"Only the Best" pop-ups. Please help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by urS6, Jul 18, 2004.

  1. urS6

    urS6 Private E-2

    I have been trying to get rid of these "Only the best" pop-ups for the past few days. I have read many of the posts here, but I still can't get rid of them.

    I have run Ad-aware (just downloaded yesterday, so it should be up-to-date), CWShredder and HSRemove (ran it in Safe Mode)

    HSRemove seemed to work (it redirected my homepage and got rid of the pop-ups), but after a few hours, the pop-ups came back and the homepage went back to res://yoepr.dll/index.html#96676.

    A few of the posts mentioned disabling system-restore. I looked around, but I don't seem to have that function (I'm running Windows 2000 NT). The only thing that I found that was similar to System-restore was Last Known Good Configuration. I ran this from the setup menu (F8), but it didn't seem to change anything.

    Below are my two HijackThis logs. The first one is from right after running HSRemove in Safe Mode (no pop-ups). The second log is after the pop-ups started returning.

    Log #1 (no pop-ups in safe mode)

    Logfile of HijackThis v1.98.0
    Scan saved at 11:11:27 AM, on 7/18/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Documents and Settings\ccc\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {115E872C-0ABD-1DFA-3161-A30E4569D3C2} - C:\WINNT\sdkxx32.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
    O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Highlight - C:\WINNT\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
    O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\WEB\frm2new.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Zoom &In - C:\WINNT\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINNT\WEB\zoomout.htm
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll


    Log #2 (with pop-ups in regular mode)

    Logfile of HijackThis v1.98.0
    Scan saved at 11:36:59 AM, on 7/18/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\crjo.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
    C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINNT\System32\carpserv.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Navnt\navapw32.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINNT\netut.exe
    C:\Documents and Settings\ccc\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yoepr.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yoepr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yoepr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\yoepr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yoepr.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yoepr.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {115E872C-0ABD-1DFA-3161-A30E4569D3C2} - C:\WINNT\sdkxx32.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
    O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta
    O4 - HKLM\..\Run: [netut.exe] C:\WINNT\netut.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Highlight - C:\WINNT\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
    O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\WEB\frm2new.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Zoom &In - C:\WINNT\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINNT\WEB\zoomout.htm
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
     
  2. TheLastMessenger

    TheLastMessenger Private E-2


    You definitely have lots of stuff in your HJT logs...

    I would recommend going through these instructions first then repost a HJT log:

    Run TrendMicro and Panda online scans so we can see some of the thingys you got and then you can delete them:
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Showing hidden files; follow step by step:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Disable System Restore:
    http://www.pchell.com/virus/systemrestore.shtml
    Since you have 2000 you'll be booting in safe mode NOT using LastKnownGoodConfig
    http://www.cts.duq.edu/content_pages/students/s_virus/s_virus_xprestore.html

    Boot in safe mode: http://service1.symantec.com/SUPPOR...src=sec_doc_nam

    Try running AdAware in safe mode -- Make sure you have the latest UPDATES (Open, then press the Check for Updates button) and with the following settings:
    http://www.majorgeeks.com/download506.html
    Click on Start -- custom scanning options -- Customize.
    Check the following settings:
    Scan within archives
    Scan active processes
    Scan registry
    Deep scan registry
    Scan my IE Favorites for banned URL
    Scan my host-file
    Click on Tweak -- Select scanning engine and click on "Unload recognized processes during scanning"
    Select cleaning engine --click on "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"
    Then click "proceed" to save your settings.
    Click on Next then scan. Everything AdAware finds is safe to delete.

    Run SpyBot Search and Destroy --- Make sure you have the latest UPDATES (Open, then Search for Updates button)
    http://www.majorgeeks.com/download2471.html

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. You can also use crapcleaner to help you clear out some stuff: http://www.majorgeeks.com/download4191.html

    Reboot

    Enable System Restore

    Run HJT and POST log --- Make sure you have the latest UPDATES (Open, Config, then MiscTools, and Check for Updates Online)
    http://www.majorgeeks.com/download3155.html

    There are also many other programs here that are very useful
    http://forums.majorgeeks.com/index.php?
     
  3. TheLastMessenger

    TheLastMessenger Private E-2

  4. urS6

    urS6 Private E-2

    OK, I did everything you told me to do.

    Panda scan found some kind of Trojan virus, so I was able to delete that one, but I still have this "only the best" pop up problem.

    Any ideas?

    Here is my latest HJT log:

    Logfile of HijackThis v1.98.0
    Scan saved at 6:11:10 PM, on 7/20/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\crjo.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
    C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINNT\System32\carpserv.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINNT\netut.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Navnt\navapw32.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Documents and Settings\ccc\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yoepr.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yoepr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yoepr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\yoepr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yoepr.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yoepr.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {115E872C-0ABD-1DFA-3161-A30E4569D3C2} - C:\WINNT\sdkxx32.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
    O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta
    O4 - HKLM\..\Run: [netut.exe] C:\WINNT\netut.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Highlight - C:\WINNT\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
    O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\WEB\frm2new.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Zoom &In - C:\WINNT\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINNT\WEB\zoomout.htm
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    TheLastMessenger,

    Nice of you to pitch in here but a couple of notes:
    - Win2k does not have a system restore capability (only WinMe & WinXP)
    - neither Ad-aware nor SpyBot S&D will fix HSA/Only the Best hijacks. They do help with other stuff but they will not fix these problems.
    - HSremove and About:Buster are two useful tools in this area but they do not work perfectly either, as experienced by urS6 (and many others). You can get better results sometimes by following a specific set of steps. Sometimes multiple tries are needed and some slight variations in the steps too.

    Do some searches in this forum, you will see no shortage of threads where we have fixed these problems and there are many still being worked. My feeling is that the two types of hijacks (HSA and about:blank) have mutated or new ones were created that have become tougher to fix. The problems grow more difficult too as inadequate or incomplete fixes are attempted because that definitely causes mutation and re-spawning of many more processes and hidden files. Any of which can keep causing the problems to re-occur.

    Two important items to look for:
    - Network Security Service running (This is always bad). Most frequently associated with HSA
    - AppInit_DLLs with a particular path to a problem DLL (not all of these are bad either). Most frequently associated with about:blank

    Search AppInit_DLLs and Network Security Service too.
     
  6. TheLastMessenger

    TheLastMessenger Private E-2

    I realize 2K doesn't have restore except through LKGC... I have 2 links for restore.

    I knew adaware and spybot were probably not going to fix his problems but they are a necessity to run regardless and I like to prepare them to battle future spyware on their own... I thought he should get a2 then move on with some more processes... I know in the end it will probably be a search for a bogus DLL but I always hope otherwise. I won't overstep my bounds here because it seems I already have. You probably have a better way of doing things so I will step aside... just don't let his problems or this thread go to the wayside and I will read what you have mentioned.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not overstepping any bounds. You are doing just fine. You don't need to step aside. Any help in these problems is appreciated. My comments were not meant to be taken as anything but for educational purposes only and to guide you a little on this. There are several problems in the HijackThis log. Obviously the HSA problem stands out with these lines:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yoepr.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yoepr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yoepr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\yoepr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yoepr.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yoepr.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {115E872C-0ABD-1DFA-3161-A30E4569D3C2} - C:\WINNT\sdkxx32.dll

    The not so obvious lines are:
    C:\WINNT\system32\crjo.exe
    C:\WINNT\netut.exe
    O4 - HKLM\..\Run: [netut.exe] C:\WINNT\netut.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll

    The non-obvious items are also typically in files that are hidden from normal view and they are typically read-only files. This makes it more difficult to fix, but not impossible.
    The msopt.dll is going to be hidden in the registry and has to be deleted manually. Just fixing the HijackThis line will not work. After deleting the registry entry and fixing the HijackThis line and doing a reboot, you should be able to delete the file. My guess is that you will find the msopt.dll in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}\InprocServer32

    which will have to be deleted.

    The remaining pieces of the HSA problem (which has been increasingly difficult to remove lately) will also have to be fixed via a mix of manual procedures and using the HSremove program (possibly about:Buster too).

    I can continue here with directing this but perhaps you would like to try to work through this one. Leave a message here or PM me if you want some help. See some of those other threads I mentioned; you will get an idea of what types of procedures have been used.

    EDIT: For those wondering what LKGC is. It is Last Known Good Configuration. The system saves one each time you have a successful boot. Not much use in resolving these problems because you always boot successfully. So going back to the LKGC will not fix anything.
     
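As an added example (not a tool from this thread or from MajorGeeks), the following Python script turns chaslang's reading of the log above into mechanical checks: R0/R1 pages served out of a DLL via res://, a BHO with no name, a Run entry or process sitting directly in the Windows directory, and an O18 protocol handler DLL in the Windows root, for which it derives the CLSID\InprocServer32 key he says the DLL is registered under. The O20 AppInit_DLLs line format is assumed (the logs in this thread contain none), and the sample log is a constructed subset of the lines posted here.

```python
"""Triage a HijackThis log for the indicators discussed in this thread.

Added example, not a MajorGeeks or HijackThis tool. The rules encode what
chaslang points at; a hit is a prompt for a human reviewer, not a verdict.
The O20 AppInit_DLLs line format is assumed (none appears in the thread).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RES_DLL_RE = re.compile(r"res://\S*\.dll", re.I)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# A file directly in C:\WINNT or C:\WINDOWS rather than in a subfolder such as System32.
WIN_ROOT_RE = re.compile(r"^[A-Z]:\\(?:WINNT|WINDOWS)\\[^\\]+\.(?:exe|dll)$", re.I)
# First file path in a Run value: optional opening quote, then up to .exe/.dll/.hta.
TARGET_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|hta))', re.I)
KNOWN_ROOT_BINARIES = {"explorer.exe"}  # legitimately lives in the Windows root


@dataclass
class Finding:
    line: str
    reason: str
    registry_key: Optional[str] = None  # where the DLL is registered, when a CLSID is present


def inproc_key(clsid: str) -> str:
    """Key holding the server DLL path for a COM class (the key named in the thread)."""
    return "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + clsid + "\\InprocServer32"


def key_for(body: str) -> Optional[str]:
    m = CLSID_RE.search(body)
    return inproc_key(m.group(0)) if m else None


def run_target(body: str) -> str:
    """O4 body is 'HKLM\\..\\Run: [name] "C:\\path\\x.exe" args'; return just the path."""
    target = body.split("] ", 1)[-1].strip()
    m = TARGET_RE.match(target)
    return m.group("path") if m else target


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the "Running processes:" block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            name = line.rsplit("\\", 1)[-1].lower()
            if WIN_ROOT_RE.match(line) and name not in KNOWN_ROOT_BINARIES:
                findings.append(Finding(line, "process running from the Windows directory root"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and RES_DLL_RE.search(body):
            # O8 context-menu items legitimately use res:// (Google Toolbar), so only R lines count.
            findings.append(Finding(line, "IE start/search page served from a DLL via res://"))
        elif code == "O2" and "BHO: (no name)" in body:
            findings.append(Finding(line, "browser helper object with no name", key_for(body)))
        elif code == "O4" and WIN_ROOT_RE.match(run_target(body)):
            findings.append(Finding(line, "Run entry launching a file from the Windows directory root"))
        elif code == "O18" and WIN_ROOT_RE.match(body.rsplit(" - ", 1)[-1]):
            findings.append(Finding(line, "protocol handler served by a DLL in the Windows root", key_for(body)))
        elif code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(Finding(line, "AppInit_DLLs is populated; check the DLL path"))
    return findings


# Constructed sample: a subset of the lines from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\crjo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\netut.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yoepr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yoepr.dll/index.html#96676
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {115E872C-0ABD-1DFA-3161-A30E4569D3C2} - C:\WINNT\sdkxx32.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [netut.exe] C:\WINNT\netut.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}" + (f"\n    registered at: {f.registry_key}" if f.registry_key else ""))
```

On the sample the Windows-root rule flags wanmpsvc.exe alongside netut.exe, while crjo.exe in System32 passes untouched; that is exactly the gap chaslang fills by knowing the file names, so the output is a shortlist to review, not a removal list.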
  8. urS6

    urS6 Private E-2

    OK, basic question.....how do I delete the msopt.dll file from the registry? How do I access the registry?

    Is that the only file that I need to delete?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can use the Windows Registry Editor. Be careful what you are doing here. You must make absolutely sure you know what you are selecting and deleting. You can really break your PC by doing the wrong thing. Okay the warning is out of the way. Sometimes it is necessary for you to edit the registry, like now. But first download, install, and run Erunt to backup your registry first.

    Using the Windows Registry Editor:
    click Start, Run, and in the Open box type:
    regedit
    and click OK

    First you need to select Edit and then Find, to look for the items I was mentioning. Then first tell me what you get before editing/deleting. However, a better tool to use for this is Registrar Lite: http://www.majorgeeks.com/download469.html
    It makes copy & pasting of info into and out of the registry a lot easier. Searching is faster too. Try it out.
     
  10. TheLastMessenger

    TheLastMessenger Private E-2

    Sorry, had to step out for a day and a little... got kinda busy. Chaslang, thanks for the tips and I appreciate the direction and help.. I will keep working.
     
  11. urS6

    urS6 Private E-2

    OK, I used Registrar Lite and located msopt.dll.

    it is located here: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}\InprocServer32

    Should I delete it? If so, can you walk me through how to delete it?

    Thanks for your help.

    -Adam
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try downloading the latest HijackThis:
    and have it fix that O18 line with msopt.dll. Then run a new scan and see if it actually got deleted this time.

    Then reboot in safe mode and delete:
    C:\WINNT\msopt.dll
     
  13. urS6

    urS6 Private E-2

    It looks like msopt.dll is gone; I couldn't find it when I searched for it using my computer's search function.

    Also, I can't see it in the HijackThis file (below). I'm using version 1.98. Is there a newer version?

    However, I still have the spyware.


    Edit by chaslang: change log into an attachment
     

    Last edited by a moderator: Aug 1, 2004
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, there is a new version that just came out today. Get it here.

    By the way you are no longer allowed to put logs in your message as text. You must attach a text file log. See this: http://forums.majorgeeks.com/showthread.php?t=35407

    Delete the O18 line again. It did not work. If you had downloaded the correct HijackThis as I asked, you would not have had this problem.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please try using the step by step Generic Solution I just put up as a sticky.
    http://forums.majorgeeks.com/showthread.php?t=38772

    Let me know if you have any questions on using this. This has been my old faithful method in the past and I've updated the Generic Solution to make use of some new tools and new information. Yes it is long but I have had great success using this when all else has failed.
     
  16. hithere

    hithere Staff Sergeant

    Allow me to interrupt you guys for a sec... :)
    But I find the new HijackThis the same as the old one... :confused:
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, for some reason it has changed back. I need to find out why. I was starting to suspect a problem with it too because I was having some problems with getting things to fix with some users I'm working with. It could be a HijackThis problem or it could be something the users are doing.

    I have to figure out why the new version links to the old version now.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    FALSE ALARM!!! The correct 1.98.1 version is there. Perhaps we both need to clear out our cache (refresh). But it seems okay now to me. There are no known bugs in the 1.98.1 version.
     
  19. hithere

    hithere Staff Sergeant

    I downloaded again and it says version 1.98.0.1..... is that the new one?
     
  20. hithere

    hithere Staff Sergeant

    Hold on... it says version 1.98.1 on top...
     