C:\searchpage.html#1504 hijack. I CAN'T GET IT OFF!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by The_G_Man75, Jul 17, 2004.

  1. The_G_Man75

    The_G_Man75 Private E-2

    I have had this hijack for a year now, and it is now starting to get more, different hijacks onto my computer. I have found two but can't permanently delete them. One is c:\searchpage..blah..blah...blah, which has managed to get itself on my c:\ drive and now I can't get it off. Another one is 123946.dlr, which I can't get rid of either. Can anybody help?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. The_G_Man75

    The_G_Man75 Private E-2

    I ran HijackThis and fixed the problems which looked dodgy, but my homepage is still fixed and unchangeable; I can't even change it temporarily. Spybot-S&D isn't picking up anything except the changes. In HijackThis, even though I've pressed Fix on items like
    R1 - HKCU\Software\InternetExplorer, Search = c:\searchpage.html#1504
    they keep coming back. How do I fix this (with the least possible downloads)?
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Did you try Ad-Aware, CWShredder, Kill2me or the other programs listed before HijackThis, as the thread Chaslang pointed you to explains?

    About:Buster or HSRemove may work, if you follow the directions. Get them in the Spyware downloads section. :) That's your best bet with the least downloads. Following directions after asking for help will really speed things along as well.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly correct Major!!
     
  6. The_G_Man75

    The_G_Man75 Private E-2

    I have downloaded Spybot S&D, HijackThis, SpywareBlaster, About:Buster, CWShredder and Ad-Aware. I haven't run CWS yet, but I have run the rest and nothing has changed so far. :(
     
  7. The_G_Man75

    The_G_Man75 Private E-2

    CWS and all of the other programs say everything is fine and that nothing is wrong, while my Internet Options are still locked and my homepage is still being reset to c:\searchpage.html#1504. I'm going to go try HSRemove.
     
  8. The_G_Man75

    The_G_Man75 Private E-2

    I have now run HSRemove and been to doxdesk.com/parasites, and both came up with nothing. And the other hijack, 123946.dlr, is still here as well. So... what now?
     
  9. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    There is another tool called About:Buster as well that may help you. It's in the spyware section and instructions are on the download page.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Major, G_Man already said that was tried a few messages ago.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    G_Man,

    Post a HijackThis log
     
  12. The_G_Man75

    The_G_Man75 Private E-2

    What is a HijackThis log, and how do I post one?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download HijackThis here: http://www.majorgeeks.com/download3155.html

    Unzip it and run the executable file.

    Click scan and then save the log.

    This brings up the complete log and process list in a notepad file.

    Copy and paste that info back here.
     
  14. The_G_Man75

    The_G_Man75 Private E-2

    All of it?
     
  15. The_G_Man75

    The_G_Man75 Private E-2

    Logfile of HijackThis v1.98.0
    Scan saved at 01:09:29, on 20/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
    C:\WINNT\system32\SCVHOST.EXE
    C:\WINNT\system32\host32.exe
    C:\WINNT\system32\internat.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\BT Voyager\BT Voyager 2000 Wireless\ADSL WIZARD.EXE
    C:\Program Files\BT Voyager\BT Voyager Wireless\WLM.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1504
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1504
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1504
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8BD0F0A0-EE95-46A6-B337-A0F19A5A7F3A} - C:\WINNT\system32\mdcjea.dll
    O2 - BHO: (no name) - {DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} - C:\WINNT\system32\oexew.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
    O4 - HKLM\..\Run: [hsim] C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\toolbar.exe r 5
    O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINNT\system32\SCVHOST.EXE
    O4 - HKLM\..\Run: [RegCompres] C:\WINNT\system32\REGCPM32.EXE
    O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\DSB.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\host32.exe internat.dll,LoadKeyboardProfile
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: BT Voyager ADSL Connection Wizard.lnk = C:\Program Files\BT Voyager\BT Voyager 2000 Wireless\ADSL WIZARD.EXE
    O4 - Global Startup: BT Voyager Wireless Utility.lnk = C:\Program Files\BT Voyager\BT Voyager Wireless\WLM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O13 - DefaultPrefix: c:\searchpage.html?page=
    O13 - WWW Prefix: c:\searchpage.html?page=
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=
    O14 - IERESET.INF: START_PAGE_URL=http://www.mark-grimes.co.uk
    O16 - DPF: Ulster Bank AnyTime - https://anytime1.ulsterbank.com/asp/AnyTime.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by10fd.bay10.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Filter: text/html - {30640BC7-9927-49A7-A266-59D17C3FA00E} - C:\WINNT\system32\mdcjea.dll
    O18 - Filter: text/plain - {30640BC7-9927-49A7-A266-59D17C3FA00E} - C:\WINNT\system32\mdcjea.dll
     
  16. The_G_Man75

    The_G_Man75 Private E-2

    All the R0 and R1 used to be c:\searchpage....
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a couple of problems:
    1) about:blank hijack
    2) searchpage hijack


    Try running About:Buster:
    http://www.majorgeeks.com/download4289.html

    Do some searches in the spyware forum on about:buster and you will find some advice I gave to people on removing this problem making use of About:Buster.
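The triage chaslang is doing by eye on the log above, written out as an added example (this is not code from the thread, from HijackThis or from any tool named here): a Python script that parses the O2 (BHO) and O18 (MIME filter) lines, groups them by the DLL they load, and compares two logs for DLLs that came back under new CLSIDs. The sample lines are an excerpt of the two logs posted in this thread; the reason strings and the heuristics are my own assumptions about what makes an entry worth a second look, not a verdict.

```python
"""Triage of HijackThis O2 (BHO) and O18 (MIME filter) lines.

Added example; not HijackThis code. Groups O2/O18 entries by the DLL they
load so that one library registered under several CLSIDs, and one that is
both a Browser Helper Object and a text/html filter, stands out.
"""
import ntpath
import re
from collections import defaultdict

# Sample input: O2/O18 lines excerpted from the two logs in the thread
# (constructed excerpts, not complete logs).
LOG_JULY_20 = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BD0F0A0-EE95-46A6-B337-A0F19A5A7F3A} - C:\WINNT\system32\mdcjea.dll
O2 - BHO: (no name) - {DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} - C:\WINNT\system32\oexew.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O18 - Filter: text/html - {30640BC7-9927-49A7-A266-59D17C3FA00E} - C:\WINNT\system32\mdcjea.dll
O18 - Filter: text/plain - {30640BC7-9927-49A7-A266-59D17C3FA00E} - C:\WINNT\system32\mdcjea.dll
"""

LOG_JULY_24 = r"""
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll
O2 - BHO: (no name) - {9F44942A-6C0D-4EC8-86E6-C7764CCE529A} - C:\WINNT\system32\mdcjea.dll
O2 - BHO: (no name) - {DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} - C:\WINNT\system32\loruxi.dll
O18 - Filter: text/html - {97B7D35D-C9F7-4FFC-A092-106C553D5949} - C:\WINNT\system32\mdcjea.dll
O18 - Filter: text/plain - {97B7D35D-C9F7-4FFC-A092-106C553D5949} - C:\WINNT\system32\mdcjea.dll
"""

# One O2 or O18 line: section, label, CLSID and the path of the DLL it loads.
ENTRY_RE = re.compile(
    r"^(?P<section>O2|O18) - (?:BHO|Filter): (?P<label>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


def parse_entries(log_text):
    """Return the O2/O18 entries of a log as dicts; other O-lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["clsid"] = entry["clsid"].upper()
            entries.append(entry)
    return entries


def group_by_dll(entries):
    """Map lower-cased DLL file name -> {'clsids': set, 'sections': set}."""
    groups = defaultdict(lambda: {"clsids": set(), "sections": set()})
    for e in entries:
        dll = ntpath.basename(e["path"]).lower()  # ntpath handles backslashes on any OS
        groups[dll]["clsids"].add(e["clsid"])
        groups[dll]["sections"].add(e["section"])
    return groups


def triage(log_text):
    """DLLs worth reviewing, mapped to the reasons; DLLs with no reason are absent."""
    findings = {}
    for dll, info in group_by_dll(parse_entries(log_text)).items():
        reasons = []
        if len(info["clsids"]) > 1:
            reasons.append("one DLL registered under %d different CLSIDs" % len(info["clsids"]))
        if "O18" in info["sections"]:
            reasons.append("installed as a MIME filter (O18); it sees every page IE renders")
        if {"O2", "O18"} <= info["sections"]:
            reasons.append("loaded both as a BHO (O2) and as a filter (O18)")
        if reasons:
            findings[dll] = reasons
    return findings


def clsid_drift(old_log, new_log):
    """DLLs present in both logs but registered under different CLSIDs.

    Re-registration under fresh CLSIDs between scans is what the thread
    observes for mdcjea.dll; it defeats any fix that keys on the CLSID alone.
    """
    old = group_by_dll(parse_entries(old_log))
    new = group_by_dll(parse_entries(new_log))
    drift = {}
    for dll in old.keys() & new.keys():
        if old[dll]["clsids"] != new[dll]["clsids"]:
            drift[dll] = (sorted(old[dll]["clsids"]), sorted(new[dll]["clsids"]))
    return drift


if __name__ == "__main__":
    for dll, reasons in sorted(triage(LOG_JULY_20).items()):
        print(dll, "->", "; ".join(reasons))
    for dll, (before, after) in clsid_drift(LOG_JULY_20, LOG_JULY_24).items():
        print("%s re-registered: %s -> %s" % (dll, before, after))
```

Keying the comparison by CLSID instead of by DLL catches the inverse case visible in the same two logs, where {DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} moves from oexew.dll to loruxi.dll. Either way, the point of the comparison is that fixing the lines HijackThis shows is not enough when the registration keeps being recreated; the file and the registry keys that load it have to go together, as chaslang asks for further down.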
     
  18. The_G_Man75

    The_G_Man75 Private E-2

    It said everything was fine
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do a registry search for mdcjea.dll

    I want you to give me the registry key info (this is the full registry path) to the below line that is showing in HijackThis. It will be someplace in the registry and you will also see the string of numbers preceding it too:

    O18 - Filter: text/html - {30640BC7-9927-49A7-A266-59D17C3FA00E} - C:\WINNT\system32\mdcjea.dll

    Continue the search after finding it the first time because I believe it is in your registry in more than one place.

    We are going to have to delete that registry key and delete both HijackThis lines and reboot and delete the mdcjea.dll file. You need to be able to view hidden files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    If you have a problem deleting the file, right click on it and change the attribute from read only ( if it is set) and try again.
     
  20. The_G_Man75

    The_G_Man75 Private E-2

    How do I do a registry search, or is it just the normal search tool in the start menu?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can use Windows' built-in registry editor called regedit.
    Just click Start, Run, and enter regedit in the open box and click ok.

    Now select Edit, Find and enter what you want to find. I need the full registry path key info you will see at the bottom of the regedit window if you find this in the registry.

    There is a better freeware tool to use for stuff like this called Registrar Lite: http://www.majorgeeks.com/download469.html

    It makes it easier to get the info I'm asking for since you can use copy & paste.
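The registry search chaslang describes in his last two posts, done offline against a text export instead of by clicking through regedit's Find, as an added example (not code from Registrar Lite, regedit or anyone in this thread): the script reads a `.reg` file of the kind `regedit /e export.reg` writes, reports every CLSID whose InProcServer32 default value loads the named DLL, and then lists the keys that reference those CLSIDs, which is the set chaslang later asks to have deleted. The embedded export is a constructed excerpt modelled on the keys reported in this thread, with Spybot's SDHelper.dll included as a legitimate entry for contrast.

```python
"""Find the CLSIDs that load a given DLL in a regedit text export.

Added example; not the code of any tool named in the thread. Works on the
output of `regedit /e export.reg` so the whole search is reproducible and
the result can be pasted rather than copied by hand.
"""
import ntpath
import re

# Constructed .reg excerpt modelled on the keys the thread reports for
# mdcjea.dll; the SDHelper entry is a legitimate control for contrast.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30640BC7-9927-49A7-A266-59D17C3FA00E}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30640BC7-9927-49A7-A266-59D17C3FA00E}\InProcServer32]
@="C:\\WINNT\\system32\\mdcjea.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BD0F0A0-EE95-46A6-B337-A0F19A5A7F3A}\InProcServer32]
@="C:\\WINNT\\system32\\mdcjea.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\InProcServer32]
@="C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BD0F0A0-EE95-46A6-B337-A0F19A5A7F3A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
"CLSID"="{30640BC7-9927-49A7-A266-59D17C3FA00E}"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Only REG_SZ values ("name"="data" or @="data"); hex/dword values are skipped.
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>"(?:[^"\\]|\\.)*")$')
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.IGNORECASE)


def unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg_export(text):
    """Return {key path: {value name: string data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("name") == "@" else unquote(m.group("name"))
            keys[current][name] = unquote(m.group("data"))
    return keys


def clsids_loading(keys, dll_name):
    """Sorted CLSIDs whose InProcServer32 default value is the named DLL."""
    hits = set()
    for key, values in keys.items():
        m = INPROC_RE.search(key)
        if m and ntpath.basename(values.get("@", "")).lower() == dll_name.lower():
            hits.add(m.group(1).upper())
    return sorted(hits)


def keys_referencing(keys, clsids):
    """Keys naming one of the CLSIDs in their path (the CLSID registration,
    its InProcServer32 subkey, the Browser Helper Objects entry) or in a
    CLSID value (PROTOCOLS\\Filter entries, the O18 lines in HijackThis)."""
    wanted = {c.upper() for c in clsids}
    out = []
    for key, values in keys.items():
        in_path = any(c in key.upper() for c in wanted)
        in_value = values.get("CLSID", "").upper() in wanted
        if in_path or in_value:
            out.append(key)
    return sorted(out)


if __name__ == "__main__":
    reg = parse_reg_export(REG_EXPORT)
    found = clsids_loading(reg, "mdcjea.dll")
    print("CLSIDs loading mdcjea.dll:", found)
    for key in keys_referencing(reg, found):
        print("  review:", key)
```

A full export is searched in one pass, so the "one match" versus "six matches" confusion later in the thread (regedit's Find stops at each hit, and searching from a sub-key misses the rest) does not arise. Take a registry backup before deleting anything the list shows, as chaslang advises with ERUNT further down.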
     
  22. The_G_Man75

    The_G_Man75 Private E-2

    When I went into the registry editor after running it from the start menu and searching for mdcjea.dll, it came up with three files, and it said at the bottom:
    mycomputer\HKEY_current_config\software\microsoft\windows\currentversion\internet settings
    When I ran RegLite it came up with five files:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30294731-029B-4332-BF66-939456085BEC}\InProcServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30640BC7-9927-49A7-A266-59D17C3FA00E}\InProcServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BD0F0A0-EE95-46A6-B337-A0F19A5A7F3A}\InProcServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97B7D35D-C9F7-4FFC-A092-106C553D5949}\InProcServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F44942A-6C0D-4EC8-86E6-C7764CCE529A}\InProcServer32
    all under the value c:\WINNT\System32\mdcjea.dll
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm a little confused by your reply. Both regedit and Registrar Lite should have come up with the same info. Registrar Lite just shows all the matches at once whereas with regedit you have to continue scanning after each successive match.

    When you start regedit make sure you click once on the My Computer icon at the top of regedit to make sure you start at the beginning. And when you find a match write down the full path key at the bottom of regedit. Then hit F3 to look for another possible match and write it down, and so on until the whole registry is searched. I don't understand why regedit found something Registrar Lite did not and vice versa.

    Also for regedit you said you found 3 files but you only gave one path. What about the other two?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In my first post to you in this thread I asked you to run the two online scans below. It does not look like you have done that:
    http://housecall.trendmicro.com/hou.../start_corp.asp
    http://www.pandasoftware.com/active...n_principal.htm

    Tell me what these scans find if anything. I do see some bad stuff in your log.
    Also after running those two scans download and run these:
    Avast Virus Cleaner: http://www.majorgeeks.com/download4188.html
    McAfee Stinger Avert: http://www.majorgeeks.com/download4063.html

    To make sure you have the current version of About:Buster, download it again from here: http://www.majorgeeks.com/download4289.html
    Don't run it yet, just get it unzipped and ready to go.

    Note: some of the items below may no longer be present in your HijackThis log after completing the above scans. That's okay!
    After that run HijackThis and put checks on these items (do not click Fix yet):
    O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINNT\system32\SCVHOST.EXE
    O4 - HKLM\..\Run: [RegCompres] C:\WINNT\system32\REGCPM32.EXE
    O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\DSB.exe

    Now make sure you terminate your Internet Explorer sessions and then click Fix in HijackThis.

    Make sure you can view hidden files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Now reboot into safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    And delete these (check for all of them even if HijackThis did not show them):
    C:\WINNT\system32\SCVHOST.EXE
    C:\WINNT\system32\REGCPM32.EXE
    C:\Program Files\DSB\DSB.exe

    While still in safe mode run About:Buster and save its log.
    Now reboot in normal and immediately run HijackThis before anything else. Save a log.
    Now connect back here and post the About:Buster and HijackThis logs.
     
  25. The_G_Man75

    The_G_Man75 Private E-2

    Here's the HijackThis log. I couldn't make an About:Buster one because it didn't detect anything.
     
  26. The_G_Man75

    The_G_Man75 Private E-2

    Here's the HijackThis log. I couldn't make an About:Buster one because it didn't detect anything.
    Logfile of HijackThis v1.98.0
    Scan saved at 00:45:15, on 24/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
    C:\WINNT\system32\host32.exe
    C:\winnt\180solutions\msbb.exe
    C:\WINNT\system32\SCVHOST.EXE
    C:\WINNT\system32\internat.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\BT Voyager\BT Voyager 2000 Wireless\ADSL WIZARD.EXE
    C:\Program Files\BT Voyager\BT Voyager Wireless\WLM.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1504
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mark-grimes.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1504
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll
    O2 - BHO: (no name) - {9F44942A-6C0D-4EC8-86E6-C7764CCE529A} - C:\WINNT\system32\mdcjea.dll
    O2 - BHO: (no name) - {DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} - C:\WINNT\system32\loruxi.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
    O4 - HKLM\..\Run: [hsim] C:\DOCUME~1\MARKGR~1\LOCALS~1\Temp\toolbar.exe r 5
    O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\host32.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [msbb] c:\winnt\180solutions\msbb.exe
    O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINNT\system32\SCVHOST.EXE
    O4 - HKLM\..\Run: [RegCompres] C:\WINNT\system32\REGCPM32.EXE
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: BT Voyager ADSL Connection Wizard.lnk = C:\Program Files\BT Voyager\BT Voyager 2000 Wireless\ADSL WIZARD.EXE
    O4 - Global Startup: BT Voyager Wireless Utility.lnk = C:\Program Files\BT Voyager\BT Voyager Wireless\WLM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O13 - DefaultPrefix: c:\searchpage.html?page=
    O13 - WWW Prefix: c:\searchpage.html?page=
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=
    O14 - IERESET.INF: START_PAGE_URL=http://www.mark-grimes.co.uk
    O16 - DPF: Ulster Bank AnyTime - https://anytime1.ulsterbank.com/asp/AnyTime.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by10fd.bay10.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Filter: text/html - {97B7D35D-C9F7-4FFC-A092-106C553D5949} - C:\WINNT\system32\mdcjea.dll
    O18 - Filter: text/plain - {97B7D35D-C9F7-4FFC-A092-106C553D5949} - C:\WINNT\system32\mdcjea.dll
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's rather obvious that you have a problem following directions. I have given you many things to do since the beginning of this thread and you keep ignoring various steps. You never answer questions that are asked, nor do you provide feedback that indicates that you have executed any of the steps. You have a whole bunch of problems that I have been trying to work on. Come back when you are serious about fixing the problems and you have learned to follow directions. I do not like wasting my time. There are many more users here that take fixing their problems more seriously than you do, and they do not waste my time.

    Also do not post anymore HijackThis logs unless you are asked to do so. See the new rules of the forum: http://forums.majorgeeks.com/showthread.php?t=35407
     
  28. The_G_Man75

    The_G_Man75 Private E-2

    Number one, I posted the HJT log because you asked me to.
    Two, unless I say otherwise I have done everything you said.
    Three, aswcleaner and Stinger found nothing.
    Four, the online scanners crashed every time I tried them, and I tried them three times.
    Five, if I don't give results, I have not been given any.
    Six, the regedit and RegLite: sorry, I read them through again and realised I misunderstood, and still do not understand, those instructions. Could you explain them please?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not telepathic. I need feedback. Remember I'm not sitting next to you. And I specifically asked for information on what happened.
    And you are right, I did ask for that HJT log. I forgot when I posted that. Sorry about that! The rules have since changed. So now even when asked to post a log, post it as an attachment. Refer to the link I gave you.


    See! This is important information that you were not telling me. If the online scanners are not running you have something on your system that is causing this to happen. These tools run fine 95 % of the time. Do you get any particular error messages? Again this is important information.

    Again, how am I supposed to know that. And there are always results. Sometimes the result is no problems or files found. Sometimes there are problems found. Maybe the program fails to run to completion or aborts unexpectedly. Maybe it runs all the way thru and tells you nothing. But unless you tell me what happened, I don't know what happened and what you got (even if it was nothing at all) may be the wrong thing to be happening. You have to tell me what happens exactly. About:Buster always gives a report even when nothing is found. That would have been useful information.

    Just use RegLite (Registrar Lite). It's easier and faster. Run it and click the Search icon (the magnifying glass), enter mdcjea.dll in the "Text to search for" box and hit return.
    On the right side of the window all matching entries in the registry will come up. Just copy & paste each key back here. Assuming you did this correctly the last time we should see those same 5 lines you gave me before. I was confused because you said something different happened using regedit and that did not make sense.
     
  30. The_G_Man75

    The_G_Man75 Private E-2

    Sorry. When I tried the Trend Micro link it came up with the download option and I clicked Save; a while later it comes up with "Internet Explorer has generated errors and must be closed" and the option to send an error log to Microsoft. When I tried the Panda Software link, it just couldn't find the page. Here are the files Registrar Lite gave me:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30294731-029B-4332-BF66-939456085BEC}\InProcServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30640BC7-9927-49A7-A266-59D17C3FA00E}\InProcServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BD0F0A0-EE95-46A6-B337-A0F19A5A7F3A}\InProcServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97B7D35D-C9F7-4FFC-A092-106C553D5949}\InProcServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F44942A-6C0D-4EC8-86E6-C7764CCE529A}\InProcServer32
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the Panda link was broken (probably a bad cut and paste on my part). Here is the correct link:
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    The TrendMicro link should ask you to choose a country option, then it will download a .CAB file to your system. You have to click okay on the certificate popup. After that completes you just choose the disk drive or drives to scan, select Auto Clean, and then run it. How far did you get?

    Have you downloaded and installed ERUNT to do registry backups yet? I don't remember if I mentioned that in your thread yet. If not, download it here and do a backup and then do the below deletions.

    And for those five CLSID registry keys that you found, I want you to delete them. So for example you need to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30294731-029B-4332-BF66-939456085BEC}
    Do the same for the 4 remaining CLSIDs.

    Then make sure Internet Explorer is not running and have HijackThis fix:
    O2 - BHO: (no name) - {9F44942A-6C0D-4EC8-86E6-C7764CCE529A} - C:\WINNT\system32\mdcjea.dll

    Let me know the results of this. By the way you still don't have proper protection on your system. You now have added to your problems since a couple logs back. I now see:
    O4 - HKLM\..\Run: [msbb] c:\winnt\180solutions\msbb.exe
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you get these lines fixed yet:

    O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINNT\system32\SCVHOST.EXE
    O4 - HKLM\..\Run: [RegCompres] C:\WINNT\system32\REGCPM32.EXE
    O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\DSB.exe
     
  33. The_G_Man75

    The_G_Man75 Private E-2

    I fixed those lines last time you asked me to, but I think they may have come back. At Trend Micro I got as far as pressing 'Save' on the download box. The Panda one is still running (it's gonna take a while); so far it's picked up 7 infected files. Once it's finished, I'll do everything else and get back to you.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Also see if you can get started on fixing the 180solutions (N-case) msbb.exe junk. See this link: http://www.doxdesk.com/parasite/nCase.html Try to follow along the manual removal instructions because the uninstaller does not typically work.
     
  35. The_G_Man75

    The_G_Man75 Private E-2

    The Panda scan came up with two trojans which couldn't be disinfected (there were 20 overall). They're called startpage.fh and ranky.aa. The pictures it gave of startpage.fh are identical to my reset homepage, but it didn't detect the ones on the c:\ drive. I've downloaded ERUNT and run it. I'm about to do everything with the files in RegLite, but first, you mentioned protection: what do you suggest?
     
  36. The_G_Man75

    The_G_Man75 Private E-2

    I searched in RegLite for mdcjea.dll and ONE file came up, so I deleted it anyway. I'm now gonna do the stuff with HijackThis and doxdesk.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See the stuff in this link: http://forums.majorgeeks.com/showthread.php?t=38053

    If you already have Spybot S&D installed, use the Immunize feature.
    Download and install SpywareBlaster and SpywareGuard

    Get a firewall installed as mentioned in the link above.
     
  38. The_G_Man75

    The_G_Man75 Private E-2

    I searched the whole registry and it came up with 6 files for mdcjea.dll. I deleted them and followed the instructions on doxdesk, but I'm still getting a start-up page and a message saying 'already running!' every half an hour and I don't know why. I thought it was to do with 123946.dll, but I clicked on one of the links it added to my desktop and it had an uninstall button and is now gone. I'll download those spyware links now.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which two were not disinfected? And what do you mean it didn't detect the ones on the C:\ drive? What drive were you running it on?
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your previous message you said there was only one occurrence of mdcjea.dll.
    What was different now that you detected 6 of them?

    What does the start-up page say on it?
     
  41. The_G_Man75

    The_G_Man75 Private E-2

    When I was trying to copy the key from one of the files earlier I must have copied into the 'search:' box by accident, so I only picked up one; then I changed it to search the whole registry and it came up with six.
    The startup page, by which I mean the redirected homepage, is the one pictured on pandasoftware underneath searchpage.fh. By not detecting the one on the c:\ drive I mean that I have some files on my C drive which I don't know what they are. They're called cc.c, outtmp.cfg and searchpage, and they all come back even after I delete them.
    I am not familiar with SS&D, so how do I use Immunize?
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Immunize button for Spybot S&D is right on the main window that comes up when you run it. Just click on it. It will tell you how many you are already immunized against and how many you can be immunized against. Just tell it to immunize for all.
     
  43. The_G_Man75

    The_G_Man75 Private E-2

    It is done.
     
  44. The_G_Man75

    The_G_Man75 Private E-2

    SpywareGuard and SS&D keep popping up to tell me that a BHO has just been added. I keep saying remove it, but it is really annoying.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does it give more info than a BHO? How about a file name or a registry CLSID (the long string of hexadecimal numbers between {} )?
     
  46. The_G_Man75

    The_G_Man75 Private E-2

    Yes,
    "The following BHO has been added to your system:
    {9DAB679E-AA77-9C08-5BB73852AA86}

    ProgID: n/a
    File Location: C:\WINNT\System32\mdcjea.dll"
     
  47. The_G_Man75

    The_G_Man75 Private E-2

    BTW, IE doesn't start at c:\searchpage.html#1504 anymore; it starts at an about:blank page, which has something to do with msbb.
     
  48. The_G_Man75

    The_G_Man75 Private E-2

    The CLSID (I've just noticed) varies from time to time.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember this one. I had you searching for it in the registry to clean all the lines up related to it. Didn't you get those all fixed?
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I already mentioned a little ways back that you have to fix the msbb.exe stuff (part of n-case).
    I gave you a link to use in trying to fix it. Did you do that?
     
