Hijack This log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by alisa, Jun 10, 2004.

  1. alisa

    alisa Private E-2

    I have Spyware problems that are going to be the death of me. I've run Spyware and Ad Aware which say my system is clean, but every time I log into Internet Explorer the pop up boxes start again. I constantly have to remove Internet Optimizer and Optimizer Active Alert from my Add/Remove programs. I also notice Media Loads and Clever IE Hooker.Jeirud returning over and over. Every once in a while it will also reset my homepage and something like 10 ads will pop up at the same time. I'm also having trouble restarting (having to do it manually each time) and of course, my programs are running slow. I've attached my Hijack This log. A million thanks for your help.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:20:09 PM, on 6/9/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\PRODSL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\CWMCWI.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\WINDOWS\TEMP\QYW3QZ.EXE
    C:\WINDOWS\SYSTEM\ASYCXC32.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\CJSWT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\GESU.EXE
    C:\WINDOWS\SYSTEM\GESU.EXE
    C:\HJT\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\cmountain\prefs.js)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\SYSTEM\IEENHANCER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    O4 - HKLM\..\Run: [Morpheus] C:\Program Files\Morpheus\Morpheus.exe /SYSTRAY
    O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\CH63CHUN\SCREEN_TEMP.PIF
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [puwsxav] C:\WINDOWS\SYSTEM\cwmcwi.exe
    O4 - HKLM\..\Run: [QYW3QZ] C:\WINDOWS\TEMP\QYW3QZ.EXE
    O4 - HKLM\..\Run: [zif] C:\WINDOWS\zif.exe
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\Yfk8.exe
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe
    O4 - HKLM\..\Run: [r39X36R] ASYCXC32.EXE
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\CH63CHUN\SCREEN_TEMP.PIF
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
    O4 - HKCU\..\Run: [a0q7RWdpi] CJSWT.EXE
    O4 - HKCU\..\RunServices: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\RunServices: [System Tray] C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\CH63CHUN\SCREEN_TEMP.PIF
    O4 - HKCU\..\RunServices: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\RunServices: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
    O4 - HKCU\..\RunServices: [a0q7RWdpi] CJSWT.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {B75522A5-65BB-473C-8878-6C35035F26C5} (TourSenderX Control) - http://www.ilookabout.com/TourSenderXControl.ocx
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9785B270-8955-469B-95F9-7EC56BF0E5C2} (ImagePosterX Control) - http://images.ilookabout.com/ImagePosterXControl.ocx
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38062.7762731481
     
  2. Noid2000

    Noid2000 Private E-2

    Alisa,

    As a new member of the board, I wanted to share a point or two I learned on Adware (Malware) issues. If you are using systems with more than one profile you need to check all of them: clean out the Cookies and Recent folders. Also check all the TEMP folders as well.

    I run HiJack and SpyBot, identify the programs and then let Microsoft ADD-REMOVE do its work, and then let the other two delete the files.

    I have discovered that some Adware programs hook into the Ad Aware program in IE and if they are removed with Add-Remove then IE can be disabled, which is why I like the HiJack utility: it tells us which BHO is affected.

    The biggest pain is the manual cleanup, but I also discovered that McAfee versions 7.x and higher detect Adware and clean them IF run in the old DOS mode (command line scanner to the new generation). The instructions are on McAfee's site, NAI.COM.

    Good Luck !!
     
  3. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Hi Alisa, well, looking through there I see several problems. Please make sure your Ad-Aware and Spybot are updated to the latest reference files, then reboot into safe mode before scanning and fix everything found, reboot normally, and please run an online virus scan here and fix anything found
    http://housecall.trendmicro.com/
    or a trojan scan here
    http://www.trojanscan.com/
    Do all these things then repost hopefully a smaller cleaner log, and we can take it from there :)
     
  4. alisa

    alisa Private E-2

    Thanks very much. Here's what I've done so far:

    1. Deleted suspicious files from Add/Remove in Control Panel.
    2. Ran Ad Aware and Spybot in Safe Mode multiple times, then again in regular mode. (Doesn't seem to want to delete a file called CleverIEHooker.Jeired)
    3. Wrote file names from Ad Aware and Spybot and manually searched Windows Explorer to make sure they were fully deleted. Also deleted cookies & temp files.
    4. Ran Disk Cleanup.
    5. Ran Trend Micro Virus scan (it found 40 infected files plus a worm. Couldn't delete 12 .cab files because it says they are in use).

    It may be worth noting that after running Micro Virus scan and rebooting, I can no longer open Internet Explorer at all. I can also no longer log off the internet. That icon seems disabled. I am writing this from Netscape. Here is my Hijack This file:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:36:28 PM, on 6/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\PRODSL.EXE
    C:\WINDOWS\SYSTEM\CWMCWI.EXE
    C:\WINDOWS\TEMP\QYW3QZ.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\PROGRAM FILES\TV MEDIA\TvmBho.dll
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\cmountain\prefs.js)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\SYSTEM\IEENHANCER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    O4 - HKLM\..\Run: [Morpheus] C:\Program Files\Morpheus\Morpheus.exe /SYSTRAY
    O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [puwsxav] C:\WINDOWS\SYSTEM\cwmcwi.exe
    O4 - HKLM\..\Run: [QYW3QZ] C:\WINDOWS\TEMP\QYW3QZ.EXE
    O4 - HKLM\..\Run: [zif] C:\WINDOWS\zif.exe
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe
    O4 - HKLM\..\Run: [AutoLoaderrwqr1IMjdLLO] "C:\WINDOWS\SYSTEM\ASYCXC32.EXE" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [r39X36R] ASYCXC32.EXE
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [VidSvr] \vidsvr.exe /Automation
    O4 - HKLM\..\RunServices: [Announcements] \annclist.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
    O4 - HKCU\..\Run: [a0q7RWdpi] CJSWT.EXE
    O4 - HKLM\..\RunOnce: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
    O4 - HKCU\..\RunOnce: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Real.com (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {B75522A5-65BB-473C-8878-6C35035F26C5} (TourSenderX Control) - http://www.ilookabout.com/TourSenderXControl.ocx
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38062.7762731481
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Alisa,

    Check this out on CleverIEHooker: http://www.pestpatrol.com/PestInfo/c/cleveriehooker.asp
    For those cab files that were infected and could not be cleaned, two steps to take:
    1) you need to disable WinME's system restore feature (to avoid getting reinfected from system backups)

    2) You need to boot in safe mode and try scanning again
     
  6. alisa

    alisa Private E-2

    Here's an update. I checked under Control Panel/System Properties and my Disable System Restore box was checked. So I'm not sure why I couldn't remove those .cab files. I also re-installed McAfee VirusScan 8.0 since I had let it expire a while back.

    I ran Ad Aware and Spybot in safe mode again. Ad Aware found 50 bad files, frustrating since I feel like I'm constantly running virus scans. Spybot found 2, always the same ones: CleverIEHooker.Jeired and DSO Exploit. I spent a bunch of time with the link you sent over about CleverIEHooker and think I figured out how to get into my registry. But I only found one file under the list they said to potentially delete. I deleted it, but of course Spybot says .jeired is still there.

    Since I work from home on this computer, I'm pulling my hair out. Here's my Hijack This file. Thanks for your help.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:33:26 PM, on 6/13/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\DELAYRUN.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\WINDOWS\PRODSL.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\HJT\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R3 - Default URLSearchHook is missing
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\cmountain\prefs.js)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Real.com (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {B75522A5-65BB-473C-8878-6C35035F26C5} (TourSenderX Control) - http://www.ilookabout.com/TourSenderXControl.ocx
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38062.7762731481
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You said "But I only found one file under the list they said to potentially delete. I deleted it, but of course".

    Which file was found? Was it the jeired.dll?
     
  8. alisa

    alisa Private E-2

    The file I deleted was: HKEY_CLASSES_ROOT\clsid\{707e6f76-9ffb-4920-a976-ea101271bc25}. Apparently this is related to the CleverIEHooker. When I did a search of my whole registry for .jeired.dll, a whole list came up including two .jeired files (the others were for my DSL connection and some other programs). But it gave no information about them, so I was afraid to delete them.

    My computer is running much better this morning - no pop ups so far. But based on the spyware/adware I know they're not gone....

    Thanks again.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have set up Windows Explorer to show hidden files and file extensions. Most installations of Windows default to not showing hidden or protected files. Similarly, extensions for known file types, such as .exe and .txt, are not shown by default either. The steps below assume that you can see all files and their extensions. If you do not know how to do this, see this link from Symantec:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

    Now shut down all applications, especially browsers and Win Explorer. Run HijackThis again and have it fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe
    Reboot your computer in safe mode and delete the following (if you do not know how to boot in safe mode go here and select your OS: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)

    C:\PROGRAM FILES\TV MEDIA <=== The whole directory
    C:\WINDOWS\SYSTEM\Adstartup.exe
    c:\installer\id53.exe


    I'm suspicious about the following line but I don't know what it is for, so do not touch it.
    Perhaps you can find it with Windows Explorer and right click on it and select Properties.
    Get the Version information on it and who it belongs to.
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
    ===========================================================
    Now we need to edit the registry. Before performing the following registry edits, you should back up your registry. You can use this small batch file utility to do that:
    RegBack Revision 2: http://www.majorgeeks.com/download2746.html

    1) Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
    2) Navigate to and delete the following registry keys if they exist:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{707E6F76-9FFB-4920-A976-EA101271BC25}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{707E6F76-9FFB-4920-A976-EA101271BC25}
    3) Exit the registry editor.
    4) Restart your computer.
    5) Run Windows Explorer and delete: c:\windows\jeired.dll (if it still exists)
    6) Run Microsoft Internet Explorer and click Tools -> Internet Options.
    7) Click the Programs tab -> Reset Web Settings.
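A defender-side triage of the log entry classes the helpers walked through in this thread (the file:// search bar, URLSearchHook and BHO entries with no file, autoruns launched from TEMP, Temporary Internet Files or c:\installer, bare and randomly named Run entries), as an added example that is not part of the original thread and not HijackThis code; the folder list, the allowlist of bare Win9x commands and the random-name heuristic are my assumptions.

```python
"""Triage a HijackThis 1.97-style log for the entry classes flagged in this thread.
Added example, not HijackThis code or any helper's own tooling. Rules: a search page
pointing at a local file, URLSearchHook/BHO entries with no backing file, unnamed BHOs
needing a publisher check, autoruns from temp/cache folders or .PIF files, autoruns
with no full path, and randomly named autoruns. Allowlist and heuristics are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
URLHOOK_RE = re.compile(r"^URLSearchHook: .* - (?P<path>.*)$")

# Folders no legitimate autorun should start from (assumed; taken from this thread's logs).
SUSPICIOUS_DIRS = ("\\TEMP\\", "\\TEMPORARY INTERNET FILES\\", "\\INSTALLER\\")
# Bare Win9x autorun commands that are normal without a full path (assumed allowlist).
KNOWN_BARE = {"systray.exe", "hidserv.exe", "mstask.exe", "rundll32.exe", "rundll"}
EXE_EXT = (".exe", ".pif", ".com", ".bat", ".scr")


def _command_exe(cmd: str) -> str:
    """Executable part of an autorun command: the quoted token, or else the shortest
    space-joined prefix ending in an executable extension (so unquoted paths with
    spaces, like the TEMPORARY INTERNET FILES entry, are kept whole)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    tokens = cmd.split(" ")
    for i in range(len(tokens)):
        head = " ".join(tokens[: i + 1])
        if head.lower().endswith(EXE_EXT):
            return head
    return tokens[0]


def _looks_random(name: str) -> bool:
    """Heuristic for generated names like [r39X36R]: letters and digits mixed, no spaces."""
    if " " in name or name.lower().endswith(".exe"):
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def triage(log_text: str) -> list[Finding]:
    """One Finding per suspicious property of each entry; an entry may yield several."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header and process-list lines carry no entry code
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and "= file://" in body:
            findings.append(Finding(line, "IE search/start page points at a local file"))
        elif code == "R3":
            h = URLHOOK_RE.match(body)
            if h and h.group("path") == "(no file)":
                findings.append(Finding(line, "URLSearchHook registered with no backing file"))
        elif code == "O2":
            b = O2_RE.match(body)
            if b and b.group("path") == "(no file)":
                findings.append(Finding(line, "orphaned BHO registration (no file)"))
            elif b and b.group("name") == "(no name)":
                findings.append(Finding(line, "unnamed BHO with a DLL present: verify version info and publisher"))
        elif code == "O4":
            a = O4_RE.match(body)
            if not a:
                continue  # "O4 - Startup:" shortcut entries are not handled here
            exe = _command_exe(a.group("cmd"))
            upper = exe.upper()
            if any(d in upper for d in SUSPICIOUS_DIRS) or upper.endswith(".PIF"):
                findings.append(Finding(line, "autorun starts from a temp/cache folder or a .PIF"))
            elif ":\\" not in exe and exe.lower() not in KNOWN_BARE:
                findings.append(Finding(line, "autorun command without a full path"))
            if _looks_random(a.group("name")):
                findings.append(Finding(line, "randomly named autorun entry"))
    return findings


# Constructed sample: a subset of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\CH63CHUN\SCREEN_TEMP.PIF
O4 - HKLM\..\Run: [QYW3QZ] C:\WINDOWS\TEMP\QYW3QZ.EXE
O4 - HKLM\..\Run: [r39X36R] ASYCXC32.EXE
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\RunServices: [VidSvr] \vidsvr.exe /Automation
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:<55} | {f.line}")
```

Findings marked "verify" (the unnamed BHO with a DLL present) are prompts to check the file's Properties, as chaslang asked for NZDD0.DLL, not removal instructions.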
     
  10. alisa

    alisa Private E-2

    Ok, I followed all the instructions. Here are some notes. I did a search for C:\WINDOWS\SYSTEM\Adstartup.exe, c:\installer\id53.exe, and jeired and could not find any of them. So hopefully they disappeared when I ran the Hijack fixes.

    You also asked about a suspicious file that ends with c:\WINDOWS\SYSTEM\NZDD0.DLL. I right clicked on it and it says it is an application extension for RealDownload. I assume that's fine to keep?

    I went back into safe mode and ran AdAware and Spybot again to be safe. AdAware came back with 4 cookies, and Spybot came back with one DSO Exploit, as it has before. The really good news is that the IEHooker.jeired file did NOT appear as usual. But what about the DSO Exploit? And are those cookies inevitable? Here is my new Hijack This file:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:38:40 PM, on 6/14/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DELAYRUN.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\PRODSL.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\RunDLL.exe
    C:\HJT\HIJACKTHIS.EXE
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\cmountain\prefs.js)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Real.com (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {B75522A5-65BB-473C-8878-6C35035F26C5} (TourSenderX Control) - http://www.ilookabout.com/TourSenderXControl.ocx
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38062.7762731481
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that's good. Sounds like we fixed the Clever IE Hooker.Jeirud problem.

    Yes, leave the c:\WINDOWS\SYSTEM\NZDD0.DLL for RealDownload. I believe it is used in conjunction with Netscape.

    For the DS0 Exploit problem, many people have been having that problem with SpyBot. They have it fix the problem but when they run it again the problem is back. See this link for info on this: http://forums.net-integration.net/index.php?showtopic=15308

    Your log looks okay now!
     
  12. alisa

    alisa Private E-2

    Excellent, thank you.

    One other problem you may or may not be familiar with: After I sent my hijack log last night I remembered I had not hit my Reset Web Settings as you asked. So I did that, and now I can't get into Internet Explorer, Outlook or Netscape! Didn't seem like a big deal to reset those settings.

    I talked for 2 1/2 hrs to my web provider and they say it is not an internet problem as I am connected fine, but this is a computer problem connecting to my browser. (I am writing from another location) Have you heard of this before? He even mentioned it could be connected to a virus...but I know we cleared those. Any ideas...or know where I can go to get help? Now I can't get online at all! Thanks.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check your Internet Properties again in internet explorer. They should look something like this however they may be different applications for you (i.e., if you use Netscape for E-mail etc)
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also did you have Internet Explorer set as your default browser before?
     
  15. alisa

    alisa Private E-2

    I'm not at my home computer, but the Internet Properties look just as I remember it. I examined it many times this morning. I'm not sure if I had Internet Explorer as my default browser...how do I know? However, Netscape won't open either. My DSL provider guy says he doesn't think it's related to setting the web settings, but that's the only change I made prior to this happening.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run another HijackThis log and let's look to see if anything shows up in the O10 section about broken LSP chains.
     
  17. alisa

    alisa Private E-2

    Ok, here is my new Hijack This file. Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:15:39 PM, on 6/15/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\WINDOWS\PRODSL.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
    C:\HJT\HIJACKTHIS.EXE
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com"); (C:\Program Files\Netscape\Users\cmountain\prefs.js)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: WinPopup.lnk = C:\WINDOWS\WINPOPUP.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {B75522A5-65BB-473C-8878-6C35035F26C5} (TourSenderX Control) - http://www.ilookabout.com/TourSenderXControl.ocx
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38062.7762731481
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see anything bad in your log. Are you still having problems with IE, Outlook, and Netscape?
    Is your network connection setup properly?
     
  19. alisa

    alisa Private E-2

    Good to know it's not another virus. Yes, I am still unable to get on any one of them. My network connection should be fine as I was on the phone with my DSL provider for 2 1/2 hours troubleshooting the Internet part of it. I can even get online to some ip addresses, though nothing else. He says it is a computer problem recognizing the browser.

    Since I saved my registry the other day, should I restore my registry? Or does the computer automatically resave your registry throughout the day? I'm at my wits end. Thanks.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do a file search for "hosts" (without the quotes). I forget where it is with WinMe. It could be c:\windows\hosts (or hosts.sam is what it was in Win98). If it only has one non-comment line in it which reads 127.0.0.1 localhost, just tell me it is okay. Otherwise cut and paste it back here.
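A hosts-file check of the kind described above, written here as an added example (it is not code from the thread, from HijackThis, or from MajorGeeks): it parses a Windows-style hosts file, ignores comment and blank lines, and reports every mapping other than 127.0.0.1 localhost, distinguishing entries that redirect a name to loopback (which silently block a site, a common way malware cuts off antivirus updates) from entries that pin a name to some other address (which override DNS). The sample file embedded below is constructed for the demonstration; the 192.0.2.10 address is a reserved documentation address, not a real host.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file for the demonstration; not the poster's real file.
SAMPLE_HOSTS = """# Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
# the two entries below are constructed hijack-style lines:
127.0.0.1       download.mcafee.com
192.0.2.10      www.example.com   # 192.0.2.0/24 is reserved for documentation
"""

LOOPBACK = ipaddress.ip_address("127.0.0.1")


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no hostname after it
        entries.append((parts[0], parts[1:]))
    return entries


def audit_hosts(text: str) -> List[str]:
    """Return one finding per suspicious mapping; an empty list means the file
    contains nothing except the expected '127.0.0.1 localhost' line."""
    findings = []
    for ip_str, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            findings.append(f"unparseable address {ip_str!r} for {names}")
            continue
        for name in names:
            if ip == LOOPBACK and name.lower() == "localhost":
                continue  # the one line a clean hosts file is expected to have
            if ip.is_loopback:
                findings.append(f"{name} redirected to loopback ({ip}): site is blocked")
            else:
                findings.append(f"{name} pinned to {ip}: overrides DNS for that name")
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To check a real machine, read the file (c:\windows\hosts on Windows 9x/ME, as the post says) and pass its contents to audit_hosts().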
     
  21. alisa

    alisa Private E-2

    I searched for "hosts" and there were two, LMhosts and hosts.sam. Hosts.sam (opened in Notepad) did have a line at the bottom called 127.0.0.1 local host, just as you asked for. Is this what you were looking for?

    Also, I went back and checked my Internet Properties under Programs and the box called "Internet Explorer should check to see if it is the default browser" was not checked as yours was. Should I check that box?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, that's it. This is okay!


    Only if you want it to be your default browser. You did say you used Netscape too. Which one do you want to be default?

    I don't think this has anything to do with why you cannot get to the internet. How do you connect to the internet? Do you have a router? Are you sure things are still provisioned correctly? If using a router, are you using static IP addresses or DHCP? Can you ping the router from your PC? If this is over your head, let me know in the next message and we'll take it slower.
     
  23. alisa

    alisa Private E-2

    Yeah, unfortunately some of that was over my little head! Not sure what a router is...? I can tell you I have DSL and when I login, that works fine. When online with the DSL guy we did ping some ip addresses (yahoo was one I think) and I could open those right up in Internet Explorer. But no "normal www.etc." web sites - I get the "Error: This page can not be displayed" message. So I am online but there's a problem connecting anywhere.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  26. alisa

    alisa Private E-2

    I will check this all out on my computer when I get home tonight. Question: The Microsoft pages suggest backing up your registry because I will have to remove registry files. But I'm wondering if that will erase the registry backup I did a few days ago before removing the spyware registry files? Will restoring that registry bring me back to where I was when I could get online? Or is that even possible since time has passed? Sorry, the registry scares me...! Thanks.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Depends on how and what you used to back it up the last time. Backups do not necessarily have to overwrite previous ones. They can be time/date oriented. If you restore your old one, chances are that you may resolve this problem (can't be sure though). But you may bring back other issues that will have to get fixed again.

    Try the very first item I gave you first. It does not require any registry touching.
     
  28. alisa

    alisa Private E-2

    Well, after many frustrating hours deleting cookies, calling my isp, etc. I broke down and deleted those registry keys in the instructions you gave me. This is the one that involved deleting then restoring, I believe, the winsock2. And it worked!!! I am back online. Crossing my fingers this is permanent. I can't thank you enough for all your help.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Congrats! Good work! I'm happy we finally got this worked out. :)
     
