bjebaz

Homepage hijacked to res://pymbn.dll/index.html#96

21 posts in this topic

My homepage keeps going to res://pymbn.dll/index.html#96. I have tried using ad-aware, about buster, and spybot and none of them have worked. I read the FAQ and the tutorial already.

 

Here is the HijackThis Log v1.98.0

Logfile of HijackThis v1.98.0

Scan saved at 8:03:05 PM, on 7/29/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

C:\WINDOWS\system32\atlvh32.exe

C:\WINDOWS\system32\d3xw.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pymbn.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pymbn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pymbn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pymbn.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pymbn.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pymbn.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {6FA3BCDE-9CB2-3DEF-6909-0B2629F9CE74} - C:\WINDOWS\mslk32.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [d3xw.exe] C:\WINDOWS\system32\d3xw.exe

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


HKLM\System\CurrentControlSet\Services

+ NICSer_WMP11 C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

+ ½O.#ž‚„?õØ´â C:\WINDOWS\ntff.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ QuickTime Task Apple Computer, Inc. C:\Program Files\QuickTime\qttask.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

+ ntff.exe C:\WINDOWS\ntff.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ WinZip Quick Pick.lnk WinZip Executable WinZip Computing, Inc. C:\Program Files\WinZip\WZQKPICK.EXE

+ Wireless-B PCI Adapter Utility.lnk Linksys Instant WLAN Monitor The Linksys Group, Inc. C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ PopUpStopperFreeEdition Pop-Up Stopper Free Edition Panicware, Inc. C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

+ SpySweeper Spy Sweeper Webroot Software, Inc. C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Well done!

 

+ ½O.#ž‚„?õØ´â C:\WINDOWS\ntff.exe <-is the dodgy service

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

+ ntff.exe C:\WINDOWS\ntff.exe <- is the startup!

 

 

Run the tool again, find the line with "½O.#ž‚„?õØ´â ",

Select it by highlighting, RightClick and choose-> Delete!

 

Select and delete the

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

+ ntff.exe C:\WINDOWS\ntff.exe

As well!

 

Restart computer in safe mode:

find and delete the following files:

 

WINDOWS\*mslk32.dll, *msopt.dll *ntff.exe, files!

 

C:\WINDOWS\system32\*atlvh32.exe, *d3xw.exe files!

 

Still in safe mode, run

hijackthis and fix checked:

*R1/R0 lines- All

*R3 - Default URLSearchHook is missing

*O2 - BHO: (no name) - {6FA3BCDE-9CB2-3DEF-6909-0B2629F9CE74} - C:\WINDOWS\mslk32.dll

*O4 - HKLM\..\Run: [d3xw.exe] C:\WINDOWS\system32\d3xw.exe

*O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

Reboot in regular mode, post new hijackthis log and new

results from 'Autoruns' scan (With same configurations as before)


I looked everywhere and those files you told me to delete are not there. Also, the O4 line that you said to delete was not there either. I deleted what was there though. Here is the log and the results:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 10:13:14 PM, on 7/29/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\ntff.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

C:\WINDOWS\System32\drwtsn32.exe

C:\WINDOWS\System32\drwtsn32.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btnzn.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://btnzn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://btnzn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\btnzn.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btnzn.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://btnzn.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {7C25DF9E-175A-AEBC-1715-65139942B8A6} - C:\WINDOWS\msni.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\RunOnce: [ntff.exe] C:\WINDOWS\ntff.exe

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

--------------------------------------------------------------------

 

HKLM\System\CurrentControlSet\Services

+ NICSer_WMP11 C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

+ ½O.#ž‚„?õØ´â C:\WINDOWS\ntff.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ QuickTime Task Apple Computer, Inc. C:\Program Files\QuickTime\qttask.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

+ ntff.exe C:\WINDOWS\ntff.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ WinZip Quick Pick.lnk WinZip Executable WinZip Computing, Inc. C:\Program Files\WinZip\WZQKPICK.EXE

+ Wireless-B PCI Adapter Utility.lnk Linksys Instant WLAN Monitor The Linksys Group, Inc. C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ PopUpStopperFreeEdition Pop-Up Stopper Free Edition Panicware, Inc. C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

+ SpySweeper Spy Sweeper Webroot Software, Inc. C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Download and install this tool:

 

http://p-nand-q.com/download/pserv_cpl/pserv-2.3.exe

 

Restart in safe mode only!

 

Run it from Start> Programs> pserv.cpl >Services and Devices

 

When the list of services appear, locate the entry:

 

½O.#ž‚„?õØ´â C:\WINDOWS\ntff.exe

 

RightClick and select -> 'Disable'!

 

Click 'ok' and close.

 

Make sure all hidden/system/protected files are set as visible in folder options/view and locate the following files:

 

WINDOWS\*ntff.exe, *msni.dll, *msopt.dll And delete all!

 

*Unless you find the 'ntff.exe' file, the entire process will regenerate! :scratchhead:

 

Still in safe mode, run hijackthis and fix:

*R1/R0/R3 lines- All!

*O2 - BHO: (no name) - {7C25DF9E-175A-AEBC-1715-65139942B8A6} - C:\WINDOWS\msni.dll

*O4 - HKLM\..\RunOnce: [ntff.exe] C:\WINDOWS\ntff.exe

*O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

Re-run hijackthis and compare!

Make sure none of the pointed entries are present!

 

When done, run 'pserv.cpl' again, locate the :

½O.#ž‚„?õØ´â C:\WINDOWS\ntff.exe

Service, RightClick and choose -> Delete!

 

Reboot to normal mode, post fresh hijackthis log and fresh scan results from AutoRuns (as before)

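The "re-run hijackthis and compare" check from the reply above, as an added Python example that is not part of the original thread. It matches entries by registry value or CLSID rather than by the whole line, because the res:// DLL name changes between scans in this thread; the function names are assumptions made for this example, and the sample lines are excerpts of the logs posted here.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "R1", "O2", "O18"
    body: str     # everything after "<section> - "

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_log(text):
    """Return the R*/O* entries of a log; a leading '*' (as used in the
    helper's fix lists) is ignored, header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip().lstrip("*"))
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries

def identity(e):
    """Key that survives cosmetic changes between two scans."""
    if e.section in ("R0", "R1") and " = " in e.body:
        # Same registry value, whatever DLL name it currently points to.
        return ("R", e.body.split(" = ", 1)[0].lower())
    if e.section in ("O2", "O18"):
        m = CLSID_RE.search(e.body)
        if m:  # same COM class even if the file now reads "(no file)"
            return (e.section, m.group(0).upper())
    if e.section == "O4" and "]" in e.body:
        return ("O4", e.body.split("]", 1)[0].lower() + "]")
    return (e.section, e.body.lower())

def points_to_res(e):
    """True when an R0/R1 value holds a res:// URL, as in the hijacked logs."""
    return e.body.split(" = ", 1)[-1].lower().startswith("res://")

def build_fix_list(listed_text, before):
    """Entries named in the fix list plus every R0/R1 line of the earlier
    log, which is how this example reads 'R1/R0 lines - All'."""
    return parse_log(listed_text) + [e for e in before if e.section in ("R0", "R1")]

def remaining(fix_list, after):
    """Entries of the new log that correspond to something that was to be fixed."""
    wanted = {identity(e) for e in fix_list}
    out = []
    for e in after:
        if identity(e) not in wanted:
            continue
        if e.section in ("R0", "R1") and not points_to_res(e):
            continue  # value exists but now holds an ordinary URL
        out.append(e)
    return out

def appeared(before, after):
    """Entries of the new log with no counterpart in the earlier one."""
    seen = {identity(e) for e in before}
    return [e for e in after if identity(e) not in seen]

# Excerpt of the first log in this thread (8:03:05 PM scan).
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pymbn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pymbn.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {6FA3BCDE-9CB2-3DEF-6909-0B2629F9CE74} - C:\WINDOWS\mslk32.dll
O4 - HKLM\..\Run: [d3xw.exe] C:\WINDOWS\system32\d3xw.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""
# Lines the first fix list named explicitly, in its own '*' notation.
FIX_LIST = r"""
*R3 - Default URLSearchHook is missing
*O2 - BHO: (no name) - {6FA3BCDE-9CB2-3DEF-6909-0B2629F9CE74} - C:\WINDOWS\mslk32.dll
*O4 - HKLM\..\Run: [d3xw.exe] C:\WINDOWS\system32\d3xw.exe
*O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""
# Excerpt of the second log (10:13:14 PM scan).
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btnzn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://btnzn.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7C25DF9E-175A-AEBC-1715-65139942B8A6} - C:\WINDOWS\msni.dll
O4 - HKLM\..\RunOnce: [ntff.exe] C:\WINDOWS\ntff.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""
# Lines assembled for this example from the last two logs in the thread.
LATER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

if __name__ == "__main__":
    before, after = parse_log(BEFORE), parse_log(AFTER)
    fix = build_fix_list(FIX_LIST, before)
    for label, found in (("still present", remaining(fix, after)),
                         ("new since last scan", appeared(before, after))):
        for e in found:
            print(f"{label}: {e.section} - {e.body}")
```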

I deleted the ntff.exe one, msni.dll would not delete because it said it was running in an application, and msopt was not there.

 

 

 

Logfile of HijackThis v1.98.0

Scan saved at 11:30:53 PM, on 7/29/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

C:\WINDOWS\System32\drwtsn32.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uymxc.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uymxc.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uymxc.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uymxc.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {7C25DF9E-175A-AEBC-1715-65139942B8A6} - C:\WINDOWS\msni.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

 

 

-----------------------------------------------------------------------

 

 

 

HKLM\System\CurrentControlSet\Services

+ NICSer_WMP11 C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ QuickTime Task Apple Computer, Inc. C:\Program Files\QuickTime\qttask.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ WinZip Quick Pick.lnk WinZip Executable WinZip Computing, Inc. C:\Program Files\WinZip\WZQKPICK.EXE

+ Wireless-B PCI Adapter Utility.lnk Linksys Instant WLAN Monitor The Linksys Group, Inc. C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ PopUpStopperFreeEdition Pop-Up Stopper Free Edition Panicware, Inc. C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

+ SpySweeper Spy Sweeper Webroot Software, Inc. C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Ok... Some progress...

The Service was successfully stopped!

 

msni.dll is only a browser helper object.

It is not active in safe mode.

 

You need to try again and follow the steps as

described, now that the *invisible "ntff.exe"

was found at last! :scratchhead:

There is a fair chance msopt.dll will be found as well!

 

If no luck,

Download this tool and use it to delete the file during restart:

 

http://noeld.com/programs.asp?cat=misc#copylock

Run, select 'Add File to delete' browse to the

C:\WINDOWS\msni.dll< file, Click >Add And >Apply.

It will prompt you to restart, if needed!

 

Search for the following files in Windows and/or System32

folder and delete if found: (In safe mode or with CopyLock)

*uymxc.dll

*btnzn.dll

*pymbn.dll

 

Run hijackthis again, and use the

Config>backups tab, Select> all and delete its backups.

 

When done, return to main hijackthis window and fix checked all the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uymxc.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uymxc.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uymxc.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uymxc.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {7C25DF9E-175A-AEBC-1715-65139942B8A6} - C:\WINDOWS\msni.dll (*might say... File missing/no file)

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

Run again and compare!

These lines should no longer show if the files are deleted!

 

Post another hijack and Autoruns log when done!

Edited by freeatlast


I downloaded that tool and deleted msni.dll. Also I deleted btncn.dll and pymbn.dll, but uymxc was not there. msopt.dll was NOT there. The only reason that I couldn't find ntff.exe was that I hadn't gone to folder options and taken off the hide option. Once I did that, the ntff.exe file showed up. I cannot find that msopt.dll file.

 

 

Logfile of HijackThis v1.98.0

Scan saved at 1:16:31 AM, on 7/30/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

C:\HJT\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

 

 

------------------------------------------------------------------------

 

 

 

HKLM\System\CurrentControlSet\Services

+ NICSer_WMP11 C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ QuickTime Task Apple Computer, Inc. C:\Program Files\QuickTime\qttask.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ WinZip Quick Pick.lnk WinZip Executable WinZip Computing, Inc. C:\Program Files\WinZip\WZQKPICK.EXE

+ Wireless-B PCI Adapter Utility.lnk Linksys Instant WLAN Monitor The Linksys Group, Inc. C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ PopUpStopperFreeEdition Pop-Up Stopper Free Edition Panicware, Inc. C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

+ SpySweeper Spy Sweeper Webroot Software, Inc. C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Good progress this time!

Nearly all cleaned up! ;)

 

Still left with the pesky O18 - entry.

 

Let's try another way...

Download registry search tool from the 'FINDnFIX page' link in my signature.

(RegSrch.zip)

Unzip, run, copy and paste to the search box:

msopt.dll

 

It will run for a minute or 2 and eventually generate wordpad text report.

Copy and post it here.

Other logs are not needed at this point.


REGEDIT4

; RegSrch.vbs © Bill James

 

; Registry search results for string "msopt.dll" 7/30/2004 1:32:51 PM

 

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}\InprocServer32]

@="C:\\WINDOWS\\msopt.dll"


Good:

 

Go to Start/run/type:

regedit

 

Click on edit> find

Enter:

msopt.dll

Into the search box and hit -> find next...

 

In the first result, it should be selected on the right pane.

Locate this folder on the left pane:

{4A8DADD4-5A25-4d41-8599-CB7458766220}

RightClick and delete it!

 

Restart your computer, delete all previous

hijackthis backups, scan and post the hopefully last hijackthis log!

 

we're nearly done! ;)


Logfile of HijackThis v1.98.0

Scan saved at 4:12:54 PM, on 7/30/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

 

 

 

 

Thanks a lot for all of your help. I don't know if it is completely cleared up but my homepage is fixed and there are no more pop-ups.


Yup! ;) Your original problem is gone!

 

The remains are leftovers flagged by

hijackthis but it has trouble clearing them up.

 

Do this:

Fix checked again the "O18 - Protocol" line in hijackthis.

Rescan and check it.

If no longer there, all's well!

 

If-- still there after fixing, Run the 'RegSrch' again,

Copy and enter:

{4A8DADD4-5A25-4D41-8599-CB7458766220}

As the string to search.

Wait for the results, and save the text report.

 

Next, run it and enter:

icoo

 

To the box.

Copy and post here both scan results!

We'll get em next ;)


REGEDIT4

; RegSrch.vbs © Bill James

 

; Registry search results for string "{4A8DADD4-5A25-4D41-8599-CB7458766220}" 7/30/2004 10:06:22 PM

 

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\icoo]

"CLSID"="{4A8DADD4-5A25-4d41-8599-CB7458766220}"

 

 

--------------------------------------------------------------------------

 

 

REGEDIT4

; RegSrch.vbs © Bill James

 

; Registry search results for string "icoo" 7/30/2004 10:07:21 PM

 

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\icoo]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\icoo]


Well done!

 

Since you're familiar with regedit

already, run it again from Start/run:

Scroll back up to 'MyComputer'

Slowly expand these subfolders:

 

HKEY_LOCAL_MACHINE\>

SOFTWARE\> Classes\>

icoo <Delete the "icoo" Subfolder!

 

HKEY_LOCAL_MACHINE\ >

SOFTWARE\ >

Classes\ >

PROTOCOLS\>

Handler\icoo <- Delete the "icoo" Folder!

 

Post hijackthis log when done!


Logfile of HijackThis v1.98.0

Scan saved at 10:38:18 PM, on 7/30/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

 

 

 

I think it might be clean!


You got it! :thumbsup:

 

Be sure to keep it that way! ;)

 

BUT---

bjebaz Posted on Jul 31 2004, 12:31 AM

  Logfile of HijackThis v1.98.0

Scan saved at 10:38:18 PM, on 7/30/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

 

Your system is way out of Date...

No Service packs and Discontinued IE version... ?

ASAP-- hop on to Windows updates (links below) , scan and

install ALL security patches on offer, including but not limited to:

-IE6/SP1

-SP4 For Win2K!

 

Unless you do so, all these

baddies and many more will come back to haunt you!

 

Good luck!

Edited by freeatlast


Glad we could help :D

 

 

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
