robocomp

$50 reward for removal of hijacker

31 posts in this topic

I have posted my logfile previously with minimal help from anyone on this site.... thought this might provide a little extra incentive..... thanks

Logfile of HijackThis v1.97.7

Scan saved at 9:36:31 PM, on 5/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Antivirus\Norton Personal Firewall 2003\NISUM.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Antivirus\Norton Personal Firewall 2003\ccPxySvc.exe

C:\WINDOWS\system32\gearsec.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Antivirus\NAV2003\navapsvc.exe

C:\Antivirus\NAV2003\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iPod\bin\iPodManager.exe

F:\Utilities\AccountLogon\AccountLogon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

F:\Utilities\Hijack This\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Antivirus\NAV2003\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\ANTIVI~1\NAV2003\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe

O4 - HKCU\..\Run: [AccountLogon] F:\Utilities\AccountLogon\AccountLogon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html

O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-christopher milne.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AccountLogon (HKCU)

O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - Home Prefix: c:\searchpage.html?page=

O13 - Mosaic Prefix: c:\searchpage.html?page=

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7969.7170949074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

O19 - User stylesheet: C:\WINDOWS\color.css


Good one, I'm bumping this one because the same happened to me... except I still have NO Help *cough*WinHelp2002*cough*


Ok, but what is your problem? Popups? I see there is some fishy stuff like

http: cashsearch.biz/redir.php [Link disabled - it will resize your browser window and who knows what else. -cnm] (Redir means redirect??) I am a complete newbie and am guessing that it's fishy, but I think if you explained to the members what problem you are having, it might be easier for them.

What is

O4 - HKCU\..\Run: [AccountLogon] F:\Utilities\AccountLogon\AccountLogon.exe??

Do you even have a drive called "F"? That one smells fishy as well.

Edited by cnm


I've been to a lot of forums and this is a common problem: people not being specific enough with their problems. Make sure you give the symptoms and what you have tried, if you haven't done so.

Good luck


The first thing I would do is run Ad-Aware, Spybot S&D and CWShredder, and see what's left over; updating Norton and scanning your computer wouldn't hurt either. The cascading style sheet (O19 - User stylesheet: C:\WINDOWS\color.css) looks pretty dodgy to me as well, so I would give that a scan with your AV software.

Also open IE -> Tools -> Internet Options -> Accessibility and take the tick out of "Format my documents using my style sheet".

Edited by Charybdis


Hey, you are in serious luck (for $50 I suppose I am too ;) )

I just resolved the exact same problem:

Go to Start > Run and type regedit. Press Enter.

Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Highlight ShellServiceObjectDelayLoad in the left pane. Look in the right pane for this item:

system

Right-click on System and choose Delete from the menu.

Restart the computer.

Close all windows and have HijackThis fix the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

Do a search for and delete the file system32.dll

Download Ad-aware here -> http://fileforum.betanews.com/detail.php3?fid=965718306

Before you scan with Ad-aware, check for updates of the reference file by using the "webupdate".

Then........

From the main window: click "Start" then "Activate in-depth scan"

then......

Click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

Click the "Tweak" button.

Open up the "Scanning Engine" section and tick "Unload recognized processes during scanning"

Then........ "Cleaning engine", and tick "Let windows remove files in use at next reboot" and "Automatically try to unregister objects prior to deletion"

then...... click "Proceed" to save your settings.

Now to scan it's just to click the "Next" button.

When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "Select all" from the drop-down menu), then press Next and then say Yes to the prompt "Do you want to remove all these entries?".

There ya go, I can't take full credit for that, but 50 bones is always a good thing.

Also.. glad to help ;)


hobb64 has given advice, but please provide a new HijackThis log after you've finished.

Also, if you feel $50 is really worth solving it, when we work for free, go here: http://www.spywareinfo.com/support.php and make a donation to spywareinfo.com.

I'd assume that each post merits the same effort, whether $0.02 is offered, or $200. All the work is pro bono just the same.

Edited by Kevin_b_er

I have followed hobb64's instructions, but I still cannot post my log files to this site.

Those were directed at robocomp. It seems you have something different going on as well.


I appreciate the help and followed hobb64's instructions, and the sex page was removed; however, the about:blank is still hijacking my homepage and I need to resolve this before the problem is totally solved. Here is the current HijackThis logfile. I tried to fix the about:blank line in HijackThis, to no avail.. thanks


Logfile of HijackThis v1.97.7

Scan saved at 9:05:58 PM, on 5/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Antivirus\Norton Personal Firewall 2003\NISUM.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Antivirus\Norton Personal Firewall 2003\ccPxySvc.exe

C:\WINDOWS\system32\gearsec.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Antivirus\NAV2003\navapsvc.exe

C:\Antivirus\NAV2003\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\Program Files\VVSN\VVSN.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iPod\bin\iPodManager.exe

F:\Utilities\AccountLogon\AccountLogon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\Christopher Milne\Application Data\urpo.exe

F:\Utilities\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {1B0FBB41-C9ED-42AC-9455-CDF9CC0023F1} - c:\windows\system32\fabple.dll (file missing)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Antivirus\NAV2003\NavShExt.dll

O2 - BHO: (no name) - {EB9B0E42-9127-47C5-B610-B5D79610CAAD} - c:\windows\system32\leobej.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\ANTIVI~1\NAV2003\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe

O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe

O4 - HKLM\..\Run: [ist service uninstall] C:\Documents and Settings\Christopher Milne\Desktop\msstasks.exe /u

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O4 - HKCU\..\Run: [AccountLogon] F:\Utilities\AccountLogon\AccountLogon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Christopher Milne\Application Data\urpo.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-christopher milne.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AccountLogon (HKCU)

O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - Home Prefix: c:\searchpage.html?page=

O13 - Mosaic Prefix: c:\searchpage.html?page=

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7969.7170949074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab


You still have quite a few nasties.

 

Fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {1B0FBB41-C9ED-42AC-9455-CDF9CC0023F1} - c:\windows\system32\fabple.dll (file missing)

O2 - BHO: (no name) - {EB9B0E42-9127-47C5-B610-B5D79610CAAD} - c:\windows\system32\leobej.dll

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

When you have done this, restart your computer, open Internet Explorer, choose Tools, Internet Options, and change your homepage to something other than about:blank. Then click Apply, then OK. Close Internet Explorer and re-open it. This should fix your issue. :)

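As an added triage example (not a tool from this thread or from any of its posters), here is a small Python script that parses HijackThis 1.97-style log lines like the ones above and flags the patterns the helpers singled out: res:// and about:blank start/search pages, a start page redirected off-list (cashsearch.biz), a missing URLSearchHook, unnamed BHOs loading from system32 or pointing at a missing file, Run entries inside a user profile or with no drive letter, ActiveX (O16) downloads from hosts not on an allowlist, and a forced user stylesheet. The sample log and both allowlists are constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log: one line of each kind discussed in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1B0FBB41-C9ED-42AC-9455-CDF9CC0023F1} - c:\windows\system32\fabple.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Antivirus\NAV2003\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Christopher Milne\Application Data\urpo.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O19 - User stylesheet: C:\WINDOWS\color.css
"""

# Constructed allowlists for this example; real triage would use curated lists.
TRUSTED_START_HOSTS = {"www.google.com", "www.msn.com"}
TRUSTED_DPF_HOSTS = {"www.ipix.com", "download.macromedia.com", "tools.ebayimg.com",
                     "v4.windowsupdate.microsoft.com", "de.trendmicro-europe.com",
                     "a840.g.akamai.net"}

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")   # "R1 - ..." / "O16 - ..."
DRIVE_RE = re.compile(r"^[a-z]:\\")              # absolute path with a drive letter


@dataclass
class Finding:
    section: str   # HijackThis section code: R0, R1, R3, O2, O4, O16, O19
    verdict: str   # "fix": what the helpers told the poster to remove; "review": look closer
    reason: str
    line: str


def _host(url):
    return (urlparse(url).hostname or "").lower()


def classify(raw_line):
    """Return a Finding for one log line, or None if it looks benign or is not an entry."""
    line = raw_line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.groups()
    low = body.lower()

    if code in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        vlow = value.lower()
        if vlow.startswith("res://"):
            return Finding(code, "fix", "start/search page served from inside a DLL via res://", line)
        if vlow.startswith("about:blank"):
            return Finding(code, "fix", "about:blank homepage hijack", line)
        if vlow.startswith("http") and _host(value) not in TRUSTED_START_HOSTS:
            return Finding(code, "fix", "start page redirected to " + _host(value), line)
        return None

    if code == "R3" and "missing" in low:
        return Finding(code, "fix", "default URLSearchHook is missing", line)

    if code == "O2":
        path = body.rsplit(" - ", 1)[-1].lower()
        if "(file missing)" in path or ("(no name)" in low and "\\system32\\" in path):
            return Finding(code, "fix", "unnamed BHO in system32 or pointing at a missing file", line)
        return None

    if code == "O4":
        run = re.search(r"\] (.*)$", body)   # only "[Name] target" Run-key entries
        if not run:
            return None
        target = run.group(1).strip().strip('"').lower()
        if not DRIVE_RE.match(target):
            return Finding(code, "review", "Run entry without a drive letter (relative path)", line)
        if "\\application data\\" in target or "\\desktop\\" in target:
            return Finding(code, "review", "autostart executable inside a user profile folder", line)
        return None

    if code == "O16":
        host = _host(body.rsplit(" - ", 1)[-1].strip())
        if host and host not in TRUSTED_DPF_HOSTS:
            return Finding(code, "review", "ActiveX download from unlisted host " + host, line)
        return None

    if code == "O19":
        return Finding(code, "review", "user stylesheet forced on every page", line)

    return None


def triage(log_text):
    """All findings for a whole log, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def fix_list(log_text):
    """Lines to tick in HijackThis and 'Fix checked', as the helpers in this thread did."""
    return [f.line for f in triage(log_text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.section:4} {f.reason}\n       {f.line}")
```

Paste a full log into SAMPLE_LOG (or read it from a file) and the "fix" lines are the ones a helper would list back; "review" lines still need a human to decide, since a vendor updater or a legitimate per-user tool can trip the same rules.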

thanks nighty. I have tested that and had a lot of problems with it crashing and not working.


I have tried HijackThis and although it removes some things you suggest, it will not remove about:blank or the obfuscated ones. Thanks for the help. Any other suggestions? Thanks


Logfile of HijackThis v1.97.7

Scan saved at 10:31:37 AM, on 5/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Antivirus\Norton Personal Firewall 2003\NISUM.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Antivirus\Norton Personal Firewall 2003\ccPxySvc.exe

C:\WINDOWS\system32\gearsec.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Antivirus\NAV2003\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iPod\bin\iPodManager.exe

C:\Antivirus\NAV2003\AdvTools\NPROTECT.EXE

C:\Program Files\VVSN\VVSN.exe

F:\Utilities\AccountLogon\AccountLogon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Documents and Settings\Christopher Milne\Application Data\urpo.exe

C:\WINDOWS\System32\BRMFRSMG.EXE

F:\Utilities\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\leobej.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {BC102126-EE42-4CAF-A6AC-E7B7ECFFDA9E} - c:\windows\system32\leobej.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Antivirus\NAV2003\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\ANTIVI~1\NAV2003\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe

O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe

O4 - HKLM\..\Run: [ist service uninstall] C:\Documents and Settings\Christopher Milne\Desktop\msstasks.exe /u

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O4 - HKCU\..\Run: [AccountLogon] F:\Utilities\AccountLogon\AccountLogon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Christopher Milne\Application Data\urpo.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-christopher milne.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AccountLogon (HKCU)

O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - Home Prefix: c:\searchpage.html?page=

O13 - Mosaic Prefix: c:\searchpage.html?page=

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7969.7170949074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab


The only one responding that knows what he is doing told you what to do.

Take a minute and see Shadowwar's response.


Here it is: thanks


--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--

--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

 

Sun 05/30/2004

11:01 AM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

F: "DRIVE F" (07F7:3139) - FS:FAT clusters:32k

Total: 80 004 153 344 [75G] - Free: 58 812 989 440 [55G]


*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

5.1.2600.0 C:\WINDOWS\system32\notepad.exe

5.1.2600.0 C:\WINDOWS\notepad.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;


Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\CTLLEK.DLL +++ File read error

\\?\C:\WINDOWS\System32\CTLLEK.DLL +++ File read error

 

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC102126-EE42-4CAF-A6AC-E7B7ECFFDA9E}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{EA39FA77-E2AC-4153-B632-B2BAABC1A972}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{EA39FA77-E2AC-4153-B632-B2BAABC1A972}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM



Ok, run start.bat again.

This time select option 2, then option 2.

It will perform a bunch of things, then at the end it will reboot.

After the reboot, upon startup of Windows a second thing will run.

It should clean most of the hijacker.

Please post the logs.txt it generates at the end. It will be in the dllfix folder if it doesn't open automatically.

Post that along with a new find-all report and a HijackThis log.

So:

logs.txt
find-all report
hijackthis log.


Got nothing but a bunch of error messages both before and after reboot. Your program did not work... thanks for the effort though


There was no find-all report.


CWSDLL/Searchx Appinit Fix By Shadowwar

Version 2.00 052804

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Sun 05/30/2004

05:19 PM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key

 

The operation completed successfully

 

Deleting Bad Appinit Value

 

The operation completed successfully

 

 

Backup of Modified Hiv

 

The operation completed successfully

 

Deleting test Windows key

 

The operation completed successfully

 

Deleting Filter text


Have tried in safe mode and cannot remove it either. It keeps popping up in Norton AntiVirus and will not remove it. It is a backdoor keystroke virus and I need to remove it. It is in the Windows system32 folder. Thanks


Can't remove lsd_f3.dll. It is in the Windows system32 file. Even tried in safe mode and it says other programs are running and won't shut it down. Any suggestions? This should be an easy one for you guys. This is a trojan virus that records keystrokes. Thanks


Ok, I had a bug in it that I fixed. Please post a find-all report.

It should have cleared most of it, but we may need to add back the reg entries.

Also post a HijackThis log.


Closing this really old topic.

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
