• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
drewster

C:\WINDOWS\SYSTEM32|msjm.dll

10 posts in this topic

Read many threads and reached a dead end. Running Spybot,AVG, Symantec, ewido, spyware blaster and cannot seem to track down the C:\WINDOWS\SYSTEM32|msjm.dll file. Spybot finds the file but cannot read it. AVG just gives the virus warning but doesn't find it on the scan. I turned off system restore and it still appears. I turned off symantec's active protection but still can't find it and AVG warning still appears. I show all hidden files and of course it is still there. Below is the current HJT log. I hope you can help. Thank you for this site and your time.

 

Logfile of HijackThis v1.97.7

Scan saved at 9:30:58 AM, on 7/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\WINDOWS\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\xhjofe.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\WINDOWS\System32\yvssn.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.cc/o/cgi-bin/index.cgi?c=4

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.cc/o/cgi-bin/index_sp.cgi?c=4

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.cc/o/cgi-bin/index_sp.cgi?c=4/%s

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1D665F6D-20DD-4908-96A4-FCB9BE553A6D} - C:\WINDOWS\System32\ennkaaa.dll (file missing)

O2 - BHO: (no name) - {47AB4352-9565-29BF-8872-65550BD32A4F} - C:\WINDOWS\System32\ttaywhtd.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {A2833482-B023-4C65-B09D-EE47A4E8CC56} - (no file)

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [rvjthxm] C:\WINDOWS\System32\xhjofe.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyware Begone] c:\freescan\freescan.exe -FastScan

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [Xmb] C:\WINDOWS\System32\yvssn.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmeup.cc

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8189.2321296296

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Our apologies that no response has been forthcoming - Too many logs and too few volunteers :(

 

If you are still having a problem and due to the time pased:

  • Double click on "My Computer" to open it.
  • Double click on the local "C-Drive" to open it.
  • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
  • Please download HijackThis from any of the following locations:

    [*]Install/Unzip it into C:\HJT.

    [*]Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.

    [*]Run HijackThis, click on scan and wait for the scan to finish.

    [*]The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.

    [*]Notepad will open with a copy of the log.

    • Click on "Edit" => "Select All".
    • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.

    [*]Please post your entire log here for analysis.

Share this post


Link to post
Share on other sites

I can see why you are so busy you provide life saving support. Thanks for the help this should be the current HJT log.

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 2:03:35 PM, on 8/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\WINDOWS\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\xhjofe.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\WINDOWS\System32\yvssn.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.cc/o/cgi-bin/index.cgi?c=4

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.cc/o/cgi-bin/index_sp.cgi?c=4

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.cc/o/cgi-bin/index_sp.cgi?c=4/%s

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1D665F6D-20DD-4908-96A4-FCB9BE553A6D} - C:\WINDOWS\System32\ennkaaa.dll (file missing)

O2 - BHO: (no name) - {47AB4352-9565-29BF-8872-65550BD32A4F} - C:\WINDOWS\System32\ttaywhtd.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {A2833482-B023-4C65-B09D-EE47A4E8CC56} - (no file)

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [rvjthxm] C:\WINDOWS\System32\xhjofe.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyware Begone] c:\freescan\freescan.exe -FastScan

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [Xmb] C:\WINDOWS\System32\yvssn.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmeup.cc

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {9723C9A8-7B0B-4479-BDC4-6B6D3F5D9079} (Oracle iMeeting Installer) - https://meet.netsuite.com/imtapp/res/jar/instctrl.dll

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8189.2321296296

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

  1. Download CWShredder from any of the following sites:

  • NOTE: If CWShredder does not run, a variant of CWS could be preventing you from running the shredder. Download the CoolWebSearch.Smartkiller (v1/v2) Miniremoval Tool and save that to a directory called C:\CWS. Run the downloaded program, called miniremoval_coolwebsearch_smartkiller.exe, to remove the variant of CoolWebSearch that is stopping you from running your removal tool.
  • Save CWShredder.exe in C:\CWS.
  • Close all programs and windows.
  • Navigate using windows explorer or My Computer to the C:\CWS folder and double click on the file CWShredder.exe.
  • The first thing you should do is check for updates to CWShredder. You can do this by clicking on the button labeled "Check for update". If updates are found, click on the “Download and open the update” bar.
  • Click on the “Fix” icon and let it scan your computer.
  • CWShredder will then start scanning your hard drive for the various CoolWebSearch variants and remove them if they are found. If one is found it will tell you, otherwise it will state that it is "not present". When it is done you will be presented with a button labeled "Next".
  • When you are finished examining the results, press the “Next” button to see a summary of the fixing process.
  • How do I prevent future infection?
    We strongly recommend you install the patch, available from this MS security bulletin. If you have Windows XP with Service Pack 1a, your system has no MS Java VM. Information on removing the MS Java VM completely and replacing it with the newer, safer Sun Java VM can be found here.

[*]We need to remove a program called "Twain-Tec". To do this, first you need to disable System restore as per the instructions at here . Twiantec.dll is a transponder. HijackThis will detect it as a BHO but it must not be removed using HijackThis. This is because of the remaining registry entries and files which can be dangerous. Instead the following method of removal is preferable and complete:

Go to "Add/Remove Programs" => Uninstall "Twain-Tech". Reboot the computer to SAFE mode - How do I boot into "Safe" mode?. Delete twaintech.dll and twaintec.ini If twaintech.dll is in use, then you would need to rename it, reboot the computer, and then delete it.

