Cleo

Start page changed to search200.com password

26 posts in this topic

After running Spybot and Ad-aware, and trying to follow all instructions from http://www.spywareinfo.com/articles/hijacked/#removal and FAQ #227 posted 5-16-04 at 3:58pm, I still have pop-up ads and my start up IE page changes. When opening IE (which I have to use), my start up page is changed to search200.com passthrough. Pop up ads appear often (usually University of Phoenix or Life Insurance) through 62.20.62.53/yyy3.html. When running Spybot, it finds 5 entries of DSO Exploit, which I fix, but it re-appears when re-running Spybot. When running Ad-Aware, it finds a Tracking Cookie, which I fix. It also re-appears. Here is the HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:15:25 AM, on 6/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\basfipm.exe

C:\Program Files\Network ICE\BlackICE\blackd.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\WINDOWS\System32\CCM\CcmExec.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe

C:\PROGRA~1\SOFTWA~1\fork platform.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Logitech\iTouch\kbdtray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe

C:\Program Files\WINZIP\WZQKPICK.EXE

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE

C:\TEMP\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iis.ncrnet.ncr.com/ncrnet

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [bascstray] BascsTray.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [sprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"

O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing

O14 - IERESET.INF: START_PAGE_URL=http://iis.ncrnet.ncr.com/ncrnet

O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986D} (Logoff Class) - https://mya.gateway.ncr.com/Site004C/psynch...cs/pslogoff.dll

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab

O16 - DPF: {4E67B0DB-1CAE-11D2-AD10-02608CA0806B} (NCRVersionControl Class) - http://iis.ncrnet.ncr.com/cab/NCRFile.cab

O16 - DPF: {BA2A9829-8040-4BF3-BDB6-51512826B68B} (Authentication.Authenticate) - http://iis.ncrnet.ncr.com/cab/Validate.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DD3D661B-E8FA-11D2-A018-00A0C9AD89DF} (Phonebook.Application) - http://iis.ncrnet.ncr.com/cab/phonebook.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ncr.com

O17 - HKLM\Software\..\Telephony: DomainName = corp.ncr.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ncr.com


:wave: Thanks to the person(s) who will help me. It appears that you are really overwhelmed, and I appreciate your support.

 

Reading other replies, I've moved HijackThis out of temporary and made several fixes. Here is the new HT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:13:30 AM, on 6/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\basfipm.exe

C:\Program Files\Network ICE\BlackICE\blackd.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\WINDOWS\System32\CCM\CcmExec.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe

C:\PROGRA~1\SOFTWA~1\fork platform.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Logitech\iTouch\kbdtray.exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntupd.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe

C:\Program Files\WINZIP\WZQKPICK.EXE

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [bascstray] BascsTray.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [sprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"

O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing

O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986D} (Logoff Class) - https://mya.gateway.ncr.com/Site004C/psynch...cs/pslogoff.dll

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


BUMP.

 

I've spent hours working on this myself, and think I've done everything I can do on my own. I've read many of the postings and tried many things. I've resolved many, but still have a possessed PC.

 

1) When running Spybot, I get no entries after I flagged the re-occurring 5 DSO Exploit entries to ignore (per posting I found).

 

2) When running Ad-Aware, I get only the two re-occurring Tracker Cookies, which I continue to fix/delete.

 

3) When running HijackThis, the following line re-occurs. I delete it, but it re-occurs when I re-boot:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index/htm...//www.yahoo.com

 

So, the remaining symptoms on my system are:

 

1) The re-occurring search200.com passthrough toolbar when I open Internet Explorer, and

 

2) Pop up ads appear often (usually University of Phoenix or Life Insurance) after a window "62.20.62.53/yyy3.html" appears on my bottom toolbar.

 

Any help you could give me would be appreciated. Note: I do use this PC for work and need MSN IM.

 

THANKS!!!!! :D

 

Here is my HijackThis log (before I deleted the first R0 AGAIN):

 

Logfile of HijackThis v1.97.7

Scan saved at 8:16:40 AM, on 6/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\basfipm.exe

C:\Program Files\Network ICE\BlackICE\blackd.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\WINDOWS\System32\CCM\CcmExec.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe

C:\PROGRA~1\SOFTWA~1\fork platform.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Logitech\iTouch\kbdtray.exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntupd.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe

C:\Program Files\WINZIP\WZQKPICK.EXE

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm.../www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [bascstray] BascsTray.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [sprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"

O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

The following is my latest vx2 log:

 

Log for VX2.BetterInternet File Finder

 

Files Found---

C:\WINDOWS\System32\6aO4SVC.DLL

C:\WINDOWS\System32\6bO4SVC.DLL

C:\WINDOWS\System32\6cO4SVC.DLL

C:\WINDOWS\System32\6dO4SVC.DLL

C:\WINDOWS\System32\6eO4SVC.DLL

C:\WINDOWS\System32\6fO4SVC.DLL

C:\WINDOWS\System32\6gO4SVC.DLL

C:\WINDOWS\System32\6hO4SVC.DLL

C:\WINDOWS\System32\6iO4SVC.DLL

C:\WINDOWS\System32\6jO4SVC.DLL

C:\WINDOWS\System32\6kO4SVC.DLL

C:\WINDOWS\System32\6lO4SVC.DLL

C:\WINDOWS\System32\6mO4SVC.DLL

C:\WINDOWS\System32\6nO4SVC.DLL

C:\WINDOWS\System32\6pO4SVC.DLL

C:\WINDOWS\System32\6qO4SVC.DLL

C:\WINDOWS\System32\6rO4SVC.DLL

C:\WINDOWS\System32\6sO4SVC.DLL

C:\WINDOWS\System32\6uO4SVC.DLL

C:\WINDOWS\System32\6vO4SVC.DLL

C:\WINDOWS\System32\6wO4SVC.DLL

C:\WINDOWS\System32\6xO4SVC.DLL

C:\WINDOWS\System32\6yO4SVC.DLL

C:\WINDOWS\System32\6zO4SVC.DLL

C:\WINDOWS\System32\AvTXPRXY.DLL

 

 

Guardian Key--- is called:

 

User Agent String---

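Added example (not code from the thread, from HijackThis or from VX2Finder): a Python triage script for HijackThis v1.97-style logs like the ones posted above. It splits a log into header, running processes and the Rn/On entries, diffs two scans so that an entry which comes back after a reboot stands out, and flags the patterns seen in this thread (start page on an untrusted host, toolbar with no file, bare executable in a Run value, broken LSP chain, ActiveX download from an untrusted host or with no URL). The trusted-host allowlist and both sample logs are constructed for the example from entries quoted in the thread, with the search200 URL shortened.

```python
"""Triage helper for HijackThis v1.97-style logs (added example, not code from the thread or HijackThis)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: hosts this owner accepts for IE page settings and O16 (ActiveX) downloads.
TRUSTED_HOSTS = {"www.dell.com", "download.macromedia.com", "iis.ncrnet.ncr.com"}
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O3_RE = re.compile(r"^Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^Broken Internet access because of LSP provider '(?P<dll>[^']+)' missing$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))?(?: - (?P<url>\S+))?$")

class Finding(NamedTuple):
    kind: str    # HijackThis section of the entry, e.g. "R0"
    reason: str
    line: str

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def parse_log(text: str) -> Dict[str, List[str]]:
    """Split a log into header lines, the 'Running processes' list and the Rn/On entries."""
    buckets: Dict[str, List[str]] = {"header": [], "processes": [], "entries": []}
    section = "header"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        if ENTRY_RE.match(line):
            section = "entries"
        buckets[section].append(line)
    return buckets

def diff_entries(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """(entries only in new, entries only in old), keeping log order."""
    old_set, new_set = set(old["entries"]), set(new["entries"])
    return ([e for e in new["entries"] if e not in old_set],
            [e for e in old["entries"] if e not in new_set])

def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics this thread turns on to one entry; None means nothing stood out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        _, sep, url = body.partition(" = ")  # an emptied value has no " = " at all
        if sep and url.startswith("http") and host_of(url) not in TRUSTED_HOSTS:
            return Finding(kind, f"IE page setting points at untrusted host {host_of(url)}", line)
    elif kind == "O3":
        m3 = O3_RE.match(body)
        if m3 and m3.group("file") == "(no file)":
            return Finding(kind, "toolbar CLSID registered but its file is gone (orphaned entry)", line)
    elif kind == "O4":
        m4 = O4_RUN_RE.match(body)
        if m4 and "\\" not in m4.group("cmd"):
            return Finding(kind, "Run value names a bare executable resolved through PATH", line)
    elif kind == "O10":
        m10 = O10_RE.match(body)
        if m10:
            return Finding(kind, f"Winsock LSP chain references missing {m10.group('dll')}", line)
    elif kind == "O16":
        m16 = O16_RE.match(body)
        if m16 and not m16.group("url"):
            return Finding(kind, "ActiveX CLSID with no download URL recorded", line)
        if m16 and host_of(m16.group("url")) not in TRUSTED_HOSTS:
            return Finding(kind, f"ActiveX download from untrusted host {host_of(m16.group('url'))}", line)
    return None

def triage(entries: List[str]) -> List[Finding]:
    return [f for f in map(triage_line, entries) if f is not None]

def came_back_after_reboot(before: str, after: str) -> List[Finding]:
    """Findings only for entries absent from `before` (the scan after the fix) but present in `after`."""
    added, _ = diff_entries(parse_log(before), parse_log(after))
    return triage(added)

# Constructed sample logs, trimmed to a few entries quoted in this thread: LOG_BEFORE is the scan right after the start-page entry was fixed, LOG_AFTER the next scan after a reboot.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 8:16:40 AM, on 6/9/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\SOFTWA~1\fork platform.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
"""
# The hijacked start page (URL shortened for the sample) back at the top of the R section.
HIJACKED_R0 = r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/"
LOG_AFTER = LOG_BEFORE.replace("R1 - HKCU", HIJACKED_R0 + "\nR1 - HKCU", 1)
```

Calling `came_back_after_reboot(LOG_BEFORE, LOG_AFTER)` returns just the reappearing R0 entry, while `triage(parse_log(LOG_AFTER)["entries"])` lists everything in the scan worth a second look.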

Thanks, Cleo

 

It seems that no one has come to your aid since your original posting on 06-08-04, and it is now 06-14-04. It makes me wonder if there is a solution to this problem or if everyone is too busy to give a solution. At any rate, I will still post my problem(s) and if someone gives a solution, I will post it ASAP. And I hope that you will do the same.

 

Thanks and good luck :wave:

 

 

P.S. What is Guardian Key and VX2.BetterInternet File Finder?



BUMP, please.

 

To vicegripj, thanks for your reply. Waiting for someone to come to my aid.

 

VX2Finder from a posting named "Hijack Problem - http://69.20.62.53/yyy2.html"

 

Download VX2Finder from this link:

http://www.downloads.subratam.org/VX2Finder.exe

 

 

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

 

Copy and paste the contents of the log into your next reply here.

--------------------------------

 

Sign off and stay off the internet until the entire procedure is complete.

 

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

 

Then select the *Delete these files* button.

You will be left with a notice about one file to be deleted on reboot.

It will ask to reboot on deletion of the last file (Reboot)

 

-----------------

Once back in Windows

 

 

Open VX2Finder again and click on these buttons in the right pane:

 

user agent, Guardian.reg, restore policy

 

Exit and reboot.

 

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Post it here with a fresh HijackThis log please.

 

Good luck.


Hi Cleo,

 

I'm not much of an expert, having been a member here for just 3 days, but one thing in your HijackThis log did look suspicious to me:

O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe

 

If you don't know what this is, you could try renaming the file and rebooting and seeing if this makes a difference. Change the name to anything, for example: ItsD7.exe.test

 

If you are unable to rename it (because it is in use), then you can try rebooting into Safe Mode and renaming it there, or (something I discovered yesterday), right-click on the file in Explorer, choose Properties, click the Security Tab, and check DENY for execute. Then try rebooting.

 

I'm new to this board and to this problem, but it appears there is some new malware that is hijacking lots of PCs suddenly, so the support people here may be overwhelmed. I've been watching other threads for similar issues to look for solutions.

 

Good luck.

-Joe


Thanks Joe. ItsDeductible7 is a SW program I use for my taxes. But, I need to remove the program anyway. The hijacking started way after that. But I really appreciate you trying to help. I'll delete this and two other tax programs and post a new HijackThis log.

 

Thanks again.

Cleo


Bump.

 

Spybot is clean.

 

AdAware - I removed the following re-occurring Tracking Cookies:

 

c:\documents and settings\tk12482\cookies\tk124826@bluestreak[1].txt

c:\documents and settings\tk12482\cookies\tk124826@cgi-bin[1].txt

c:\documents and settings\tk12482\cookies\tk124826@search200[2].txt

c:\valueclick[2].txt

 

VX2Finder log is as follows:

 

Log for VX2.BetterInternet File Finder

 

Files Found---

 

 

Guardian Key--- is called:

 

User Agent String---

 

 

HJT log is as follows:

 

Logfile of HijackThis v1.97.7

Scan saved at 7:33:08 AM, on 6/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\basfipm.exe

C:\Program Files\Network ICE\BlackICE\blackd.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINDOWS\System32\CCM\CcmExec.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\Program Files\Nortel Networks\Extranet_serv.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe

C:\PROGRA~1\SOFTWA~1\fork platform.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Logitech\iTouch\kbdtray.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe

C:\Program Files\WINZIP\WZQKPICK.EXE

C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntupd.exe

C:\Program Files\Microsoft Office\Office10\msoffice.exe

C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE

C:\WINDOWS\System32\WISPTIS.EXE

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [bascstray] BascsTray.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [sprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"

O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab

O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/c...t/LocalExec.CAB

O16 - DPF: {BA2A9829-8040-4BF3-BDB6-51512826B68B} (Authentication.Authenticate) - http://iis.ncrnet.ncr.com/cab/Validate.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DD3D661B-E8FA-11D2-A018-00A0C9AD89DF}

O17 - HKLM\System\CCS\Services\Tcpip\..\{B752F298-9CAE-4933-BFF5-2E782500E121}: NameServer = 149.25.1.19,149.25.24.231

 

 

Current symptoms are:

When I re-boot, IE opens with the Search200.com toolbar even though I've removed it in HijackThis and changed my default home page in Control Panel and IE Tools. When closing the Search200.com toolbar, a pop-up ad appears. This is much better than when I started, but I cannot remove these final problems.


I should add that I still get other pop-up ads, but not the all-consuming number that I did.

 

Thanks for any help I can get.


I am new here too. I have downloaded ad aware, spybot, hijack this, Cwshredder, installed norton antivirus, Bazooka scanner, spyware guard and updated all. Each one of these programs either fixed problems or gave me the info to manually fix them (Bazooka best for manual). Only one spyware that keeps trying to load is search200, but I believe spyware guard is the program that stops it by giving me the option of whether I want my homepage changed to it or left alone. I still get a pop up once in a while, usually only while surfing the net, but nothing like I was getting.

None of the other programs remove search200. They all seem to find something, but as of yet all the posts I have read on Search200 cannot make it go away. As I said, Spyware guard, after running it, at least stops the home page change and gives you the option to not let it. I don't know if this helps you any, but after scanning with all these programs and manually deleting spyware files for hours on my 3 computers it has at least dramatically decreased the pop ups and home page changes.


Cleo,

 

In case this helps, there is a new update for AdAware as of this morning; you can get it by using "check for updates now" in AdAware. I just did this and AdAware seems to have finally removed the last of my popup problem (and there was great rejoicing...)!

 

There is also a pinned message in this forum that talks about this problem:

http://www.spywareinfoforum.com/index.php?showtopic=8847

 

Good luck.

-Joe

Share this post


Link to post
Share on other sites

Thanks for the replies with what worked for some. Unfortunately, it has not worked for me. Here's my current status.

I followed all the instructions under "Pinned: All "hijacked Users" - Please read this.":

a. Ran CoolWeb Shredder

b. Ran TrendMicro virus scan

c. Updated Ad-Aware to v6.0 Build 6.1.81 ref. file: 01R324 22.06.2004 and ran it in safe mode (Ad-Aware did find a search200 registry entry, which I selected for Ad-Aware to delete)

d. Updated and ran Spybot

e. Installed and ran Trojan Hunter

When rebooting into normal mode, I still have the situation where I open IE and get hijacked with a search200.com passthrough toolbar at the bottom of my screen. I still get pop-up ads. I have not used Spyware guard as dannyrboy suggests to select not having it show up, as I would prefer to get rid of it.

Sorry about the previous BUMPs. I'm a newbie and I read in one of the instructions that I should BUMP if I didn't receive a response in 24 hours.

Looks like you are overloaded, so I appreciate any help I can get.


Here is a new HijackThis log without me deleting the search200 registry entry, as I've done many times.

Logfile of HijackThis v1.97.7
Scan saved at 7:58:55 AM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe
C:\PROGRA~1\SOFTWA~1\fork platform.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [sprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\HijackThis\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986D} (Logoff Class) - https://mya.gateway.ncr.com/Site004C/psynch...cs/pslogoff.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/c...t/LocalExec.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DD3D661B-E8FA-11D2-A018-00A0C9AD89DF}
O17 - HKLM\System\CCS\Services\Tcpip\..\{B752F298-9CAE-4933-BFF5-2E782500E121}: NameServer = 149.25.1.19,149.25.24.231


:) Just so that you know you are not being ignored - I will handle this case for you, but I need to ask for your patience while I review the log.

Please keep an eye on this message for a resolution shortly.

  1. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder, which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  2. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...B_PVER}&ar=home
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll
    O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe
    O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing <= Bytemobile Macara Connection Optimizer (seems to be installed in connection with Sprint PCS Connection Manager). This "was" a valid entry, but the file is missing, so this entry can be deleted.
  3. Please reboot into safe mode - How do I boot into "Safe" mode?
  4. The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc. listed are not present - do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
    1. DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    2. DIRECTORIES
      • Nothing Yet
    3. FILES
      • C:\PROGRA~1\SOFTWA~1\fork platform.exe
  5. Reboot again and log in normally, and repost a new HijackThis log into this message for further review.

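The helper's post above picks entries out of the log by a handful of rules: a start page or default page pointing at a host the owner never chose, a toolbar that has no name or whose DLL is not on disk, an LSP entry whose provider file is missing, and an ActiveX (DPF) entry with no name or source URL. The script below is an added example (not code from the forum, HijackThis or any tool named in the thread) that applies those same rules to log lines mechanically, so the same triage can be repeated on the next log. The sample lines are constructed in the shape of the log posted here; the list of trusted start-page hosts is an assumption for this machine, where the OEM default was www.dell.com.

```python
"""Rule-based triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Every HijackThis entry opens with a section code: R0..R3, F0..F3, O1..O23.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

# Hosts the owner expects as start/default page. Assumption for this thread,
# where the OEM default shown in the log is www.dell.com.
TRUSTED_HOSTS = {"www.dell.com"}

# Constructed sample in the shape of the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
O16 - DPF: {DD3D661B-E8FA-11D2-A018-00A0C9AD89DF}
"""


@dataclass(frozen=True)
class Finding:
    section: str
    entry: str
    reason: str


def _url_host(body):
    """Hostname of the value after ' = ', or None when the value is blank or has no host."""
    _, _, value = body.partition(" = ")
    value = value.strip()
    if not value:
        return None
    return urlparse(value).hostname


def check_entry(section, body, trusted_hosts=TRUSTED_HOSTS):
    """Yield one reason per rule the entry trips (the helper's criteria above)."""
    if section in ("R0", "R1") and (",Start Page =" in body or ",Default_Page_URL =" in body):
        host = _url_host(body)
        if host is None:
            yield "start/default page value is blank or not a URL"
        elif host.lower() not in trusted_hosts:
            yield f"start/default page points at untrusted host {host}"
    elif section == "O3":
        if body.endswith("(no file)"):
            yield "toolbar registered in the registry but its DLL is missing from disk"
        if body.startswith("Toolbar: (no name)"):
            yield "toolbar with no display name"
    elif section == "O10":
        if "missing" in body:
            yield "Winsock LSP chain references a provider DLL that is missing; networking stays broken until the chain is repaired"
    elif section == "O16":
        if " - " not in body:
            yield "ActiveX download (DPF) entry with no friendly name or source URL"


def triage(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return a Finding for every rule tripped by every parsable entry line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the running-process list, blanks
        section, body = m.groups()
        for reason in check_entry(section, body, trusted_hosts):
            findings.append(Finding(section, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Run against the constructed sample it reports five findings: the search200.com start page, the unnamed toolbar (twice, for no name and no file), the missing LSP provider and the bare DPF entry; the Dell default page, the &Radio toolbar and the ATI Run entry pass. The rules are deliberately narrow to what the thread demonstrates; an O4 entry such as the "fork platform.exe" one is only caught by knowing the path, which is why the helper still reads the log by hand.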

Thank you for your reply! So far so good after I executed the steps you suggested!

Here's my new log.

Logfile of HijackThis v1.97.7
Scan saved at 7:03:00 AM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\hijackthis\HijackThis.exe
C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iis.ncrnet.ncr.com/ncrnet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [sprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\HijackThis\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986D} (Logoff Class) - https://mya.gateway.ncr.com/Site004C/psynch...cs/pslogoff.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/c...t/LocalExec.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Let me know if you suggest anything else.

By the way, there's a special place in heaven for all the volunteers who are helping all of us uneducated, helpless people!

THANK YOU!


Your log is looking clear except for one entry ...

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iis.ncrnet.ncr.com/ncrnet

I am not getting a match on this site - Do you know what it is? If not, delete it in HijackThis.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

I am working on a cleanup/stay clean regime for Windows XP ... Please feel free to use it as you see fit...

The following is a recommended maintenance regime for Windows XP:

  1. The following DIRECTORY CONTENTS (But not the directory) need to be regularly emptied. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders" and then respond "Yes" when prompted and click on "OK" to apply the change.
    • %windir%\prefetch\
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  2. Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
  3. Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  4. Back up your files. You can use Windows Backup, which must be installed from the XP CD: <cd-Drive>\valuadd\msft\ntbackup. Be sure to back up the following:
    • Office documents.
    • Email data - messages and address book.
    • Game saves.
    • Digital photos and other artwork.
    • Movies that you have created or edited.
    • MP3s and other music files.
    • Browser favorites and bookmarks.
    • Downloaded files/programs.
    • Passwords, security codes etc. for anything that is password protected, like Quicken.
    • Activation codes for applications downloaded and registered.
  5. Do not go without an anti-virus program. Free ones include:
  6. Be sure to run a periodic Trojan scan with any of the following programs:
  7. Use a firewall such as ZoneAlarm.
  8. Regularly scan for adware and spyware using the following programs:
  9. Defragment your system. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Defragmenter".
  10. Update your system. Go to Microsoft Windows Update and download all critical updates for your system.
  11. Clean up your disk. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Cleanup".
  12. Clear your icon cache. Delete the following file: %userprofile%\Local Settings\Application Data\IconCache.db. Reboot.
  13. As bad as it may sound - once a year reinstall your O/S from scratch, i.e. reformat your hard drive, but be 100% certain that you have backed everything up as listed above.
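Both the safe-mode cleanup step in the earlier post and step 1 of the maintenance regime above say the same thing: empty the contents of the temp locations but leave the directories themselves in place, and do it for every profile on the machine, not only the one you are logged in as. The script below is an added example (not from the forum or from any tool named in the thread) that does exactly that, with a dry-run mode that only reports what would go, and that records entries it could not remove rather than aborting, since a file held open by a running program is the usual reason the thread does this from safe mode. The %windir%, %temp% and %userprofile% forms are the page's own; the sandbox builder constructs a throwaway stand-in for C:\Documents and Settings so the script can be exercised safely anywhere.

```python
"""Empty the regime's temp locations, keeping the directories (added example)."""
import os
import shutil
import tempfile

# Locations the regime lists. %VAR% forms are Windows environment references;
# os.path.expandvars resolves them on Windows and leaves them alone elsewhere.
REGIME_LOCATIONS = [
    r"%windir%\prefetch",
    r"%windir%\Temp",
    r"%temp%",
    r"%userprofile%\Local Settings\Temp",
]


def other_profile_temp_dirs(profiles_root, current_profile):
    """Temp locations of every profile under profiles_root except the current one."""
    dirs = []
    if not os.path.isdir(profiles_root):
        return dirs
    current = os.path.normcase(os.path.abspath(current_profile))
    for name in sorted(os.listdir(profiles_root)):
        profile = os.path.join(profiles_root, name)
        if not os.path.isdir(profile) or os.path.normcase(os.path.abspath(profile)) == current:
            continue
        dirs.append(os.path.join(profile, "Local Settings", "Temporary Internet Files"))
        dirs.append(os.path.join(profile, "Local Settings", "Temp"))
    return dirs


def empty_directory(directory, dry_run=True):
    """Remove everything directly inside `directory`, never the directory itself.

    Returns (removed, skipped): entries removed (or that would be removed in a
    dry run) and entries that could not be removed (in use, access denied).
    """
    removed, skipped = [], []
    if not os.path.isdir(directory):
        return removed, skipped  # location absent on this machine: nothing to do
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if dry_run:
            removed.append(path)
            continue
        try:
            if os.path.isdir(path) and not os.path.islink(path):
                shutil.rmtree(path)
            else:
                os.remove(path)  # files and symlinks alike
            removed.append(path)
        except OSError:
            skipped.append(path)  # typically held open; retry from safe mode
    return removed, skipped


def run_regime(locations, dry_run=True):
    """Apply empty_directory to every location after expanding %VAR% references."""
    removed, skipped = [], []
    for loc in locations:
        r, s = empty_directory(os.path.expandvars(loc), dry_run)
        removed.extend(r)
        skipped.extend(s)
    return removed, skipped


def build_sandbox():
    """Constructed stand-in for C:\\Documents and Settings with two profiles."""
    root = tempfile.mkdtemp(prefix="regime-")
    for profile in ("Cleo", "Guest"):
        for sub in ("Temp", "Temporary Internet Files"):
            d = os.path.join(root, profile, "Local Settings", sub)
            os.makedirs(d)
            with open(os.path.join(d, "cache.tmp"), "w") as fh:
                fh.write("junk")
            os.makedirs(os.path.join(d, "subdir"))  # nested content goes too
    return root


if __name__ == "__main__":
    root = build_sandbox()
    current = os.path.join(root, "Cleo")
    targets = [os.path.join(current, "Local Settings", "Temp")]
    targets += other_profile_temp_dirs(root, current)
    would, _ = run_regime(targets, dry_run=True)
    print(f"dry run: {len(would)} entries would be removed")
    removed, skipped = run_regime(targets, dry_run=False)
    kept = all(os.path.isdir(t) for t in targets)
    print(f"removed {len(removed)}, skipped {len(skipped)}, directories kept: {kept}")
    shutil.rmtree(root)
```

On a real XP machine the call would be `run_regime(REGIME_LOCATIONS + other_profile_temp_dirs(r"C:\Documents and Settings", os.path.expandvars("%userprofile%")), dry_run=False)` from an administrator account; run it with `dry_run=True` first and read the list, because the regime deliberately excludes the profile directories themselves and anything outside the locations it names.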

I do recognize the line you referenced, so I think I'm in great shape. Thanks again for your help and advice.


It has been a pleasure to help you :)

The problems here look to be resolved so I will close the thread. If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

If you would like to make a contribution to help support SpywareInfo, please check this link for more information.