Bloody Home Search Assistant!!
Hello there. This is the first time that I have used this forum. I'm wondering if anyone could help me on this matter?
It's familiar stuff - HSA, Shopping Wizard, Search Assistant.
I decided to tread with caution and provide a HJT log.
Here it is.
Logfile of HijackThis v1.97.7
Scan saved at 14:48:39, on 18/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\WINDOWS\system32\netbk.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2EE72B4F-E40E-EFB8-15AA-4EB5AE709679} - C:\WINDOWS\system32\atldq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [netbk.exe] C:\WINDOWS\system32\netbk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\[my full name]\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{903E4ACF-8A16-4A7F-9FEA-663103D94F25}: NameServer = 169.254.100.1
I don't know if C:/windows/msre32.exe was malicious, but instead of putting it into quarantine on Ad-aware, I decided to delete it straight from the registry.
There is some other queries that have been bugging me. When you get into safe mode, what is it you do exactly, especially with the C:/HJT folder?
Please help me get rid of these b****rds!
Thank you.
Rowser
It's familiar stuff - HSA, Shopping Wizard, Search Assistant.
I decided to tread with caution and provide a HJT log.
Here it is.
Logfile of HijackThis v1.97.7
Scan saved at 14:48:39, on 18/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\WINDOWS\system32\netbk.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2EE72B4F-E40E-EFB8-15AA-4EB5AE709679} - C:\WINDOWS\system32\atldq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [netbk.exe] C:\WINDOWS\system32\netbk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\[my full name]\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{903E4ACF-8A16-4A7F-9FEA-663103D94F25}: NameServer = 169.254.100.1
I don't know if C:/windows/msre32.exe was malicious, but instead of putting it into quarantine on Ad-aware, I decided to delete it straight from the registry.
There is some other queries that have been bugging me. When you get into safe mode, what is it you do exactly, especially with the C:/HJT folder?
Please help me get rid of these b****rds!
Thank you.
Rowser
0
This discussion has been closed.
Comments
Dexter...
I don't understand what you mean by this.
Dexter...
Can you wait till tomorrow?
Rowser
Dexter...
Logfile of HijackThis v1.97.7
Scan saved at 01:41:11, on 19/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Ravi Choudhary\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{903E4ACF-8A16-4A7F-9FEA-663103D94F25}: NameServer = 169.254.100.1
I also have some stuff in Quarantine.
appzx32.ddd
atlvh32.ddd
ckdvj.ggg (for .log)
crzo32.ddd
dskjl.ttt
exdl.xxx
exul.xxx
fcfog.ddd
fchhx.ttt
ieco32.xxx
mshz32.xxx
mslagent.xxx
realsched.xxx
wsaupdater.xxx
wtdwf.ggg
ycomp5_3_19_0.ddd
zzolu.ggg
My queries are:
What are the good and bad stuff from this list?
When is best to get rid of the bad stuff and put back the good stuff? During or not during safe mode?
Please help me, experts!
Rowser
So Dexter if you're there please reply.
Thanks.
Dexter (and everyone else here) has a full-time real-world job and family. This is what we do in our spare time. Notice that some people have been waiting two days for a response? That's because there are 50-100 people needing help at any given moment and only 3-5 people helping. I suggest being patient and not expecting people to help you for fun and free on the time scale you demand
I'm fixing my computer to as best to Dexter's advice as I could possibly can, and all I'm asking is for Dexter or any other expert to look at the log and the quarantine list. Especially the quarantine list, cos I don't know what to keep and get rid, and when I should proceed with getting rid/keep with those I do need/don't need.
Just so you know, when I log into the forum, I almost always start at the bottom of PAGE 2. I scan the posts which are not close, to find ones that have:
- no replies
- last reply by the original topic starter
- last reply by someone other than the topic starter or one of the SVT SWAT Team members.
Certain exceptions apply, such as first-posters who just need to be pointed to a guide, application or another post.
When people get impatient and bump their threads back to the top of page 1....I don't usually do not answer their posts until after I have dealt with all of Page 2 from the bottom up, then Page 1 from the bottom up. The higher you are in the list, the longer you will usually wait, at least for a response from me.
So, I've worked my way, on my spare time as has been pointed out (this kind of process would cost you around $100 if you were a paying customer, and if you took it to most PC repair shops they would be clueless and re-install your OS....), so now I will review your post and reply.....
Dexter...
Good stuff:
ycomp5_3_19_0.ddd (Yahoo companion toolbar)
realsched.xxx (Real Player auto-updater, not a bad item, unquarantine it but leave it removed from yoru HJT log, because it is unneccessary at startup and is a resource hog.)
Safe mode is always best for this kind of work, because it does not allow many processes, services and executable applications to start up.
You still seem to have HSA problems though, so the removal process was not complete. Did you identify what bogus service you had running in Step 6? If not, please see post 2 of the removal guide:
http://www.short-media.com/forum/showpost.php?p=174924&postcount=2
Use the program attached there to generate a log of your active services, and post the log here (preferably as a file attachment) so we can determine what service is running.
Cheers,
Dexter...
Other than that, the hijacking of my home page appears to have ceased.
However, I can't seem to access my Hotmaill account. Keep getting a page saying "too busy".
Hotmail often has problems like that, especially when they are doing server maintenance.
Would you like to post a fresh HJT log to make sure it is clean? Or are you confident you have solved the problem....?
Dexter...
Logfile of HijackThis v1.97.7
Scan saved at 20:18:38, on 20/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\[my full name]\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{903E4ACF-8A16-4A7F-9FEA-663103D94F25}: NameServer = 169.254.100.1
Also, there is a list of stuff that I put into quarantine, this time files derived from C:\window\system32.
ckdvj.ggg
crzo32.ddd
dskjl.ttt
fchhx.ttt
ieco32.xxx
mshz32.xxx
wtdwf.ggg
zzolu.ggg
This time, I'll wait and stay patient.
