Problems with Midaddle

If you have completed all the steps in READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Then you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

And then post a HijackThis log as a text document attachment to your message. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT

 

You have to save it to a .txt file instead of a .log file. .log file cannot be uploaded.

 

I did not say say it as a text file. The log file is always a text file. The filename extension must be .txt (that's DOT TXT) not .LOG. When you save with HijackThis change the save as type to All files *.* and then change the name from the default hijackthis.log to anything ending in .txt. For example hjt.txt Make sure you are not trying to upload hjt.txt.log that will not work.

 

No! I don't think she did. You can tell by looking at the HijackThis log. There is no evidence that the online scans were run. And there are a load of trojan type files in the log. Also the O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll line (for Coupon Deals), I would have expected that to get fixed. But maybe not.

Mariah, what else did you skip. You also did not follow directions for shutting down your browsers before scanning with HijackThis. You had two IE sessions open:
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

Also, next time, please name the log file properly. You have to put something in front of the period. Your file was call .txt[1]. Please name it something like hjtlog.txt or hjt1.txt. Each time you post a log, you will need to give it a new name. So using hjt1.txt then hjt2.txt (and so on) is a good example.

 

Is the below line a URL the you know and use:
http://findloss.com/home.html

 

You are supposed to run all steps of the tutorial (except as noted with the about:blank and HSA hijacker tools). Why didn't you run the online scans? And what do you mean Stinger did not work? Be specific.

Why didn't you run CCleaner?

 

Okay Mariah,

I'm going to try to get you started fixing this anyway. Please follow directions exactly and completely. I need you to do the below first before we do anything else with HijackThis.

Also, you have a bad file in the LSP chain. Download LSPFix (http://www.cexx.org/lspfix.htm) and run it.
Check the "I know what I am doing" box Click on cdlsp.dll on the left window and click on the
arrow pointing to the right. Click Finish and follow the prompts.

Now run Windows Explorer (click Start and select Explore). Locate and delete (if found):
c:\windows\system32\cdlsp.dll

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit ALL browser sessions including the one you are reading in right now:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://findloss.com/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://findloss.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vrqlexkwjpvmtqjwrck.com/PGw6jia1baC_fdcy91SbQfFlkDVvb24eKAS6FriwX9KjJr6AEOkgfokrxVL/Q_On.jsp
O2 - BHO: (no name) - {000B7009-B5AA-1927-3BC8-499C4E4B6A3C} - C:\PROGRA~1\INTERN~2\EXIT BAGS.exe
O2 - BHO: (no name) - {5BC885AF-2874-1D7F-6DF1-527A8A9EF2F0} - C:\PROGRA~1\INTERN~2\EXIT BAGS.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Dtck1376.exe
O4 - HKLM\..\Run: [info program] C:\PROGRA~1\CREATI~1\Trans Tray.exe
O4 - HKLM\..\Run: [pFsk3nh] aclc32.exe
O4 - HKLM\..\Run: [Wipe book bird delete] C:\Documents and Settings\All Users\Application Data\FIVEWINDOWWIPEBOOK\InfoLoud.exe
O4 - HKLM\..\Run: [Download Platform Fast Setup] C:\Documents and Settings\All Users\Application Data\PHONE CAKE DOWNLOAD PLATFORM\Armyknob.exe
O4 - HKCU\..\Run: [Yo3qRhN7S] forcconf.exe

Boot in safe mode and run Windows Explorer (click Start and select Explore). Locate and delete (if found):
C:\PROGRA~1\INTERN~2\EXIT BAGS.exe <--- note this is a shortened filename path. It is really something beginning with C:\Program Files\
C:\WINDOWS\System32\Dtck1376.exe
C:\PROGRA~1\CREATI~1\Trans Tray.exe <--- note this is a shortened filename path. It is really something beginning with C:\Program Files\
c:\windows\system32\aclc32.exe
c:\windows\system32\forcconf.exe
c:\windows\system32\cdlsp.dll <--- just in case it did not delete above.
C:\Documents and Settings\All Users\Application Data\FIVEWINDOWWIPEBOOK <--- delete the whole directory
C:\Documents and Settings\All Users\Application Data\PHONE CAKE DOWNLOAD PLATFORM <--- delete the whole directory

Reboot in normal mode and post a new HJT log attachment (hjtlog2.txt) and tell us how these steps went.