[*]Run HijackThis (This should, typically, be run from C:\HJT\HijackThis.exe)

  • Click on "Config" in the bottom right corner of the HijackThis window.
  • Make sure that the "Main" tab is selected at the top.
  • Place a checkmark in the box labelled "Make backups before fixing items".
  • Click on "Back" in the bottom right corner.
  • Make sure all Browser windows are closed otherwise it may interfere with the fixing of items.
  • Click on "Scan" and then place a check mark in the following boxes (If they still exist), And click on "Fix Checked":

    • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.searchmeup.cc/o/cgi-bin/index.cgi?c=4
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.cc/o/cgi-bin/index_sp.cgi?c=4
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.cc/o/cgi-bin/index_sp.cgi?c=4/%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {1D665F6D-20DD-4908-96A4-FCB9BE553A6D} - C:\WINDOWS\System32\ennkaaa.dll (file missing)
O2 - BHO: (no name) - {47AB4352-9565-29BF-8872-65550BD32A4F} - C:\WINDOWS\System32\ttaywhtd.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {A2833482-B023-4C65-B09D-EE47A4E8CC56} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [rvjthxm] C:\WINDOWS\System32\xhjofe.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Xmb] C:\WINDOWS\System32\yvssn.exe
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmeup.cc
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com

[*]Please reboot into safe mode - How do I boot into "Safe" mode?

[*]The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.

  1. DIRECTORY CONTENTS (But not the directory)
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested. Click on "OK" once more to close the options panel.
    • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.

[*]DIRECTORIES

  • Nothing to Delete

[*]FILES

  • C:\WINDOWS\twaintec.dll
  • C:\WINDOWS\System32\ttaywhtd.dll
  • C:\WINDOWS\System32\xhjofe.exe
  • C:\WINDOWS\alchem.exe
  • C:\WINDOWS\wupdt.exe
  • C:\WINDOWS\System32\yvssn.exe

[*]Reboot again and log in normally, repost a new HijackThis log into this message for further review.

Share this post


Link to post
Share on other sites

Struggled to uninstall twaintec, I could not find the program in the uninstall routine but was able to hunt and delete all of the copies of twaintec. The Twaintec folders still remain however.

 

Also was not able to remove the Microsoft JVM could not execute run command so I am thinking the machine may already have the SUN JVM installed.

 

The AVG notice is still poping up repeatedly but I am sure I did something I deleted a ton of files. Hope I made some progress. Here is the latest HJT log.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 1:25:40 PM, on 8/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\WINDOWS\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyware Begone] c:\freescan\freescan.exe -FastScan

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {9723C9A8-7B0B-4479-BDC4-6B6D3F5D9079} (Oracle iMeeting Installer) - https://meet.netsuite.com/imtapp/res/jar/instctrl.dll

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8189.2321296296

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

The log looks clean :)

 

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  1. Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  2. Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  3. IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  4. MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  5. Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  6. Run Ad-Aware with the latest update.
    • Download the latest version of Ad-Aware from here.
    • After installing Ad-aware, and before running the program, Please be sure to update the reference file as per these instructions.
    • Reconfigure Ad-Aware for Full Scan as per the following instructions:
      • Launch the program, and click on the Gear at the top of the start screen.
      • Click the "Scanning" button (On the left side).
      • Under Drives & Folders, select "Scan within Archives" (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • Click "Click here to select Drives + folders" and select your installed hard drives.
      • Under Memory & Registry, select all options.
      • Click the "Advanced" button (On the left hand side).
      • Under "Log-file detail", select all options.
      • Click the "Tweak" button (Again, on the left hand side).
      • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol) and select the following:
        • "Include additional Ad-aware settings in logfile"
        • "Unload recognized processes during scanning."

[*]Under "Cleaning Engine", select the following:

  • "Automatically try to unregister objects prior to deletion."
  • "Let Windows remove files in use after reboot."

[*]Click on "Proceed" to save these Preferences.

[*]Click on the "Scan Now" button on the left.

[*]Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".

[*]Select "Activate in-Depth scan".

[*]Close all programs except ad-aware.

[*]Click on "Next" in the bottom right corner to start the scan.

[*]Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.

[*]After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

[*]Download the latest version of Spybot from either:

  • Install spybot and by default is should install into C:\Program Files\Spybot - Search & Destroy.
  • Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
  • The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
  • Click on "Search for Updates".
  • If any updates are found, place a check mark next to each and click on "Download Updates".
  • Click on "Immunize" and once it detect what has or has not been blocked, block all remaining items by clicking on the green plus sign next to immunize at the top.
  • Click on "Search & Destroy" => "Check for Problems".
  • If any problems are found, be sure to click on "Fix Selected Problems".

Share this post


Link to post
Share on other sites

Thank you very much for the help!!!! I will uninstall AVG and install the apps you recommend. Thanks again for all the help.

Share this post


Link to post
Share on other sites

AVg is anti-virus right? If so, Do not uninstall as you still need virus protection unless you go and ourchase McAfee or Symantec.

Share this post


Link to post
Share on other sites

As long as you have antivirus protection :) Personally, I prefer Norton so if you have the latest dat files etc, uninstall AVG.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0