Thank you.
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcfog.dll/sp.html#37680
Fix those 2 entries in SAFE MODE, quarantine the dll, and you should be okay.
Dexter...
Logfile of HijackThis v1.97.7
Scan saved at 23:11:03, on 21/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Ravi Choudhary\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{903E4ACF-8A16-4A7F-9FEA-663103D94F25}: NameServer = 169.254.100.1
However, I'm still worried about a few things:
1. The O17, because I read on HJT that this a domain hijack.
2. DownloadPlus.exe. I'm not sure whether to get rid of it or not, and if the former, then I can't get to it, despite taking off the hidden filters.
3. The blanks that follow after the "local page" equals sign in the R0 entries.
4. When I run SS&D, it brings up these DSO's that I can't seem to shake off, either in Safe mode or normal mode.
5. The new list of stuff that I put into quarantine:
From C:/windows
e.xxx
epvmxd.ggg
mfcxu.ddd
From C:/windows/system32
nettb.ddd
winum.ddd
winum.xxx
Did what you ask for in your reply. I like to be certain that the computer is 100% clean, but I'm still a bit paranoid.
What I was thinking is: Would it be wise to fix the O9 entries containing messenger, so that I'm able to access into my Hotmail account on my computer?
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBY27.EXE
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
Fix them and quarantine them.
1. The O17, because I read on HJT that this a domain hijack.
That's a hard coded DNS entry. I have them too, if you have manually entered TCPIP settings as opposed to DHCP, this is what you see. But...I did just try to ping that address, and it was not responding. Check your TCPIP properties, contact your ISP to see if that address is a legit value for their service.
2. DownloadPlus.exe. I'm not sure whether to get rid of it or not, and if the former, then I can't get to it, despite taking off the hidden filters.
Check Add/Remove Programs control panel.
3. The blanks that follow after the "local page" equals sign in the R0 entries.
No worries, just no info at that entry. It's not a problem.
4. When I run SS&D, it brings up these DSO's that I can't seem to shake off, either in Safe mode or normal mode.
The DSO reports are indicators that potential exploits exist in IE. So long as you are using a firewall, you are likely not going to have a problem with these. If you are concerened, there is a program that will patch these:
http://www.nsclean.com/dsostop.html
Dexter...
I still have problems getting into my Hotmail account on my computer. I think you're right about the fact that it may be coming from a server rather from the actual computer.
Nonetheless, I can't get to it. One difference that I found when accessing my account on my computer and accessing it from another computer is that the block which you type in the email address goes into a yellowish-brown colour, which is apparent on my computer and not on anyone else's.
Also, here is my recent HJT log.
Logfile of HijackThis v1.97.7
Scan saved at 20:11:04, on 23/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Ravi Choudhary\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093127184078
O17 - HKLM\System\CCS\Services\Tcpip\..\{903E4ACF-8A16-4A7F-9FEA-663103D94F25}: NameServer = 169.254.100.1
With Inetdctr, I had to get rid of that manually in the registry. And I put the specified items into quarantine. What do you want to do with them now?
With hotmail, I haven't tried the suggestion that I put out, but I finding this just as annoying than the HSA trash offload on my computer.
Thank you very much, Dexter!!
Rowser
Dexter...
*On the address bar, I get something like sdid?box=1&t= followed by roughly 30 characters, all random. When it fails to get in, the characters change.
*What I get is a web page by MSN, telling me that I'm on an unknown passport site.
There was another thing that I happened to stumble upon. In C:\Program Files\Internet Explorer, I found 23 applications, mode of which is 7k. All these applications have existed from 1st July to yesterday, consisting of 8 random letters in the name. They also seem to be modified 2 seconds after being created. My gut instinct is that they are all tosh and should be rid of, but I wanted to be sure.
Hope this knowledge could be helpful in anyway.
Rowser
Can't help you on the Hotmail thing, I know they have been having busy server times lately, as I have heard from others.
Dexter...
Sorry it took too long to respond, but I wanted to say this: Home Search Assistant has cleared of my computer.
But I'm still having problem getting into my Hotmail account. Do you know who or where I could speak to someone in regards to this on Short Media?
And this is also I wanted to say: a million thanks for helping out in sorting out my computer.
Thank you ever so much, Dexter!
In the words of Michael Moore:
"I'd like to thank the Canadians. If you weren't there, we'd have no idea what was wrong with us"
Bear in mind though that I'm Scottish, not American. A bit peeved there isn't a smiley waving a Scottish flag.
Also, is it ok by you that I could help out whenever I can?
Thank you!!
glad we could help
Remember to re-enable your system restore and set a new restore point if you have not done so already.
There are a couple of users who have reported problems accessing Hotmail after being infected. We re still working on an easy nswer for that. However,the problem should go away if you either re-install Internet Explorer, or in your case update to Windows XP Service Pack 2. Upgrade to XP Service Pack 2 here, courtesy of Short-Media's downloads section. One user has done this and overcome the Hotmail problem.
Please read our article on Defeating Spyware for tips on how to improve your Internet Explorer security, or to learn how to switch to a different browser. For more general information about spyware read this page.
You are welcome to hang around here and help out in any way you are able. We always welcome newcomers. If you want to help out here in the SVT forum, there is a bit of a learning curve, but we can point you in the right direction as to reading material, etc. Send me a PM if you are interested.
Finally, if you have not already done so, please take the time to find out more about Folding For a Cure, a good cause by which your computer uses it's spare power to help search for cures to diseases. We would love to have you on our Team.
Dexter...