Requested hijack log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Kate, Sep 20, 2004.

  1. Kate

    Kate Private E-2

    M.A.,
    This is the log file you asked me to post.
    Whether we get this thing fixed or not I just
    want to say thank you for all your time trying :)

    Kate
     

  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    My pleasure :)

    Ok, let's remove some stuff. Uninstall WinTools & WeatherBug for now before starting this. Better yet, go to Add\Remove Programs and uninstall anything relating to weather, porn, casinos, shopping that you do not recognize. If any of the 016 lines look familiar, please leave them. I notice some things like VPN that you probably use and some game sites that are fine, but just check the 016's before you delete. WOW, this is my toughest logfile yet, I will probably have Chaslang come in for backup here. Please read my notes at the bottom. Again, close your browser and everything else running first. Let us know how it goes.

    C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
    C:\WINDOWS\IETY.EXE
    C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
    C:\WINDOWS\WINVM.EXE
    C:\WINDOWS\RUNDLL32.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\adndj.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\adndj.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\adndj.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\adndj.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\adndj.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {D1925125-6350-05C5-9A71-85A9722D9F11} - C:\WINDOWS\SYSTEM\ADDOX32.DLL
    O4 - HKLM\..\Run: [Real-Tens] "C:\Program Files\Real-Tens\Real-Tens.exe" /H
    O4 - HKLM\..\Run: [WINVM.EXE] C:\WINDOWS\WINVM.EXE
    O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.EXE 1
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
    O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
    O4 - HKLM\..\RunServices: [IETY.EXE] C:\WINDOWS\IETY.EXE
    O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
    O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmtrans.html
    O9 - Extra button: FlashKeeper - {86301D40-94C1-4a5e-843B-7F43965E364A} - C:\Program Files\FlashKeeper\GetFlash.htm (file missing)
    O9 - Extra button: Dell Home - {63D9F689-FA15-4ECF-91BC-C4D0734E14EA} - http://business.dellnet.com/ (file missing) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/77.cab
    O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://www.escorcher.com/webtwo/download.exe
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
    O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1015_EN.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
    O19 - User stylesheet: (file missing)

    Ok, our problem besides just a ton of crap here is that you were unable to scan. I need you to run the tutorial after this, rebooting into safe mode. If you can't do it all, fine, but I have important areas you can not miss. CCleaner, Ad-Aware, Stinger AND a virus scan all from safe mode. Do everything you can, hopefully anything that did not work now will. Don't be frustrated if it's not all good yet, your computer is a real mess, there's going to be crap still around.
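As an added illustration of how the helpers read a log like the one above (this is not code from the thread, from MajorGeeks, or from HijackThis itself): a small Python script that parses HijackThis-style lines by their section prefix and applies the same triage heuristics used in this thread, namely R1 search/start pages redirected into a local res:// DLL, the about:blank default page, a missing URLSearchHook, a BHO with only a placeholder name, autostarts that live directly in the Windows directory, orphaned "(file missing)" / "(no file)" entries, and O16 ActiveX downloads from hosts the user has not vetted. The sample lines are copied from Kate's log; the KNOWN_DPF_HOSTS allowlist is an assumption standing in for the user's own judgement about the 016 lines.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, including two benign ones so the rules have something to skip.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\adndj.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D1925125-6350-05C5-9A71-85A9722D9F11} - C:\WINDOWS\SYSTEM\ADDOX32.DLL
O4 - HKLM\..\Run: [WINVM.EXE] C:\WINDOWS\WINVM.EXE
O4 - HKLM\..\RunServices: [IETY.EXE] C:\WINDOWS\IETY.EXE
O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.EXE 1
O9 - Extra button: FlashKeeper - {86301D40-94C1-4a5e-843B-7F43965E364A} - C:\Program Files\FlashKeeper\GetFlash.htm (file missing)
O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/77.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path in an entry; stops at whitespace, so paths with
# spaces yield only their first component (enough for the Windows-dir test).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")

# Assumed allowlist: hosts the user has recognised as legitimate. In the
# thread the helper asks the poster to vet the O16 hosts herself.
KNOWN_DPF_HOSTS = {"www.installengine.com"}


def parse(log_text):
    """Yield (section, body) for every HijackThis-style line in the log."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage_line(section, body):
    """Return a short reason if the entry looks suspicious, else None.

    These rules encode what the helpers in the thread look for; they are
    review heuristics for a human, not a verdict.
    """
    if section in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value.lower().startswith("res://"):
            return "IE search/start page points into a local DLL resource (res://)"
        if value == "about:blank":
            return "about:blank default page (classic about:blank hijack sign)"
        return None
    if section == "R3" and "missing" in body:
        return "default URLSearchHook removed; usually a hijacker side effect"
    if section == "O2":
        name = body.split(" - ")[0].removeprefix("BHO: ")
        if name in ("Class", "(no name)"):
            return "BHO with a placeholder name; legitimate BHOs are named"
        return None
    if section == "O4":
        m = PATH_RE.search(body)
        if m:
            parent = m.group(0).rsplit("\\", 1)[0].upper()
            if parent in ("C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM"):
                return "autostart from the Windows directory rather than an installed program folder"
        return None
    if section in ("O9", "O18", "O19"):
        if "(file missing)" in body or "(no file)" in body:
            return "orphaned entry (target file gone); safe to fix"
        return None
    if section == "O16":
        for url in re.findall(r"https?://\S+", body):
            host = urlparse(url).hostname or ""
            if host not in KNOWN_DPF_HOSTS:
                return f"ActiveX download from unvetted host {host}"
        return None
    return None


def triage(log_text):
    """Return a list of (section, reason, body) for every flagged line."""
    findings = []
    for section, body in parse(log_text):
        reason = triage_line(section, body)
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Run as-is it flags ten of the thirteen sample lines and leaves the empty R0 CustomizeSearch value, the WeatherBug autostart under Program Files, and the InstallShield O16 entry alone; extend KNOWN_DPF_HOSTS with whatever the user actually recognises before trusting the O16 verdicts.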
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Agreed MA! And there is an about:blank and/or HSA hijack embedded in there that will most likely not go away during this either.

    So Kate, make sure you do run About:Buster in hopes that it may alleviate some about:blank issues (at least some of the file may clean up). Save the logs from About:Buster and post them back here as attachments too.
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Ok, thanks for the back-up, it was much longer than usual, more problems = more chances for mistakes and wanted to get this right for her. You rock.
     
  5. Kate

    Kate Private E-2

    Hi M.A....
    Ok I will uninstall wintools but don't I need that for windows?
    all the 016's I do not recognize, in fact many things in the add/remove I don't know where they came from. I wish I had paid better attention to what was on here when I first bought it
    so I knew what I needed and what I did not. Many things just seem to appear sometimes over night...like favorite folders but they always have a - after them...and programs that try to install without me going to that website or wanting to install...Every time
    I turn around there are these porn dialers and now I even get porn email...I hit the unsubscribe thing at the bottom but it never does...and I swear after doing that I have only gotten more.
    I tried blocking them but they just keep coming with different user names ugh! well enough of that...I will do as you say...
    I am not sure if zone alarm or norton will let me close them when I run the log again but I will try, I did not close them when I ran the first log.

    Kate
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just complete the steps MA gave you before worrying about anything else. Wintools is not part of Windows. It is spyware. Don't assume something is safe (or bad for that matter) just by reading a name.
     
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Look for "Wintools" in Add/Remove programs

    016's, delete them as above with everything else I specified.

    NEVER, EVER use an unsubscribe email link. You just told the spammers it's a good email address and your mail will now be sold in bulk email lists. Expect more spam :(

    Make sure your browser and other things are closed, let me know how it goes.
     
  8. Kate

    Kate Private E-2

    OMG I can not believe all the junk on here...I deleted a bunch of stuff...and some stuff will NOT uninstall like weather bug...
    but the stuff below with no comments after it...do you know if I need it to run the computer?

    Batch assistant
    BMSE dbl
    Data compiler
    EE
    FlashKeeper 2.10
    FWN Toolbar
    IE help
    IEC system
    Home search Assistant
    Indexing function
    InetDctr
    Re-Volt Demo
    SBM OS
    SE assistant
    SE help
    Search Extender~ won't uninstall
    Search assistant~ won't uninstall
    search assistant-my search~ won't uninstall
    search assistant-my web search~ won't uninstall
    Search function
    Search OS
    Shopping wizard~ can't find file to uninstall
    URL IE APP ....is this the internet?
    Weatherbug ~ will not uninstall
    Weather Bug Browser companion ~ will not uninstall
    Web savings from Ebates~ will not uninstall

    here's something weird...I go to delete "monster Truck Madness 2 trial" and it asks...are you sure you want to remove Windows ME from your computer and restore the default? OMG what is that??
     
  9. Kate

    Kate Private E-2

    Okay M.A. but where do I go to delete the 016's?
     
  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    In the HijackThis log file above, "remove all those 016's" refers to the section at the bottom.

    I would get to Windows if you removed everything in that and rescan to see if you can get Ad-Aware, etc to remove any traces of these stubborn programs. The Monster Truck Madness thing has me stumped.

    So, remove all those lines, scan again from safe mode and tell me where we're at.
     
  11. Kate

    Kate Private E-2

    Okay they're gone, I will go into safe mode and run the other programs, scan and repost =)
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MA & Kate,

    I was right about the HSA hijack being embedded as one of your problems. See the below. They are all part of an HSA hijack. It would be best to clean everything else up first and save this for last as it is typically more difficult to fix when other problems are also present.

    Home search Assistant
    Search Extender~ won't uninstall
    Search assistant~ won't uninstall
    Shopping wizard~ can't find file to uninstall
     
  13. Kate

    Kate Private E-2

    M.A & Chaslang
    okay here are the logs....I still get the explorer error
    had to get on using RealOne again...
    I said it before as I will continue to say it
    thank you both so much for your time and effort
    I realize my pc and myself are a pain in the @#%!
    Oh and I could not connect to the internet to scan in safe mode so I scanned with my norton...It did not come up with anything but thats why it took so long especially in safe mode...
    There were a few things I was afraid to remove in spybot
    as I posted before
    egroup
    Roings
    ICOO loader
    DSO (the info said it was an IE weakness so I thought it might be one of my IE updates...make sense?)
    the others when I opened them and saw their paths they looked like they might be important...let me know what you think or tomorrow maybe I should scan it again and actually write down the paths and post it so you can see what I am seeing....

    Kate
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to let SpyBot fix those items. And you need to get your updates from Microsoft. Are you using a high-speed connection or dial-up?

    There is work to do in your log especially on the HSA hijack but first run SpyBot and fix what it finds.
    Then do the below:

    Make sure you have updated to Ad-Aware SE 1.05. And double check for Reference updates. Now also make sure you have the VX2 Cleaner plugin for Ad-Aware SE installed. Print these instructions or save them locally because you need to be offline the rest of the way through and do not open any browser windows until told to.
    1. Reboot into safe mode without networking support
    2. Disable your Anti Virus (hmmm looks like you don't have one. You need to get one.)
    3. Open Adaware SE and click Scan now and then select Scan volume for ADS. Click the underlined word 'Select' and put a check mark on your C drive ( C:\ ) and uncheck the Search for negligible risk entries. Now perform the scan.
    4. Save the log to log1.txt
    5. Check any objects found and quarantine them
    6. Now using Ad-Aware SE again choose 'Perform a full scan' and have it fix what it finds.
    7. Now in Ad-Aware SE click Add-ons, and double click the VX2 Cleaner to run it. If anything is found, clean it.
    8. Shut down Ad-Aware
    9. Run HijackThis and have it fix the below lines
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE /remove
    O9 - Extra button: Dell Home - {63D9F689-FA15-4ECF-91BC-C4D0734E14EA} - http://business.dellnet.com/ (file missing) (HKCU)
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
    O19 - User stylesheet: (file missing)

    10. Re-enable your virus scanner and perform a full scan. Make note of anything found (save exact names). In your case you need to download one (like Avast) after finishing these steps and install and run it.
    11. Reboot normal mode (still do not open any browsers)
    12. Run Ad-Aware SE again choose 'Perform a full scan' fix anything found.
    13. Run HijackThis and save a new log
    14. Come back here and post all the Ad-Aware log and the HJT log (as text attachments)

    Note: I have not started working on items related to the HSA hijack yet that appear in your log.
     
  15. Kate

    Kate Private E-2

    Ok I will let spybot take care of them...just didn't know if it would remove anything good with the bad...so I was being careful...
    I have a high speed connection not dial up, and anti~virus
    I use Norton System Works...it is due to expire in a few weeks...when I ran the last log I did it in safe mode because the norton runs in the background and so does the zone alarm firewall when I am in normal mode...
    when I start in safe mode the system tray is empty so I figured that meant they weren't running behind the scenes in safe mode, but I am only guessing I really have no idea. I did a full scan last night in safe mode before I used anything else using the Norton...
    the scan came up clean. I have been having a problem with Norton...it will not defrag or complete the scan using NDD (norton disk doc) it gets only so far in the defrag and says windows is re-writing to the disk and keeps doing that over and over...using the NDD it only gets to history and then tells me there is a file name that is too long...I empty the history and I still get the same error...maybe it's time for a change in virus software...
    well off I go be back in a while to post the logs...
    I did/do update in microsoft...I was thinking that was one of the updates spybot wanted to remove...DSO Exploit
    when you expand the line it gives microsoft addy and said it was a software weakness...
    Thanks Chaslang :)

    Kate
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I gave you a lot more steps to run. You need to complete all of them sequentially. So go back to my previous message and work thru all the steps.

    Do not post HijackThis logs from safe mode unless we request them that way. Many problems may only show during normal boot.
     
  17. Kate

    Kate Private E-2

    okay I keep getting booted :(
    I did everything but when I got to the end of the list to run Ad-Aware in normal mode it found cool web search 11 of them...it would not complete the delete I tried it 2 more times with no luck...I swear this thing knows I am trying to get rid of it!!!!!
    I will post my logs or try to before getting the boot again...

    Kate
     

    Attached Files:

  18. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Since you're getting booted, I will give you the lines to remove, try and virus scan online, you have not done that I assume because you're getting knocked offline :( Check Add\Remove Programs as well for anything like shopping, search, casinos and look for Real-Tens especially.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\adndj.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\adndj.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,135,00.html
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {149E0B62-F53C-DC8F-8A0A-C09F8001C3BE} - C:\WINDOWS\SYSTEM\WINBC32.DLL
    O4 - HKLM\..\Run: [Real-Tens] "C:\Program Files\Real-Tens\Real-Tens.exe" /H
    O4 - HKLM\..\RunServices: [IETY.EXE] C:\WINDOWS\IETY.EXE
    O9 - Extra button: FlashKeeper - {86301D40-94C1-4a5e-843B-7F43965E364A} - C:\Program Files\FlashKeeper\GetFlash.htm (file missing)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MA, There's some more in there.

    O4 - HKLM\..\Run: [WINVM.EXE] C:\WINDOWS\WINVM.EXE

    I'm not absolutely positive about this SMARTSMS.DLL but I don't like the looks of it.
    O9 - Extra button: SMS - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\SYSTEM\SMARTSMS.DLL
    O9 - Extra 'Tools' menuitem: SMS versenden... - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\SYSTEM\SMARTSMS.DLL
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
    O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab


    The problem here though is that C:\WINDOWS\WINVM.EXE and the R0, R1, O2, & O4 lines you gave are part of the HSA hijack and are going to come back mutated. We need to find a StreamingDeviceSetup. (It hides a DLL sort of like AppInit_DLLs did for Win 2K & XP).

    Kate, here is what you need to do:
    I want you to download the following two programs
    Win98Fix - http://www10.brinkster.com/expl0ite...last/pvtool.htm
    StartDreck - http://members.blackbox.net/hp_link.../startdreck.htm

    Unzip them to a place where you can find them later to run. We are only going to run StartDreck right now.

    This step is very important - you need to be completely disconnected from the internet (physically disconnecting the line to your analog modem or ethernet cable from your computer is best way to be positive).
    What we are going to try to do is identify the hidden file that is causing the problem. So now we are ready.

    - Run StartDreck.exe
    - Click on: Config
    - Click on: Unmark all
    - Check only the following boxes:
    - Registry | run keys
    - System/drivers | Running processes
    - Click on OK

    Post the log of results AS A TEXT ATTACHMENT.
     
  20. Kate

    Kate Private E-2

    Okay I ran the startdreck program...here is the log...

    Kate
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this is an unusual one. You do not have the StreamingDeviceSetup that I was expecting. So let's do the following, some of which MA and I had already requested. I don't think you did them yet. Also I hope your log has not changed (these hijackers often change on the fly after reboots).

    Okay! Make sure system restore is disabled and viewing of hidden files is enabled.

    Make sure you have download About:Buster: http://www.majorgeeks.com/download4289.html
    Just extract it to a folder and run it and do the update but do not scan yet. Just shut it down after updating.

    You need to print the directions below or save them locally because I need you to shutdown all browsers (IE, FireFox, etc) and do not run them again until told to. Also, you MUST physically disconnect from the Internet. Unplug your analog modem or ethernet cable (for ADSL or Cable modem) from your PC to guarantee there is no access to your PC.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them (tell me if you have any problems doing this):
    WINVM.EXE
    IETY.EXE

    Now we are going to use notepad to erase the contents of the C:\WINDOWS\adndj.dll file shown in the R1 lines of your HijackThis log. To do this click Start, Run, and enter the following command "notepad C:\WINDOWS\adndj.dll" (without the quotes) and click OK.

    Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file C:\WINDOWS\adndj.dll and right click on it and select Properties and change the attributes to Read Only and click OK. Let me know how this all proceeds.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\adndj.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\adndj.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/v5/home/0,1793,135,00.html
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {149E0B62-F53C-DC8F-8A0A-C09F8001C3BE} - C:\WINDOWS\SYSTEM\WINBC32.DLL
    O4 - HKLM\..\Run: [Real-Tens] "C:\Program Files\Real-Tens\Real-Tens.exe" /H
    O4 - HKLM\..\RunServices: [IETY.EXE] C:\WINDOWS\IETY.EXE
    O4 - HKLM\..\Run: [WINVM.EXE] C:\WINDOWS\WINVM.EXE
    O9 - Extra button: FlashKeeper - {86301D40-94C1-4a5e-843B-7F43965E364A} - C:\Program Files\FlashKeeper\GetFlash.htm (file missing)
    O9 - Extra button: SMS - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\SYSTEM\SMARTSMS.DLL
    O9 - Extra 'Tools' menuitem: SMS versenden... - {F08E1604-39FA-48b0-AE59-DF5BCD1646FA} - C:\WINDOWS\SYSTEM\SMARTSMS.DLL
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v5.cab
    O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab

    Run About:Buster and save the log to ablog1.txt

    Now boot in safe mode and use Windows Explorer to delete:
    C:\WINDOWS\adndj.dll
    C:\WINDOWS\SYSTEM\WINBC32.DLL and look for C:\WINDOWS\SYSTEM\WINBC32.EXE or C:\WINDOWS\SYSTEM\WINBC32.DAT and delete too
    C:\WINDOWS\IETY.EXE and look for C:\WINDOWS\IETY.DAT or C:\WINDOWS\IETY.DLL and delete too
    C:\WINDOWS\WINVM.EXE and look for C:\WINDOWS\WINVM.DAT or C:\WINDOWS\WINVM.DLL and delete too
    C:\Program Files\Real-Tens <---- the whole directory

    Reset Web Settings by clicking Start, Control Panel (for some systems it may be Start, Settings, Control Panel) and select Internet Options. Then click Programs and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you like (i.e., www.majorgeeks.com). Click Apply. Now click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run About:Buster again and save the log to ablog2.txt

    Now reboot in normal mode with your internet connection plugged in and come back here and tell me how everything above went. Also post the two About:Buster logs as attachments. Then open & close a few Windows Explorer sessions. And then get a new HijackThis log and post it.
     
  22. Kate

    Kate Private E-2

    Chaslang,
    I opened the task Mgr and quit WINVM (none of the programs have .exe after them) it quit fine nothing weird happened, there was no IETY.EXE or IETY to quit on.
    I went into run and did the notepad thing but a box came up "can not find c:\windows\adndj.dll" do you want to create a new file...I said no
    I ran hijack this and deleted what you said and will post both buster logs...
    when I rebooted in normal...the control panel popped up
    on start up and when I click on my IE icon I still get
    explorer caused an error in <unknown> so I am here via real player again...
    I am not sure what you mean by opening a few windows explorer sessions tho...so I guess I will just open and close the program up a few times and do a new hijack log.
    Kate
     

    Attached Files:

  23. Kate

    Kate Private E-2

    here is my hijack log...its weird because I deleted the
    first 2 items...the BHO thingy and the missing search hook
    but it's still there :rolleyes: is that because I was in safe mode when I did it??

    Kate
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I forgot you are using WinMe. Task Manager in WinMe did not show the .exe. It probably would be a good idea to use ProcessExplorer instead. I gave that link in the Generic Solution thread but here it is anyway. http://www.sysinternals.com/files/procexp9x.zip

    Extract it someplace you can find it and use it from now on instead of Task Manager. It will show the .exe and will show many things that Task Manager will not. Also it does a better job ending processes.

    The reason you could not find c:\windows\adndj.dll is probably because the hijacker has already mutated. You need to stop rebooting or shutting down your computer after posting a HijackThis log so the directions I supply will still be correct. You still have signs of the hijacker in your log. So get ProcessExplorer ready to go and post a new HijackThis log. Do not edit or fix anything on your own. Wait for me. Also, you must not shut down or reboot your computer after posting your log. You can disconnect your internet connection and shut off your monitor but do not shutdown the CPU.

    Also double check to make sure you still have viewing of hidden files enabled. You have to be able to locate the DLL that we need to edit (later). If that does not work (i.e., you cannot find the file), the fix will not work. In some cases it may be necessary to locate the file using Windows Explorer and to right click on it and change its attributes so that it is not hidden and not a system file.

    And make sure you have your system restore disabled too.
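Chaslang's point that the hijacker "mutates" between reboots (adndj.dll was already gone, and the BHO slot kept coming back with a new CLSID and a new file name) is easier to see when two logs are compared slot by slot rather than line by line: the registry key or entry name stays the same while the value it points at changes. The Python below is an added example, not from the thread or from any tool mentioned in it; the three log excerpts are constructed from lines quoted at different points in this thread, and the split into a stable "slot" and a rewritable "value" is my own heuristic.

```python
import re

# Constructed excerpts of three successive logs from this thread, reduced to
# the lines that matter for the comparison.
LOG_FIRST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\adndj.dll/sp.html#96676
O2 - BHO: Class - {D1925125-6350-05C5-9A71-85A9722D9F11} - C:\WINDOWS\SYSTEM\ADDOX32.DLL
O4 - HKLM\..\Run: [WINVM.EXE] C:\WINDOWS\WINVM.EXE
O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.EXE 1
"""
LOG_SECOND = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\adndj.dll/sp.html#96676
O2 - BHO: Class - {149E0B62-F53C-DC8F-8A0A-C09F8001C3BE} - C:\WINDOWS\SYSTEM\WINBC32.DLL
O4 - HKLM\..\Run: [WINVM.EXE] C:\WINDOWS\WINVM.EXE
"""
LOG_THIRD = r"""
O2 - BHO: Class - {8A21261B-1D1C-3E80-0116-95C04A8233EA} - C:\WINDOWS\APIWJ32.DLL
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def slot_and_value(section, body):
    """Split an entry into the part that stays put (slot) and the part a
    hijacker rewrites on each reboot (value).

    R lines: registry key vs. the URL it holds.
    O4 lines: hive/key/[entry name] vs. the command.
    Other O lines: the display name vs. CLSID and path.
    """
    if section.startswith("R"):
        key, _, value = body.partition("=")
        return f"{section}:{key.strip()}", value.strip()
    if section == "O4":
        m = re.match(r"(.*?\]) (.*)", body)
        if m:
            return f"{section}:{m.group(1)}", m.group(2)
    head, _, tail = body.partition(" - ")
    return f"{section}:{head}", tail


def index(log_text):
    """Map slot -> value for every parseable line in a log."""
    entries = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            slot, value = slot_and_value(m.group("section"), m.group("body"))
            entries[slot] = value
    return entries


def compare(old_text, new_text):
    """Classify each slot as unchanged, mutated (same slot, new value),
    gone (fixed or removed) or new (appeared since the last log)."""
    old, new = index(old_text), index(new_text)
    report = {"mutated": [], "unchanged": [], "gone": [], "new": []}
    for slot, value in new.items():
        if slot not in old:
            report["new"].append(slot)
        elif old[slot] != value:
            report["mutated"].append((slot, old[slot], value))
        else:
            report["unchanged"].append(slot)
    report["gone"] = [slot for slot in old if slot not in new]
    return report


if __name__ == "__main__":
    for label, a, b in (("first -> second", LOG_FIRST, LOG_SECOND),
                        ("second -> third", LOG_SECOND, LOG_THIRD)):
        print(label)
        for slot, before, after in compare(a, b)["mutated"]:
            print(f"  MUTATED {slot}\n    was: {before}\n    now: {after}")
        for slot in compare(a, b)["gone"]:
            print(f"  gone    {slot}")
```

Between the first and second log the BHO slot is reported as mutated (ADDOX32.DLL to WINBC32.DLL under a different CLSID) while the R1 and WINVM.EXE entries are unchanged and the WeatherBug autostart is simply gone; between the second and third only the BHO slot survives, again with a new file. A "mutated" slot is the signal that fixing the visible line alone will not hold, which is why the thread moves on to locating and neutralising the file behind it.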
     
  25. Kate

    Kate Private E-2

    okay settings are still at "show hidden files" and system restore is checked to disable...this is my newest log...
    I will not shut down, I will only turn off the cable box.

    Kate
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! Right now a full blown infection does not seem to exist. So I'm not sure we can do a full fix. So let's just try the following.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {8A21261B-1D1C-3E80-0116-95C04A8233EA} - C:\WINDOWS\APIWJ32.DLL

    Then boot in safe mode and locate the below file and delete it:
    C:\WINDOWS\APIWJ32.DLL

    Make sure you find this file. Let me know if you run into a problem locating this and deleting it.

    Run About:Buster and save the log to ablog3.txt

    Reset Web Settings by clicking Start, Control Panel (for some systems it may be Start, Settings, Control Panel) and select Internet Options. Then click Programs and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you like (i.e., www.majorgeeks.com).

    Now reboot in normal mode. Open & close a few Internet Explorer sessions. Then reboot again.
    Now get a new HJT log and post it here along with the ablog3.txt file (as attachments).
     
  27. Kate

    Kate Private E-2

    I did everything except I could not find the file C:\windows\apiwj32.dll...I did a search in windows explorer...I explored...still no luck...
    BUT my shortcut for IE works...so far NO errors
    I can't believe it! thank you thank you so much!!!
    wooohooo! you guys are awesome!!!!

    here are my new logs

    Kate
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! You look clean now!
     
  29. Kate

    Kate Private E-2

    I did get one error again...but I am not too worried....especially if I am clean...again thank you Chaslang and M.A. you guys are the best!!!...I have one last question...with all the new toys I now have in my arsenal...when do I use them? daily, weekly...or only when I have problems?

    Have a great nite!

    Kate
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome but what error did you get?

    You only need to run HJT when requested. But you should run a scan with Ad-Aware SE & SpyBot S&D at least once a month. More frequently if you do lots of surfing. It would not hurt to run CCleaner at the same time too. But you may want to configure it to not clean certain cookies that you want to save.
     
  31. Kate

    Kate Private E-2

    I got the "explorer has caused an error in <unknown>
    explorer will now close". It has not happened since...of course now that I have said that...it will...lol

    thank you...I will run once ~ 2 times a month

    Kate
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Safe surfing!
     
