• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
lukdani

Hijacked by your-searcher.com

12 posts in this topic

I am experiencing two problems; I don't know if they are related.

 

(1) My browser has been hijacked to your-searcher.com.

 

(2) At shutdown (running Win2k), I always get a mysterious program called Win Min which is " not responding".

 

Here is my log. Any help is highly appreciated.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:34:45 AM, on 5/30/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\LEXPPS.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\Explorer.exe

C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

D:\realjukebox\tsystray.exe

C:\WINNT\loadqm.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

E:\Download\aim\aim.exe

C:\winnt\dllhelp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

D:\Corel\Programs\MFIndexer.exe

D:\Microsoft Office\Office\1033\msoffice.exe

E:\Download\Security\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [RealJukeboxSystray] D:\realjukebox\tsystray.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [p3w.exe] C:\documents and settings\luki\local settings\temp\p3w.exe

O4 - HKLM\..\Run: [WinISO] TASKMANAGE.EXE

O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [AIM] E:\Download\aim\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe

O4 - HKCU\..\Run: [iEengine] C:\Program Files\Internet Explorer\IEengine.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Programs\MFIndexer.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: winlogin.exe

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Share this post


Link to post
Share on other sites

Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done.

 

Click here to download Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

 

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

 

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

 

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

 

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

 

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

 

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

 

Reboot when done. Rescan with HJT and post a new log here so that any remnants can be removed manually.

Share this post


Link to post
Share on other sites

Thanks for your help.

 

I had already run CWShredder, Spybot and Ad-Aware prior to my initial post. Anyway, I reran them using the switches you recommended.

 

The one change I can see in the new log is that now I seem to have also winlogin.exe among the running processes...Here it is:

 

Logfile of HijackThis v1.97.7

Scan saved at 12:07:33 PM, on 5/31/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\LEXPPS.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\Explorer.exe

C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

D:\realjukebox\tsystray.exe

C:\WINNT\loadqm.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

E:\Download\aim\aim.exe

C:\winnt\dllhelp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

D:\Corel\Programs\MFIndexer.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

D:\Microsoft Office\Office\1033\msoffice.exe

E:\Download\Security\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [RealJukeboxSystray] D:\realjukebox\tsystray.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [p3w.exe] C:\documents and settings\luki\local settings\temp\p3w.exe

O4 - HKLM\..\Run: [WinISO] TASKMANAGE.EXE

O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [AIM] E:\Download\aim\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe

O4 - HKCU\..\Run: [iEengine] C:\Program Files\Internet Explorer\IEengine.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Programs\MFIndexer.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: winlogin.exe

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Share this post


Link to post
Share on other sites

OK. Click here to download TheKillbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Make sure the 'Create backup before deleting file' box is checked. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:

 

c:\winnt\dllhelp.exe

 

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". In the window that opens up, click on the File menu and choose "Add File". The c:\winnt\dllhelp.exe listing should show up in the window. Then repeat the process, this time adding:

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

 

If that's successful you should have the two files listed. Then repeat so that these files appear in the list as well:

 

C:\documents and settings\luki\local settings\temp\p3w.exe

C:\Program Files\Internet Explorer\IEengine.exe

 

When they are all there, in the same window choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

 

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

 

Open HijackThis, scan and when complete, remove the following entries (if still there) by checking the box to the left and clicking 'fixed checked':

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

O4 - HKLM\..\Run: [p3w.exe] C:\documents and settings\luki\local settings\temp\p3w.exe

O4 - HKLM\..\Run: [WinISO] TASKMANAGE.EXE

O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe

O4 - HKCU\..\Run: [iEengine] C:\Program Files\Internet Explorer\IEengine.exe

O4 - Global Startup: winlogin.exe

 

Reboot when done. Rescan with HJT and post a new log.

Share this post


Link to post
Share on other sites

Thanks for your help.

 

I followed your instructions and the problem seems to be gone. Here is the current log; please let me know if there is still anything suspicious...

 

Logfile of HijackThis v1.97.7

Scan saved at 4:35:22 PM, on 5/31/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\LEXPPS.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\Explorer.exe

C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

D:\realjukebox\tsystray.exe

C:\WINNT\loadqm.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

E:\Download\aim\aim.exe

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

D:\Corel\Programs\MFIndexer.exe

D:\Microsoft Office\Office\1033\msoffice.exe

E:\Download\Security\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [RealJukeboxSystray] D:\realjukebox\tsystray.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [AIM] E:\Download\aim\aim.exe -cnetwait.odl

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Programs\MFIndexer.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Share this post


Link to post
Share on other sites

Well, everything was fine, but unfortunately only for a little while...

 

In no time one of my kids went on the web and managed to get into new trouble..but I will start a new post with that one.

 

Thanks very much for your help.

Share this post


Link to post
Share on other sites

OK, here is the problem. I now get all kinds of popups and weird behavior as soon as I try to go on the Web.

 

After taking a look, I seem to have the bookedspace BHO. The HJT log shows this bxxs5.dll that I cannot get rid of. I have tried to delete it in Safe model, fix it with HJT etc, but it keeps coming back...

 

Here is my current log.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:32:44 AM, on 6/1/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\LEXPPS.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\Explorer.exe

C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

D:\realjukebox\tsystray.exe

C:\WINNT\loadqm.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

E:\Download\aim\aim.exe

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

D:\Corel\Programs\MFIndexer.exe

D:\Microsoft Office\Office\1033\msoffice.exe

E:\Download\Security\HijackThis.exe

 

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [RealJukeboxSystray] D:\realjukebox\tsystray.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [AIM] E:\Download\aim\aim.exe -cnetwait.odl

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Programs\MFIndexer.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Share this post


Link to post
Share on other sites

I'm looking suspiciously at the Media Player entry. Lets try something. With only HJT running, have it fix:

 

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll

O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun

 

Then delete this folder:

 

C:\Program Files\Windows Media Player\

 

Click here to download System Security Suite. Extract it from the zip file into a folder and doubleclick on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot, do so. Repeat for all log-in accounts on your computer.

 

If you find that WMP has been affected, download the legitimate version from here:

 

http://www.microsoft.com/windows/windowsme...ies/player.aspx

Share this post


Link to post
Share on other sites

Well, I think you were right. The wmplayer.exe file had a date stamp of yesterday, when the re-infection (or whatever) occurred.

 

After following your instructions, everything seems to be back to normal. Here is the current HJT log -- let me know if you see any other suspect entries...

 

Thanks very much for your help.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:24:59 PM, on 6/1/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\LEXPPS.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\Explorer.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

D:\realjukebox\tsystray.exe

C:\WINNT\loadqm.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

E:\Download\aim\aim.exe

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

D:\Corel\Programs\MFIndexer.exe

D:\Microsoft Office\Office\1033\msoffice.exe

E:\Download\Security\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [RealJukeboxSystray] D:\realjukebox\tsystray.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [AIM] E:\Download\aim\aim.exe -cnetwait.odl

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Programs\MFIndexer.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0