Search200 Is Driving Me Crazy

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by spaziz, Jul 1, 2004.

  1. spaziz

    spaziz Private E-2

    I think I know what I am doing now. I am confused about how to get rid of this.
    I have run HijackThis, fixed the things I could, saved the log, and then I ran Spybot, Ad-aware and CWShredder, and nothing is working. I am in need of some help.
    Here's my log:
    Logfile of HijackThis v1.97.7
    Scan saved at 12:12:00 PM, on 6/30/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
    C:\WINNT\system32\rundll32.exe
    C:\PROGRA~1\DVDABO~1\Maillocks.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\twbaut.exe
    C:\WINNT\system32\ASSAPIR.exe
    C:\WINNT\system32\iz15f.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
    O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {643626BE-7930-CD87-14A8-A4B3EEBCC776} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: The software phone - {55894567-9396-3F4C-7F29-DAE5D96F4A14} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
    O4 - HKLM\..\Run: [mags lite] C:\PROGRA~1\DVDABO~1\Maillocks.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iwfgsekqd] C:\WINNT\system32\twbaut.exe
    O4 - HKLM\..\Run: [ASSAPIR] C:\WINNT\system32\ASSAPIR.exe
    O4 - HKLM\..\Run: [iz15f] C:\WINNT\system32\iz15f.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37623.4684259259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. spaziz

    spaziz Private E-2

     
  4. spaziz

    spaziz Private E-2

    I did that but it only works temporarily. It goes back to Search200 as soon as I go to the Internet.... I ran Ad-aware and Spybot and CWShredder but nothing is helping.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have the ClearSearch hijacker. Let's try Spy Sweeper to remove this (manual removal of ClearSearch can be difficult). Are your Symantec virus definitions up to date? They imply that they fix this. See this link: http://securityresponse.symantec.com/avcenter/venc/data/adware.clearsearch.html

    Please download the free version of Spy Sweeper from here: http://www.majorgeeks.com/download3263.html

    Install it and do the one-time free update. Then scan your system and have it clean what it finds.
    If that does not work or has a problem, scan again after booting in safe mode. Here is how to boot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    Select the plus sign by Windows 2000 to expand the info.

    See this info on ClearSearch from the SpySweeper people:
    - http://www.spysweeper.com/remove-clearsearch.html

    There are more things in your log to fix but let's see if we can fix ClearSearch first.
    After doing this tell me your results and post a new log.
     
  6. spaziz

    spaziz Private E-2

    OK, I ran Spy Sweeper and I ran it in safe mode. Here's my log:
    Logfile of HijackThis v1.97.7
    Scan saved at 4:01:24 PM, on 7/6/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
    C:\PROGRA~1\DVDABO~1\Maillocks.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\twbaut.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {643626BE-7930-CD87-14A8-A4B3EEBCC776} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: The software phone - {55894567-9396-3F4C-7F29-DAE5D96F4A14} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [mags lite] C:\PROGRA~1\DVDABO~1\Maillocks.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iwfgsekqd] C:\WINNT\system32\twbaut.exe
    O4 - HKLM\..\Run: [epeersi] C:\WINNT\system32\epeersi.exe
    O4 - HKLM\..\Run: [fallsfreemsw] C:\WINNT\system32\fallsfreemsw.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37623.4684259259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  7. spaziz

    spaziz Private E-2

    I want to say thanks for all of your time in this..... I am learning a whole lot. I did everything you said to do, but nothing.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ???? but nothing ????

    Did you run SpySweeper in regular mode and in safe mode? Is this the 3.0 version of SpySweeper?

    The ClearSearch stuff looks gone to me!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way, you need to update HijackThis: http://www.majorgeeks.com/download3155.html

    And where did these come from:
    O4 - HKLM\..\Run: [epeersi] C:\WINNT\system32\epeersi.exe
    O4 - HKLM\..\Run: [fallsfreemsw] C:\WINNT\system32\fallsfreemsw.exe
     
  10. spaziz

    spaziz Private E-2

    Yes, I think it's working. I do not see the Search200 and I also don't have my home page hijacked, but I still have this annoying toolbar on the top.
    It's blue: Search, Norton, Internet Explorer, AOL Search, Microsoft Office, Internet.
    But I think we did it. Thanks, Chas.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Maybe this line is the problem:
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain

    Looks like that is from BrowserAid:
    http://www.pestpatrol.com/pestinfo/b/browseraid.asp

    See if you can follow along with their info on removing it. You won't necessarily see everything they show.

    Again I still wonder (and I'm adding one more) what these are:
    O4 - HKLM\..\Run: [iwfgsekqd] C:\WINNT\system32\twbaut.exe
    O4 - HKLM\..\Run: [epeersi] C:\WINNT\system32\epeersi.exe
    O4 - HKLM\..\Run: [fallsfreemsw] C:\WINNT\system32\fallsfreemsw.exe

    Also have HijackThis (get the new version) fix these:
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
     
  12. spaziz

    spaziz Private E-2

    OK, I fixed what I could and I am continuing to use Spy Sweeper. Wish me luck. It's getting better, but I still see 200 once in a while and I have to change my start-up page in Tools.. Chas, thanks for everything.
     
  13. spaziz

    spaziz Private E-2

    I forgot the log, sorry.
    Logfile of HijackThis v1.97.7
    Scan saved at 11:59:39 AM, on 7/7/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
    C:\PROGRA~1\DVDABO~1\Maillocks.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\twbaut.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\system32\ernoncei.exe
    C:\WINNT\system32\etups.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detnews.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detnews.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {643626BE-7930-CD87-14A8-A4B3EEBCC776} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: The software phone - {55894567-9396-3F4C-7F29-DAE5D96F4A14} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [mags lite] C:\PROGRA~1\DVDABO~1\Maillocks.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ernoncei] C:\WINNT\system32\ernoncei.exe
    O4 - HKLM\..\Run: [etups] C:\WINNT\system32\etups.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37623.4684259259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it changes your home page again, do not change it back. First run a HijackThis log so I can see what it is changing to. If SpySweeper is protecting your home page, then just tell it you want to allow the home page change.


    By the way, you need to get the current HijackThis. You are out of date. Get it here: http://www.majorgeeks.com/download3155.html

    Some of the EXE files I was concerned about in your previous logs are mutating. Now you have:
    C:\WINNT\system32\twbaut.exe <--- Same as before
    C:\WINNT\system32\ernoncei.exe <--- New Name
    C:\WINNT\system32\etups.exe <--- New Name

    I want you to run this: http://www.memorywatcher.com/uninst.exe
    Then run this online scan and make sure you select Auto Clean: http://housecall.trendmicro.com/housecall/start_corp.asp


    Check Task Manager to see if you can find any of the three EXE files mentioned above running. (You bring up Task Manager by hitting CTRL-ALT-DEL, select Task Manager, then click on Processes.) If you find any of them, click on it then click the End Process button. (Let me know if you did see them.)

    Now we need to unregister some DLL files. The method used to do this is by clicking Start and then Run. In the Open box enter the following commands (one at a time; you will repeat this for each one):

    regsvr32 /u C:\WINNT\System32\stlbupdt.DLL
    regsvr32 /u C:\WINNT\System\stlbupdt.DLL
    regsvr32 /u C:\WINNT\System32\broweraidtoolbar.dll
    regsvr32 /u C:\WINNT\System\broweraidtoolbar.dll

    Note: for the last three above you may get an error saying they are not found. I'm just double checking to make sure they are not there.


    Now run HijackThis and have it fix these lines:
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [ernoncei] C:\WINNT\system32\ernoncei.exe
    O4 - HKLM\..\Run: [etups] C:\WINNT\system32\etups.exe


    Reboot in safe mode. Here is how to do that:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Then delete the following directories if found:
    c:\Program Files\browser pal
    c:\Program Files\letssearch

    I don't quite know how your system is provisioned or your user login names, so I guess a little on these next ones. You'll have to try to find them and delete them if found:
    c:\Documents and Settings\administrator\Application Data\browser pal
    c:\Documents and Settings\All Users\Application Data\browser pal
    c:\Documents and Settings\All Users.WINNT\Application Data\browser pal
    c:\Documents and Settings\username\Application Data\browser pal

    replace username with actual user login name (or names)

    Now delete these files:

    C:\WINNT\System32\stlbupdt.dll
    C:\WINNT\system32\twbaut.exe
    C:\WINNT\system32\ernoncei.exe
    C:\WINNT\system32\etups.exe


    Reboot in normal mode and let me know how things are working. Also post (using the new HijackThis) a new log.
     
    Last edited: Jul 7, 2004
  15. spaziz

    spaziz Private E-2

    Sorry it took so long to respond... I can't load the new HijackThis. It's a zip and I can't open it.... Still having a problem. Here's my log; see if this helps.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:16:46 PM, on 7/12/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
    C:\PROGRA~1\DVDABO~1\Maillocks.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\system32\scriptj.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\mintfd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detnews.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {643626BE-7930-CD87-14A8-A4B3EEBCC776} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: The software phone - {55894567-9396-3F4C-7F29-DAE5D96F4A14} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [mags lite] C:\PROGRA~1\DVDABO~1\Maillocks.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [scriptj] C:\WINNT\system32\scriptj.exe
    O4 - HKLM\..\Run: [mintfd] C:\WINNT\system32\mintfd.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37623.4684259259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  16. spaziz

    spaziz Private E-2

    I did everything you said and here's my new log:
    Logfile of HijackThis v1.97.7
    Scan saved at 3:38:21 PM, on 7/12/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
    C:\PROGRA~1\DVDABO~1\Maillocks.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\system32\scriptj.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\mintfd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\Program Files\Real\RealOne Player\RealPlay.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detnews.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {643626BE-7930-CD87-14A8-A4B3EEBCC776} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: The software phone - {55894567-9396-3F4C-7F29-DAE5D96F4A14} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [mags lite] C:\PROGRA~1\DVDABO~1\Maillocks.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [scriptj] C:\WINNT\system32\scriptj.exe
    O4 - HKLM\..\Run: [mintfd] C:\WINNT\system32\mintfd.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37623.4684259259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to use the new HijackThis. Get WinZip and install it: http://www.majorgeeks.com/download525.html
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First a few important facts. You must shut down (not minimize, actually stop them) all unnecessary applications before running HijackThis, especially browsers like IE. Look at these items from your log. All should be shut down.

    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Real\RealOne Player\RealPlay.exe

    You had 3 browser sessions open, 1 WinWord open, and RealPlay running. Having browsers open is the biggest problem. It can prevent certain HijackThis fixes from working.

    Now to continue with your problem. It has morphed again, either you are not deleting the files correctly or it is changing at each boot. You need to let me know if you find the exact items I tell you to fix each time. Something is allowing these to keep showing up.

    See the two new lines below which have now replaced some previous lines.
    C:\WINNT\system32\scriptj.exe
    C:\WINNT\system32\mintfd.exe
    Here are the two associated lines in HijackThis where they load:
    O4 - HKLM\..\Run: [scriptj] C:\WINNT\system32\scriptj.exe
    O4 - HKLM\..\Run: [mintfd] C:\WINNT\system32\mintfd.exe

    Run Task Manager (CTRL-ALT-DEL) and kill those two processes (tell me if you cannot find them).
    Then fix the two O4 HijackThis lines.
    Now reboot in safe mode and delete (tell me if you do not find them):
    C:\WINNT\system32\scriptj.exe
    C:\WINNT\system32\mintfd.exe

    Do you have any idea what the below applications are:
    O2 - BHO: (no name) - {643626BE-7930-CD87-14A8-A4B3EEBCC776} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O3 - Toolbar: The software phone - {55894567-9396-3F4C-7F29-DAE5D96F4A14} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O4 - HKLM\..\Run: [mags lite] C:\PROGRA~1\DVDABO~1\Maillocks.exe
     
  19. spaziz

    spaziz Private E-2

    I installed the new HijackThis. Couldn't find the O4 C:\WINNT\system32 scriptj.exe or mintfd.exe.

    I have no idea on the below applications; there were three:

    O2 BHO (no name)
    O3 Toolbar setupcurb.dll
    O4 HKLM Maillocks.exe
    New log:
    Logfile of HijackThis v1.98.0
    Scan saved at 10:38:39 AM, on 7/13/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
    C:\PROGRA~1\DVDABO~1\Maillocks.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\system32\iskcopyd.exe
    C:\WINNT\system32\swstr10m.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\wuauclt.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\WINNT\system32\rundll32.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: rulemessbone - {643626BE-7930-CD87-14A8-A4B3EEBCC776} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: The software phone - {55894567-9396-3F4C-7F29-DAE5D96F4A14} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [mags lite] C:\PROGRA~1\DVDABO~1\Maillocks.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [swstr10m] C:\WINNT\system32\swstr10m.exe
    O4 - HKLM\..\Run: [iskcopyd] C:\WINNT\system32\iskcopyd.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because they mutated to new names after your last reboot. You are going to have to leave your PC running without rebooting and wait for a post back from me telling you what to reboot. They are now:

    O4 - HKLM\..\Run: [swstr10m] C:\WINNT\system32\swstr10m.exe
    O4 - HKLM\..\Run: [iskcopyd] C:\WINNT\system32\iskcopyd.exe


    BUT first you need to follow directions. In my last post I said:

    "First a few important facts. You must shut down (not minimize, actually stop them) all unnecessary applications before running HijackThis, especially browsers like IE. Look at these items from your log. All should be shut down."

    Notice you are running WinExplorer and WinZip. Why?
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe

    Also answer my previous questions:
    Do you have any idea what the below applications are:
    O2 - BHO: (no name) - {643626BE-7930-CD87-14A8-A4B3EEBCC776} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O3 - Toolbar: The software phone - {55894567-9396-3F4C-7F29-DAE5D96F4A14} - C:\PROGRA~1\COALSE~1\setupcurb.dll
    O4 - HKLM\..\Run: [mags lite] C:\PROGRA~1\DVDABO~1\Maillocks.exe
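The pattern chaslang points out in posts 18 and 20, a loader that comes back under a fresh random name in system32 after every reboot, is easiest to see by diffing consecutive HijackThis logs rather than reading any one of them. The Python below is an added example, not code from the thread or from HijackThis; the two log fragments are constructed from O3/O4 lines quoted across this thread, and the "bare .exe directly in system32" heuristic for a mutating loader is this example's own assumption.

```python
"""Diff the O4 autorun entries of two HijackThis logs and flag renamed loaders.

Added example (not from the thread). The log fragments are constructed from
O3/O4 lines quoted in the thread; the "bare .exe directly in system32"
heuristic for a mutating loader is this example's own assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# "O3 - Toolbar: ... - {CLSID} - (no file)": a toolbar CLSID whose DLL is already gone
O3_ORPHAN_RE = re.compile(r"^O3 - Toolbar: .* - \{(?P<clsid>[0-9A-Fa-f-]+)\} - \(no file\)$")
# Heuristic: an executable sitting directly in system32 with a plain alphanumeric name
SYS32_EXE_RE = re.compile(r"^c:\\winnt\\system32\\[a-z0-9]+\.exe$")


@dataclass(frozen=True)
class Autorun:
    hive: str   # HKLM / HKCU
    key: str    # Run / RunServices / ...
    name: str   # registry value name, e.g. "scriptj" or a CLSID
    image: str  # lower-cased path of what actually gets loaded


def _image_of(cmd: str) -> str:
    """Extract the loaded file from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "C:\Program Files\...\x.exe" /arg
        return cmd[1:cmd.index('"', 1)].lower()
    tokens = cmd.split()
    if tokens[0].lower() == "rundll32.exe" and len(tokens) > 1:
        # rundll32.exe C:\...\some.DLL,EntryPoint -> the DLL is the real payload
        return tokens[1].split(",")[0].lower()
    return tokens[0].lower()


def parse_autoruns(log: str) -> set[Autorun]:
    found = set()
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            found.add(Autorun(m["hive"], m["key"], m["name"], _image_of(m["cmd"])))
    return found


def orphaned_toolbars(log: str) -> set[str]:
    """CLSIDs of O3 toolbar entries whose file HijackThis reports as missing."""
    clsids = set()
    for line in log.splitlines():
        m = O3_ORPHAN_RE.match(line.strip())
        if m:
            clsids.add(m["clsid"].upper())
    return clsids


def diff_autoruns(old_log: str, new_log: str) -> tuple[set[Autorun], set[Autorun]]:
    """Return (added, removed) autorun entries between two scans."""
    old, new = parse_autoruns(old_log), parse_autoruns(new_log)
    return new - old, old - new


def mutating_loaders(old_log: str, new_log: str) -> tuple[list[str], list[str]]:
    """system32 executables that vanished and appeared between scans.

    Entries vanishing and fresh ones appearing at the same time is the thread's
    pattern: the same hijacker re-registered under a new random filename at reboot.
    """
    added, removed = diff_autoruns(old_log, new_log)
    gone = sorted(e.image for e in removed if SYS32_EXE_RE.match(e.image))
    fresh = sorted(e.image for e in added if SYS32_EXE_RE.match(e.image))
    return gone, fresh


def report(old_log: str, new_log: str) -> str:
    added, removed = diff_autoruns(old_log, new_log)
    out = [f"- gone: [{e.name}] {e.image}" for e in sorted(removed, key=lambda e: e.image)]
    out += [f"+ new : [{e.name}] {e.image}" for e in sorted(added, key=lambda e: e.image)]
    gone, fresh = mutating_loaders(old_log, new_log)
    if gone and fresh:
        out.append(f"! {len(gone)} system32 loader(s) vanished and {len(fresh)} appeared: "
                   "likely the same hijacker under new names; end the process, fix the O4 "
                   "line, then delete the file in safe mode")
    out += [f"? orphaned toolbar CLSID {c} (no file): let HijackThis fix it"
            for c in sorted(orphaned_toolbars(new_log))]
    return "\n".join(out)


# Constructed from O3/O4 lines quoted in the thread (earlier vs later scan); not full logs.
LOG_BEFORE = r"""
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [scriptj] C:\WINNT\system32\scriptj.exe
O4 - HKLM\..\Run: [mintfd] C:\WINNT\system32\mintfd.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [swstr10m] C:\WINNT\system32\swstr10m.exe
O4 - HKLM\..\Run: [iskcopyd] C:\WINNT\system32\iskcopyd.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

if __name__ == "__main__":
    print(report(LOG_BEFORE, LOG_AFTER))
```

Entries present in both scans (ccApp, SpySweeper) drop out of the report, which is the point: a stable entry with a meaningful vendor path is rarely the problem, while a bare system32 name that exists in only one scan is.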
     