 

No! You did not run the online scans either. Please follow my steps below. You just missed them.

 

Well not completely! There's still these to fix. Unless you know that findloss.com is okay, I would fix those two lines. The R0 line definitely has to be fixed.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://findloss.com/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://findloss.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jgjwzuwmucuurivs.com/PGw6jia1baC_fdcy91SbQfFlkDVvb24eKAS6FriwX9L8Lp2TObwNBokrxVL/Q_On.jpg

Then post a new and hopefully final log.

 

Yes, and not only did the R0 line come back (morphed to something else) but the other items we cleaned up came back:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rhceenjursmusstfgpqkpvj.com/PGw6jia1baC_fdcy91SbQfFlkDVvb24eKAS6FriwX9IgdjI/sled4YkrxVL/Q_On.html
O2 - BHO: (no name) - {5BC885AF-2874-1D7F-6DF1-527A8A9EF2F0} - C:\PROGRA~1\INTERN~2\EXIT BAGS.exe
O4 - HKLM\..\Run: [info program] C:\PROGRA~1\CREATI~1\Trans Tray.exe
O4 - HKLM\..\Run: [Download Platform Fast Setup] C:\Documents and Settings\All Users\Application Data\PHONE CAKE DOWNLOAD PLATFORM\Tray Remote.exe

 

Yeah! They try to make it look like Internet Explorer.

Mariah, what is the real full directory name? This is a shortened (8 character file name).

 

Yes, you can repeat all the stuff I gave you last time in message #16

Make sure you get all the items in message #27.

Then post a new log.

 

iexplore.exe does not appear in your log. Where they actually opening still? Next time if you do not have any IE windows open do not attempt to close the iexplore.exe sessions.


Did you ever fix the below with HJT:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://findloss.com/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://findloss.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jgjwzuwmucuurivs.com/PGw6jia1baC_fdcy91SbQfFlkDVvb24eKAS6FriwX9L8Lp2TObwNBokrxVL/Q_On.jpg

 

Please do a file search on your PC for iexpIore.exe. Tell me where it is found.
Do the same for explorer32.exe .

 

Did you have Advanced search options enable so you search hidden and system files/folders?

Also search for explorer.exe!

 

That does not setup search options. It only sets up options for what Windows Explorer displays.

Click Start, Search, All Files and Folder, More advanced options! And under that you will see options to enable you to:
- Search system folders
- Search hidden files and folders
- Search subfolders

Make sure those three are selected. Then do your searches.

 

These attachments are not text files. What exactly did you attach?

 

Mariah,

Forget about seaching for explorer32.exe.

I need the fullpath. For example you gave:
C:\Documents and Settings\Adm

That would appear to be incomplete. It is probably something like
C:\Documents and Settings\Administrator\Local Settings and maybe more

I need fullpath for all lines above. Also make sure the filename being match is really explorer.exe and iexplore.exe

But just a note, there should be no instances of explorer.exe or iexplore.exe in any directory under C:\Documents and Settings

 

Shut down all applications and please delete all files in this directory

C:\Documents and settings\Administrator\local setting\temp

After this post a new HJT log and tell me what our outstanding problems are now.

 

Those Prefetch file are ok. But what I still need you to do is run the online scans you never ran.
Please go back to the tutorial and run them. Also download the latest update (today) of Stinger and try running it too. Run them in safe mode. If you have a problem running in safe mode, then run in normal boot mode. Tell me what results you get. If you get any error messages, tell me the exact message.

Also go to the Alternative Scans section of the READ ME and run A-squared.

 

These lines came back again. You need to repeat the procedure from message # 16 and only insert these lines as the rest are gone. If you need me to spell out the exact steps, let me know.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mwmkzwqjgzlyxippaybhmc.com/PGw6jia1baC_fdcy91SbQfFlkDVvb24eKAS6FriwX9Kt6wMhwXz42IkrxVL/Q_On.asp
O2 - BHO: (no name) - {5BC885AF-2874-1D7F-6DF1-527A8A9EF2F0} - C:\PROGRA~1\INTERN~2\EXIT BAGS.exe
O4 - HKLM\..\Run: [info program] C:\PROGRA~1\CREATI~1\Trans Tray.exe
O4 - HKLM\..\Run: [Download Platform Fast Setup] C:\Documents and Settings\All Users\Application Data\PHONE CAKE DOWNLOAD PLATFORM\flag vga.exe