
help required removing search extender hijacker

Hello all, I have tried to remove the search extender/shopping wizard browser hijacker with no success. I have tried to follow some instructions posted but it is a bit beyond me and I am asking for help from any knowledgeable persons out there willing to help. I will post a HijackThis log if that's of any help and hope it will lead somewhere. Thanks. Ed

Logfile of HijackThis v1.98.2
Scan saved at 10:37:23 PM, on 08/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
F:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\D3EC.EXE
C:\Tools_95\Register\REMIND.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
F:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aewpj.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aewpj.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aewpj.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aewpj.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aewpj.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aewpj.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aewpj.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://your-searcher.com/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
F1 - win.ini: load=C:\TOOLS_95\REGISTER\remind.exe
O2 - BHO: Class - {57031518-1EF5-9E36-92EF-3E4E0944F8D1} - C:\WINDOWS\NTML32.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\SYSTEM\pc32.exe bg
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG_CC] F:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] F:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [D3EC.EXE] C:\WINDOWS\SYSTEM\D3EC.EXE
O4 - HKCU\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00127\GD-DIAL.EXE -remove
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
O4 - Startup: Shortcut to FSScrCtl.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Liatro SWF Decoder Catch - G:\PROGRAM FILES\LIATRO\LIATRO SWF DECODER 4.5\swfcatch.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: Yahoo! PagerLite - http://jpager.yahoo.com/m6/msgr.cab
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://www.rsvp.com.au:4080/chat/data/html/user/msie/msichat.ocx
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c371/chat.cab
O16 - DPF: {18000D07-72C4-11D4-B4BD-004026422A29} (Hot_net Control) - http://www.wakibara.com/Hot_net.CAB
O16 - DPF: {AE775D48-49AA-11D1-8F1C-00C04FB67063} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v5/ticker.cab
O16 - DPF: {1D7532CE-995B-40F2-8C17-2E01AF16FFAC} (XChoco.XChocoCtl) - http://www.eromax.com/cab/XChoco.CAB
O16 - DPF: {B15108AA-D8D0-480D-B535-07E18D6549A8} (XBurger.XBurgerCtl) - http://www.eromax.com/cab/XBurger.CAB
O16 - DPF: {41770406-8D8B-4E77-81BD-459F191F4347} (XEng003.XEng003Ctl) - http://cutygirls.net/pink/003/XEng003.CAB
O16 - DPF: {A5E3B21E-CCBB-450E-9D0C-EEF06076B856} (XEng026.XEng026Ctl) - http://iii.tv/pink/026/XEng026.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {25835E8C-225A-46F0-898A-3A96E43D7929} (XJp.XJpCtl) - http://fever.18x.cx/exe/j0082.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O16 - DPF: {DCF96DA0-ED33-40FF-B83E-AB7011C2BA7E} (Dialer Class) - http://blizzard.isprime.com/dialers/1339.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//paxan/main.chm::/load.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewizzle.com/installfiles/powertools.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} - file://C:\WINDOWS\SYSTEM\SearchBar\popblocker.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ozemail
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 210.80.58.34,210.80.58.42
O21 - SSODL: System - {B0ED6A40-F195-11D8-BC7E-000D88E3219C} - C:\WINDOWS\system32\system32.dll (file missing)
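A HijackThis log like the one above is just text, so the triage a helper does by eye can be written down as rules. The script below is an added example, not part of the thread or of HijackThis itself: it parses lines of the `Rn - ...` / `On - ...` shape and flags the patterns that mark this infection in the log (IE search settings served from a `res://` DLL, a missing URLSearchHook, a generic "Class" BHO, autorun entries pointing at a random-named file inside the Windows tree or at no file at all, Trusted Zone additions, non-HTTP ActiveX sources and a missing SSODL file). The sample input is a handful of lines excerpted from the log above; the section names, reasons and regexes are my own assumptions and are heuristics, not a clean/dirty verdict.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: lines excerpted from the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aewpj.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {57031518-1EF5-9E36-92EF-3E4E0944F8D1} - C:\WINDOWS\NTML32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [D3EC.EXE] C:\WINDOWS\SYSTEM\D3EC.EXE
O4 - HKLM\..\Run: [AVG_CC] F:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [dllhelp] c:\windows
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: Yahoo! PagerLite - http://jpager.yahoo.com/m6/msgr.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//paxan/main.chm::/load.exe
O21 - SSODL: System - {B0ED6A40-F195-11D8-BC7E-000D88E3219C} - C:\WINDOWS\system32\system32.dll (file missing)
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "R1", "O4"
    reason: str   # why the line was flagged (heuristic, not a verdict)
    line: str     # the original log line


LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Random-looking loader names seen in the thread: aewpj.dll, klijd.dll, NTML32.DLL, D3EC.EXE, SDKAN.EXE
# (4 or 5 alphanumerics, optionally followed by "32"). Assumption: this shape is unusual for autoruns.
RANDOM_NAME_RE = re.compile(r"[\\/]([A-Za-z0-9]{4,5})(32)?\.(dll|exe)\b", re.IGNORECASE)


def _autorun_target(body: str) -> str:
    """Return the program path from an O4 '[name] path args' body."""
    target = body.split("]", 1)[1].strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split()[0] if target else ""


def analyse_hjt(log_text: str) -> List[Finding]:
    """Apply the triage rules to every HijackThis line and return the flagged ones."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec in ("R0", "R1") and "res://" in body and ".dll" in body.lower():
            reason = "IE search/start page served from a local DLL resource (search hijack)"
        elif sec == "R3" and "missing" in body:
            reason = "default URLSearchHook removed or replaced"
        elif sec == "O2" and body.startswith("BHO: Class -"):
            reason = "browser helper object with a generic name"
        elif sec == "O4" and "]" in body:
            exe = _autorun_target(body)
            if not ntpath.splitext(exe)[1]:
                reason = "autorun entry does not point at a program file"
            elif "\\windows\\" in exe.lower() and RANDOM_NAME_RE.search(exe):
                reason = "autorun loads a random-named file dropped in the Windows tree"
        elif sec == "O15":
            reason = "site added to the Trusted Zone (runs with relaxed IE security)"
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            scheme = url.split(":", 1)[0].lower()
            if scheme not in ("http", "https") or "dialer" in url.lower():
                reason = "ActiveX download from a non-HTTP source or dialer host"
        elif sec == "O21" and "(file missing)" in body:
            reason = "ShellServiceObjectDelayLoad entry for a missing file (leftover loader)"
        if reason:
            findings.append(Finding(sec, reason, line))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged lines per HijackThis section."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse_hjt(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the full log above it would also pick up the O4 `[MSNSysRestore] C:\WINDOWS\SYSTEM\pc32.exe` line and the `file://` popblocker entry, while leaving the AVG, Real and Office entries alone; anything it flags still needs a human to confirm before the line is "fixed", which is exactly the role the helper plays in this thread.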

Comments

  • Dexter (Vancouver, BC Canada)
    edited August 2004
    Can you please go back to the removal guide and read post #2. Generate an Active Services list, and paste it here.

    Dexter...
  • edited August 2004
    sorry Dexter,

    I tried to generate the active services list but the indicated file to generate it wouldn't work on my pc
  • Dexter (Vancouver, BC Canada)
    edited August 2004
    Run HJT. Click on Config -> Misc Tools. Check off the 2 options under the button that says "Generate StartupList Log", then click the button itself. Generate that log, save it as a text file, then post the text file here, preferably as a file attachment, or just paste the text in if you can't figure the attachments out. The startuplistlog also shows services, so I should be able to ID it from there.

    Dexter...
  • edited August 2004
    Hi Again Dexter,

    Thanks for putting up with me. I did a big cleanup with a slightly more knowledgeable friend and it seemed that problem looked good to be finished. But although the browser is hijacked the interminable exe files that generated before do not seem to have come back. Although I noticed there were many many DLL files that still litter the windows and windows/system folders. ALL are created about the time the problem started and all are 5 character dll files with 56K file size. Are they causing a problem and should I remove them - I think I can tell the difference between them and necessary dll files due to size and date and title? Maybe just move them to a quarantine folder and see if the pc works..!

    Here is the start up list for your perusal as an attachment and a recent hijack log in case that also helps. Thanks again.

    HIJACK LOG LATEST

    Logfile of HijackThis v1.98.2
    Scan saved at 4:57:23 PM, on 08/30/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    F:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    F:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
    C:\WINDOWS\FSSCRCTL.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SDKAN.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\NOTEPAD.EXE
    E:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\klijd.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\klijd.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\klijd.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\klijd.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\klijd.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\klijd.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\klijd.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {85389C19-9846-3EB7-FED8-ECFDDEB7598A} - C:\WINDOWS\APPOH.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] F:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] F:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SDKAN.EXE] C:\WINDOWS\SYSTEM\SDKAN.EXE
    O4 - HKCU\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
    O4 - Startup: Shortcut to FSScrCtl.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Liatro SWF Decoder Catch - G:\PROGRAM FILES\LIATRO\LIATRO SWF DECODER 4.5\swfcatch.htm
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ozemail
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 210.80.58.34,210.80.58.42
  • Dexter (Vancouver, BC Canada)
    edited August 2004
    Ok,

    with Win 98, you can't access the services through Services.msc. Win 98 uses a different method of starting its services. So, you need to do a different method of killing the service.

    Download the program Killbox that I have attached to this post. Unzip it to its own folder. Run the program. In the bottom right hand corner you will see a drop-down box labelled (System Process.) Drop that down, and select the active process that is likely to be your main infection reloader. In your case, that will be: SDKAN.EXE. Once you have selected that file name, click the yellow triangle with the ! inside it to end that process.

    Next, at the top of the window, use the folder icon to browse to: C:\WINDOWS\SYSTEM\SDKAN.EXE.

    Press the red X button to delete that file.

    Then browse to C:\WINDOWS\system\klijd.dll, and select it. Turn on the option "unregister dll before deleting." Then delete it.

    Do this in regular mode first. If it does not work, try it in Safe Mode, except that the exe will probably not be running as a system process in safe mode, so all you will need to do is delete them.

    As for your question about the many suspicious DLLs, yes, go ahead and quarantine them. Just remember where they came from, so that if you ever get an error message in another program that says "missing xxxxx.dll" you can replace it. Maybe make directories in your Quarantine folder that tell you where they came from, i.e.: From Windows, From Windows System, etc.

    Please come back and tell me how this works for you, and exactly what you did.

    Dexter...
  • edited August 2004
    Sorry Dexter,

    The attachment wasn't there - too many choices on google to know which one you meant me to use.

    Cheers

    MC
  • edited August 2004
    Thanks Dexter,

    I am reluctant to say it appears things are fixed, but after your instructions I have logged onto the net twice and rebooted once and so far the browser had not been redirected or the home page changed. No pop ups either.

    What I did was find the Killbox download - persistence in getting rid of this spurred me on - installed it and ran it and searched for the exe file and the dll file you referred to. I was able to delete them using the program. It helped to set my file type to show all hidden and system files, one problem I had before in finding things. No need to delete them in safe mode, worked first time. The sdkan.exe file was backed up but isn't needed.

    Next I searched for all dll and exe files created in the past 6 days, the duration of the infection, that I felt were suspect from the experience I gained from the remove posts here and your information above; all had 5 character names, some with a 32 suffix. I found about 250 files all up, all created the same time and 56kb in size. Moved them from windows and windows\system folders to a hold folder; a lot were hidden files, and so far all programs etc seem to work fine without them. Hopefully the problem won't recur and the system is clear. A HijackThis run showed a few lines which I fixed but only about 5 from the many previously.

    I thank you for all your patience and assistance in helping me get rid of this truly distressing problem. I have also learnt more about PCs and next thing I do is to get some firewall protection update and regularly run scanning software to keep my system clear. I really hope I won't need to be asking for more help....!

    Thanks again - will monitor this for a few days more

    MC
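Dexter's advice above (quarantine the dropped DLLs in folders that record where each came from) and the heuristic MC describes in this post (4- or 5-character names, some with a 32 suffix, all 56 KB, all created within the infection window) can be turned into a repeatable sweep. The script below is an added example, not part of the thread or of any tool mentioned in it; it walks a directory tree, selects files matching that name/size/age heuristic, moves them into a quarantine folder that mirrors their origin path and writes a manifest so any file can be put back if a program later complains it is missing. The `demo()` function builds a constructed tree in a temporary directory (the names `aewpj.dll`, `klijd.dll` and `ntml32.dll` are taken from the logs above; `abcde.dll` and `zzzzz.exe` are made up) and sweeps it. It uses file modification time because creation time is not portable; the size tolerance and the "keep the quarantine folder outside the swept tree" rule are my assumptions.

```python
import os
import re
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

# Heuristic from the thread: 4- or 5-character base name, optional "32" suffix, .dll or .exe.
SUSPECT_NAME = re.compile(r"^[a-z0-9]{4,5}(32)?\.(dll|exe)$", re.IGNORECASE)


def find_suspects(root: Path, max_age_days: float, expected_size: int,
                  tolerance: int = 1024, now: Optional[float] = None) -> List[Path]:
    """Return files under root whose name, size and age match the dropped-file heuristic."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or not SUSPECT_NAME.match(path.name):
            continue
        st = path.stat()
        if abs(st.st_size - expected_size) > tolerance:
            continue  # right shape of name, wrong size
        if st.st_mtime < cutoff:
            continue  # predates the infection window
        hits.append(path)
    return sorted(hits)


def quarantine(files: List[Path], root: Path, qdir: Path) -> Path:
    """Move files into qdir, mirroring their origin folder, and append a restore manifest.

    qdir must live outside root, otherwise a second sweep would re-match the quarantined files.
    """
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = qdir / "manifest.txt"
    with manifest.open("a") as mf:
        for f in files:
            dest = qdir / f.relative_to(root)  # e.g. Quarantine/SYSTEM/klijd.dll
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(f), str(dest))
            mf.write(f"{dest}\t{f}\n")  # where it is now, where it came from
    return manifest


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed WINDOWS tree, sweep it, and return (quarantined, kept) file names."""
    base = Path(tempfile.mkdtemp())
    win = base / "WINDOWS"
    sysdir = win / "SYSTEM"
    sysdir.mkdir(parents=True)
    now = time.time()
    samples = {  # path -> (size in bytes, age in days); constructed sample data
        win / "aewpj.dll": (56 * 1024, 2),        # dropped loader: matches
        sysdir / "klijd.dll": (56 * 1024, 3),     # dropped loader: matches
        sysdir / "ntml32.dll": (56 * 1024, 1),    # "32" suffix variant: matches
        sysdir / "kernel32.dll": (56 * 1024, 1),  # 8-character name: kept
        win / "abcde.dll": (56 * 1024, 40),       # right shape, but older than the window: kept
        sysdir / "zzzzz.exe": (10 * 1024, 1),     # wrong size: kept
    }
    for path, (size, age) in samples.items():
        path.write_bytes(b"\0" * size)
        stamp = now - age * 86400
        os.utime(path, (stamp, stamp))
    hits = find_suspects(win, max_age_days=6, expected_size=56 * 1024, now=now)
    qdir = base / "Quarantine"
    quarantine(hits, win, qdir)
    moved = sorted(p.name for p in qdir.rglob("*") if p.is_file() and p.name != "manifest.txt")
    kept = sorted(p.name for p in win.rglob("*") if p.is_file())
    shutil.rmtree(base)
    return moved, kept


if __name__ == "__main__":
    print(demo())
```

Because the manifest pairs each quarantined path with its original location, restoring one file is a single move back; that is the same "remember where they came from" rule Dexter gives, made mechanical. The size and age filters are what keep legitimate short-named system files such as `kernel32.dll` out of the quarantine.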
  • Dexter (Vancouver, BC Canada)
    edited August 2004
    Sorry about the attachment!! It was late at night and one of my 2 babies woke up and needed some attention.... I have attached it for any other user who may come across this thread.

    So...Success! Great to hear. As soon as I get a chance, I will post this information in the guide as a Windows 95/98 alternative to using the services control panel.

    Please post another HJT log in this thread for us to review just to make sure all is clean.

    Please read our article on Defeating Spyware for tips on how to improve your Internet Explorer security, or to learn how to switch to a different browser. For more general information about spyware read this page.

    Finally, if you have not already done so, please take the time to find out more about Folding For a Cure, a good cause by which your computer uses its spare power to help search for cures to diseases. We would love to have you on our Team.

    Dexter...
  • edited August 2004
    Hi Dexter,

    Hope the kids are well.

    Well a full day on and off broadband and no problems, though just running HijackThis and I see that the dastardly klijd.dll is still sitting there. Thought I deleted it. See for yourself how it's quite apparent. Maybe it's just a remnant, I don't know. I can try deleting it again and also clicking fix on HJT, but I did that before and it seems to sit there back again. Hopefully it's not a sign of bad things.

    I wonder what you make of it - and I hope my experience can help others. I am already offering my experience to some people I know who are worried about their PCs.

    MC
  • edited August 2004
    I did it too... it's 2:30 am... the file is attached
  • Dexter (Vancouver, BC Canada)
    edited August 2004
    The good news is that it looks like you do not have a startup entry any more. Please do the following:

    First - try Killbox again to delete the klijd.dll, but also check off "end Explorer shell while killing file." Then run HJT and remove the entries. Reboot and see if it is gone.

    Second - if that does not delete it, run Killbox again, and mark the file for "delete on reboot" (make sure to still check the option to unregister the dll.) Reboot, check HJT, fix the entries. Reboot and see if it is gone.

    Let us know how that goes.

    Dexter...