MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Computer Support Forums > Internet & Network Support > Security & Viruses
Topic: Please help remove CoolSearch (Read 7684 times)

yellowclaw
« on: September 03, 2004, 05:53:41 PM »
I'm having a problem with a PC. I don't know where to start. Lots of pop-ups, casino, about:blank, CoolSearch, and it's very slow. I've run the most updated Ad-Aware and Spybot, then PeperFix; after reboot, I created a folder for HijackThis in C:\HJT and ran it. Please have a look at my log and let me know which to remove.

Logfile of HijackThis v1.98.1
Scan saved at 11:32:34 AM, on 9/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\docume~1\owner\locals~1\temp\WonAqd.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\documents and settings\owner\local settings\temp\q1Jw.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\documents and settings\owner\local settings\temp\43KeeWTOd.exe
C:\WINDOWS\System32\srftku.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\services\wow.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Application Data\ttuh.exe
C:\WINDOWS\System32\cvgx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdcedd.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdcedd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.grlcnnckqyipncyacvimu.com/DGrDZxK/0DgVi//adNYuwfzNOFO00tdIp3RbHO4WhoQF602bgCzOK/FqORCti7OV.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: (no name) - {05946986-7715-4BFA-981F-D2BBC1A13536} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\system32\mskhhe.dll (disabled by BHODemon)
O2 - BHO: (no name) - {11668D4D-8554-44A5-A778-A6203F457AC5} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: (no name) - {1DF93758-ED67-40BC-800F-665578A12843} - C:\WINDOWS\system32\qkse.dll (disabled by BHODemon)
O2 - BHO: (no name) - {438E884F-7944-4F02-A06B-9B957B087FDE} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (disabled by BHODemon)
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (disabled by BHODemon)
O2 - BHO: (no name) - {572C3D88-5DCA-4F56-B506-9AE62B0C9D95} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: (no name) - {6815279F-8AA0-71F1-E103-95EE213694C5} - C:\Program Files\error****memo\Barb window.exe (disabled by BHODemon)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (disabled by BHODemon)
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\system32\msjfbl.dll (disabled by BHODemon)
O2 - BHO: (no name) - {98A022C6-0A1B-46D1-89A1-818C54D57DAA} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: (no name) - {9ED0A3E2-E7A0-42F2-B054-ADD8B3073E74} - C:\WINDOWS\system32\bdcedd.dll (file missing)
O2 - BHO: (no name) - {A4C72D16-A3BB-4D55-BE1D-276E08716903} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (disabled by BHODemon)
O2 - BHO: (no name) - {B78994DA-DA47-45DF-8654-74F1F9E3A282} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (disabled by BHODemon)
O2 - BHO: (no name) - {D6DEB83C-9652-424E-B486-64D342EB3B21} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\zbLfc6S.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\Downloaded Program Files\QaBar.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [Bodyfour] C:\PROGRA~1\SEEKSI~1\data gram.exe
O4 - HKLM\..\Run: [WonAqd] C:\docume~1\owner\locals~1\temp\WonAqd.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Dqk6Z.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [q1Jw] C:\documents and settings\owner\local settings\temp\q1Jw.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [43KeeWTOd] C:\documents and settings\owner\local settings\temp\43KeeWTOd.exe
O4 - HKLM\..\Run: [Burn Junk Browse Ace] C:\Documents and Settings\All Users\Application Data\Multiopenburnjunk\oozecash.exe
O4 - HKLM\..\Run: [qoydtrfihtj] C:\WINDOWS\System32\srftku.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\System32\services\wow.exe /u
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Yxj] C:\WINDOWS\System32\cvgx.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: Microsoft

Geekgirl (Global Moderator)
« Reply #1 on: September 03, 2004, 06:16:31 PM »

First run LSPFix  http://www.cexx.org/lspfix.htm
... then delete your current version of HJT and

Please Download the newer version of HiJackThis   http://www.majorgeeks.com/download3155.html and post a new logfile.

(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. A good place to make a folder would be in My Documents,
as this is where it will save the backup files needed if there's a problem.)


yellowclaw
« Reply #2 on: September 03, 2004, 07:02:43 PM »

Thank you for your quick response! I'm following your instructions as we speak. The PC is extremely slow. I will post the new log soon.

yellowclaw
« Reply #3 on: September 03, 2004, 07:19:58 PM »

Thank you!  Here's the updated Log.

Logfile of HijackThis v1.98.2
Scan saved at 3:17:01 PM, on 9/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\docume~1\owner\locals~1\temp\WonAqd.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\documents and settings\owner\local settings\temp\q1Jw.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\documents and settings\owner\local settings\temp\43KeeWTOd.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Application Data\ttuh.exe
C:\WINDOWS\System32\cvgx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\MULTIO~1\oozecash.exe
C:\Documents and Settings\Owner\My Documents\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdcedd.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdcedd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.grlcnnckqyipncyacvimu.com/DGrDZxK/0DgVi//adNYuwfzNOFO00tdIp3RbHO4WhoQF602bgCzOK/FqORCti7OV.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F3 - REG:win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: (no name) - {05946986-7715-4BFA-981F-D2BBC1A13536} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\system32\mskhhe.dll (disabled by BHODemon)
O2 - BHO: (no name) - {11668D4D-8554-44A5-A778-A6203F457AC5} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: (no name) - {1DF93758-ED67-40BC-800F-665578A12843} - C:\WINDOWS\system32\qkse.dll (disabled by BHODemon)
O2 - BHO: (no name) - {438E884F-7944-4F02-A06B-9B957B087FDE} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (disabled by BHODemon)
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (disabled by BHODemon)
O2 - BHO: (no name) - {572C3D88-5DCA-4F56-B506-9AE62B0C9D95} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: (no name) - {6815279F-8AA0-71F1-E103-95EE213694C5} - C:\Program Files\error****memo\Barb window.exe (disabled by BHODemon)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (disabled by BHODemon)
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\system32\msjfbl.dll (disabled by BHODemon)
O2 - BHO: (no name) - {98A022C6-0A1B-46D1-89A1-818C54D57DAA} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: (no name) - {9ED0A3E2-E7A0-42F2-B054-ADD8B3073E74} - C:\WINDOWS\system32\bdcedd.dll (file missing)
O2 - BHO: (no name) - {A4C72D16-A3BB-4D55-BE1D-276E08716903} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (disabled by BHODemon)
O2 - BHO: (no name) - {B78994DA-DA47-45DF-8654-74F1F9E3A282} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (disabled by BHODemon)
O2 - BHO: (no name) - {D6DEB83C-9652-424E-B486-64D342EB3B21} - C:\WINDOWS\system32\age.dll (disabled by BHODemon)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\xGwB.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\Downloaded Program Files\QaBar.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [Bodyfour] C:\PROGRA~1\SEEKSI~1\data gram.exe
O4 - HKLM\..\Run: [WonAqd] C:\docume~1\owner\locals~1\temp\WonAqd.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Dqk6Z.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [q1Jw] C:\documents and settings\owner\local settings\temp\q1Jw.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [43KeeWTOd] C:\documents and settings\owner\local settings\temp\43KeeWTOd.exe
O4 - HKLM\..\Run: [Burn Junk Browse Ace] C:\Documents and Settings\All Users\Application Data\Multiopenburnjunk\oozecash.exe
O4 - HKLM\..\Run: [qoydtrfihtj] C:\WINDOWS\System32\srftku.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\System32\services\wow.exe /u
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Yxj] C:\WINDOWS\System32\cvgx.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: Microsoft

benditup
« Reply #4 on: September 04, 2004, 05:14:14 AM »

Your computer has many problems; we'll try this in steps.

This will take restarting your computer a few times, but eventually it
should get quicker if everything goes well.

Familiarize yourself with System Restore
START>>>All Programs>>>Accessories>>>>>System Tools>>>System Restore
I want you to know where to find it if you run into big problems; don't use it if you are just getting error messages.
We will be clearing your restore points at a later time

Make sure that you have downloaded LSP FIX from Geekgirls link

Next: Download and Save to desktop CWShredder
We'll run this later

I see you have run the Peper Fix, but just in case I'm supplying links
to a couple possible newer uninstallers

Newuninst.exe
and this one
Peper Fix

Save them to desktop
Double click on Newuninst.exe and press Uninstall. Let it run, and when it's completed press Close. You must be online for this to work, and do not block any attempts by the program to connect to the internet through
any firewall.
RESTART your computer

Next: Double click to run Peper Fix
Click Find and Fix--follow the prompts to remove files
which will require you to RESTART your computer one more time

After RESTARTING, we are going to need LSP fix
Open it
Check the box next to "I know what I'm doing".
Click on all instances of 'inetadpt.dll'. (and nothing else)
Then click the right-pointing arrows ( >> ) to send inetadpt.dll to the Remove pane.
Next, click Finish
Then reboot.

After you Restart

Open up Just CWShredder---With CWShredder open and nothing else
let it FIX all problems
RESTART once again

Enter your Task Manager(Hold down the CTRL+SHIFT keys and tap ESC)
End process on these if still running
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\WindUpdates\WinKA.exe

Access your Add/Remove Programs and Remove these if found
CasinoOnline
WindowsSA
WindUpdates
WebSavingsfromEbates
WebRebates

RESTART if anything Removed

Post back with a Fresh hijackthis log......

Could you also download this GetServices.zip
Unzip it to a folder,
Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder.
getservice.txt will list all active Services
Could you include the GetService.txt but Insert it as an attachment
Simply click "Insert File Attachment", use the browse button to navigate to the txt file, right click and select it, and then upload the file.
« Last Edit: September 04, 2004, 05:20:43 AM by benditup »

yellowclaw
« Reply #5 on: September 07, 2004, 01:42:52 PM »

Good Morning Friends,

We lost power for a few days as Frances passed by. A few trees uprooted and some cleaning up to do, but all is fine. Back to the PC! Thanks so much for your help, I will follow your instructions and post the new log here soon.

yellowclaw
« Reply #6 on: September 07, 2004, 04:04:31 PM »

Here is the recent log and txt file per your instructions.
Once again, thank you for all your help.

Logfile of HijackThis v1.98.2
Scan saved at 11:54:40 AM, on 9/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\docume~1\owner\locals~1\temp\WonAqd.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\documents and settings\owner\local settings\temp\q1Jw.exe
C:\documents and settings\owner\local settings\temp\43KeeWTOd.exe
C:\Documents and Settings\All Users\Application Data\Multiopenburnjunk\oozecash.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\MULTIO~1\oozecash.exe
C:\WINDOWS\System32\srftku.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\services\wow.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Application Data\ttuh.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cvgx.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\My Documents\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://martfinder.com/index.htm?aff=6600
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.juxzmignydkzmeiccnw.info/DGrDZxK/0DgVi//adNYuwfzNOFO00tdIp3RbHO4WhoRFL/DLKsRfbPFqORCti7OV.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F3 - REG:win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: (no name) - {1DF93758-ED67-40BC-800F-665578A12843} - C:\WINDOWS\system32\qkse.dll (disabled by BHODemon)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (disabled by BHODemon)
O2 - BHO: (no name) - {6815279F-8AA0-71F1-E103-95EE213694C5} - C:\Program Files\error****memo\Barb window.exe (disabled by BHODemon)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (disabled by BHODemon)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (disabled by BHODemon)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (disabled by BHODemon)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\78qqBPp.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\Downloaded Program Files\QaBar.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Bodyfour] C:\PROGRA~1\SEEKSI~1\data gram.exe
O4 - HKLM\..\Run: [WonAqd] C:\docume~1\owner\locals~1\temp\WonAqd.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [q1Jw] C:\documents and settings\owner\local settings\temp\q1Jw.exe
O4 - HKLM\..\Run: [43KeeWTOd] C:\documents and settings\owner\local settings\temp\43KeeWTOd.exe
O4 - HKLM\..\Run: [Burn Junk Browse Ace] C:\Documents and Settings\All Users\Application Data\Multiopenburnjunk\oozecash.exe
O4 - HKLM\..\Run: [qoydtrfihtj] C:\WINDOWS\System32\srftku.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\System32\services\wow.exe /u
O4 - HKLM\..\Run: [SVCHOST.EXE] C:\WINDOWS\SVCHOST.EXE start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Yxj] C:\WINDOWS\System32\cvgx.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=0c8af29cad1529a0c2f12262efe492244d317f6ab2c86bff7585b7e883263ddf35912dd813dee463c744961d2b31add589650eef4d876c0fc2a2f745d64562:c31e3730b38c174130e1e2729109a237
O16 - DPF: {52D7DDE4-F150-4D82-AAB5-6EED6AB7C708} (my printer) - http://www.hpphoto.com/downloads/HPPrint.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN_XP.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.53/EPlugin_US.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sqle.dll


Attachment: getservice.txt (41.59 KB)

benditup
« Reply #7 on: September 07, 2004, 06:58:04 PM »

You may want to print this; I need you to start in Safe Mode.

Set Windows to Show Hidden Files and Folders

RESTART your Computer in SAFE MODE

Try to uninstall any of those programs mentioned earlier, if they exist in Add/Remove Programs

Find and delete these files or folders if they exist, you may have to end process on them in Task Manager (Hold down the CTRL+SHIFT keys and tap the ESC key)

You may have to search for some, when searching click the Advanced options and ensure that Hidden Files and Folders is checked

c:\searchpage.html <--this file
C:\WINDOWS\System32\services\wmplayer.exe <--this file
C:\WINDOWS\win32.exe <--file
C:\WINDOWS\System32\srftku.exe <--file
C:\WINDOWS\System32\services\wow.exe <--file
C:\Documents and Settings\Owner\Application Data\ttuh.exe <--file
C:\documents and settings\owner\local settings\temp\q1Jw.exe <--file
C:\docume~1\owner\locals~1\temp\WonAqd.exe <--file
C:\WINDOWS\System32\cvgx.exe <--file
C:\documents and settings\owner\local settings\temp\43KeeWTOd.exe <--file
C:\WINDOWS\System32\sqle.dll <--file
C:\WINDOWS\SVCHOST.EXE <--file, DON'T delete the legitimate svchost.exe in the System32 folder

C:\Program Files\CasinoOnline <--this folder
C:\Program Files\Common Files\Dpi <--folder
C:\Documents and Settings\All Users\Application Data\Multiopenburnjunk <--folder
C:\Program Files\WebSavingsfromEbates <--folder
C:\Program Files\Web_Rebates <--folder
C:\Program Files\SEP <--folder
C:\WINDOWS\system32\pcs <--folder

===Stay in safe Mode
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://martfinder.com/index.htm?aff=6600
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.juxzmignydkzmeiccnw.info/DGrDZxK/0DgVi//adNYuwfzNOFO00tdIp3RbHO4WhoRFL/DLKsRfbPFqORCti7OV.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F3 - REG:win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: (no name) - {1DF93758-ED67-40BC-800F-665578A12843} - C:\WINDOWS\system32\qkse.dll (disabled by BHODemon)

O2 - BHO: (no name) - {6815279F-8AA0-71F1-E103-95EE213694C5} - C:\Program Files\error****memo\Barb window.exe (disabled by BHODemon)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (disabled by BHODemon)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (disabled by BHODemon)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (disabled by BHODemon)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\78qqBPp.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (disabled by BHODemon)

O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\Downloaded Program Files\QaBar.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Bodyfour] C:\PROGRA~1\SEEKSI~1\data gram.exe
O4 - HKLM\..\Run: [WonAqd] C:\docume~1\owner\locals~1\temp\WonAqd.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [q1Jw] C:\documents and settings\owner\local settings\temp\q1Jw.exe
O4 - HKLM\..\Run: [43KeeWTOd] C:\documents and settings\owner\local settings\temp\43KeeWTOd.exe
O4 - HKLM\..\Run: [Burn Junk Browse Ace] C:\Documents and Settings\All Users\Application Data\Multiopenburnjunk\oozecash.exe
O4 - HKLM\..\Run: [qoydtrfihtj] C:\WINDOWS\System32\srftku.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe

O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\System32\services\wow.exe /u
O4 - HKLM\..\Run: [SVCHOST.EXE] C:\WINDOWS\SVCHOST.EXE start

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Yxj] C:\WINDOWS\System32\cvgx.exe

O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=0c8af29cad1529a0c2f12262efe492244d317f6ab2c86bff7585b7e883263ddf35912dd813dee463c744961d2b31add589650eef4d876c0fc2a2f745d64562:c31e3730b38c174130e1e2729109a237

O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN_XP.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.53/EPlugin_US.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sqle.dll


AFTER you have FIX CHECKED and closed HijackThis
Open JUST CWShredder and let it FIX all problems

Next Navigate to About:Buster again and run another Scan

Do a DiskCleanup>>START>>>RUN>>type in cleanmgr
Ensure that Temp and Temporary Internet files are checked

RESTART back in Normal Mode
Run Scans With Ad-Aware SE Personal and Spybot
RESTART again if bad guys found

Post back with a Fresh hijackthis Log and About:buster logs

Could you also download DLLCompare


Save the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.


EDIT---Can you also look for this bolded folder and delete if found
Not sure of the exact name but it should be in your ProgramFiles folder
C:\PROGRA~1\SEEKSI~1\data gram.exe
« Last Edit: September 07, 2004, 07:03:33 PM by benditup »

 
yellowclaw
« Reply #8 on: September 08, 2004, 08:16:32 PM »

Computer no longer has the CoolSearch and is a little faster but still slow.  About:Buster is having trouble removing sqle.dll; the message is "Error Removing: C:\WINDOWS\System32\sqle.dll" and this message repeats itself endlessly.  I have tried rebooting several times and starting your instructions from the beginning but still come to this error at the end.  Any suggestions?  I will post the new hijackthis log and the dllcompare log soon.

 
yellowclaw
« Reply #9 on: September 08, 2004, 08:29:28 PM »

This is the new hijackthis log and the error message I received when running DLLCompare.

Logfile of HijackThis v1.98.2
Scan saved at 4:15:42 PM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\EyosnN3.exe
C:\WINDOWS\System32\EyosnN3.exe
C:\Documents and Settings\Owner\Desktop\VirusFixSoftware\HJT\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aaqkcmrsqwdqevvbblt.com/DGrDZxK/0DhcmXDXCobIEFYQd6hxwgo/_GZv_/hj4yA.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\qJ8JCW.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AaC4N] C:\documents and settings\owner\local settings\temp\AaC4N.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\JqvGme.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {52D7DDE4-F150-4D82-AAB5-6EED6AB7C708} (my printer) - http://www.hpphoto.com/downloads/HPPrint.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sqle.dll
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll



Download Attachment: dllcompare.JPG 42.53 KB

 
benditup
« Reply #10 on: September 08, 2004, 09:03:05 PM »

Do as much of this as you can

Access your Add/Remove Programs and Remove TV MEDIA and MIDADLE if there

Did you download these uninstallers?
You may have to disable system restore before running these
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Newuninst.exe
and
PeperFix

Save them to desktop
Double click on Newuninst.exe and press Uninstall. Let it run and when it's completed press Close. You must be online for this to work, and do not block any attempts by the program to connect to the internet through any firewall
RESTART your computer

Next: Double click to run Peper Fix
Click Find and Fix--follow the prompts to remove files
which will require you to RESTART your computer one more time

On the last RESTART could you
RESTART your Computer in SAFE MODE

Ensure you have set windows to show hidden files and folders
Find and delete these files or folders if they exist
C:\WINDOWS\System32\sqle.dll <--file
C:\WINDOWS\System32\mssaru.dll <--file
C:\documents and settings\owner\local settings\temp\AaC4N.exe <--file
C:\Program Files\TV Media <--this folder

Stay in safe mode
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aaqkcmrsqwdqevvbblt.com/DGrDZxK/0DhcmXDXCobIEFYQd6hxwgo/_GZv_/hj4yA.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\qJ8JCW.dll (disabled by BHODemon)

O4 - HKLM\..\Run: [AaC4N] C:\documents and settings\owner\local settings\temp\AaC4N.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\JqvGme.exe

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O20 - AppInit_DLLs: C:\WINDOWS\System32\sqle.dll
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll


After you have fix checked try running About:buster again

RESTART back in Normal Mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Do a Disk Cleanup

Open up Notepad (START, run, enter NOTEPAD)
Copy the CONTENTS of the Quote box to notepad
Now in Notepad select file, save as and enter in the filename box "Appinit.bat"  and save it on the desktop.

quote:
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
chkntfs c: > windows.txt
type windows1.hiv >> windows.txt


Double click on Appinit.bat
This will create a file on the desktop named windows.txt

Post back with the Windows.txt file and a Fresh hijackthis log
« Last Edit: September 08, 2004, 09:05:05 PM by benditup »
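As an added example (not code from this thread, from benditup, or from the HijackThis project), here is a small Python triage script that walks a log in the HijackThis v1.98 format posted above and flags the entry types the helper keeps asking to have fixed: hijacked R0/R1 pages, orphaned O2 BHOs, O4 autoruns launched from a Temp directory, O16 ActiveX downloads, and O20/O21 DLL loads. The sample log, the URL allow-list and the flag rules are constructed heuristics for this example, not HijackThis's own logic.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.98 log format, modelled on the
# entries posted in this thread (not a real scan).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://martfinder.com/index.htm?aff=6600
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [AaC4N] C:\documents and settings\owner\local settings\temp\AaC4N.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - AppInit_DLLs: C:\WINDOWS\System32\sqle.dll
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
"""


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O4" or "O20"
    reason: str  # why a reviewer should look at this entry
    line: str    # the original log line


# Every HijackThis entry starts with a section code, e.g. "R0 - ", "O20 - ".
_ENTRY = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Drive-letter path up to the first .exe/.dll/.ocx extension (quotes excluded).
_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx)', re.IGNORECASE)
# Constructed allow-list of start/search pages that need no review.
SAFE_URL_PREFIXES = ("about:blank", "http://www.google.")


def _in_temp_dir(path: str) -> bool:
    """True when an autorun target lives under a Temp directory (constructed rule)."""
    return "\\temp\\" in path.lower()


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth a closer look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, the process list and blank lines carry no entries
        kind, body = m.group("kind"), m.group("body")
        paths = _PATH.findall(body)
        if kind in ("R0", "R1"):
            url = body.split(" = ", 1)[1] if " = " in body else ""
            if url and not url.lower().startswith(SAFE_URL_PREFIXES):
                findings.append(Finding(kind, "start/search page not on the allow-list", raw))
        elif kind == "O2" and "(no file)" in body:
            findings.append(Finding(kind, "orphaned BHO registration, no file on disk", raw))
        elif kind == "O4" and any(_in_temp_dir(p) for p in paths):
            findings.append(Finding(kind, "autorun entry launching from a Temp directory", raw))
        elif kind == "O16":
            findings.append(Finding(kind, "ActiveX download (DPF), verify the source host", raw))
        elif kind == "O20":
            findings.append(Finding(kind, "AppInit_DLLs: DLL loaded into every process that uses user32.dll", raw))
        elif kind == "O21":
            findings.append(Finding(kind, "ShellServiceObjectDelayLoad: loaded by Explorer at logon", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```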

 
yellowclaw
« Reply #11 on: September 08, 2004, 10:49:30 PM »

Yes, Newuninst.exe and PeperFix were downloaded and run.  Here is the latest hijackthis log and the Windows.txt file.  Thanks again for all your time and help.  Things are starting to look better.

Logfile of HijackThis v1.98.2
Scan saved at 6:38:08 PM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\My Documents\VirusFixSoftware\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {52D7DDE4-F150-4D82-AAB5-6EED6AB7C708} (my printer) - http://www.hpphoto.com/downloads/HPPrint.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sqle.dll



Download Attachment: windows.txt 8.71 KB

 
benditup
« Reply #12 on: September 08, 2004, 10:57:38 PM »

What OS are you using? XP Pro or Home
If you're not sure go to Start----Run---type in "WINVER" without quotes

 
benditup
« Reply #13 on: September 08, 2004, 11:27:50 PM »

Let's try this yellowclaw, ensure you have windows set to show hidden files and folders

Download this zip file: hiving_154.zip

Now sign off of the Internet and stay off until you have completed these steps

Extract the batch file hiving.bat and run it
If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box.

RESTART your computer into Safe Mode
If you have XP Pro
Open Windows Explorer>>>>Folder Options>>>View
Scroll to the bottom of the list to find the box labeled:
Use Simple File Sharing(Recommended)
Remove the check from that box and press ok.
If you have XP Home you won't have this option

Navigate to this file
C:\WINDOWS\System32\sqle.dll
You should see it now...

Right click and use the security tab on sqle.dll and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.

Example:
sqle.dll>bleh.txt
bleh.txt > badfile.111

Stay in Safe Mode
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\sqle.dll


After you have fix checked and close Hijackthis
Open up CWShredder and let it FIX all problems

RESTART back in Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Do a Disk Cleanup

Do another scan with Ad-Aware and Spybot
If bad guys found--Remove them and RESTART your computer

Post back with a fresh hijackthis log



 
yellowclaw
« Reply #14 on: September 09, 2004, 02:14:19 PM »

The computer is running XP Home Edition.  I ran Hijackthis in Safe Mode but did not see the listed:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\sqle.dll


After restarting in Normal Mode, Ad-Aware and Spybot did not find anything.  I ran HiJackThis again and found:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)

I checked them and FIX CHECKED, then ran CWShredder and HiJackThis.  I'm also installing XP SP2.  Here is the new HiJackThis Log:

Once again, THANK YOU so much for your help.

Logfile of HijackThis v1.98.2
Scan saved at 9:57:52 AM, on 9/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
C:\Documents and Settings\Owner\My Documents\VirusFixSoftware\HJT\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {52D7DDE4-F150-4D82-AAB5-6EED6AB7C708} (my printer) - http://www.hpphoto.com/downloads/HPPrint.cab


 