it keeps freezing on me :techsupport: ... Is there any other programs out there to aid my computer's recovery? Thanks again in advance, and hope to get a fix soon :)

 

Edit: Forgot to add a fresh Hijack This Log (oops >.<)

---------------------------------------------------------------------------------------------

Logfile of HijackThis v1.98.0

Scan saved at 8:59:37 AM, on 7/28/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AClient\Bin\XCDiffCache.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\AClient\Bin\XCGSTask.exe

C:\PROGRA~1\AClient\Bin\XCSCHE~1.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\mIRC\mirc.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Administrator\My Documents\New Folder\New Folder\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll

O2 - BHO: AutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\\SHS.exe" /background

O4 - HKCU\..\Run: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://sympatico.zone.msn.com/bingame/rock...pcaploader1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://sympatico.zone.msn.com/binGame/ZAxRcMgr.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://sympatico.zone.msn.com/bingame/zuma...aploader_v5.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

Edited by Zayxic

Share this post


Link to post
Share on other sites

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Share this post


Link to post
Share on other sites

You are infected, delete the FnF folder, redownload and try again. Let me know how you get on.

Share this post


Link to post
Share on other sites

Ok I redownloaded and extracted FnF, but it still froze at the localui.dll file, as stated above.

 

Let me know how you get on.

:huh: sorry, but what do you mean by this? How I log on? (either way hope this answers it) Well on this comp, theres no pass to logging into windows. Also I have a router that this comp is connected to, so I don't have to connect to the internet manually.

 

 

--------------------------------------------------------------------

Hijack this log:

Logfile of HijackThis v1.98.0

Scan saved at 7:03:13 AM, on 7/30/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AClient\Bin\XCDiffCache.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\AClient\Bin\XCGSTask.exe

C:\PROGRA~1\AClient\Bin\XCSCHE~1.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\mIRC\mirc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Documents and Settings\Administrator\My Documents\New Folder\New Folder\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll

O2 - BHO: AutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\\SHS.exe" /background

O4 - HKCU\..\Run: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://sympatico.zone.msn.com/bingame/rock...pcaploader1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://sympatico.zone.msn.com/binGame/ZAxRcMgr.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://sympatico.zone.msn.com/bingame/zuma...aploader_v5.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

Share this post


Link to post
Share on other sites

Ok... Will be waiting for your answer... :whistle:

 

Edit: Forgot to say I will be gone for the week on vacation :D so I apologize if I don't reply quickly, but when I am back I will reply ASAP :lol:

Edited by Zayxic

Share this post


Link to post
Share on other sites

OK, change in direction. Using Windows Explorer, go to your root drive: C:\ and create a new folder called 'Hijack' and within that folder, create two new folders, one called 'Backups' and one called 'Junk'.

 

Use the Registrar Lite program. Copy and paste the key below into reglite's address bar and hit 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

 

Click on the Windows key to highlight it, and use the top menu File>Export and save as (in the C:\Hijack\Backups folder):

 

1.) Winkey.reg (Save as type: regedit4 .reg type)

2.) Winkey.hiv (Save as type: Scroll to select-regetd32/WinAPI *hiv *dat files)

 

Navigate to C:\Hijack\Backups and confirm both files have been successfully saved.

 

Use the Registrar Lite program again. Copy and paste the key below into reglite's address bar and hit 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Right-click on the Windows key in the left pane and rename it to something else - for example:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

 

DoubleClick "Appinit_Dlls" value on right pane and erase the data in the 'Value' box at the the bottom of the new pane. The data to remove will be:

 

"C:\WINDOWS\System32\logb.dll ", hit 'Apply' and 'Ok' to set.

 

Rename 'NotWindows' back to 'Windows' in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the logb.dll in C:\WINDOWS\System32.

 

Unzip and run Winfile from here. Open it up, click File>Move...

 

Copy and paste this into the 'From' box: C:\WINDOWS\System32\logb.dll

Copy and paste this into the 'To' box: C:\Hijack\Junk\logb.dll

 

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there.

 

Navigate to C:\Hijack\Backups and double-click on the winkey.reg file. Answer yes to the prompt. Run reglite again, copy and paste the key below into reglite's address bar and hit 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

 

Click on the Windows key to highlight it, and use the top menu File>Import browse to and select the "winkey.hiv" you saved earlier. Hit 'open', merge and 'ok' it.

 

Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log.

Share this post


Link to post
Share on other sites

Ok I did all that you have instructed, but when I came to the part torun winfile to move the logb.dll file, Winfile said

"File Manager cannot move C:\WINDOWS\System32\logb.dll: There are no more files."

(This step:

Unzip and run Winfile from here. Open it up, click File>Move...

