
Start page changed to search200.com password


  • This topic is locked
25 replies to this topic

#1 Cleo (Full Member, 16 posts)

Posted 08 June 2004 - 07:34 AM

After running Spybot and Ad-aware, and trying to follow all instructions from http://www.spywarein...jacked/#removal and FAW #227 posted 5-16-04 at 3:58pm, I still have pop-up ads and my start up IE page changes. When opening IE (which I have to use), my start up page is changed to search200.com passthrough. Pop up ads appear often (usually University of Phoenix or Life Insurance) through 62.20.62.53/yyy3.html. When running Spybot, it finds 5 entries of DSO Exploit, which I fix, but it re-appears when re-running Spybot. When running Ad-Aware, it finds a Tracking Cookie, which I fix. It also re-appears. Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 8:15:25 AM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe
C:\PROGRA~1\SOFTWA~1\fork platform.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe
C:\Program Files\WINZIP\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE
C:\TEMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iis.ncrnet.ncr.com/ncrnet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://iis.ncrnet.ncr.com/ncrnet
O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986D} (Logoff Class) - https://mya.gateway....cs/pslogoff.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {4E67B0DB-1CAE-11D2-AD10-02608CA0806B} (NCRVersionControl Class) - http://iis.ncrnet.nc...cab/NCRFile.cab
O16 - DPF: {BA2A9829-8040-4BF3-BDB6-51512826B68B} (Authentication.Authenticate) - http://iis.ncrnet.nc...ab/Validate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DD3D661B-E8FA-11D2-A018-00A0C9AD89DF} (Phonebook.Application) - http://iis.ncrnet.nc...b/phonebook.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ncr.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.ncr.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ncr.com

#2 Cleo (Full Member, 16 posts)

Posted 08 June 2004 - 09:25 AM

Thanks to the person(s) who will help me. It appears that you are really overwhelmed, and I appreciate your support.

Reading other replies, I've moved HijackThis out of temporary and made several fixes. Here is new HT log:

Logfile of HijackThis v1.97.7
Scan saved at 10:13:30 AM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe
C:\PROGRA~1\SOFTWA~1\fork platform.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe
C:\Program Files\WINZIP\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986D} (Logoff Class) - https://mya.gateway....cs/pslogoff.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#3 Cleo (Full Member, 16 posts)

Posted 09 June 2004 - 07:35 AM

BUMP.

I've spent hours working on this myself, and think I've done everything I can do on my own. I've read many of the postings and tried many things. I've resolved many, but still have a possessed PC.

1) When running Spybot, I get no entries after I flagged the re-occurring 5 DSO Exploit entries to ignore (per posting I found).

2) When running Ad-Aware, I get only the two re-occurring Tracker Cookies, that I continue to fix/delete.

3) When running HijackThis, the following line re-occurs. I delete it, but it re-occurs when I re-boot:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://search200.com...//www.yahoo.com

So, the remaining symptoms on my system are:

1) The re-occurring search200.com passthrough toolbar when I open Internet Explorer, and

2) Pop up ads appear often (usually University of Phoenix or Life Insurance) after a window "62.20.62.53/yyy3.html" appears on my bottom toolbar.

Any help you could give me would be appreciated. Note: I do use this PC for work and need MSN IM.

THANKS!!!!!

Here is my HijackThis log (before I deleted the first R0 AGAIN):

Logfile of HijackThis v1.97.7
Scan saved at 8:16:40 AM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe
C:\PROGRA~1\SOFTWA~1\fork platform.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe
C:\Program Files\WINZIP\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE
C:\Program Files\HijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com.../www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


The following is my latest vx2 log:

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6aO4SVC.DLL
C:\WINDOWS\System32\6bO4SVC.DLL
C:\WINDOWS\System32\6cO4SVC.DLL
C:\WINDOWS\System32\6dO4SVC.DLL
C:\WINDOWS\System32\6eO4SVC.DLL
C:\WINDOWS\System32\6fO4SVC.DLL
C:\WINDOWS\System32\6gO4SVC.DLL
C:\WINDOWS\System32\6hO4SVC.DLL
C:\WINDOWS\System32\6iO4SVC.DLL
C:\WINDOWS\System32\6jO4SVC.DLL
C:\WINDOWS\System32\6kO4SVC.DLL
C:\WINDOWS\System32\6lO4SVC.DLL
C:\WINDOWS\System32\6mO4SVC.DLL
C:\WINDOWS\System32\6nO4SVC.DLL
C:\WINDOWS\System32\6pO4SVC.DLL
C:\WINDOWS\System32\6qO4SVC.DLL
C:\WINDOWS\System32\6rO4SVC.DLL
C:\WINDOWS\System32\6sO4SVC.DLL
C:\WINDOWS\System32\6uO4SVC.DLL
C:\WINDOWS\System32\6vO4SVC.DLL
C:\WINDOWS\System32\6wO4SVC.DLL
C:\WINDOWS\System32\6xO4SVC.DLL
C:\WINDOWS\System32\6yO4SVC.DLL
C:\WINDOWS\System32\6zO4SVC.DLL
C:\WINDOWS\System32\AvTXPRXY.DLL


Guardian Key--- is called:

User Agent String---
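
The recurring R0 start-page entry and the VX2Finder file list in the post above are easier to triage by diffing successive logs than by eye. The Python below is an added example written for this page; it is not a tool from the thread and not code from the HijackThis or VX2Finder authors. It parses the R- and O-numbered entry lines of a HijackThis log, flags start/default-page URLs whose host is not in an allowlist (TRUSTED_HOME_DOMAINS is an assumption for the example, filled from the pages the poster says they configured), flags orphaned toolbars and the broken-LSP line, diffs two logs to show what came back after a reboot, and matches the randomised ?xO4SVC.DLL file-name family from the VX2Finder log. The sample log lines are constructed from the 8 June and 9 June logs in this thread, with the search200 URL left truncated exactly as the page shows it.

```python
"""Added example: triage helpers for HijackThis-style logs.

Not part of the original thread or of the HijackThis/VX2Finder tools.
Only R0-R3 and O-numbered entry lines are parsed; the process list is ignored.
"""
import re
from urllib.parse import urlsplit

# Assumption for this example: home/default pages the owner actually set.
TRUSTED_HOME_DOMAINS = {"www.dell.com", "iis.ncrnet.ncr.com"}

# One HJT entry per line: "<kind> - <body>", e.g. "R0 - HKCU\...,Start Page = http://..."
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")

# File family from the thread's VX2Finder log: one digit, one letter, then "O4SVC.DLL".
VX2_NAME_RE = re.compile(r"^[0-9][a-z]O4SVC\.DLL$", re.IGNORECASE)


def parse_log(text):
    """Return [(kind, body), ...] for every entry line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body").strip()))
    return entries


def flag_entries(entries):
    """Return [(reason, detail), ...] for entries worth a second look."""
    findings = []
    for kind, body in entries:
        if kind in ("R0", "R1"):
            key, sep, value = body.partition(" = ")
            host = urlsplit(value.strip()).hostname or ""
            # Start/default page pointing at a host the owner never configured.
            if sep and host and host not in TRUSTED_HOME_DOMAINS:
                findings.append(("start-page hijack", f"{key} -> {value.strip()}"))
        elif kind == "O3" and body.endswith("(no file)"):
            # Toolbar CLSID still registered but its DLL is gone.
            findings.append(("orphaned toolbar", body))
        elif kind == "O10" and body.startswith("Broken Internet access"):
            # Winsock LSP chain references a DLL that no longer exists.
            findings.append(("broken LSP chain", body))
    return findings


def diff_logs(old_entries, new_entries):
    """(added, removed) between two parsed logs; 'added' shows what came back."""
    old, new = set(old_entries), set(new_entries)
    return sorted(new - old), sorted(old - new)


def looks_like_vx2_dll(path):
    """True if the file name matches the randomised ?xO4SVC.DLL family."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return VX2_NAME_RE.match(name) is not None


# Constructed sample input: lines copied from the thread's 8 June log.
LOG_8_JUNE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
"""

# The 9 June log: same entries plus the start page that returns after each
# reboot (URL truncated exactly as the page shows it).
LOG_9_JUNE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com.../www.yahoo.com/
""" + LOG_8_JUNE

# Constructed subset of the VX2Finder "Files Found" list from the thread.
VX2_FILES = [
    r"C:\WINDOWS\System32\6aO4SVC.DLL",
    r"C:\WINDOWS\System32\6zO4SVC.DLL",
    r"C:\WINDOWS\System32\AvTXPRXY.DLL",
]


def triage(old_text, new_text):
    """Return (entries added since the old log, findings for the newer log)."""
    old, new = parse_log(old_text), parse_log(new_text)
    added, _removed = diff_logs(old, new)
    return added, flag_entries(new)


if __name__ == "__main__":
    added, findings = triage(LOG_8_JUNE, LOG_9_JUNE)
    for kind, body in added:
        print("NEW SINCE LAST LOG:", kind, body)
    for reason, detail in findings:
        print(f"[{reason}] {detail}")
    for path in VX2_FILES:
        print("vx2-pattern" if looks_like_vx2_dll(path) else "other      ", path)
```

The diff is the useful part: an entry that is absent in one log and present again after the next reboot points at a persistence mechanism that HijackThis does not show, which is why fixing the R0 line alone never holds. The allowlist is deliberately explicit rather than inferred from the logs, since a hijacked default page would otherwise allowlist itself.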

#4 Cleo (Full Member, 16 posts)

Posted 10 June 2004 - 07:39 AM

BUMP.

#5 Cleo (Full Member, 16 posts)

Posted 11 June 2004 - 08:31 AM

Bump.

#6 Cleo (Full Member, 16 posts)

Posted 14 June 2004 - 06:51 AM

Bump.

#7 vicegripj (Full Member, 6 posts)

Posted 14 June 2004 - 12:06 PM

Thanks, Cleo

It seems that no one has come to your aid since your original posting on 06-08-04, and it is now 06-14-04. It makes me wonder if there is a solution to this problem or if everyone is too busy to give a solution. At any rate, I will still post my problem(s) and if someone gives a solution, I will post it ASAP. And I hope that you will do the same.

Thanks and good luck


P.S. What is Guardian Key and VX2.BetterInternet File Finder?


#9 Cleo (Full Member, 16 posts)

Posted 16 June 2004 - 06:52 AM

BUMP, please.

To vicegripj, thanks for your reply. Waiting for someone to come to my aid.

VX2Finder from a posting named "Hijack Problem - http://69.20.62.53/yyy2.html"

Download VX2Finder from this link:
http://www.downloads...g/VX2Finder.exe


Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.
--------------------------------

Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

Then select the *Delete these files* button.
You will be left with notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)

-----------------
Once back in Windows


Open VX2Finder again and click on these buttons in the right pane:

user agent, Guardian.reg, restore policy

Exit and reboot.

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Post it here with a fresh HijackThis log please.

Good luck.

#10 Cleo (Full Member, 16 posts)

Posted 17 June 2004 - 07:03 AM

Bump.

#11 Cleo (Full Member, 16 posts)

Posted 18 June 2004 - 08:38 AM

Bump - no help since 6/8/04.

#12 JoeUlowetz (Full Member, 2 posts)

Posted 18 June 2004 - 09:29 AM

Hi Cleo,

I'm not much of an expert, having been a member here for just 3 days, but one thing in your HijackThis log did look suspicious to me:
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe

If you don't know what this is, you could try renaming the file and rebooting and seeing if this makes a difference. Change the name to anything, for example: ItsD7.exe.test

If you are unable to rename it (because it is in use), then you can try rebooting into Safe Mode and renaming it there, or (something I discovered yesterday), right-click on the file in Explorer, choose Properties, click the Security tab, and check DENY for execute. Then try rebooting.

I'm new to this board and to this problem, but it appears there is some new malware that is hijacking lots of PCs suddenly, so the support people here may be overwhelmed. I've been watching other threads for similar issues to look for solutions.

Good luck.
-Joe

#13 Cleo (Full Member, 16 posts)

Posted 21 June 2004 - 06:11 AM

Thanks Joe. ItsDeductible7 is a SW program I use for my taxes. But, I need to remove the program anyway. The hijacking started way after that. But I really appreciate you trying to help. I'll delete this and two other tax programs and post a new HijackThis log.

Thanks again.
Cleo

#14 Cleo (Full Member, 16 posts)

Posted 21 June 2004 - 06:42 AM

Bump.

Spybot is clean.

AdAware - I removed the following recurring Tracking Cookies:

c:\documents and settings\tk12482\cookies\tk124826@bluestreak[1].txt
c:\documents and settings\tk12482\cookies\tk124826@cgi-bin[1].txt
c:\documents and settings\tk12482\cookies\tk124826@search200[2].txt
c:\valueclick[2].txt

VX2Finder log is as follows:

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---


HJT log is as follows:

Logfile of HijackThis v1.97.7
Scan saved at 7:33:08 AM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe
C:\PROGRA~1\SOFTWA~1\fork platform.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe
C:\Program Files\WINZIP\WZQKPICK.EXE
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.ed...t/LocalExec.CAB
O16 - DPF: {BA2A9829-8040-4BF3-BDB6-51512826B68B} (Authentication.Authenticate) - http://iis.ncrnet.nc...ab/Validate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DD3D661B-E8FA-11D2-A018-00A0C9AD89DF}
O17 - HKLM\System\CCS\Services\Tcpip\..\{B752F298-9CAE-4933-BFF5-2E782500E121}: NameServer = 149.25.1.19,149.25.24.231


Current symptoms are:

When I re-boot, IE opens with Search200.com toolbar even though I've removed it in HijackThis, and changed my default home page in Control Panel and IE Tools. When closing Search200.com toolbar, a pop-up ad appears. This is much better than when I started, but I cannot remove these final problems.

#15 Cleo (Full Member, 16 posts)

Posted 21 June 2004 - 06:53 AM

I should add that I still get other pop-up ads, but not the all consuming number that I did.

Thanks for any help I can get.

#16 dannyrboy (New Member, 3 posts)

Posted 21 June 2004 - 11:11 PM

I am new here too. I have downloaded Ad-Aware, Spybot, HijackThis, CWShredder, installed Norton AntiVirus, Bazooka scanner, SpywareGuard and updated all. Each one of these programs either fixed problems or gave me the info to manually fix them (Bazooka best for manual). Only one spyware that keeps trying to load is search200, but I believe SpywareGuard is the program that stops it by giving me the option of whether I want my homepage changed to it or left alone. I still get a pop up once in a while, usually only while surfing the net, but nothing like I was getting.

None of the other programs remove search200. They all seem to find something, but as of yet all the posts I have read on Search200 cannot make it go away. As I said, SpywareGuard, after running it, at least stops the home page change and gives you the option to not let it. I don't know if this helps you any, but after scanning with all these programs and manually deleting spyware files for hours on my 3 computers it has at least dramatically decreased the pop ups and home page changes.

#17 Cleo (Full Member, 16 posts)

Posted 22 June 2004 - 07:54 AM

Bump.

#18 JoeUlowetz (Full Member, 2 posts)

Posted 22 June 2004 - 12:55 PM

Cleo,

In case this helps, there is a new update for AdAware as of this morning; you can get it by using "check for updates now" in AdAware. I just did this and AdAware seems to have finally removed the last of my popup problem (and there was great rejoicing...)!

There is also a pinned message in this forum that talks about this problem:
http://www.spywarein...?showtopic=8847

Good luck.
-Joe

#19 dannyrboy

dannyrboy

    Member

  • New Member
  • Pip
  • 3 posts

Posted 23 June 2004 - 12:33 AM

Thanks, the Ad-Aware update worked for me; no more search200 on my systems.

#20 Cleo

Cleo

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 23 June 2004 - 07:18 AM

Thanks for the replies with what worked for some. Unfortunately, it has not worked for me. Here's my current status.

I followed all the instructions under "Pinned: All "hijacked Users" - Please read this.":
a. Ran CoolWeb Shredder
b. Ran TrendMicro virus scan
c. Updated Ad-Aware to v6.0 Build 6.1.81 ref. file: 01R324 22.06.2004 and ran in safe mode (Ad-Aware did find a search200 registry entry which I selected Ad-Aware to delete)
d. Updated and ran Spybot
e. Installed and ran Trojan Hunter

When rebooting into normal mode, I still have the situation where I open IE and get hijacked with a search200.com passthrough toolbar at the bottom of my screen. I still get pop-up ads. I have not used SpywareGuard as dannyrboy suggests to select not having it show up, as I would prefer to get rid of it.

Sorry about the previous BUMPS. I'm a newbie and I read in one of the instructions that I should BUMP if I didn't receive a response in 24 hours.

Looks like you are overloaded, so I appreciate any help I can get.

Here is a new HijackThis log without me deleting the search200 registry entry, as I've done many times.

Logfile of HijackThis v1.97.7
Scan saved at 7:58:55 AM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe
C:\PROGRA~1\SOFTWA~1\fork platform.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\HijackThis\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986D} (Logoff Class) - https://mya.gateway....cs/pslogoff.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.ed...t/LocalExec.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DD3D661B-E8FA-11D2-A018-00A0C9AD89DF}
O17 - HKLM\System\CCS\Services\Tcpip\..\{B752F298-9CAE-4933-BFF5-2E782500E121}: NameServer = 149.25.1.19,149.25.24.231

#21 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 23 June 2004 - 09:43 AM

:) Just so that you know you are not being ignored - I will handle this case for you, but I need to ask for your patience while I review the log.

Please keep an eye on this message for a resolution shortly.

#22 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 23 June 2004 - 09:51 AM

  • How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...B_PVER}&ar=home
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll
    O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe
    O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing <= Bytemobile Macara Connection Optimizer (seems to be installed in connection with Sprint PCS Connection Manager), this "Was" a valid entry but the file is missing so this entry can be deleted.
  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
    • DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    • DIRECTORIES
      • Nothing Yet
    • FILES
      • C:\PROGRA~1\SOFTWA~1\fork platform.exe
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.


#23 Cleo

Cleo

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 24 June 2004 - 06:08 AM

Thank you for your reply! So far so good after I executed the steps you suggested!

Here's my new log.

Logfile of HijackThis v1.97.7
Scan saved at 7:03:00 AM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Sprint\PCS Connection Manager\OSCM2.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\hijackthis\HijackThis.exe
C:\PROGRA~1\Sprint\PCSCON~1\IPASS\bin\IPASSC~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iis.ncrnet.ncr.com/ncrnet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Sprint\PCS Connection Manager\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\HijackThis\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCS Connection Manager 2.0.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986D} (Logoff Class) - https://mya.gateway....cs/pslogoff.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.ed...t/LocalExec.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Let me know if you suggest anything else.

By the way, there's a special place in heaven for all the volunteers who are helping all of us uneducated, helpless people!

THANK YOU!
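The before-and-after logs in this thread lend themselves to a small triage script. The following Python is an added example, not HijackThis's own code and not anything the SpywareInfo helpers used; it parses the R/O lines from excerpts of the 23 June and 24 June logs (copied from the posts above, with the process lists and most benign entries omitted), flags the kinds of entries PGPhantom asked to have fixed, and diffs the two logs to confirm that exactly the targeted entries disappeared. The allowlists of known-good start-page hosts and toolbar CLSIDs are assumptions for this one machine; because the ncr.com intranet address is not on the list, the script reports it for confirmation, which is the same question the helper asks in the next post.

```python
"""Triage two HijackThis v1.97 log excerpts: flag entries worth asking about
and diff the logs to verify a cleanup. Added example, not HijackThis code."""
import re

# Excerpts copied from the thread's 23 June (before) and 24 June (after) logs.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Bags List Flaw - {24EBDF04-72D1-9685-F6D0-40244FF771DB} - C:\PROGRA~1\INSIDE~1\ShowRdr.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [drveq] C:\PROGRA~1\SOFTWA~1\fork platform.exe
O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
"""

AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iis.ncrnet.ncr.com/ncrnet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
"""

# Per-machine allowlists (assumptions for this example): the vendor default
# page seen in the log, and the stock IE "Radio" toolbar (msdxm.ocx).
KNOWN_GOOD_HOSTS = {"www.dell.com"}
KNOWN_TOOLBAR_CLSIDS = {"{8E718888-423F-11D2-876E-00A0C9082467}"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Hostname labels joined by single dots; stops at the "..." the forum uses
# to truncate long URLs, so the search200 line still yields "search200.com".
HOST_RE = re.compile(r"https?://([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_log(text):
    """Return (section, body) tuples for every R*/O* line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def flag_entry(sec, body):
    """Return a reason string if the entry deserves a question, else None."""
    if sec in ("R0", "R1"):
        m = HOST_RE.search(body)
        if not m:  # empty value, e.g. "Toolbar,LinksFolderName ="
            return None
        host = m.group(1).lower()
        if host not in KNOWN_GOOD_HOSTS:
            return f"start/default page set to unlisted host {host}"
        return None
    if sec == "O3":
        if body.endswith("(no file)"):
            return "toolbar registered but its file is missing (orphan)"
        m = CLSID_RE.search(body)
        clsid = m.group(0).upper() if m else ""
        if clsid not in KNOWN_TOOLBAR_CLSIDS:
            return "toolbar CLSID not on the allowlist"
        return None
    if sec == "O10" and "missing" in body:
        return "Winsock LSP chain points at a missing DLL"
    return None


def triage(text):
    """List of (section, body, reason) for the entries worth asking about."""
    out = []
    for sec, body in parse_log(text):
        reason = flag_entry(sec, body)
        if reason:
            out.append((sec, body, reason))
    return out


def diff_logs(before, after):
    """(removed, added): entries present only before / only after the cleanup."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for sec, body, reason in triage(BEFORE_LOG):
        print(f"[{sec}] {reason}\n    {body}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries removed, {len(added)} added after the fix")
```

The allowlist approach is deliberately conservative: anything unrecognised is reported for the owner to confirm rather than auto-deleted, which is how the helpers in this thread work ("Do you know what it is? If not, delete it"). Once the owner confirms an address, it goes on the list and stops being reported.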

#24 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 24 June 2004 - 09:59 AM

Your log is looking clear except for one entry ...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iis.ncrnet.ncr.com/ncrnet
I am not getting a match on this site - Do you know what it is? If not, delete it in HijackThis.

Here are some tips to reduce the potential for spyware infection in the future; I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

I am working on a cleanup/stay clean regime for Windows XP ... Please feel free to use it as you see fit...
The following is a recommended maintenance regime for Windows XP:
  • The following DIRECTORY CONTENTS (But not the directory), need to be regularly emptied. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders" and then respond "Yes" when prompted and click on "OK" to apply the change.
    • %windir%\prefetch\
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
  • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  • Back up your files. You can use Windows backup which must be installed from the XP CD <cd-Drive>\valuadd\msft\ntbackup. Be sure to back up the following:
    • Office documents
    • Email data - Messages and address book
    • Game saves.
    • Digital Photos and other artwork.
    • Movies that you have created or edited.
    • MP3's and other music files.
    • Browser favorites and bookmarks.
    • Downloaded files/programs.
    • Passwords, security codes etc for anything that is password protected like Quicken.
    • Activation codes for applications downloaded and registered.
  • Do not go without an anti-virus program. Free ones include:
  • Be sure to run a periodic Trojan Scan with any of the following programs:
  • Use a Firewall such as ZoneAlarm
  • Regularly scan for adware and spyware using the following programs:
  • Defragment your system. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Defragmenter".
  • Update your system. Go to Microsoft Windows Update and download all critical updates for your system.
  • Cleanup Your Disk. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Cleanup".
  • Clear your icon cache. Delete the following file: %userprofile%\Local Settings\Application Data\IconCache.db. Reboot.
  • As bad as it may sound - Once a year reinstall your O/S from scratch - i.e. Reformat your hard drive but be 100% certain that you have backed everything up as listed above.
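The MVPS Hosts file mentioned above works by pointing known ad hosts at 127.0.0.1, while a hosts-file hijack works the other way round, pointing a legitimate name at some other address (HijackThis reports those as O1 lines). The following Python is an added example, not MVPS or HijackThis code; it parses a constructed HOSTS file and sorts each entry into a blocking entry, a system entry, a redirection to confirm, or a malformed line. The sample names use the reserved .invalid domain and a documentation address, so nothing in it is a real site.

```python
"""Audit a Windows-style HOSTS file: separate MVPS-style blocks from
redirections that deserve a question. Added example, constructed sample."""
import ipaddress

# Constructed sample, not copied from any real system.
SAMPLE_HOSTS = """
# Comment lines and trailing comments are ignored
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.invalid      # MVPS-style block
0.0.0.0         tracker.example-analytics.invalid  # also a block
203.0.113.7     www.example-bank.invalid           # a real site sent elsewhere
localhost.bad   www.broken.invalid                 # malformed address field
"""


def parse_hosts(text):
    """Return (address, hostname) pairs, one per name, with comments stripped."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def classify(addr, name):
    """'system', 'block', 'redirect' or 'malformed'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if name == "localhost" and ip.is_loopback:
        return "system"
    # 127.0.0.1 or 0.0.0.0 makes the name unreachable: the MVPS technique.
    if ip.is_loopback or ip.is_unspecified:
        return "block"
    # Any other address sends the name to a host the user did not pick.
    return "redirect"


def audit(text):
    """Group entries by classification; 'redirect' is the list to ask about."""
    report = {"system": [], "block": [], "redirect": [], "malformed": []}
    for addr, name in parse_hosts(text):
        report[classify(addr, name)].append((addr, name))
    return report


if __name__ == "__main__":
    for kind, entries in audit(SAMPLE_HOSTS).items():
        print(f"{kind}: {len(entries)}")
        for addr, name in entries:
            print(f"    {addr:<15} {name}")
```

A large MVPS-style file will produce thousands of "block" entries and that is expected; the short "redirect" list is what to compare against sites you actually use, since a hijacked entry there silently sends every visit to the listed address even after the browser start page has been cleaned.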


#25 Cleo

Cleo

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 25 June 2004 - 07:05 AM

I do recognize the line you referenced, so I think I'm in great shape. Thanks again for your help and advice.

#26 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 25 June 2004 - 09:46 AM

It has been a pleasure to help you :)

The problems here look to be resolved so I will close the thread. If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

If you would like to make a contribution to help support SpywareInfo, please check this link for more information.



