search200 Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by scares, Jan 20, 2005.

  1. scares

    scares Private E-2

    I have numerous symptoms:
    - When I open IE, my homepage is always search200.com
    - and there is a toolbar at the top
    - and a toolbar at the bottom (which remains there even after IE is closed)
    - and sometimes (w/o opening IE) there are icons on my desktop (e.g., a small plane titled "Travel")

    I have read the thread "Basic Spyware, Trojan and Virus Removal" and done all the things suggested.

    In case any of this info helps:
    My OS is Windows ME.
    I have IE 6.0 (although I now only use Mozilla).
    My processor is an Intel Pentium III, 800 MHz.
    I have 125MB SDRAM.

    I have had these problems for a few months. Sometimes, after running some of the removal programs listed in the above mentioned thread, I think the problem is fixed. Unfortunately, the problems always come back. Any help would be appreciated.

    Note that I have read the thread "HJT Tutorial & LOG File Posting." I have not, however, downloaded Hijack This and do not know how to use it.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. scares

    scares Private E-2

    I ran HJT and, following the tutorial, discovered only one line--an R1 IE Start & Search Page--that was bad. I fixed it. (But there were some lines that I could not find info about; I left those alone.) B/f running HJT, I ran Adaware and Spybot. They didn't find anything. After fixing the line, I opened IE, but had the same problems. I ran Adaware and Spybot again. Each found something--the former found a data miner from Search200 and the latter found a "DSO Exploit." Here's my HJT log: (I had to save it as a .doc file to upload. Sorry.)
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post .doc files. Use either .log or .txt as I requested. There is no reason that it has to be uploaded as a .doc file. Also browsers must be closed before using HJT.

    If you are getting DSO Exploit messages from Spybot, you missed at least one step in the READ ME FIRST procedure.
     
    Last edited: Jan 23, 2005
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isuczilgmwciczkgmvqzphxw.com/VNfp5JW7_9cGheVPW2NhU6g2Lof6C6_q843pLfflchRj5quNeMLz6Gm_Ya9P/7w4.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realguide.real.com/redir/?cd=rpbrowserhome
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {F6DE0E22-36B4-40E6-B721-1A5E46937190} - (no file)
    O2 - BHO: (no name) - {67079121-3C26-0336-118D-D51BF641CDF4} - C:\WINDOWS\APPLICATION DATA\MULTI PART ROAM\OBJVC.EXE
    O4 - HKLM\..\Run: [list size pop gpl] C:\WINDOWS\All Users\Application Data\Byte rect list size\newwait.exe
    O4 - HKCU\..\Run: [LINK OWNS] C:\WINDOWS\APPLIC~1\STOPWA~1\Balm Intra 4.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/032bd690d0598a358521/netzip/RdxIE601.cab


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\APPLICATION DATA\MULTI PART ROAM\OBJVC.EXE
    C:\WINDOWS\All Users\Application Data\Byte rect list size\newwait.exe
    C:\WINDOWS\APPLICATION DATA\STOPWA~1\Balm Intra 4.exe


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  6. scares

    scares Private E-2

    My OS is Windows ME. When I hit CTRL+ALT+DEL, I get a list of programs. I can "end task" or "shut down." There is not, however, a Processes tab.

    Also, what processes should I end--i.e., what will they be called?

    I did fix the lines mentioned. If it helps, here's my new HJT log.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was my cut and paste mistake. You had no processes to kill anyway.

    You look all clean now. How are things working?
     
  8. scares

    scares Private E-2

    Still have same problem. Ran HJT again and found some things that I deleted b/f. Also, my Mozilla homepage seems to have been hijacked (which wasn't happening b/f). Here's my most recent HJT log:
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to repeat this again! It is very important that you follow this direction! All browsers must ALWAYS be shutdown before running HijackThis. If you do not do this, you will make it difficult to fix your problem. In your current log, you had:

    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    Having these open can make it impossible to fix lines using HijackThis.

    You also must provide feedback on any instructions I give. Like whether they work or don't work. Like deleting files. I noted some items I asked you to fix last time are still in your HJT log and still on your computer.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\ALL USERS\APPLICATION DATA\BYTE RECT LIST SIZE\EACH BEND.EXE

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vczbbfspax.com/VNfp5JW7_9cGheVPW2NhU6g2Lof6C6_q843pLfflchQpXcH8LpH0t2m_Ya9P/7w4.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogkewcexajfu.com/VNfp5JW7_9cJNmd_9OeYR/WamGoNAzY2OOug0wHVuoQ.htm
    O2 - BHO: (no name) - {67079121-3C26-0336-118D-D51BF641CDF4} - C:\WINDOWS\APPLICATION DATA\MULTI PART ROAM\OBJVC.EXE
    O4 - HKLM\..\Run:[list size pop gpl] C:\WINDOWS\All Users\Application Data\Byte rect list size\Itch Hold.exe
    O4 - HKCU\..\Run: [LINK OWNS] C:\WINDOWS\APPLIC~1\STOPWA~1\Balm Intra 4.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\ALL USERS\APPLICATION DATA\BYTE RECT LIST SIZE\EACH BEND.EXE
    C:\WINDOWS\APPLICATION DATA\MULTI PART ROAM\OBJVC.EXE
    C:\WINDOWS\All Users\Application Data\Byte rect list size\Itch Hold.exe
    C:\WINDOWS\APPLICATION DATA\STOPWA~1\Balm Intra 4.exe

    I don't know what the full path is to the STOPWA~1 folder. That is a shortened name. You will have to figure that out yourself. You must let me know if you cannot find any of these files or if you find them and cannot delete them.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  10. scares

    scares Private E-2

    I apologize. I must not be understanding.

    I printed your instructions. I then turned off my cpu and removed the wireless card. I turned my cpu back on. I opened HJT and ran a log. This is all that I did. Nonetheless, these lines were still in my log:

    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    These are the exact steps that I took. I did NOT open a browser. Can I still run HJT successfully? I did not want to go any further w/ your instructions for fear that I would compound the problem. I am earnestly trying to follow your advice, but must not be understanding something. Should I just end these processes via HJT like you said for
    C:\WINDOWS\ALL USERS\APPLICATION DATA\BYTE RECT LIST SIZE\EACH BEND.EXE
     
  11. scares

    scares Private E-2

    One more thing. I ran the HJT process mngr and this

    C:\WINDOWS\ALL USERS\APPLICATION DATA\BYTE RECT LIST SIZE\EACH BEND.EXE

    was not running.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It appears like you have something that runs IE on its own. Yes, kill those processes and do the rest of the steps I gave you. Then post a new log! Do not shut down or reboot after posting your log. I have a feeling things are mutating each time.
     
  13. scares

    scares Private E-2

    I cannot end these processes:

    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    When I try to kill one, another pops up. Should I run HJT anyways?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You must have some form of malware that is running these on you! Post a new HJT log and do not reboot or shutdown. If you do the names of files and processes could change making my instructions useless.
     
  15. scares

    scares Private E-2

    Here is my latest HJT log. I have not tried to fix the lines you mentioned b/f. I will not turn my cpu off until further instructions.
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Now print these instructions or save them locally because, starting with the next step and through to the end where I tell you to post a new log, YOU MUST be physically disconnected from the internet (unplug your cable) and have no browsers (that you ran) running.

    Okay shut down all browsers (this one too) and physically disconnect from the internet NOW!

    Now reboot into safe mode!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eidgqrkungkgyb.com/VNfp5JW7_9cGheVPW2NhU6g2Lof6C6_q843pLfflchTmpb6p57Hm7nm_Ya9P/7w4.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogkewcexajfu.com/VNfp5JW7_9cJNmd_9OeYR/WamGoNAzY2OOug0wHVuoQ.htm
    O2 - BHO: (no name) - {67079121-3C26-0336-118D-D51BF641CDF4} - C:\WINDOWS\APPLICATION DATA\MULTI PART ROAM\OBJVC.EXE
    O4 - HKLM\..\Run:[list size pop gpl] C:\WINDOWS\All Users\Application Data\Byte rect list size\Itch Hold.exe
    O4 - HKCU\..\Run: [LINK OWNS] C:\WINDOWS\APPLIC~1\STOPWA~1\Balm Intra 4.exe

    After clicking Fix, exit HJT. (Tell me if any of the lines were not there or look different. By now you should be able to tell the good from the bad and choose which to fix if their names changed.)

    Now use Windows Explorer to delete:
    C:\WINDOWS\APPLICATION DATA\MULTI PART ROAM\OBJVC.EXE
    C:\WINDOWS\All Users\Application Data\Byte rect list size\Itch Hold.exe
    C:\WINDOWS\APPLICATION DATA\STOPWA~1\Balm Intra 4.exe

    I don't know what the full path is to the STOPWA~1 folder. That is a shortened name. You will have to figure that out yourself. You must let me know if you cannot find any of these files or if you find them and cannot delete them. If you get an error when deleting a file, try right-clicking on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Empty your Recycle Bin now

    Now reboot in normal mode, save a new HJT log, reconnect to the internet and post the new HJT log. And tell us how things are working.
     
    Last edited: Jan 29, 2005
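The R0/R1, O2, O4 and O16 lines chaslang singles out here and in his earlier reply (post 5) follow a few recognisable patterns: browser start and search pages pointing at hosts the user never chose, a BHO with no file on disk or loaded from a folder under Application Data, Run entries launching executables from those same user data folders, and an ActiveX download (DPF) from an outside host. The following Python script is an added example written for this thread; it is not HijackThis code and not part of the original posts. It parses HJT-style lines into entries and flags those patterns so the fix list and the files to delete in safe mode can be derived mechanically. The sample log is constructed from entries quoted in the thread (URL paths shortened) plus one benign ScanRegistry entry; the `expected_hosts` allowlist and the flagging rules are assumptions of this example, not anything HijackThis itself does.

```python
"""Flag HijackThis-style log lines matching the patterns discussed in the thread.

Added example for this thread; not HijackThis code and not from the original posts.
The sample log is constructed from entries quoted in the thread plus one benign
(constructed) ScanRegistry entry; the flagging rules below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
from urllib.parse import urlparse

# Constructed sample: lines quoted in the thread, plus one normal Win9x/Me Run entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isuczilgmwciczkgmvqzphxw.com/VNfp5JW7/7w4.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realguide.real.com/redir/?cd=rpbrowserhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F6DE0E22-36B4-40E6-B721-1A5E46937190} - (no file)
O2 - BHO: (no name) - {67079121-3C26-0336-118D-D51BF641CDF4} - C:\WINDOWS\APPLICATION DATA\MULTI PART ROAM\OBJVC.EXE
O4 - HKLM\..\Run: [list size pop gpl] C:\WINDOWS\All Users\Application Data\Byte rect list size\newwait.exe
O4 - HKCU\..\Run: [LINK OWNS] C:\WINDOWS\APPLIC~1\STOPWA~1\Balm Intra 4.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/032bd690d0598a358521/netzip/RdxIE601.cab
"""

R_LINE = re.compile(r"^(R[01]) - (HK(?:LM|CU)\\[^,]+),([^=]+?) =\s*(.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run:\s*\[(.*?)\] (.+)$")
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.+?)\) - (.+)$")
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")
USER_DATA_DIRS = ("APPLICATION DATA", "APPLIC~1")  # long and 8.3 forms seen in the thread


@dataclass
class Entry:
    kind: str            # HJT section: R0, R1, R3, O2, O4, O16, ...
    raw: str
    target: str          # URL, file path or command line, "" when empty
    reasons: List[str]   # empty when nothing looked wrong

    @property
    def local_path(self) -> Optional[str]:
        """The on-disk file an entry points at, if it is a drive-letter path."""
        return self.target if LOCAL_PATH.match(self.target) else None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def in_user_data_dir(path: str) -> bool:
    upper = path.upper()
    return any(d in upper for d in USER_DATA_DIRS)


def analyse_line(line: str, expected_hosts: FrozenSet[str]) -> Optional[Entry]:
    """Classify one HJT line; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    reasons: List[str] = []
    m = R_LINE.match(line)
    if m:
        kind, _key, setting, value = m.groups()
        if not value:
            reasons.append(f"{setting} is empty; Fix resets it to the default")
        elif host_of(value) not in expected_hosts:
            reasons.append(f"{setting} points at unexpected host {host_of(value)}")
        return Entry(kind, line, value, reasons)
    if line.startswith("R3 - ") and "missing" in line:
        return Entry("R3", line, "", ["default URLSearchHook missing; Fix restores it"])
    m = O2_LINE.match(line)
    if m:
        name, _clsid, path = m.groups()
        if name == "(no name)":
            reasons.append("unnamed BHO")
        if path == "(no file)":
            reasons.append("orphaned BHO registration (no file on disk)")
        elif in_user_data_dir(path):
            reasons.append("BHO loaded from a per-user data folder")
        return Entry("O2", line, "" if path == "(no file)" else path, reasons)
    m = O4_LINE.match(line)
    if m:
        hive, label, cmd = m.groups()
        if in_user_data_dir(cmd):
            reasons.append(f"{hive} Run entry [{label}] launches from a per-user data folder")
        return Entry("O4", line, cmd, reasons)
    m = O16_LINE.match(line)
    if m:
        _clsid, name, url = m.groups()
        if host_of(url) not in expected_hosts:
            reasons.append(f"ActiveX download ({name}) from unexpected host {host_of(url)}")
        return Entry("O16", line, url, reasons)
    return Entry(line.split(" - ", 1)[0], line, "", [])  # sections this example does not score


def parse_log(text: str, expected_hosts: FrozenSet[str] = frozenset()) -> List[Entry]:
    entries = (analyse_line(l, frozenset(expected_hosts)) for l in text.splitlines())
    return [e for e in entries if e is not None]


def suspicious(text: str, expected_hosts: FrozenSet[str] = frozenset()) -> List[Entry]:
    """Entries to select in HJT before clicking Fix."""
    return [e for e in parse_log(text, expected_hosts) if e.reasons]


def files_to_remove(entries: List[Entry]) -> List[str]:
    """Files the flagged entries point at; these are deleted in safe mode after Fix."""
    return sorted({e.local_path for e in entries if e.reasons and e.local_path})


if __name__ == "__main__":
    flagged = suspicious(SAMPLE_LOG)
    for e in flagged:
        print(e.raw, "\n   ->", "; ".join(e.reasons))
    print("\nDelete in safe mode:", *files_to_remove(flagged), sep="\n  ")
```

With an empty allowlist every R0/R1 and O16 line is reported, which is why the thread's advice depends on the helper knowing which start page the user actually set; passing the hosts the user recognises as `expected_hosts` narrows the list to the entries with no legitimate explanation. The "(no file)" BHO and the URL entries produce no deletion candidates, matching the thread, where only the three executables under Application Data were deleted by hand.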
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If my previous message's procedure still did not remove those bad items, please do the following:

    - download ProcessExplorer from: ProcessExplorer for Win 9x/Me
    - Unzip it to its own folder. I recommend c:\SysInternals because they have a lot of useful tools that can be downloaded and this is a good place to keep them.

    Let's configure some options in Process Explorer:
    Run it and click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    Now click on File and then Save As. And save the process list. Post it back here as an attachment. Also, from now on if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager cannot.
     
  18. scares

    scares Private E-2

    I ran HJT in safe mode. The lines looked the same and were still there. I fixed them. I rescanned and they were gone. I went into Windows Explorer and deleted the following files:

    C:\WINDOWS\APPLICATION DATA\MULTI PART ROAM\OBJVC.EXE
    C:\WINDOWS\APPLICATION DATA\STOPWA~1\Balm Intra 4.exe

    You had previously mentioned to delete this

    C:\WINDOWS\ALL USERS\APPLICATION DATA\BYTE RECT LIST SIZE\EACH BEND.EXE

    So, I deleted it. The following file was not there:

    C:\WINDOWS\All Users\Application Data\Byte rect list size\Itch Hold.exe

    (NOTE: There are a bunch of other files in C:\WINDOWS\APPLICATION DATA\STOPWARNBAGS and C:\WINDOWS\ALL USERS\APPLICATION DATA\BYTE RECT LIST SIZE that I did not delete. There was nothing left in C:\WINDOWS\APPLICATION DATA\MULTI PART ROAM.)

    I opened IE and things seem to be ok. In the meantime, I won't reboot or do anything else.

    Here are my latest logs from HJT and the Process Explorer:
     

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should go back and delete the below folders (if found) and anything in them:

    C:\WINDOWS\APPLICATION DATA\STOPWARNBAGS
    C:\WINDOWS\ALL USERS\APPLICATION DATA\BYTE RECT LIST SIZE
    C:\WINDOWS\APPLICATION DATA\MULTI PART ROAM

    Your log was clean.
     
  20. scares

    scares Private E-2

    I rebooted and ran HJT. The same problem files were there again. So, I rebooted in safe mode, fixed them, and deleted the folders mentioned below via Windows Explorer. Now everything is ok. I've rebooted and the problem files no longer show up in my HJT log. I've also opened up IE and it seems to be running normally. Thanks for all your help.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Would you like to post a fresh log to confirm you're clean?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you empty your Recycle Bin too and it may be a good idea to post a new HJT log as BJ suggested.
     
  23. scares

    scares Private E-2

    Everything seems ok. Here's my latest HJT log:
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