 

Copy and paste this into the 'From' box: C:\WINDOWS\System32\logb.dll

Copy and paste this into the 'To' box: C:\Hijack\Junk\logb.dll

 

When I go check the Junk folder, it's empty. Otherwise all the other steps worked accordingly I believe. Once again I thank you for your help and patience hehe, this little bugger is stubborn.

Share this post


Link to post
Share on other sites

Do this again:

run, copy and paste this line to reglite's address bar:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Share this post


Link to post
Share on other sites

Hmmm - it didn't get revealed. Let's try again - the first part of the fix will still be OK, the two files you saved are still relevant. Pick up from here:

 

Use the Registrar Lite program again. Copy and paste the key below into reglite's address bar and hit 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Right-click on the Windows key in the left pane and rename it to something else - for example:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

 

DoubleClick "Appinit_Dlls" value on right pane and erase the data in the 'Value' box at the the bottom of the new pane. The data to remove will be:

 

"C:\WINDOWS\System32\logb.dll ", hit 'Apply' and 'Ok' to set.

 

Rename 'NotWindows' back to 'Windows' in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the logb.dll in C:\WINDOWS\System32.

 

Unzip and run Winfile from here. Open it up, click File>Move...

 

Copy and paste this into the 'From' box: C:\WINDOWS\System32\logb.dll 

Copy and paste this into the 'To' box: C:\Hijack\Junk\logb.dll 

 

Hit OK. Close Winfile and check in C:\Hijack\Junk for that file - let me know what's there.

Share this post


Link to post
Share on other sites

Ok... this time I forgot to change the notwindows folder back to windows before I rebooted, but I continued with the process and now the logb.dll is in the junk folder... is that good?

Share this post


Link to post
Share on other sites

Yes, that's very good. Make sure the key is renamed back as Windows then do this:

 

Navigate to C:\Hijack\Backups and double-click on the winkey.reg file. Answer yes to the prompt. Run reglite again, copy and paste the key below into reglite's address bar and hit 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

 

Click on the Windows key to highlight it, and use the top menu File>Import browse to and select the "winkey.hiv" you saved earlier. Hit 'open', merge and 'ok' it.

 

Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log.

Share this post


Link to post
Share on other sites

ok done... CWShredder didn't turn up anything :/ but heres my new HJT log:

 

Logfile of HijackThis v1.98.0

Scan saved at 1:55:15 PM, on 8/7/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AClient\Bin\XCDiffCache.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\AClient\Bin\XCGSTask.exe

C:\PROGRA~1\AClient\Bin\XCSCHE~1.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Documents and Settings\Administrator\My Documents\New Folder\New Folder\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll

O2 - BHO: AutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://sympatico.zone.msn.com/bingame/rock...pcaploader1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://sympatico.zone.msn.com/bingame/zuma...aploader_v5.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

O20 - AppInit_DLLs: c:\windows\system32\logb.dll

Share this post


Link to post
Share on other sites

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entry by checking the box to the left and clicking 'fixed checked':

 

O20 - AppInit_DLLs: c:\windows\system32\logb.dll

 

Reboot back into normal mode, rescan with HJT and post a new log here for a final check over.

 

Also could you try to delete the C:\Junk folder - this may be difficult, let me know how you get on.

Share this post


Link to post
Share on other sites

Ok, i deleted the logb.dll in hjt and did a rescan after reboot. I also deleted the C:\Hijack\Junk folder (no problems came up, just pressed the delete button). Heres the new HJT log:

 

Logfile of HijackThis v1.98.0

Scan saved at 2:34:58 PM, on 8/7/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AClient\Bin\XCDiffCache.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\AClient\Bin\XCGSTask.exe

C:\PROGRA~1\AClient\Bin\XCSCHE~1.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Documents and Settings\Administrator\My Documents\New Folder\New Folder\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll

O2 - BHO: AutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://sympatico.zone.msn.com/bingame/rock...pcaploader1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://sympatico.zone.msn.com/bingame/zuma...aploader_v5.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

Share this post


Link to post
Share on other sites

Looks good - how is it running now?

 

Click here to make sure that you have the latest Critical Update patches for Windows. It's very important to keep your system up to date to avoid unnecessary security risks.

Share this post


Link to post
Share on other sites

So far so good... Adaware and Spybot show up clean :) Thanks for all the help. Greatly appreciated it Daemon. If anything else comes up I will be back hehe, I just hope when I return its not about another problem :p

Share this post


Link to post
Share on other sites

You're welcome - glad to help :D

 

To help keep you clean follow the recommendations in Tony's article here:

 

So how did I get infected in the first place?

 

 

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0