Internet HELP!!!

After receiving enough pop ups and system crashes to last a lifetime, I rebooted my entire system to start over. Things went great for six days, and on the seventh, my internet decided to take on a mind of its own.

I keep Yahoo! as my start up page, but now every time I log on I get a page (and pop-ups) that state res://vlogu.dll/index.html#96676. I have tried to simply reset Yahoo! as my start up, but this link above has now entered in as my default page and it resets itself every 30 seconds or so after I eliminate it.

I have run Ad-aware, Spybot, and Spyblocs, but they say everything's clear. Can anyone help me?????

Dazed and confused,
Nick

Comments

  • shwaipshwaip bluffin' with my muffin Icrontian
    edited July 2004
    that's the latest cws infection. please download and run hijackthis, available from the first link in my sig.
  • edited July 2004
    Thank you for the heads up. I did what you told me to, and Hijack This came up with the log below. Any suggestions on which one of these should be removed? Any help would be greatly appreciated.

    Thanks,
    Nick

    Logfile of HijackThis v1.98.0
    Scan saved at 10:03:47 AM, on 7/16/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\crec32.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\netmn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
    C:\Documents and Settings\Owner\Desktop\Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vlogu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vlogu.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlogu.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlogu.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://your-searcher.com/sp.htm
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: (no name) - {E45ADC92-EFFB-E70A-720B-6D31772D3F3F} - C:\WINDOWS\netmn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [netmn.exe] C:\WINDOWS\netmn.exe
    O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - HKLM\..\RunOnce: [crec32.exe] C:\WINDOWS\system32\crec32.exe
    O4 - HKLM\..\RunOnce: [apiiu.exe] C:\WINDOWS\apiiu.exe
    O4 - HKLM\..\RunOnce: [sdkvd.exe] C:\WINDOWS\sdkvd.exe
    O4 - HKLM\..\RunOnce: [ipmx32.exe] C:\WINDOWS\ipmx32.exe
    O4 - HKLM\..\RunOnce: [msfz32.exe] C:\WINDOWS\msfz32.exe
    O4 - HKLM\..\RunOnce: [sysxh.exe] C:\WINDOWS\sysxh.exe
    O4 - HKLM\..\RunOnce: [mfcan.exe] C:\WINDOWS\mfcan.exe
    O4 - HKLM\..\RunOnce: [javaep32.exe] C:\WINDOWS\javaep32.exe
    O4 - HKLM\..\RunOnce: [addda32.exe] C:\WINDOWS\system32\addda32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Billminder.lnk = G:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = G:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: winlgn.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\njjkqqds.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07ea60b85e194be87505/netzip/RdxIE601.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited July 2004
  • edited July 2004
    Tried this too, but it didn't work. Anybody have a suggestion before I reboot the whole thing again??????
  • edited July 2004
    Anybody out there have any suggestions, before I reboot this thing again??? Please help!!!!!!!!!
  • Dexter Vancouver, BC Canada
    edited July 2004
    Reboot in SAFE MODE. Run HJT. FIX the following:


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://your-searcher.com/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vlogu.dll/index.html#96676

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vlogu.dll/sp.html#96676

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlogu.dll/sp.html#96676

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vlogu.dll/index.html#96676

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://your-searcher.com/sp.htm

    R3 - Default URLSearchHook is missing


    O2 - BHO: (no name) - {E45ADC92-EFFB-E70A-720B-6D31772D3F3F} - C:\WINDOWS\netmn.dll


    O4 - HKLM\..\Run: [netmn.exe] C:\WINDOWS\netmn.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - HKLM\..\RunOnce: [crec32.exe] C:\WINDOWS\system32\crec32.exe
    O4 - HKLM\..\RunOnce: [apiiu.exe] C:\WINDOWS\apiiu.exe
    O4 - HKLM\..\RunOnce: [sdkvd.exe] C:\WINDOWS\sdkvd.exe
    O4 - HKLM\..\RunOnce: [ipmx32.exe] C:\WINDOWS\ipmx32.exe
    O4 - HKLM\..\RunOnce: [msfz32.exe] C:\WINDOWS\msfz32.exe
    O4 - HKLM\..\RunOnce: [sysxh.exe] C:\WINDOWS\sysxh.exe
    O4 - HKLM\..\RunOnce: [mfcan.exe] C:\WINDOWS\mfcan.exe
    O4 - HKLM\..\RunOnce: [javaep32.exe] C:\WINDOWS\javaep32.exe
    O4 - HKLM\..\RunOnce: [addda32.exe] C:\WINDOWS\system32\addda32.exe
    O4 - Global Startup: winlgn.exe

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\njjkqqds.exe

    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    Next, manually locate those .exe and .dll files I listed above. Then, create a new folder called C:\Quarantine. Move the .exe's and .dll's into the Quarantine folder. Rename the .exe files to .xxx, and the .dll's to .ddd. That way you can always replace them if it somehow turns out that I am completely wrong and these are necessary files... which is not likely, but quarantining is safer than deleting them.

    Reboot normally, check things out, and see how it looks. Post a fresh log for further review.

    Dexter...
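
The kind of first-pass triage applied to the log in this thread can be sketched in code; this is an added example, not part of any post above and not HijackThis's own logic. The function names `review_reason` and `triage` and the four heuristics are assumptions chosen to match patterns visible in the posted log, and the plain `http://your-searcher.com` entries pass them untouched, so a human review of the whole log is still needed.

```python
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vlogu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {E45ADC92-EFFB-E70A-720B-6D31772D3F3F} - C:\WINDOWS\netmn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [netmn.exe] C:\WINDOWS\netmn.exe
O4 - HKLM\..\RunOnce: [crec32.exe] C:\WINDOWS\system32\crec32.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\njjkqqds.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] (.*)$")

def review_reason(code, body):
    """Return why an entry deserves manual review, or None (heuristics are assumptions)."""
    if code in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].lower()
        if value.startswith(("res://", "file://")):
            return "IE page setting points at a local resource instead of a web URL"
    if code == "O2" and "(no name)" in body:
        return "unnamed Browser Helper Object"
    if code == "O4":
        m = RUN_ENTRY.match(body)
        if m:
            name, command = m.group(1).lower(), m.group(2).strip('"').lower()
            if name.endswith(".exe") and command.startswith("c:\\windows\\") \
                    and command.endswith("\\" + name):
                return "autorun value named after its own executable under C:\\WINDOWS"
    if code == "O16" and " - file://" in body:
        return "ActiveX download source is a local file"
    return None

def triage(log_text):
    """Parse HijackThis entry lines and return (code, body, reason) for flagged ones."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            reason = review_reason(m.group(1), m.group(2))
            if reason:
                flagged.append((m.group(1), m.group(2), reason))
    return flagged

if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```
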