home search assistant spyware (please help!)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lapras53, Jun 19, 2004.

  1. lapras53

    lapras53 Private E-2

    hello, this is my first post...I really need some help...

    I can't figure out this board, so I apologize if this question has appeared one hundred times...but I somehow managed to get the home search assistant spyware...it keeps throwing popups at me that have "only the best" at the very top...sometimes I see pictures in the pop ups and sometimes they just have picture cannot be displayed 'x' on them...

    I have no idea what I'm doing with hijack this, but here is the log file, I was hoping someone might be able to tell me what I should fix...

    Logfile of HijackThis v1.97.7
    Scan saved at 3:52:22 PM, on 6/19/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\ATLXO32.EXE
    C:\WINDOWS\MFCRV32.EXE
    C:\WINDOWS\NETZT32.EXE
    C:\WINDOWS\SYSTEM\APPCG.EXE
    C:\WINDOWS\SYSWX.EXE
    C:\WINDOWS\ADDRC.EXE
    C:\WINDOWS\NTKB.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\NTKB.EXE
    C:\WINDOWS\NTVI32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\NTVI32.EXE
    C:\WINDOWS\SYSBZ.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\NTKB.EXE
    C:\WINDOWS\SYSTEM\SYSWX.EXE
    C:\WINDOWS\SYSTEM\SYSWX.EXE
    C:\WINDOWS\SYSTEM\MFCCJ32.EXE
    C:\WINDOWS\NTVI32.EXE
    C:\WINDOWS\APIOK32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\ATLIA.EXE
    C:\WINDOWS\ATLXO32.EXE
    C:\WINDOWS\ATLXO32.EXE
    C:\WINDOWS\CRHM.EXE
    C:\WINDOWS\SYSTEM\NETNO32.EXE
    C:\WINDOWS\NETZT32.EXE
    C:\WINDOWS\SYSTEM\IETI32.EXE
    C:\WINDOWS\ATLXO32.EXE
    C:\WINDOWS\SYSGH32.EXE
    C:\WINDOWS\SYSWX.EXE
    C:\WINDOWS\SYSTEM\SYSCO.EXE
    C:\WINDOWS\NTVI32.EXE
    C:\WINDOWS\D3FS.EXE
    C:\WINDOWS\D3FS.EXE
    C:\WINDOWS\D3FS.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\2DUZOXER\HIJACKTHIS[1].EXE
    C:\WINDOWS\NTKB.EXE
    C:\WINDOWS\IEOC.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eontb.dll/sp.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://eontb.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eontb.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://eontb.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eontb.dll/sp.html#27859
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by P.D. Computers, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
    O2 - BHO: (no name) - {FD0D7996-6B08-3544-63DE-B2D8F52A8043} - C:\WINDOWS\SYSTEM\ATLGR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-US\MSNTB.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ATLIA.EXE] C:\WINDOWS\ATLIA.EXE
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [APPCG.EXE] C:\WINDOWS\SYSTEM\APPCG.EXE
    O4 - HKLM\..\RunServices: [MFCRV32.EXE] C:\WINDOWS\MFCRV32.EXE
    O4 - HKLM\..\RunServices: [SYSWX.EXE] C:\WINDOWS\SYSWX.EXE
    O4 - HKLM\..\RunServices: [ATLXO32.EXE] C:\WINDOWS\ATLXO32.EXE
    O4 - HKLM\..\RunServices: [NTKB.EXE] C:\WINDOWS\NTKB.EXE
    O4 - HKLM\..\RunServices: [ADDRC.EXE] C:\WINDOWS\ADDRC.EXE
    O4 - HKLM\..\RunServices: [NETZT32.EXE] C:\WINDOWS\NETZT32.EXE
    O4 - HKLM\..\RunServices: [NTVI32.EXE] C:\WINDOWS\NTVI32.EXE
    O4 - HKLM\..\RunServices: [SYSBZ.EXE] C:\WINDOWS\SYSBZ.EXE
    O4 - HKLM\..\RunServices: [MFCCJ32.EXE] C:\WINDOWS\SYSTEM\MFCCJ32.EXE
    O4 - HKLM\..\RunServices: [APIOK32.EXE] C:\WINDOWS\APIOK32.EXE
    O4 - HKLM\..\RunServices: [CRHM.EXE] C:\WINDOWS\CRHM.EXE
    O4 - HKLM\..\RunServices: [NETNO32.EXE] C:\WINDOWS\SYSTEM\NETNO32.EXE
    O4 - HKLM\..\RunServices: [IETI32.EXE] C:\WINDOWS\SYSTEM\IETI32.EXE
    O4 - HKLM\..\RunServices: [SYSGH32.EXE] C:\WINDOWS\SYSGH32.EXE
    O4 - HKLM\..\RunServices: [SYSCO.EXE] C:\WINDOWS\SYSTEM\SYSCO.EXE
    O4 - HKLM\..\RunServices: [D3FS.EXE] C:\WINDOWS\D3FS.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.effingham.net
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab

    I'm running on Windows 98...any help would be greatly appreciated
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are overflowing with mutations from this. Have you been playing around with using HijaakThis to try to fix this a few times?

    Can you check to see if this file is on your system: C:\WINDOWS\SYSTEM\ATLGR.EXE
    I know you have an ATLGR.dll. I want to see if there is also an EXE.
    You need to make sure you can view Hidden Files and Folders with Windows Explorer. See this: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
     
  3. lapras53

    lapras53 Private E-2

    No, I haven't ever used hijack this before...

    I've run Ad-Aware and Spybot a few times, but neither of them has fixed the problem...I've just checked in the Windows system folder and I see atlgr.dll but I do not see atlgr.exe
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you make sure of following this step:

    "You need to make sure you can view Hidden Files and Folders with Windows Explorer."
     
  5. lapras53

    lapras53 Private E-2

    yes, I can view hidden files...what's next?...do I need to get this file?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Just tell me: can you see atlgr.exe now!
     
  7. lapras53

    lapras53 Private E-2

    Okay, so I've checked the system folder and have run a search to find the file atlgr.exe, but it turned up no results...I see atlgr.dll, but no atlgr.exe...what do I do next?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please give me a new HijaakThis log first. Make sure no browsers or Win Explorer sessions are running when you run HijaakThis.
     
  9. lapras53

    lapras53 Private E-2

    AH!, man, my comp. is really starting to slow down...and the home page keeps going to home search...this sucks guys...please help...

    Here is another hijackthis scan...I didn't have any windows open besides the program when I did it...

    Logfile of HijackThis v1.97.7
    Scan saved at 6:18:10 PM, on 6/20/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\APPCG.EXE
    C:\WINDOWS\ATLXO32.EXE
    C:\WINDOWS\SYSWX.EXE
    C:\WINDOWS\NTVI32.EXE
    C:\WINDOWS\NTKB.EXE
    C:\WINDOWS\ADDRC.EXE
    C:\WINDOWS\SYSTEM\MFCCJ32.EXE
    C:\WINDOWS\NETZT32.EXE
    C:\WINDOWS\SYSBZ.EXE
    C:\WINDOWS\MFCRV32.EXE
    C:\WINDOWS\CRHM.EXE
    C:\WINDOWS\APIOK32.EXE
    C:\WINDOWS\SYSTEM\NETNO32.EXE
    C:\WINDOWS\SYSTEM\IETI32.EXE
    C:\WINDOWS\SYSGH32.EXE
    C:\WINDOWS\SYSTEM\SYSCO.EXE
    C:\WINDOWS\SYSTEM\IEPR.EXE
    C:\WINDOWS\IEOC.EXE
    C:\WINDOWS\D3FS.EXE
    C:\WINDOWS\SYSTEM\MFCHT32.EXE
    C:\WINDOWS\SYSTEM\CRZY.EXE
    C:\WINDOWS\SDKMS.EXE
    C:\WINDOWS\SYSTEM\MSWW.EXE
    C:\WINDOWS\JAVACK.EXE
    C:\WINDOWS\ADDXT32.EXE
    C:\WINDOWS\ATLCY.EXE
    C:\WINDOWS\SYSTEM\SYSVR32.EXE
    C:\WINDOWS\SYSTEM\NETUL32.EXE
    C:\WINDOWS\SYSTEM\ATLAY32.EXE
    C:\WINDOWS\SYSTEM\MSZB.EXE
    C:\WINDOWS\WINRP32.EXE
    C:\WINDOWS\IPUJ.EXE
    C:\WINDOWS\JAVAOI32.EXE
    C:\WINDOWS\NTVZ.EXE
    C:\WINDOWS\JAVABB.EXE
    C:\WINDOWS\IEBS.EXE
    C:\WINDOWS\SYSTEM\JAVAUJ32.EXE
    C:\WINDOWS\SYSWX.EXE
    C:\WINDOWS\IPNA32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\IETI32.EXE
    C:\WINDOWS\SYSTEM\IEVX32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSBZ.EXE
    C:\WINDOWS\APIXT32.EXE
    C:\WINDOWS\APIXT32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSCO.EXE
    C:\WINDOWS\APIOK32.EXE
    C:\WINDOWS\SYSTEM\IEPR.EXE
    C:\WINDOWS\APIXT32.EXE
    C:\WINDOWS\APIXT32.EXE
    C:\WINDOWS\ATLQX32.EXE
    C:\WINDOWS\DESKTOP\BRAD'S STUFF\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nyxbb.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nyxbb.dll/index.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nyxbb.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nyxbb.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nyxbb.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nyxbb.dll/sp.html#27859
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by P.D. Computers, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
    O2 - BHO: (no name) - {FD0D7996-6B08-3544-63DE-B2D8F52A8043} - C:\WINDOWS\SYSTEM\ATLGR.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O2 - BHO: (no name) - {55930C53-29C9-B309-3DD8-E0C4843E91AD} - C:\WINDOWS\NETSH.DLL (file missing)
    O2 - BHO: (no name) - {8C37367A-2DD7-D628-3FE9-57A744A38DF9} - C:\WINDOWS\SYSTEM\ADDYZ32.DLL (file missing)
    O2 - BHO: (no name) - {46D4E454-70DA-2B3F-1D10-69C7CE8C375C} - C:\WINDOWS\SYSKO32.DLL (file missing)
    O2 - BHO: (no name) - {B4125912-A4AB-5995-5D36-AC2CEDD0FD1C} - C:\WINDOWS\CRYH32.DLL (file missing)
    O2 - BHO: (no name) - {BE166C01-C895-7DB1-E1E6-B6BD6196E91F} - C:\WINDOWS\NETYE32.DLL (file missing)
    O2 - BHO: (no name) - {9ABFF989-9ED7-3145-0593-2AEE710D89F0} - C:\WINDOWS\SYSTEM\NTMD32.DLL
    O2 - BHO: (no name) - {99CD36FC-5A1C-A22E-3D74-2B4A9C0E897C} - C:\WINDOWS\D3SF32.DLL (file missing)
    O2 - BHO: (no name) - {48535929-2907-F7C1-1E4F-AF3F6D02A932} - C:\WINDOWS\D3UK32.DLL (file missing)
    O2 - BHO: (no name) - {9A81ADE0-5E7F-0E4E-78B9-FD1D291D1B99} - C:\WINDOWS\ATLUG32.DLL (file missing)
    O2 - BHO: (no name) - {76EAC69B-36B3-EEBD-9936-906570715E75} - C:\WINDOWS\SYSTEM\APPRQ.DLL (file missing)
    O2 - BHO: (no name) - {EB7A1A2D-9C0D-C8D4-8A9B-F6E22A647B85} - C:\WINDOWS\MSVN32.DLL (file missing)
    O2 - BHO: (no name) - {94C91E70-B010-2BD0-9276-8B2FF4228804} - C:\WINDOWS\SYSTEM\NETBD.DLL (file missing)
    O2 - BHO: (no name) - {90B46B07-282D-8DDE-D296-452CDBB0603B} - C:\WINDOWS\APINH32.DLL (file missing)
    O2 - BHO: (no name) - {655D9CE4-1199-9A9A-0FBD-E8A5D9B1F5E2} - C:\WINDOWS\SYSCP.DLL (file missing)
    O2 - BHO: (no name) - {1819A5B6-F3D0-0680-3146-E5B7D824ED78} - C:\WINDOWS\SYSTEM\MSAR.DLL (file missing)
    O2 - BHO: (no name) - {9EFD529D-46F8-2CEA-E958-34254F447995} - C:\WINDOWS\SYSTEM\IPDS.DLL (file missing)
    O2 - BHO: (no name) - {1B033C73-3462-A181-4482-AF3DB2818C44} - C:\WINDOWS\SYSTEM\NTPD.DLL (file missing)
    O2 - BHO: (no name) - {B30AA243-095D-D488-E85E-01E95DF815DB} - C:\WINDOWS\APPFQ.DLL (file missing)
    O2 - BHO: (no name) - {8AF1C8F8-5F05-34F3-4344-BC61A74FCC50} - C:\WINDOWS\SYSTEM\MFCJX32.DLL (file missing)
    O2 - BHO: (no name) - {773BCC80-D9FF-7281-852F-435394A76511} - C:\WINDOWS\D3TB32.DLL
    O2 - BHO: (no name) - {D9F9BB90-41F0-23DB-5F55-74ED758D5652} - C:\WINDOWS\ADDHE32.DLL
    O2 - BHO: (no name) - {D6BCF46E-3B9F-432D-4764-F5D9935AD1D4} - C:\WINDOWS\SYSTEM\SYSGG32.DLL
    O2 - BHO: (no name) - {C3D0592A-E898-9364-DBD7-EC2ED69821AF} - C:\WINDOWS\MSQM32.DLL (file missing)
    O2 - BHO: (no name) - {9C16FA79-E202-5556-3FED-BB3A84A76390} - C:\WINDOWS\SYSTEM\MSWV32.DLL (file missing)
    O2 - BHO: (no name) - {FF8F3EAB-3991-A7D5-F170-5ED0347927A1} - C:\WINDOWS\APPGF.DLL
    O2 - BHO: (no name) - {5B9FD345-F3DE-D005-2ECE-CAB9FE8750CF} - C:\WINDOWS\NETGG32.DLL (file missing)
    O2 - BHO: (no name) - {FF3F316D-3A20-4593-E7A7-4A6A52D8F46F} - C:\WINDOWS\SYSTEM\CRTP32.DLL (file missing)
    O2 - BHO: (no name) - {FD286674-B409-A4AA-9816-759558773A17} - C:\WINDOWS\SYSTEM\APPKV.DLL (file missing)
    O2 - BHO: (no name) - {6BEACA14-DD48-CDE9-566D-05631A5E5DF9} - C:\WINDOWS\SYSTEM\NETPC.DLL (file missing)
    O2 - BHO: (no name) - {A0EAF1EC-2878-C620-F226-0939C22A423E} - C:\WINDOWS\SYSTEM\ADDWN32.DLL (file missing)
    O2 - BHO: (no name) - {C22D9ED6-EDCC-967A-DFB1-0043697AEF16} - C:\WINDOWS\SYSTEM\SYSMF32.DLL (file missing)
    O2 - BHO: (no name) - {8DD0E093-F203-A226-34B6-803644787EFF} - C:\WINDOWS\ADDYR32.DLL (file missing)
    O2 - BHO: (no name) - {2DAD5652-3FF5-FF26-8446-2EE69A7D486A} - C:\WINDOWS\SYSWV.DLL
    O2 - BHO: (no name) - {BD9B5942-DE20-0F3F-B80C-F71F7AB6EC47} - C:\WINDOWS\SYSTEM\IPRP.DLL (file missing)
    O2 - BHO: (no name) - {792E5EAE-8A79-E368-3772-122B30F2715E} - C:\WINDOWS\JAVAFO.DLL (file missing)
    O2 - BHO: (no name) - {9350B908-510A-7040-0081-64766EE64B4F} - C:\WINDOWS\SYSTEM\ADDKR.DLL (file missing)
    O2 - BHO: (no name) - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\NTUR.DLL (file missing)
    O2 - BHO: (no name) - {CF295B84-1F3D-A13C-944E-90632373707E} - C:\WINDOWS\MFCYY32.DLL (file missing)
    O2 - BHO: (no name) - {70AB792D-E2FE-36CE-A6EF-BD60E41F7B9C} - C:\WINDOWS\SYSTEM\NETMD32.DLL (file missing)
    O2 - BHO: (no name) - {51365430-633C-3E97-DEE5-CC369E4261D1} - C:\WINDOWS\APILV.DLL (file missing)
    O2 - BHO: (no name) - {CDA7057E-A543-553D-5E37-BBDF205DFD7B} - C:\WINDOWS\ADDLM32.DLL (file missing)
    O2 - BHO: (no name) - {9B261FA6-9B63-5063-797E-458D1EEA0124} - C:\WINDOWS\MSWD32.DLL (file missing)
    O2 - BHO: (no name) - {F460ED7A-B35F-3A16-BF66-77D8F480B2B6} - C:\WINDOWS\SYSTEM\WINNA32.DLL (file missing)
    O2 - BHO: (no name) - {EBC21DD1-18C4-74D7-C935-89E653731491} - C:\WINDOWS\IPNZ32.DLL (file missing)
    O2 - BHO: (no name) - {30944EFD-8C58-3721-9AD2-266F9E5DF50A} - C:\WINDOWS\SDKBU32.DLL (file missing)
    O2 - BHO: (no name) - {2284453A-6D78-BE4F-6C59-8D255DBFA2FB} - C:\WINDOWS\SYSTEM\CRQD.DLL
    O2 - BHO: (no name) - {84B595BB-1DC9-852C-6316-3392A8C5B814} - C:\WINDOWS\SYSTEM\NTHW.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-US\MSNTB.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [APPCG.EXE] C:\WINDOWS\SYSTEM\APPCG.EXE
    O4 - HKLM\..\RunServices: [MFCRV32.EXE] C:\WINDOWS\MFCRV32.EXE
    O4 - HKLM\..\RunServices: [SYSWX.EXE] C:\WINDOWS\SYSWX.EXE
    O4 - HKLM\..\RunServices: [ATLXO32.EXE] C:\WINDOWS\ATLXO32.EXE
    O4 - HKLM\..\RunServices: [NTKB.EXE] C:\WINDOWS\NTKB.EXE
    O4 - HKLM\..\RunServices: [ADDRC.EXE] C:\WINDOWS\ADDRC.EXE
    O4 - HKLM\..\RunServices: [NETZT32.EXE] C:\WINDOWS\NETZT32.EXE
    O4 - HKLM\..\RunServices: [NTVI32.EXE] C:\WINDOWS\NTVI32.EXE
    O4 - HKLM\..\RunServices: [SYSBZ.EXE] C:\WINDOWS\SYSBZ.EXE
    O4 - HKLM\..\RunServices: [MFCCJ32.EXE] C:\WINDOWS\SYSTEM\MFCCJ32.EXE
    O4 - HKLM\..\RunServices: [APIOK32.EXE] C:\WINDOWS\APIOK32.EXE
    O4 - HKLM\..\RunServices: [CRHM.EXE] C:\WINDOWS\CRHM.EXE
    O4 - HKLM\..\RunServices: [NETNO32.EXE] C:\WINDOWS\SYSTEM\NETNO32.EXE
    O4 - HKLM\..\RunServices: [IETI32.EXE] C:\WINDOWS\SYSTEM\IETI32.EXE
    O4 - HKLM\..\RunServices: [SYSGH32.EXE] C:\WINDOWS\SYSGH32.EXE
    O4 - HKLM\..\RunServices: [SYSCO.EXE] C:\WINDOWS\SYSTEM\SYSCO.EXE
    O4 - HKLM\..\RunServices: [D3FS.EXE] C:\WINDOWS\D3FS.EXE
    O4 - HKLM\..\RunServices: [IEOC.EXE] C:\WINDOWS\IEOC.EXE
    O4 - HKLM\..\RunServices: [IEPR.EXE] C:\WINDOWS\SYSTEM\IEPR.EXE
    O4 - HKLM\..\RunServices: [MFCHT32.EXE] C:\WINDOWS\SYSTEM\MFCHT32.EXE
    O4 - HKLM\..\RunServices: [SDKMS.EXE] C:\WINDOWS\SDKMS.EXE
    O4 - HKLM\..\RunServices: [CRZY.EXE] C:\WINDOWS\SYSTEM\CRZY.EXE
    O4 - HKLM\..\RunServices: [MSWW.EXE] C:\WINDOWS\SYSTEM\MSWW.EXE
    O4 - HKLM\..\RunServices: [JAVACK.EXE] C:\WINDOWS\JAVACK.EXE
    O4 - HKLM\..\RunServices: [ADDXT32.EXE] C:\WINDOWS\ADDXT32.EXE
    O4 - HKLM\..\RunServices: [NETUL32.EXE] C:\WINDOWS\SYSTEM\NETUL32.EXE
    O4 - HKLM\..\RunServices: [ATLCY.EXE] C:\WINDOWS\ATLCY.EXE
    O4 - HKLM\..\RunServices: [ATLAY32.EXE] C:\WINDOWS\SYSTEM\ATLAY32.EXE
    O4 - HKLM\..\RunServices: [WINRP32.EXE] C:\WINDOWS\WINRP32.EXE
    O4 - HKLM\..\RunServices: [IPUJ.EXE] C:\WINDOWS\IPUJ.EXE
    O4 - HKLM\..\RunServices: [SYSVR32.EXE] C:\WINDOWS\SYSTEM\SYSVR32.EXE
    O4 - HKLM\..\RunServices: [MSZB.EXE] C:\WINDOWS\SYSTEM\MSZB.EXE
    O4 - HKLM\..\RunServices: [JAVAOI32.EXE] C:\WINDOWS\JAVAOI32.EXE
    O4 - HKLM\..\RunServices: [NTVZ.EXE] C:\WINDOWS\NTVZ.EXE
    O4 - HKLM\..\RunServices: [JAVABB.EXE] C:\WINDOWS\JAVABB.EXE
    O4 - HKLM\..\RunServices: [IEBS.EXE] C:\WINDOWS\IEBS.EXE
    O4 - HKLM\..\RunServices: [JAVAUJ32.EXE] C:\WINDOWS\SYSTEM\JAVAUJ32.EXE
    O4 - HKLM\..\RunServices: [IPNA32.EXE] C:\WINDOWS\IPNA32.EXE
    O4 - HKLM\..\RunServices: [IEVX32.EXE] C:\WINDOWS\SYSTEM\IEVX32.EXE
    O4 - HKLM\..\RunServices: [APIXT32.EXE] C:\WINDOWS\APIXT32.EXE
    O4 - HKLM\..\RunServices: [ATLQX32.EXE] C:\WINDOWS\ATLQX32.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.effingham.net
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wow! This is getting bad. Have you been playing around with trying to fix things with HijaakThis or some other method? The problem is mutating into dozens of files. Don't touch anything else yet. You have to give me some time to absorb all this. But one thing I need you to do first is to open regedit (Click Start, Run, and enter regedit then click OK).

    Navigate down to:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    and give me a list of what you see under this key.
    Also look at:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    and give me a list of what you see under this key.

    I'm going to be out for a while now, a couple of hours! I'll catch up when I get back in.
     
  11. lapras53

    lapras53 Private E-2

    Thanks again for the help...the only things I've done to the system so far are to run the Ad-Aware and Spybot programs...here is a list of what is in my HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    (Default)
    ADDBL32.EXE
    ADDRC.EXE
    ADDXT32.EXE
    APILQ.EXE
    APIOK32.EXE
    APIXT32.EXE
    APPCG.EXE
    ATLAY32.EXE
    ATLCY.EXE
    ATLQX32.EXE
    ATLXO32.EXE
    CREE.EXE
    CRHM.EXE
    CRZY.EXE
    D3FS.EXE
    IEBS.EXE
    IEOC.EXE
    IEPR.EXE
    IETI32.EXE
    IEVX32.EXE
    IEXD.EXE
    IEYU32.EXE
    IPNA32.EXE
    IPUJ.EXE
    JAVABB.EXE
    JAVACK.EXE
    JAVAOI32.EXE
    JAVAQZ32.EXE
    JAVAUJ32.EXE
    LOADPOWERPROFILE
    MFCCJ32.EXE
    MFCHT32.EXE
    MFCRV32.EXE
    MSWW.EXE
    MSZB.EXE
    NETNO32.EXE
    NETUL32.EXE
    NETZT32.EXE
    NTKB.EXE
    NTVI32.EXE
    NTVZ.EXE
    SCHEDULINGAGENT
    SDKMS.EXE
    SYSBZ.EXE
    SYSCO.EXE
    SYSGH32.EXE
    SYSVR32.EXE
    SYSWX.EXE
    WINGE.EXE
    WINMODEM
    WINRP32.EXE

    As far as the other list in
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    All that it said was (Default), so I'm guessing it's empty
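The reconciliation that follows in the thread (matching each RunServices value name to the path the HijackThis log shows for it, and noticing which values have no path at all) can be done mechanically. The script below is an added example, not part of the thread or of HijackThis; it works on a constructed excerpt of the log and registry listing posted above, and the "loose executable in C:\WINDOWS or C:\WINDOWS\SYSTEM named exactly like its registry value" rule is a heuristic written for this example, not a published signature.

```python
"""Reconcile a HijackThis 1.97 log against a regedit listing of
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices.

For each value name seen in regedit, look up the path the log shows for it
(its O4 RunServices line, or failing that a 'Running processes' entry with
the same file name) and flag the self-renaming hijacker pattern seen in this
thread: a value named exactly like its EXE, sitting directly in C:\\WINDOWS
or C:\\WINDOWS\\SYSTEM, or a value the log never shows at all.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the second HijackThis log posted in this thread.
HJT_LOG = """\
Logfile of HijackThis v1.97.7
Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\SYSTEM\\MSTASK.EXE
C:\\WINDOWS\\SYSTEM\\APPCG.EXE
C:\\WINDOWS\\ATLXO32.EXE
C:\\WINDOWS\\ATLXO32.EXE
C:\\WINDOWS\\SYSTEM\\IEPR.EXE
C:\\WINDOWS\\DESKTOP\\BRAD'S STUFF\\HIJACKTHIS.EXE
O2 - BHO: (no name) - {55930C53-29C9-B309-3DD8-E0C4843E91AD} - C:\\WINDOWS\\NETSH.DLL (file missing)
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKLM\\..\\RunServices: [winmodem] WINMODEM.101\\wmexe.exe
O4 - HKLM\\..\\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\\..\\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\\..\\RunServices: [APPCG.EXE] C:\\WINDOWS\\SYSTEM\\APPCG.EXE
O4 - HKLM\\..\\RunServices: [ATLXO32.EXE] C:\\WINDOWS\\ATLXO32.EXE
O4 - HKLM\\..\\RunServices: [IEPR.EXE] C:\\WINDOWS\\SYSTEM\\IEPR.EXE
"""

# Constructed excerpt of the RunServices value names listed in the post above.
RUNSERVICES_VALUES = [
    "(Default)", "ADDBL32.EXE", "APPCG.EXE", "ATLXO32.EXE", "IEPR.EXE",
    "LOADPOWERPROFILE", "SCHEDULINGAGENT", "WINMODEM",
]

O4_RE = re.compile(r"^O4 - HKLM\\\.\.\\RunServices: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LOOSE_DIRS = ("C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM")


def parse_log(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (running process paths, {RunServices value name: command}).

    Process paths follow the 'Running processes:' header until the first
    HijackThis item line (R0, F1, O2, ...). Names are upper-cased because
    regedit on Win9x shows them case-insensitively.
    """
    procs: List[str] = []
    services: Dict[str, str] = {}
    in_procs = False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if re.match(r"^[A-Z]\d+ - ", line):
            in_procs = False
        if in_procs:
            procs.append(line.upper())
            continue
        m = O4_RE.match(line)
        if m:
            services[m.group("name").upper()] = m.group("cmd")
    return procs, services


def reconcile(values: List[str], procs: List[str],
              services: Dict[str, str]) -> List[Tuple[str, Optional[str]]]:
    """One row per registry value: (NAME, path or None when the log has none)."""
    by_basename = {p.rsplit("\\", 1)[-1]: p for p in procs}
    rows = []
    for name in values:
        if name == "(Default)":          # the key's unnamed default value
            continue
        key = name.upper()
        rows.append((key, services.get(key) or by_basename.get(key)))
    return rows


def is_suspect(name: str, path: Optional[str]) -> bool:
    """Heuristic for this thread's hijacker (example rule, not a signature)."""
    if not name.endswith(".EXE"):
        return False                     # LoadPowerProfile, winmodem, ...
    if path is None:
        return True                      # registered but nowhere in the log
    folder, _, basename = path.upper().rpartition("\\")
    return folder in LOOSE_DIRS and basename == name


def suspect_names(values: List[str], log_text: str) -> List[str]:
    procs, services = parse_log(log_text)
    return sorted(n for n, p in reconcile(values, procs, services) if is_suspect(n, p))


def format_table(rows: List[Tuple[str, Optional[str]]]) -> str:
    """Render the same 'EXE Name / Process Path' table the helper posts."""
    out = ["EXE Name          Process Path", "=" * 47]
    for name, path in rows:
        out.append(f"{name:<17} {path or ''}".rstrip())
    return "\n".join(out)


if __name__ == "__main__":
    procs, services = parse_log(HJT_LOG)
    print(format_table(reconcile(RUNSERVICES_VALUES, procs, services)))
    print("suspect:", ", ".join(suspect_names(RUNSERVICES_VALUES, HJT_LOG)))
```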
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All right, let's try to get started on this. Look for any of the below EXE's to be running in Task Manager (CTRL-ALT-DEL). If you see any of them, shut them down.


    EXE Name Process Path
    ===============================================
    ADDBL32.EXE
    ADDRC.EXE C:\WINDOWS\ADDRC.EXE
    ADDXT32.EXE C:\WINDOWS\ADDXT32.EXE
    APILQ.EXE
    APIOK32.EXE C:\WINDOWS\APIOK32.EXE
    APIXT32.EXE C:\WINDOWS\APIXT32.EXE
    APPCG.EXE C:\WINDOWS\SYSTEM\APPCG.EXE
    ATLAY32.EXE C:\WINDOWS\SYSTEM\ATLAY32.EXE
    ATLCY.EXE C:\WINDOWS\ATLCY.EXE
    ATLQX32.EXE C:\WINDOWS\ATLQX32.EXE
    ATLXO32.EXE C:\WINDOWS\ATLXO32.EXE
    CREE.EXE
    CRHM.EXE C:\WINDOWS\CRHM.EXE
    CRZY.EXE C:\WINDOWS\SYSTEM\CRZY.EXE
    D3FS.EXE C:\WINDOWS\D3FS.EXE
    IEBS.EXE C:\WINDOWS\IEBS.EXE
    IEOC.EXE C:\WINDOWS\IEOC.EXE
    IEPR.EXE C:\WINDOWS\SYSTEM\IEPR.EXE
    IETI32.EXE C:\WINDOWS\SYSTEM\IETI32.EXE
    IEVX32.EXE C:\WINDOWS\SYSTEM\IEVX32.EXE
    IEXD.EXE
    IEYU32.EXE
    IPNA32.EXE C:\WINDOWS\IPNA32.EXE
    IPUJ.EXE C:\WINDOWS\IPUJ.EXE
    JAVABB.EXE C:\WINDOWS\JAVABB.EXE
    JAVACK.EXE C:\WINDOWS\JAVACK.EXE
    JAVAOI32.EXE C:\WINDOWS\JAVAOI32.EXE
    JAVAQZ32.EXE
    JAVAUJ32.EXE C:\WINDOWS\SYSTEM\JAVAUJ32.EXE
    MFCCJ32.EXE C:\WINDOWS\SYSTEM\MFCCJ32.EXE
    MFCHT32.EXE C:\WINDOWS\SYSTEM\MFCHT32.EXE
    MFCRV32.EXE C:\WINDOWS\MFCRV32.EXE
    MSWW.EXE C:\WINDOWS\SYSTEM\MSWW.EXE
    MSZB.EXE C:\WINDOWS\SYSTEM\MSZB.EXE
    NETNO32.EXE C:\WINDOWS\SYSTEM\NETNO32.EXE
    NETUL32.EXE C:\WINDOWS\SYSTEM\NETUL32.EXE
    NETZT32.EXE C:\WINDOWS\NETZT32.EXE
    NTKB.EXE C:\WINDOWS\NTKB.EXE
    NTVI32.EXE C:\WINDOWS\NTVI32.EXE
    NTVZ.EXE C:\WINDOWS\NTVZ.EXE
    SDKMS.EXE C:\WINDOWS\SDKMS.EXE
    SYSBZ.EXE C:\WINDOWS\SYSBZ.EXE
    SYSCO.EXE C:\WINDOWS\SYSTEM\SYSCO.EXE
    SYSGH32.EXE C:\WINDOWS\SYSGH32.EXE
    SYSVR32.EXE C:\WINDOWS\SYSTEM\SYSVR32.EXE
    SYSWX.EXE C:\WINDOWS\SYSWX.EXE
    WINGE.EXE
    WINRP32.EXE C:\WINDOWS\WINRP32.EXE


    Now click Start, Run, and enter the following command: notepad C:\WINDOWS\system32\nyxbb.dll and click OK. Now use CTRL-A to select all lines of the file and then hit the delete key to delete all the lines and save it (yes, as an empty file).

    Now using Windows Explorer right click on nyxbb.dll and select Properties and change the attributes to Read Only and click OK.

    Make sure you have enabled view of hidden files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html and then try to find each of the EXE's listed above and delete them. Also look at the same time for a possible exact matching name DLL file (for example SYSCO.EXE and SYSCO.DLL). Some/all of these may not exist and some may not be deletable (keep track of which ones). If they do not delete now, come back and try them later after we reboot in safe mode.
    Try using file search to find any that you cannot locate to make sure that they are not located somewhere else.

    Now reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Run HijaakThis and have it fix the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nyxbb.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nyxbb.dll/index.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nyxbb.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nyxbb.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nyxbb.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nyxbb.dll/sp.html#27859

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
    O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
    O2 - BHO: (no name) - {FD0D7996-6B08-3544-63DE-B2D8F52A8043} - C:\WINDOWS\SYSTEM\ATLGR.DLL (file missing)
    O2 - BHO: (no name) - {55930C53-29C9-B309-3DD8-E0C4843E91AD} - C:\WINDOWS\NETSH.DLL (file missing)
    O2 - BHO: (no name) - {8C37367A-2DD7-D628-3FE9-57A744A38DF9} - C:\WINDOWS\SYSTEM\ADDYZ32.DLL (file missing)
    O2 - BHO: (no name) - {46D4E454-70DA-2B3F-1D10-69C7CE8C375C} - C:\WINDOWS\SYSKO32.DLL (file missing)
    O2 - BHO: (no name) - {B4125912-A4AB-5995-5D36-AC2CEDD0FD1C} - C:\WINDOWS\CRYH32.DLL (file missing)
    O2 - BHO: (no name) - {BE166C01-C895-7DB1-E1E6-B6BD6196E91F} - C:\WINDOWS\NETYE32.DLL (file missing)
    O2 - BHO: (no name) - {9ABFF989-9ED7-3145-0593-2AEE710D89F0} - C:\WINDOWS\SYSTEM\NTMD32.DLL
    O2 - BHO: (no name) - {99CD36FC-5A1C-A22E-3D74-2B4A9C0E897C} - C:\WINDOWS\D3SF32.DLL (file missing)
    O2 - BHO: (no name) - {48535929-2907-F7C1-1E4F-AF3F6D02A932} - C:\WINDOWS\D3UK32.DLL (file missing)
    O2 - BHO: (no name) - {9A81ADE0-5E7F-0E4E-78B9-FD1D291D1B99} - C:\WINDOWS\ATLUG32.DLL (file missing)
    O2 - BHO: (no name) - {76EAC69B-36B3-EEBD-9936-906570715E75} - C:\WINDOWS\SYSTEM\APPRQ.DLL (file missing)
    O2 - BHO: (no name) - {EB7A1A2D-9C0D-C8D4-8A9B-F6E22A647B85} - C:\WINDOWS\MSVN32.DLL (file missing)
    O2 - BHO: (no name) - {94C91E70-B010-2BD0-9276-8B2FF4228804} - C:\WINDOWS\SYSTEM\NETBD.DLL (file missing)
    O2 - BHO: (no name) - {90B46B07-282D-8DDE-D296-452CDBB0603B} - C:\WINDOWS\APINH32.DLL (file missing)
    O2 - BHO: (no name) - {655D9CE4-1199-9A9A-0FBD-E8A5D9B1F5E2} - C:\WINDOWS\SYSCP.DLL (file missing)
    O2 - BHO: (no name) - {1819A5B6-F3D0-0680-3146-E5B7D824ED78} - C:\WINDOWS\SYSTEM\MSAR.DLL (file missing)
    O2 - BHO: (no name) - {9EFD529D-46F8-2CEA-E958-34254F447995} - C:\WINDOWS\SYSTEM\IPDS.DLL (file missing)
    O2 - BHO: (no name) - {1B033C73-3462-A181-4482-AF3DB2818C44} - C:\WINDOWS\SYSTEM\NTPD.DLL (file missing)
    O2 - BHO: (no name) - {B30AA243-095D-D488-E85E-01E95DF815DB} - C:\WINDOWS\APPFQ.DLL (file missing)
    O2 - BHO: (no name) - {8AF1C8F8-5F05-34F3-4344-BC61A74FCC50} - C:\WINDOWS\SYSTEM\MFCJX32.DLL (file missing)
    O2 - BHO: (no name) - {773BCC80-D9FF-7281-852F-435394A76511} - C:\WINDOWS\D3TB32.DLL
    O2 - BHO: (no name) - {D9F9BB90-41F0-23DB-5F55-74ED758D5652} - C:\WINDOWS\ADDHE32.DLL
    O2 - BHO: (no name) - {D6BCF46E-3B9F-432D-4764-F5D9935AD1D4} - C:\WINDOWS\SYSTEM\SYSGG32.DLL
    O2 - BHO: (no name) - {C3D0592A-E898-9364-DBD7-EC2ED69821AF} - C:\WINDOWS\MSQM32.DLL (file missing)
    O2 - BHO: (no name) - {9C16FA79-E202-5556-3FED-BB3A84A76390} - C:\WINDOWS\SYSTEM\MSWV32.DLL (file missing)
    O2 - BHO: (no name) - {FF8F3EAB-3991-A7D5-F170-5ED0347927A1} - C:\WINDOWS\APPGF.DLL
    O2 - BHO: (no name) - {5B9FD345-F3DE-D005-2ECE-CAB9FE8750CF} - C:\WINDOWS\NETGG32.DLL (file missing)
    O2 - BHO: (no name) - {FF3F316D-3A20-4593-E7A7-4A6A52D8F46F} - C:\WINDOWS\SYSTEM\CRTP32.DLL (file missing)
    O2 - BHO: (no name) - {FD286674-B409-A4AA-9816-759558773A17} - C:\WINDOWS\SYSTEM\APPKV.DLL (file missing)
    O2 - BHO: (no name) - {6BEACA14-DD48-CDE9-566D-05631A5E5DF9} - C:\WINDOWS\SYSTEM\NETPC.DLL (file missing)
    O2 - BHO: (no name) - {A0EAF1EC-2878-C620-F226-0939C22A423E} - C:\WINDOWS\SYSTEM\ADDWN32.DLL (file missing)
    O2 - BHO: (no name) - {C22D9ED6-EDCC-967A-DFB1-0043697AEF16} - C:\WINDOWS\SYSTEM\SYSMF32.DLL (file missing)
    O2 - BHO: (no name) - {8DD0E093-F203-A226-34B6-803644787EFF} - C:\WINDOWS\ADDYR32.DLL (file missing)
    O2 - BHO: (no name) - {2DAD5652-3FF5-FF26-8446-2EE69A7D486A} - C:\WINDOWS\SYSWV.DLL
    O2 - BHO: (no name) - {BD9B5942-DE20-0F3F-B80C-F71F7AB6EC47} - C:\WINDOWS\SYSTEM\IPRP.DLL (file missing)
    O2 - BHO: (no name) - {792E5EAE-8A79-E368-3772-122B30F2715E} - C:\WINDOWS\JAVAFO.DLL (file missing)
    O2 - BHO: (no name) - {9350B908-510A-7040-0081-64766EE64B4F} - C:\WINDOWS\SYSTEM\ADDKR.DLL (file missing)
    O2 - BHO: (no name) - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\NTUR.DLL (file missing)
    O2 - BHO: (no name) - {CF295B84-1F3D-A13C-944E-90632373707E} - C:\WINDOWS\MFCYY32.DLL (file missing)
    O2 - BHO: (no name) - {70AB792D-E2FE-36CE-A6EF-BD60E41F7B9C} - C:\WINDOWS\SYSTEM\NETMD32.DLL (file missing)
    O2 - BHO: (no name) - {51365430-633C-3E97-DEE5-CC369E4261D1} - C:\WINDOWS\APILV.DLL (file missing)
    O2 - BHO: (no name) - {CDA7057E-A543-553D-5E37-BBDF205DFD7B} - C:\WINDOWS\ADDLM32.DLL (file missing)
    O2 - BHO: (no name) - {9B261FA6-9B63-5063-797E-458D1EEA0124} - C:\WINDOWS\MSWD32.DLL (file missing)
    O2 - BHO: (no name) - {F460ED7A-B35F-3A16-BF66-77D8F480B2B6} - C:\WINDOWS\SYSTEM\WINNA32.DLL (file missing)
    O2 - BHO: (no name) - {EBC21DD1-18C4-74D7-C935-89E653731491} - C:\WINDOWS\IPNZ32.DLL (file missing)
    O2 - BHO: (no name) - {30944EFD-8C58-3721-9AD2-266F9E5DF50A} - C:\WINDOWS\SDKBU32.DLL (file missing)
    O2 - BHO: (no name) - {2284453A-6D78-BE4F-6C59-8D255DBFA2FB} - C:\WINDOWS\SYSTEM\CRQD.DLL
    O2 - BHO: (no name) - {84B595BB-1DC9-852C-6316-3392A8C5B814} - C:\WINDOWS\SYSTEM\NTHW.DLL (file missing)

    O4 - HKLM\..\RunServices: [APPCG.EXE] C:\WINDOWS\SYSTEM\APPCG.EXE
    O4 - HKLM\..\RunServices: [MFCRV32.EXE] C:\WINDOWS\MFCRV32.EXE
    O4 - HKLM\..\RunServices: [SYSWX.EXE] C:\WINDOWS\SYSWX.EXE
    O4 - HKLM\..\RunServices: [ATLXO32.EXE] C:\WINDOWS\ATLXO32.EXE
    O4 - HKLM\..\RunServices: [NTKB.EXE] C:\WINDOWS\NTKB.EXE
    O4 - HKLM\..\RunServices: [ADDRC.EXE] C:\WINDOWS\ADDRC.EXE
    O4 - HKLM\..\RunServices: [NETZT32.EXE] C:\WINDOWS\NETZT32.EXE
    O4 - HKLM\..\RunServices: [NTVI32.EXE] C:\WINDOWS\NTVI32.EXE
    O4 - HKLM\..\RunServices: [SYSBZ.EXE] C:\WINDOWS\SYSBZ.EXE
    O4 - HKLM\..\RunServices: [MFCCJ32.EXE] C:\WINDOWS\SYSTEM\MFCCJ32.EXE
    O4 - HKLM\..\RunServices: [APIOK32.EXE] C:\WINDOWS\APIOK32.EXE
    O4 - HKLM\..\RunServices: [CRHM.EXE] C:\WINDOWS\CRHM.EXE
    O4 - HKLM\..\RunServices: [NETNO32.EXE] C:\WINDOWS\SYSTEM\NETNO32.EXE
    O4 - HKLM\..\RunServices: [IETI32.EXE] C:\WINDOWS\SYSTEM\IETI32.EXE
    O4 - HKLM\..\RunServices: [SYSGH32.EXE] C:\WINDOWS\SYSGH32.EXE
    O4 - HKLM\..\RunServices: [SYSCO.EXE] C:\WINDOWS\SYSTEM\SYSCO.EXE
    O4 - HKLM\..\RunServices: [D3FS.EXE] C:\WINDOWS\D3FS.EXE
    O4 - HKLM\..\RunServices: [IEOC.EXE] C:\WINDOWS\IEOC.EXE
    O4 - HKLM\..\RunServices: [IEPR.EXE] C:\WINDOWS\SYSTEM\IEPR.EXE
    O4 - HKLM\..\RunServices: [MFCHT32.EXE] C:\WINDOWS\SYSTEM\MFCHT32.EXE
    O4 - HKLM\..\RunServices: [SDKMS.EXE] C:\WINDOWS\SDKMS.EXE
    O4 - HKLM\..\RunServices: [CRZY.EXE] C:\WINDOWS\SYSTEM\CRZY.EXE
    O4 - HKLM\..\RunServices: [MSWW.EXE] C:\WINDOWS\SYSTEM\MSWW.EXE
    O4 - HKLM\..\RunServices: [JAVACK.EXE] C:\WINDOWS\JAVACK.EXE
    O4 - HKLM\..\RunServices: [ADDXT32.EXE] C:\WINDOWS\ADDXT32.EXE
    O4 - HKLM\..\RunServices: [NETUL32.EXE] C:\WINDOWS\SYSTEM\NETUL32.EXE
    O4 - HKLM\..\RunServices: [ATLCY.EXE] C:\WINDOWS\ATLCY.EXE
    O4 - HKLM\..\RunServices: [ATLAY32.EXE] C:\WINDOWS\SYSTEM\ATLAY32.EXE
    O4 - HKLM\..\RunServices: [WINRP32.EXE] C:\WINDOWS\WINRP32.EXE
    O4 - HKLM\..\RunServices: [IPUJ.EXE] C:\WINDOWS\IPUJ.EXE
    O4 - HKLM\..\RunServices: [SYSVR32.EXE] C:\WINDOWS\SYSTEM\SYSVR32.EXE
    O4 - HKLM\..\RunServices: [MSZB.EXE] C:\WINDOWS\SYSTEM\MSZB.EXE
    O4 - HKLM\..\RunServices: [JAVAOI32.EXE] C:\WINDOWS\JAVAOI32.EXE
    O4 - HKLM\..\RunServices: [NTVZ.EXE] C:\WINDOWS\NTVZ.EXE
    O4 - HKLM\..\RunServices: [JAVABB.EXE] C:\WINDOWS\JAVABB.EXE
    O4 - HKLM\..\RunServices: [IEBS.EXE] C:\WINDOWS\IEBS.EXE
    O4 - HKLM\..\RunServices: [JAVAUJ32.EXE] C:\WINDOWS\SYSTEM\JAVAUJ32.EXE
    O4 - HKLM\..\RunServices: [IPNA32.EXE] C:\WINDOWS\IPNA32.EXE
    O4 - HKLM\..\RunServices: [IEVX32.EXE] C:\WINDOWS\SYSTEM\IEVX32.EXE
    O4 - HKLM\..\RunServices: [APIXT32.EXE] C:\WINDOWS\APIXT32.EXE
    O4 - HKLM\..\RunServices: [ATLQX32.EXE] C:\WINDOWS\ATLQX32.EXE

    Try to delete any of those EXEs that would not delete before.

    Right click on your Internet Explorer icon and select Properties. Set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files, select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Ad-aware & SpyBot S&D and clean what they find (MAKE SURE YOU UPDATE FIRST. Ad-aware updated just today)

    Go to Start > Run > regedit > Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. Click the [+] next to uninstall. Scroll down until you see the NAMES of programs, not the numbers in {,}. Find (if they exist):

    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
    SA = Search Assistant
    SW = Shopping Wizzard

    To double check, on the left pane, it will say what they are. Highlight one at a time, and hit your delete key. Once you delete all three, you may exit.

    Now reboot normal mode. Check HijackThis log.
     
  13. lapras53

    lapras53 Private E-2

    Alright, so I've followed the instructions as closely as I could...

    It's feeling better...four hundred megs of space has been freed from my hard drive since I restarted...but I'm still getting the "only the best" pop-up ads...

    Here is my latest HijackThis scan

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\MFCNG32.EXE
    C:\WINDOWS\SDKTR32.EXE
    C:\WINDOWS\MFCWJ32.EXE
    C:\WINDOWS\APPLW32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\DESKTOP\BRAD'S STUFF\HIJACKTHIS\HIJACKTHIS.EXE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by P.D. Computers, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O2 - BHO: (no name) - {EAE93A50-B566-8AE6-4CF2-7070B758A27C} - C:\WINDOWS\WINXW.DLL (file missing)
    O2 - BHO: (no name) - {7E72B2B4-7AE5-BB09-3BA7-1D12564CA011} - C:\WINDOWS\APPBK32.DLL (file missing)
    O2 - BHO: (no name) - {70BB8727-300B-1A42-4786-61E94EB4FBA5} - C:\WINDOWS\NETQS32.DLL (file missing)
    O2 - BHO: (no name) - {64DB3205-CF7B-15DD-E402-9DCF486A44CC} - C:\WINDOWS\NETOV.DLL (file missing)
    O2 - BHO: (no name) - {F538B067-5A0F-89FE-6A09-3F46EAC2A99E} - C:\WINDOWS\SYSTEM\MFCEW32.DLL (file missing)
    O2 - BHO: (no name) - {21D07119-4AC8-37EE-70B3-0FC88D4CBAAD} - C:\WINDOWS\MFCEQ32.DLL (file missing)
    O2 - BHO: (no name) - {3643DD64-94B4-5743-9B71-A41AC1605F6F} - C:\WINDOWS\IPZQ.DLL (file missing)
    O2 - BHO: (no name) - {081758B8-1464-68B8-A672-5A257F23165E} - C:\WINDOWS\SYSTEM\MFCIR.DLL (file missing)
    O2 - BHO: (no name) - {BAECFF6A-2CC0-095A-0883-1BA36541C515} - C:\WINDOWS\SDKUR.DLL (file missing)
    O2 - BHO: (no name) - {ED9E1188-DD79-D9A6-01FD-CC124FC74649} - C:\WINDOWS\APPBP.DLL (file missing)
    O2 - BHO: (no name) - {6188C804-214C-769B-78B0-F99F8BA5FC4E} - C:\WINDOWS\SYSTEM\D3RY32.DLL (file missing)
    O2 - BHO: (no name) - {A8BFD3DC-9F9D-1255-4C88-0ABE6CF3DC96} - C:\WINDOWS\JAVAED32.DLL
    O2 - BHO: (no name) - {205A2410-9903-A47C-0AA3-C0CDF769FFCD} - C:\WINDOWS\SYSTEM\MFCSK32.DLL (file missing)
    O2 - BHO: (no name) - {07DB5A4B-4CB8-D84D-1C60-26C669A0FA49} - C:\WINDOWS\SYSTEM\ATLQD.DLL (file missing)
    O2 - BHO: (no name) - {C50C3867-EF0D-F996-B6E2-672B60D6ED50} - C:\WINDOWS\APIYI32.DLL (file missing)
    O2 - BHO: (no name) - {800B9048-A1BD-B338-E9D4-71396483AE60} - C:\WINDOWS\SYSTEM\JAVAFI32.DLL (file missing)
    O2 - BHO: (no name) - {7D81A509-957B-37CD-4EAB-426C5E934317} - C:\WINDOWS\SYSTEM\D3TK.DLL (file missing)
    O2 - BHO: (no name) - {E5A0EFED-3062-8A6A-0BA8-B76566990BAF} - C:\WINDOWS\APPVQ32.DLL (file missing)
    O2 - BHO: (no name) - {0F9A97E5-963E-75DB-23F4-3897CEC6B584} - C:\WINDOWS\D3VW32.DLL (file missing)
    O2 - BHO: (no name) - {A3EB6D3E-AA14-D7C6-C5B4-18038105F49F} - C:\WINDOWS\SYSTEM\IPSI32.DLL (file missing)
    O2 - BHO: (no name) - {41A479FD-DD33-B009-16B2-96EAC6B01DEE} - C:\WINDOWS\SYSTEM\NETJG32.DLL (file missing)
    O2 - BHO: (no name) - {241F754F-D197-D0E0-52C1-75E57DCB764D} - C:\WINDOWS\MSWM32.DLL
    O2 - BHO: (no name) - {7B86C9AF-492C-5E59-4ECE-88EB61C7342A} - C:\WINDOWS\IEUC32.DLL
    O2 - BHO: (no name) - {2CEAB828-38BD-3C29-5BB0-E50A8BB04255} - C:\WINDOWS\SYSTEM\MSUB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-US\MSNTB.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [JAVAQZ32.EXE] C:\WINDOWS\SYSTEM\JAVAQZ32.EXE
    O4 - HKLM\..\RunServices: [IEYU32.EXE] C:\WINDOWS\SYSTEM\IEYU32.EXE
    O4 - HKLM\..\RunServices: [IEXD.EXE] C:\WINDOWS\SYSTEM\IEXD.EXE
    O4 - HKLM\..\RunServices: [WINGE.EXE] C:\WINDOWS\SYSTEM\WINGE.EXE
    O4 - HKLM\..\RunServices: [ADDBL32.EXE] C:\WINDOWS\SYSTEM\ADDBL32.EXE
    O4 - HKLM\..\RunServices: [CREE.EXE] C:\WINDOWS\SYSTEM\CREE.EXE
    O4 - HKLM\..\RunServices: [APILQ.EXE] C:\WINDOWS\SYSTEM\APILQ.EXE
    O4 - HKLM\..\RunServices: [APPLW32.EXE] C:\WINDOWS\APPLW32.EXE
    O4 - HKLM\..\RunServices: [MFCWJ32.EXE] C:\WINDOWS\MFCWJ32.EXE
    O4 - HKLM\..\RunServices: [MFCNG32.EXE] C:\WINDOWS\SYSTEM\MFCNG32.EXE
    O4 - HKLM\..\RunServices: [SDKTR32.EXE] C:\WINDOWS\SDKTR32.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.effingham.net
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
     
  14. lapras53

    lapras53 Private E-2

    I just checked and it still lists home search assistent as a removable program...does that mean I did something wrong?...I tried to add/remove it, but it said that the uninstall file couldn't be found
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ignore that for now. We need to fix things in your log. Run HijackThis again and fix ONLY these that say (file missing)

    O2 - BHO: (no name) - {EAE93A50-B566-8AE6-4CF2-7070B758A27C} - C:\WINDOWS\WINXW.DLL (file missing)
    O2 - BHO: (no name) - {7E72B2B4-7AE5-BB09-3BA7-1D12564CA011} - C:\WINDOWS\APPBK32.DLL (file missing)
    O2 - BHO: (no name) - {70BB8727-300B-1A42-4786-61E94EB4FBA5} - C:\WINDOWS\NETQS32.DLL (file missing)
    O2 - BHO: (no name) - {64DB3205-CF7B-15DD-E402-9DCF486A44CC} - C:\WINDOWS\NETOV.DLL (file missing)
    O2 - BHO: (no name) - {F538B067-5A0F-89FE-6A09-3F46EAC2A99E} - C:\WINDOWS\SYSTEM\MFCEW32.DLL (file missing)
    O2 - BHO: (no name) - {21D07119-4AC8-37EE-70B3-0FC88D4CBAAD} - C:\WINDOWS\MFCEQ32.DLL (file missing)
    O2 - BHO: (no name) - {3643DD64-94B4-5743-9B71-A41AC1605F6F} - C:\WINDOWS\IPZQ.DLL (file missing)
    O2 - BHO: (no name) - {081758B8-1464-68B8-A672-5A257F23165E} - C:\WINDOWS\SYSTEM\MFCIR.DLL (file missing)
    O2 - BHO: (no name) - {BAECFF6A-2CC0-095A-0883-1BA36541C515} - C:\WINDOWS\SDKUR.DLL (file missing)
    O2 - BHO: (no name) - {ED9E1188-DD79-D9A6-01FD-CC124FC74649} - C:\WINDOWS\APPBP.DLL (file missing)
    O2 - BHO: (no name) - {6188C804-214C-769B-78B0-F99F8BA5FC4E} - C:\WINDOWS\SYSTEM\D3RY32.DLL (file missing)
    O2 - BHO: (no name) - {205A2410-9903-A47C-0AA3-C0CDF769FFCD} - C:\WINDOWS\SYSTEM\MFCSK32.DLL (file missing)
    O2 - BHO: (no name) - {07DB5A4B-4CB8-D84D-1C60-26C669A0FA49} - C:\WINDOWS\SYSTEM\ATLQD.DLL (file missing)
    O2 - BHO: (no name) - {C50C3867-EF0D-F996-B6E2-672B60D6ED50} - C:\WINDOWS\APIYI32.DLL (file missing)
    O2 - BHO: (no name) - {800B9048-A1BD-B338-E9D4-71396483AE60} - C:\WINDOWS\SYSTEM\JAVAFI32.DLL (file missing)
    O2 - BHO: (no name) - {7D81A509-957B-37CD-4EAB-426C5E934317} - C:\WINDOWS\SYSTEM\D3TK.DLL (file missing)
    O2 - BHO: (no name) - {E5A0EFED-3062-8A6A-0BA8-B76566990BAF} - C:\WINDOWS\APPVQ32.DLL (file missing)
    O2 - BHO: (no name) - {0F9A97E5-963E-75DB-23F4-3897CEC6B584} - C:\WINDOWS\D3VW32.DLL (file missing)
    O2 - BHO: (no name) - {A3EB6D3E-AA14-D7C6-C5B4-18038105F49F} - C:\WINDOWS\SYSTEM\IPSI32.DLL (file missing)
    O2 - BHO: (no name) - {41A479FD-DD33-B009-16B2-96EAC6B01DEE} - C:\WINDOWS\SYSTEM\NETJG32.DLL (file missing)


    Then search for the files below and any possible matching EXE (like MSWM32.DLL and MSWM32.EXE) and delete them. Remember to follow previous instructions for finding hidden files. And you may have to boot in safe mode to delete them.
    O2 - BHO: (no name) - {A8BFD3DC-9F9D-1255-4C88-0ABE6CF3DC96} - C:\WINDOWS\JAVAED32.DLL
    O2 - BHO: (no name) - {241F754F-D197-D0E0-52C1-75E57DCB764D} - C:\WINDOWS\MSWM32.DLL
    O2 - BHO: (no name) - {7B86C9AF-492C-5E59-4ECE-88EB61C7342A} - C:\WINDOWS\IEUC32.DLL
    O2 - BHO: (no name) - {2CEAB828-38BD-3C29-5BB0-E50A8BB04255} - C:\WINDOWS\SYSTEM\MSUB.DLL

    Later you are going to have to un-install SpyBot & then re-install. This hijacker broke it.
     
  16. lapras53

    lapras53 Private E-2

    Okay, I deleted javaed32.dll, mswm32.dll, mswm32.exe, ieuc32.dll, and msub.dll

    When I restarted in regular mode the home page had been changed again : res://qtdbo.dll/index.html#27859

    I fixed all the lines that said (file missing)

    Here is my newest scan

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\MFCNG32.EXE
    C:\WINDOWS\SDKTR32.EXE
    C:\WINDOWS\SYSTEM\NETIM.EXE
    C:\WINDOWS\APIXX32.EXE
    C:\WINDOWS\MFCWJ32.EXE
    C:\WINDOWS\SYSTEM\ADDTV32.EXE
    C:\WINDOWS\APPLW32.EXE
    C:\WINDOWS\NTAU.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\MSQM32.EXE
    C:\WINDOWS\NTAU.EXE
    C:\WINDOWS\NTAU.EXE
    C:\WINDOWS\APIXH32.EXE
    C:\WINDOWS\SYSTEM\SYSBA.EXE
    C:\WINDOWS\SYSTEM\SYSBA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\BRAD'S STUFF\HIJACKTHIS\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qtdbo.dll/index.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qtdbo.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qtdbo.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by P.D. Computers, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O2 - BHO: (no name) - {A8BFD3DC-9F9D-1255-4C88-0ABE6CF3DC96} - C:\WINDOWS\JAVAED32.DLL (file missing)
    O2 - BHO: (no name) - {241F754F-D197-D0E0-52C1-75E57DCB764D} - C:\WINDOWS\MSWM32.DLL (file missing)
    O2 - BHO: (no name) - {7B86C9AF-492C-5E59-4ECE-88EB61C7342A} - C:\WINDOWS\IEUC32.DLL (file missing)
    O2 - BHO: (no name) - {2CEAB828-38BD-3C29-5BB0-E50A8BB04255} - C:\WINDOWS\SYSTEM\MSUB.DLL (file missing)
    O2 - BHO: (no name) - {42627D9A-45AE-1F18-1F44-711C59336529} - C:\WINDOWS\SYSTEM\ADDCS32.DLL
    O2 - BHO: (no name) - {A5B223E5-0E73-9AC9-758C-41988A18DD24} - C:\WINDOWS\SYSTEM\APIHJ.DLL (file missing)
    O2 - BHO: (no name) - {F5432123-A425-19BB-F479-E2AD4CAC2E04} - C:\WINDOWS\SYSTEM\JAVAEO.DLL (file missing)
    O2 - BHO: (no name) - {9094044E-D64B-52BF-2293-CE35E7D82337} - C:\WINDOWS\SYSTEM\ADDRK.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-US\MSNTB.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [JAVAQZ32.EXE] C:\WINDOWS\SYSTEM\JAVAQZ32.EXE
    O4 - HKLM\..\RunServices: [IEYU32.EXE] C:\WINDOWS\SYSTEM\IEYU32.EXE
    O4 - HKLM\..\RunServices: [IEXD.EXE] C:\WINDOWS\SYSTEM\IEXD.EXE
    O4 - HKLM\..\RunServices: [WINGE.EXE] C:\WINDOWS\SYSTEM\WINGE.EXE
    O4 - HKLM\..\RunServices: [ADDBL32.EXE] C:\WINDOWS\SYSTEM\ADDBL32.EXE
    O4 - HKLM\..\RunServices: [CREE.EXE] C:\WINDOWS\SYSTEM\CREE.EXE
    O4 - HKLM\..\RunServices: [APILQ.EXE] C:\WINDOWS\SYSTEM\APILQ.EXE
    O4 - HKLM\..\RunServices: [APPLW32.EXE] C:\WINDOWS\APPLW32.EXE
    O4 - HKLM\..\RunServices: [MFCWJ32.EXE] C:\WINDOWS\MFCWJ32.EXE
    O4 - HKLM\..\RunServices: [MFCNG32.EXE] C:\WINDOWS\SYSTEM\MFCNG32.EXE
    O4 - HKLM\..\RunServices: [SDKTR32.EXE] C:\WINDOWS\SDKTR32.EXE
    O4 - HKLM\..\RunServices: [ADDTV32.EXE] C:\WINDOWS\SYSTEM\ADDTV32.EXE
    O4 - HKLM\..\RunServices: [APIXX32.EXE] C:\WINDOWS\APIXX32.EXE
    O4 - HKLM\..\RunServices: [NTAU.EXE] C:\WINDOWS\NTAU.EXE
    O4 - HKLM\..\RunServices: [NETIM.EXE] C:\WINDOWS\SYSTEM\NETIM.EXE
    O4 - HKLM\..\RunServices: [APIXH32.EXE] C:\WINDOWS\APIXH32.EXE
    O4 - HKLM\..\RunServices: [SYSBA.EXE] C:\WINDOWS\SYSTEM\SYSBA.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.effingham.net
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Damn! We have to find the root program that is re-spawning this stuff. We need to go back to regedit again and do what I said before but this time we need to get info for:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    From your previous and current logs the only items that belong under RunServices are:
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

    All of these running processes need to be killed and files deleted (but something may re-spawn them)
    C:\WINDOWS\SYSTEM\MFCNG32.EXE
    C:\WINDOWS\SDKTR32.EXE
    C:\WINDOWS\SYSTEM\NETIM.EXE
    C:\WINDOWS\APIXX32.EXE
    C:\WINDOWS\MFCWJ32.EXE
    C:\WINDOWS\SYSTEM\ADDTV32.EXE
    C:\WINDOWS\APPLW32.EXE
    C:\WINDOWS\NTAU.EXE
    C:\WINDOWS\MSQM32.EXE
    C:\WINDOWS\NTAU.EXE
    C:\WINDOWS\NTAU.EXE
    C:\WINDOWS\APIXH32.EXE
    C:\WINDOWS\SYSTEM\SYSBA.EXE
    C:\WINDOWS\SYSTEM\SYSBA.EXE

    Also like before we need to erase the contents of the problem DLL. Now click Start, Run, and enter the following command notepad C:\WINDOWS\system32\qtdbo.dll file and click OK. Now use CTRL-A to select all lines of the file and then hit the delete key to delete all the lines and save it (yes as an empty file). Repeat this for possible other occurrences of this file like:
    C:\WINDOWS\system\qtdbo.dll file
    C:\WINDOWS\qtdbo.dll file
    C:\qtdbo.dll file

    Right click on your Internet Explorer icon and select Properties. Set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files, select Delete all Offline content too, Click OK. When it finishes Click OK.


    Let me know when you finish this.
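    An added triage script, not from this thread or from HijackThis, that applies the checks chaslang walks through in this post and in post 15: O2 entries marked (file missing) are orphaned registry references to fix in HijackThis, O2/O4 entries whose file still exists need the file and any same-named EXE/DLL twin (MSWM32.DLL / MSWM32.EXE) removed first, and R0/R1 values pointing at a res:// resource name the local DLL (qtdbo.dll here) whose contents get emptied. The prefix list and name pattern are assumptions built from the random-looking names in this thread, and the sample log lines are constructed from entries already on the page.

```python
import re
from collections import defaultdict

# Assumption: name shape seen in this thread (MSWM32.DLL, MFCNG32.EXE, NTAU.EXE,
# D3FE.EXE ...): a familiar prefix, two random letters, optional "32".
# It is a review heuristic, not a signature; real files such as WINMM.DLL
# collide with it, so treat hits as candidates to check, never auto-delete.
SUSPECT_PREFIXES = ("MS", "MFC", "ATL", "API", "APP", "ADD", "NET", "NT", "SYS",
                    "SDK", "IE", "IP", "JAVA", "WIN", "CR", "D3")
RANDOM_NAME = re.compile(
    r"^(?:" + "|".join(SUSPECT_PREFIXES) + r")[A-Z]{2}(?:32)?\.(?:EXE|DLL)$")

# HijackThis line shapes used in this thread.
O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+?)( \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
R_RE = re.compile(r"^R[01] - (HK[^,]+),([^=]+) = (.+)$")
RES_DLL = re.compile(r"^res://(?:.*\\)?([^/\\]+\.dll)", re.I)

# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qtdbo.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {EAE93A50-B566-8AE6-4CF2-7070B758A27C} - C:\WINDOWS\WINXW.DLL (file missing)
O2 - BHO: (no name) - {241F754F-D197-D0E0-52C1-75E57DCB764D} - C:\WINDOWS\MSWM32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MFCNG32.EXE] C:\WINDOWS\SYSTEM\MFCNG32.EXE
O4 - HKLM\..\RunServices: [NTAU.EXE] C:\WINDOWS\NTAU.EXE
"""


def basename(path):
    """Last path component, upper-cased (HijackThis mixes cases)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def executable_of(command):
    """First token of an O4 command: a quoted path, or the bare first word.
    Unquoted paths containing spaces are not resolved (left as a limitation)."""
    if command.startswith('"'):
        return command.split('"')[1]
    return command.split(" ", 1)[0]


def twin_paths(path):
    """MSWM32.DLL -> [MSWM32.DLL, MSWM32.EXE]: the twin the helper asks to search for."""
    stem, ext = path.rsplit(".", 1)
    other = "EXE" if ext.upper() == "DLL" else "DLL"
    return [path, stem + "." + other]


def triage(lines):
    """Classify log lines into the actions taken in this thread.

    fix_in_hjt      orphaned or hijacked entries HijackThis can fix directly
    review_missing  (file missing) entries of real products (SDHelper: reinstall)
    delete_files    BHO DLLs still on disk, plus their possible EXE twin
    kill_and_delete running/RunServices EXEs to end and remove before fixing
    empty_dll       DLLs referenced by res:// start/search pages, to be emptied
    """
    findings = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path, missing = m.group(2), m.group(3)
            if missing and RANDOM_NAME.match(basename(path)):
                findings["fix_in_hjt"].append(line)
            elif missing:
                findings["review_missing"].append(line)
            elif RANDOM_NAME.match(basename(path)):
                findings["delete_files"].extend(twin_paths(path))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group(4))
            if RANDOM_NAME.match(basename(exe)):
                findings["kill_and_delete"].append(exe)
                findings["fix_in_hjt"].append(line)
            continue
        m = R_RE.match(line)
        if m:
            dll = RES_DLL.match(m.group(3))
            if dll:
                findings["fix_in_hjt"].append(line)
                if dll.group(1).lower() not in findings["empty_dll"]:
                    findings["empty_dll"].append(dll.group(1).lower())
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG.splitlines()).items():
        print(category)
        for item in items:
            print("   ", item)
```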
     
  18. lapras53

    lapras53 Private E-2

    Okay,

    Here's a list of which files were in the \Run
    MSQM32.EXE (I deleted it)
    Quicktime Task
    System Tray
    TkBell.EXE

    It only said (default) in the \RunOnce

    here's a list of which files were in the \RunServices
    ADDBL32.EXE
    ADDTV32.EXE (DELETED IT)
    APILQ.EXE
    APIXH32.EXE (DELETED IT)
    APIXX32.EXE (DELETED IT)
    APPLW32.EXE (DELETED IT)
    CREE.EXE
    D3FE.EXE
    IEXD.EXE
    IEYU32.EXE
    JAVAQZ32.EXE
    LOADPOWERPROFILE
    MFCWJ32.EXE (DELETED IT)
    MFCNG32.EXE (DELETED IT)
    NETIM.EXE (DELETED IT)
    NTAU.EXE (DELETED IT)
    SCHEDULING AGENT
    SDKTR32.EXE (DELETED IT)
    SYSBA.EXE (DELETED IT)
    WINGE.EXE
    WINMODEM

    It only said (default) under the \RunServicesOnce

    I saved the qtdbo.dll file as an empty file, I also deleted a file of the same name that appeared to be a sound.

    Here is a new HijackThis scan

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\D3FE.EXE
    C:\WINDOWS\NETQK.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\BRAD'S STUFF\HIJACKTHIS\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qtdbo.dll/index.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qtdbo.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qtdbo.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by P.D. Computers, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O2 - BHO: (no name) - {A8BFD3DC-9F9D-1255-4C88-0ABE6CF3DC96} - C:\WINDOWS\JAVAED32.DLL (file missing)
    O2 - BHO: (no name) - {241F754F-D197-D0E0-52C1-75E57DCB764D} - C:\WINDOWS\MSWM32.DLL (file missing)
    O2 - BHO: (no name) - {7B86C9AF-492C-5E59-4ECE-88EB61C7342A} - C:\WINDOWS\IEUC32.DLL (file missing)
    O2 - BHO: (no name) - {2CEAB828-38BD-3C29-5BB0-E50A8BB04255} - C:\WINDOWS\SYSTEM\MSUB.DLL (file missing)
    O2 - BHO: (no name) - {42627D9A-45AE-1F18-1F44-711C59336529} - C:\WINDOWS\SYSTEM\ADDCS32.DLL
    O2 - BHO: (no name) - {A5B223E5-0E73-9AC9-758C-41988A18DD24} - C:\WINDOWS\SYSTEM\APIHJ.DLL (file missing)
    O2 - BHO: (no name) - {F5432123-A425-19BB-F479-E2AD4CAC2E04} - C:\WINDOWS\SYSTEM\JAVAEO.DLL (file missing)
    O2 - BHO: (no name) - {9094044E-D64B-52BF-2293-CE35E7D82337} - C:\WINDOWS\SYSTEM\ADDRK.DLL (file missing)
    O2 - BHO: (no name) - {BEFF97AA-0AB0-303A-35AD-40AE9A0149B3} - C:\WINDOWS\SYSTEM\D3GE32.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-US\MSNTB.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [JAVAQZ32.EXE] C:\WINDOWS\SYSTEM\JAVAQZ32.EXE
    O4 - HKLM\..\RunServices: [IEYU32.EXE] C:\WINDOWS\SYSTEM\IEYU32.EXE
    O4 - HKLM\..\RunServices: [IEXD.EXE] C:\WINDOWS\SYSTEM\IEXD.EXE
    O4 - HKLM\..\RunServices: [WINGE.EXE] C:\WINDOWS\SYSTEM\WINGE.EXE
    O4 - HKLM\..\RunServices: [ADDBL32.EXE] C:\WINDOWS\SYSTEM\ADDBL32.EXE
    O4 - HKLM\..\RunServices: [CREE.EXE] C:\WINDOWS\SYSTEM\CREE.EXE
    O4 - HKLM\..\RunServices: [APILQ.EXE] C:\WINDOWS\SYSTEM\APILQ.EXE
    O4 - HKLM\..\RunServices: [APPLW32.EXE] C:\WINDOWS\APPLW32.EXE
    O4 - HKLM\..\RunServices: [MFCWJ32.EXE] C:\WINDOWS\MFCWJ32.EXE
    O4 - HKLM\..\RunServices: [MFCNG32.EXE] C:\WINDOWS\SYSTEM\MFCNG32.EXE
    O4 - HKLM\..\RunServices: [SDKTR32.EXE] C:\WINDOWS\SDKTR32.EXE
    O4 - HKLM\..\RunServices: [ADDTV32.EXE] C:\WINDOWS\SYSTEM\ADDTV32.EXE
    O4 - HKLM\..\RunServices: [APIXX32.EXE] C:\WINDOWS\APIXX32.EXE
    O4 - HKLM\..\RunServices: [NTAU.EXE] C:\WINDOWS\NTAU.EXE
    O4 - HKLM\..\RunServices: [NETIM.EXE] C:\WINDOWS\SYSTEM\NETIM.EXE
    O4 - HKLM\..\RunServices: [APIXH32.EXE] C:\WINDOWS\APIXH32.EXE
    O4 - HKLM\..\RunServices: [SYSBA.EXE] C:\WINDOWS\SYSTEM\SYSBA.EXE
    O4 - HKLM\..\RunServices: [D3FE.EXE] C:\WINDOWS\SYSTEM\D3FE.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.effingham.net
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In \RunServices delete these too:
    ADDBL32.EXE
    APILQ.EXE
    CREE.EXE
    D3FE.EXE
    IEXD.EXE
    IEYU32.EXE
    JAVAQZ32.EXE
    WINGE.EXE
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Take a look in your c:\windows, c:\windows\system, and c:\windows\system32 directories to see if there are any files with names like these EXEs and DLLs but with the extension .DAT.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In fact, when looking around in those directories, have Win Explorer set to sort by modification date and see if you find other files with the same time frame as these baddies. There may be more than are in your logs and registry. Look for .DAT, .EXE, and .DLL files.
     
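The "sort by modification date" sweep described in the post above, as an added example that is not part of the thread: given a directory and the names already known to be bad, it lists every other .EXE/.DLL/.DAT written within a few minutes of them and moves (rather than deletes) them into a junk folder, which is the cautious option the thread recommends when you are not sure a file is bad. The demo directory, its timestamps, and the file names KERNEL32.DLL, SYSTRAY.EXE, WMEXE.EXE and README.TXT are constructed for the example; ADDBL32.EXE, APILQ.EXE and QTDBO.DLL are names from the log above, and MSWM32.DAT is a constructed .DAT twin of the MSWM32.DLL BHO in the log.

```python
"""Timestamp-neighbour hunt for dropped files (added example, not from the thread).

Automates the manual 'sort by modification date' sweep: files of the hunted
extensions written within a window of a known-bad file are reported and then
moved into a junk folder so a wrong guess (a real system file) can be put back.
Everything in build_demo_dir() is constructed for the demo.
"""
import os
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

HUNT_EXTENSIONS = {".exe", ".dll", ".dat"}


def files_near(directory, known_bad, window_minutes=30):
    """Names of hunted-extension files in `directory` whose mtime lies within
    `window_minutes` of any file listed in `known_bad` (case-insensitive, as
    Windows names are).  The known-bad files themselves are not returned."""
    directory = Path(directory)
    window = timedelta(minutes=window_minutes)
    bad = {n.lower() for n in known_bad}
    anchors = [datetime.fromtimestamp(p.stat().st_mtime)
               for p in directory.iterdir()
               if p.is_file() and p.name.lower() in bad]
    if not anchors:
        return []
    suspects = []
    for p in directory.iterdir():
        if not p.is_file() or p.suffix.lower() not in HUNT_EXTENSIONS:
            continue
        if p.name.lower() in bad:
            continue
        mtime = datetime.fromtimestamp(p.stat().st_mtime)
        if any(abs(mtime - a) <= window for a in anchors):
            suspects.append(p.name)
    return sorted(suspects)


def quarantine(directory, names, junk_dir):
    """Move the named files into junk_dir instead of deleting them.
    Returns the new paths."""
    junk_dir = Path(junk_dir)
    junk_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for name in names:
        dest = junk_dir / name
        shutil.move(str(Path(directory) / name), str(dest))
        moved.append(dest)
    return moved


def build_demo_dir():
    """Constructed stand-in for the Windows system directory: old genuine
    files, one known-bad EXE named in the thread's log, and a cluster of
    look-alike files written minutes after it.  Returns (path, known_bad)."""
    root = Path(tempfile.mkdtemp(prefix="hsa_demo_"))
    t0 = datetime(2004, 6, 19, 14, 0, 0)            # constructed drop time
    plan = {
        "KERNEL32.DLL": t0 - timedelta(days=900),   # genuine, old
        "SYSTRAY.EXE":  t0 - timedelta(days=900),   # genuine, old
        "WMEXE.EXE":    t0 - timedelta(days=400),   # modem driver, old
        "ADDBL32.EXE":  t0,                         # known bad (from the log)
        "APILQ.EXE":    t0 + timedelta(minutes=1),  # dropped alongside it
        "QTDBO.DLL":    t0 + timedelta(minutes=3),  # the res:// DLL
        "MSWM32.DAT":   t0 + timedelta(minutes=5),  # constructed .DAT twin
        "README.TXT":   t0 + timedelta(minutes=2),  # same window, wrong ext
    }
    for name, when in plan.items():
        path = root / name
        path.write_bytes(b"demo")
        stamp = when.timestamp()
        os.utime(path, (stamp, stamp))
    return root, ["ADDBL32.EXE"]


def run_demo(window_minutes=30):
    """Build the demo dir, hunt, quarantine, report, and clean up after."""
    root, known_bad = build_demo_dir()
    try:
        suspects = files_near(root, known_bad, window_minutes)
        moved = quarantine(root, suspects, root / "junk")
        remaining = sorted(p.name for p in root.iterdir() if p.is_file())
        return {"suspects": suspects,
                "moved": sorted(p.name for p in moved),
                "remaining": remaining}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report = run_demo()
    print("suspects :", report["suspects"])
    print("remaining:", report["remaining"])
```

The window is the knob that matters: 30 minutes catches the whole drop here, while a 2-minute window only catches APILQ.EXE, so start wide, then confirm each hit by name and registry reference before trusting it. Nothing is deleted; a file that turns out to be genuine is moved back out of the junk folder.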
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before continuing make sure Ad-aware is up to date. Do not scan yet!
    And then shut Ad-aware down.

    Disconnect your connection from the Internet (analog modem, Ethernet, etc.)
    and do the following:

    Have HijackThis fix these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qtdbo.dll/index.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qtdbo.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qtdbo.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by P.D. Computers, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    O2 - BHO: (no name) - {A8BFD3DC-9F9D-1255-4C88-0ABE6CF3DC96} - C:\WINDOWS\JAVAED32.DLL (file missing)
    O2 - BHO: (no name) - {241F754F-D197-D0E0-52C1-75E57DCB764D} - C:\WINDOWS\MSWM32.DLL (file missing)
    O2 - BHO: (no name) - {7B86C9AF-492C-5E59-4ECE-88EB61C7342A} - C:\WINDOWS\IEUC32.DLL (file missing)
    O2 - BHO: (no name) - {2CEAB828-38BD-3C29-5BB0-E50A8BB04255} - C:\WINDOWS\SYSTEM\MSUB.DLL (file missing)
    O2 - BHO: (no name) - {42627D9A-45AE-1F18-1F44-711C59336529} - C:\WINDOWS\SYSTEM\ADDCS32.DLL
    O2 - BHO: (no name) - {A5B223E5-0E73-9AC9-758C-41988A18DD24} - C:\WINDOWS\SYSTEM\APIHJ.DLL (file missing)
    O2 - BHO: (no name) - {F5432123-A425-19BB-F479-E2AD4CAC2E04} - C:\WINDOWS\SYSTEM\JAVAEO.DLL (file missing)
    O2 - BHO: (no name) - {9094044E-D64B-52BF-2293-CE35E7D82337} - C:\WINDOWS\SYSTEM\ADDRK.DLL (file missing)
    O2 - BHO: (no name) - {BEFF97AA-0AB0-303A-35AD-40AE9A0149B3} - C:\WINDOWS\SYSTEM\D3GE32.DLL (file missing)
    O4 - HKLM\..\RunServices: [JAVAQZ32.EXE] C:\WINDOWS\SYSTEM\JAVAQZ32.EXE
    O4 - HKLM\..\RunServices: [IEYU32.EXE] C:\WINDOWS\SYSTEM\IEYU32.EXE
    O4 - HKLM\..\RunServices: [IEXD.EXE] C:\WINDOWS\SYSTEM\IEXD.EXE
    O4 - HKLM\..\RunServices: [WINGE.EXE] C:\WINDOWS\SYSTEM\WINGE.EXE
    O4 - HKLM\..\RunServices: [ADDBL32.EXE] C:\WINDOWS\SYSTEM\ADDBL32.EXE
    O4 - HKLM\..\RunServices: [CREE.EXE] C:\WINDOWS\SYSTEM\CREE.EXE
    O4 - HKLM\..\RunServices: [APILQ.EXE] C:\WINDOWS\SYSTEM\APILQ.EXE
    O4 - HKLM\..\RunServices: [APPLW32.EXE] C:\WINDOWS\APPLW32.EXE
    O4 - HKLM\..\RunServices: [MFCWJ32.EXE] C:\WINDOWS\MFCWJ32.EXE
    O4 - HKLM\..\RunServices: [MFCNG32.EXE] C:\WINDOWS\SYSTEM\MFCNG32.EXE
    O4 - HKLM\..\RunServices: [SDKTR32.EXE] C:\WINDOWS\SDKTR32.EXE
    O4 - HKLM\..\RunServices: [ADDTV32.EXE] C:\WINDOWS\SYSTEM\ADDTV32.EXE
    O4 - HKLM\..\RunServices: [APIXX32.EXE] C:\WINDOWS\APIXX32.EXE
    O4 - HKLM\..\RunServices: [NTAU.EXE] C:\WINDOWS\NTAU.EXE
    O4 - HKLM\..\RunServices: [NETIM.EXE] C:\WINDOWS\SYSTEM\NETIM.EXE
    O4 - HKLM\..\RunServices: [APIXH32.EXE] C:\WINDOWS\APIXH32.EXE
    O4 - HKLM\..\RunServices: [SYSBA.EXE] C:\WINDOWS\SYSTEM\SYSBA.EXE
    O4 - HKLM\..\RunServices: [D3FE.EXE] C:\WINDOWS\SYSTEM\D3FE.EXE



    If you found any more files like these while doing what I asked (looking for similar
    modification dates), delete them too (or you could even move them to a temporary folder
    like c:\junk if you're not sure whether the files are bad or good).


    Reset your Web settings again. Then set your home page to something useful like www.majorgeeks.com

    Now reboot in safe mode and run:
    Ad-aware and SpyBot S&D

    Reboot in normal mode.
     
  23. lapras53

    lapras53 Private E-2

    Okay, finished this step...

    I began arranging the c:\windows and c:\windows\system and c:\windows\system32 folders from date created like you said and I noticed that there were literally hundreds of *.exe, *.dll, *.dat files in each folder...

    so I just started deleting everything that fit that category

    I fixed the hijackthis log exactly as you instructed, all of this with my cable connection disconnected...

    When I restarted Windows in normal mode it said that there were files missing (whoops!), so it used a recent backup of the files to start again... I haven't hurt the CPU, have I? Will it be okay from here?

    When I turned my connection back on, I went to Add/Remove Programs and Home Search Assistant was gone! Does that mean the problem has been solved? If so, could you recommend downloads that would help prevent this type of thing from happening in the future? Firewalls, etc.?

    here is a scan i did after I finished everything:

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\BRAD'S STUFF\HIJACKTHIS\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmyrequest.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmyrequest.com/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmyrequest.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by P.D. Computers, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://searchmyrequest.com/hp.php
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-US\MSNTB.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.effingham.net
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38117.609212963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17a43ae170cc8b4d2905/netzip/RdxIE601.cab
     
  24. BadMojo

    BadMojo Private E-2

    Do we know what the root program's file name is? Do we know what web pages this is coming from? I would like to write a removal tool but can't seem to find any information on what the root program files are.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Root name constantly changes? One thing you need to look at is the name of the application in Network Security Service on XP and 2K systems. On Win9x systems it's a whole different ball game. It seems to use the typical Run, RunOnce, RunServices, and RunServicesOnce registry keys, but many of them wind up running with constantly mutating file names. The key is probably in the contents of the DLL filename you see in the R0 and R1 parameters of HijackThis logs. Also, the BHO DLL is key. But sometimes there are many BHOs too.
     
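The three tells chaslang points at in this reply, and which the fix list in post 22 is built from, turned into a log triage script. This is an added example, not part of the thread and not a HijackThis feature. It flags IE start/search pages served out of a DLL via res://, nameless BHOs in the Windows directories whose DLL is missing or carries a mutating-style name, and Run/RunServices entries launching such an EXE from the Windows directories. RANDOM_NAME is an assumption fitted only to the file names visible in this thread's logs (ADDBL32.EXE, APILQ.EXE, D3FE.EXE, JAVAED32.DLL and so on); it is a lead generator, not proof, and it also matches a few genuine Windows names such as WINMM.DLL, so each finding is for a human to confirm, for instance against the modification-date sweep. The sample lines are copied from the logs above, with a few clean entries kept in for contrast.

```python
"""Triage HijackThis R0/R1, O2 and O4 lines (added example, not from the thread).

Flags the three patterns discussed in the thread: res:// pages served from a
DLL, nameless BHOs in the Windows dirs with a missing or mutating-style DLL,
and Run/RunServices entries pointing at a mutating-style EXE there.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Assumption: short 'system-ish' prefix + two letters + optional 32, fitted to
# the names in this thread's logs.  Known false positives exist (WINMM.DLL).
RANDOM_NAME = re.compile(
    r"^(?:ADD|API|APP|ATL|CR|D3|IE|JAVA|MFC|MS|NET|NT|SDK|SYS|WIN)"
    r"[A-Z]{2}(?:32)?\.(?:EXE|DLL|DAT)$", re.IGNORECASE)
WINDOWS_DIRS = re.compile(r"^C:\\WINDOWS(?:\\SYSTEM(?:32)?)?\\", re.IGNORECASE)
RES_DLL = re.compile(r"res://(?:[A-Z]:\\[^/]*\\)?([A-Z0-9_]+\.DLL)/", re.IGNORECASE)
BHO = re.compile(
    r"^O2 - BHO: \((?P<name>[^)]*)\) - \{[0-9A-F-]+\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$", re.IGNORECASE)
RUN = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Services)?(?:Once)?: "
    r"\[(?P<key>[^\]]+)\] (?P<cmd>.+)$", re.IGNORECASE)


def looks_mutating(name):
    """True if a bare file name fits the mutating-name heuristic."""
    return RANDOM_NAME.match(name) is not None


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _target_of(cmd):
    """Executable path from a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text):
    """Return a Finding(line, reason) for each suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line[:2] in ("R0", "R1"):
            m = RES_DLL.search(line)
            if m:
                findings.append(Finding(line, "IE page served from a DLL resource: " + m.group(1)))
            continue
        m = BHO.match(line)
        if m:
            path, base = m.group("path"), _basename(m.group("path"))
            if (m.group("name").lower() == "no name" and WINDOWS_DIRS.match(path)
                    and (m.group("missing") or looks_mutating(base))):
                why = "missing DLL" if m.group("missing") else "mutating-style DLL name"
                findings.append(Finding(line, f"nameless BHO in Windows dir, {why}: {base}"))
            continue
        m = RUN.match(line)
        if m:
            path = _target_of(m.group("cmd"))
            base = _basename(path)
            if WINDOWS_DIRS.match(path) and looks_mutating(base):
                findings.append(Finding(line, "autorun of mutating-style EXE: " + base))
    return findings


def fix_list(log_text):
    """The lines to tick in HijackThis, one per finding."""
    return [f.line for f in triage(log_text)]


# Lines copied from the logs in this thread, plus clean ones for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qtdbo.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qtdbo.dll/sp.html#27859
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by P.D. Computers, Inc.
O2 - BHO: (no name) - {A8BFD3DC-9F9D-1255-4C88-0ABE6CF3DC96} - C:\WINDOWS\JAVAED32.DLL (file missing)
O2 - BHO: (no name) - {42627D9A-45AE-1F18-1F44-711C59336529} - C:\WINDOWS\SYSTEM\ADDCS32.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [ADDBL32.EXE] C:\WINDOWS\SYSTEM\ADDBL32.EXE
O4 - HKLM\..\RunServices: [NTAU.EXE] C:\WINDOWS\NTAU.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample it flags six lines (the two res:// pages, the JAVAED32 and ADDCS32 BHOs, and the ADDBL32 and NTAU autoruns) and leaves the Yahoo, Acrobat, QuickTime, modem driver and Messenger entries alone. The Windows-directory requirement is what keeps the "(file missing)" Yahoo Companion BHO in the post-cleanup log from being flagged: a stale entry under Program Files is a leftover, not a hijack.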
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah! You've got to be careful what you delete in those directories or you can really mess up Windows. Hopefully you got everything back okay.

    This looks promising. Log is clean! Hope it stays that way! To help keep it that way, I'll borrow some lines from my friend Xflat who so nicely wrote:

    How to protect yourself and things to have:
    Anti Virus
    http://majorgeeks.com/download1968.html Avast
    http://majorgeeks.com/download886.html AVG
    The top two, hands down. Beat the heck out of Norton or McAfee (garbage).
    Only run ONE AV!!!!!

    Firewall
    Don't care if you're on dial-up or high speed... you must have a firewall.
    http://majorgeeks.com/download738.html Kerio
    http://majorgeeks.com/download3356.html Sygate

    Temp File/Cookies/index.dat cleaner
    http://majorgeeks.com/download4191.html
    Let 'em follow themselves around.

    SpyWare Prevention. Notice I did not say scanner... yet.
    http://majorgeeks.com/download2859.html SpyWare Blaster...
    http://majorgeeks.com/download3045.html SpyWare Guard.....

    SpyWare Scanners/Removers
    http://majorgeeks.com/download2471.html SpyBot ( I don't activate the TeaTimer)
    http://majorgeeks.com/download506.html AdAware
     
  27. lapras53

    lapras53 Private E-2

    Thank you so much for your help

    I've been running Explorer for around two hours now and have had no pop-ups or home page changes... I really appreciate it.

    I'll be sure and get ahold of you if anything else pops up... I downloaded a firewall and SpyWare Blaster to go along with my Ad-aware and SpyBot downloads, so I don't anticipate any problems in the future, but you never know.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Make sure you use SpyBot's Immunize feature too.
     
