Logfile of HijackThis v1.95.1
Scan saved at 08:03:21, on 19/07/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\ISS\BLACKICE\BLACKD.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SETI@HOME\SETI@HOME.EXE
C:\WINDOWS\SYSTEM\OPTMOUSE.EXE
D:\NOADS\NOADS.EXE
C:\PROGRAM FILES\QUICK VIEW PLUS\PROGRAM\QVP32.EXE
C:\PROGRAM FILES\ISS\BLACKICE\BLACKICE.EXE
F:\TRANSPARENT42\TRANSPARENTB.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
E:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcadvisor.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PC Advisor
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.lycos.com/cgi-bin/pursuit?query=%s (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.32.6:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
O4 - HKLM\..\Run: [OPTMOUSEMOUSE] C:\WINDOWS\SYSTEM\optmouse.exe
O4 - HKLM\..\Run: [Windows Millennium Edition Intro Video] C:\WINDOWS\Applic~1\Micros~1\Intro\content.hta
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadBlackD] "C:\PROGRAM FILES\ISS\BLACKICE\BLACKD.EXE"
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [NoAds] "D:\NOADS\NOADS.EXE"
O4 - Startup: Qvp32.exe.lnk = C:\Program Files\Quick View Plus\PROGRAM\QVP32.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Startup: TransparentB.exe.lnk = F:\Transparent42\TransparentB.exe
O4 - Startup: ENSMIX32.EXE.lnk = C:\WINDOWS\ENSMIX32.EXE
O4 - User Startup: Qvp32.exe.lnk = C:\Program Files\Quick View Plus\PROGRAM\QVP32.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - User Startup: TransparentB.exe.lnk = F:\Transparent42\TransparentB.exe
O4 - User Startup: ENSMIX32.EXE.lnk = C:\WINDOWS\ENSMIX32.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.pcadvisor.co.uk
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37591.8198032407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O16 - DPF: ConferenceRoom Java Client (UniVoiceX Control) - http://198.64.183.19:8000/java/cr.cab

*********************************************

The following are two posts I made to another forum, but which explain my problem:

Starting my browser the other day I got this in my address bar: http://www.yoogee.com. Puzzled as to where it had come from, I tried to "lose" it, to no avail. It turned out to be linked to a program called "Internet Optimizer", which fortunately I was able to un-install; running Norton's syscheck cleared the shortcuts away and the now dead reg entries (or so I thought!). On restarting, there it was again! So I tried Ad-Aware and BEHOLD, it's a browser hijack! (malware), so after much updating and running of Ad-Aware I have removed all trace (I think) of this pain-in-the-a**e. However, what started all this was searching from the address bar, which brought up yoogee.com. So now you would think all would be well!... oh no! Despite checking the registry and confirming that "autosearch" has msn.com listed, using the address bar results in page not found errors (for searching).

Avenue Media, who make Internet Optimizer, keep sending me the same mail about how to remove it and I'm not getting anywhere fast!! There is no reference to yoogee, Avenue Media, Internet Optimizer, or any of the dll's that it used (see http://www.doxdesk.com/parasite/InternetOptimizer.html) in the registry, and yet I am stuck! (oh, search from the toolbar still works!) Any clues?

AND

*************************************

OK, so I have tried Spybot and Pest Patrol (Spybot worked better than PP) BUT I still cannot search from the address bar. I cannot repair I.E. (6.0+SP1) because it says that thumbvw.dll is version 5.50.4134.100 and needs to be 5.50.4134.600... and although I can find a version of this in c:\windows\vcm I do not know whether this is the same dll. Microsoft.com is no help at all, other than telling me what this file does! (clear as mud). I have even re-installed Win ME and that made no difference either! --- I did a search on Google for the dll in question and found an updated version, BUT I cannot install it in the right folder, because when I try, instead of replacing it Windows stores it somewhere else. It should go in the C:\Windows\System dir but instead it gets put in C:\WINDOWS\SYSTEM\sfp\archive, EVEN if I delete the dll from the first sys folder it gets replaced by the original file (as if by magic!)... way past hair ripping stage... all I want is my search from the address bar back, pleeease?
In HijackThis, check the following, then close all browser windows, and press "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.lycos.com/cgi-bin/pursuit?query=%s (obfuscated)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Millennium Edition Intro Video] C:\WINDOWS\Applic~1\Micros~1\Intro\content.hta

Now restart your computer, and find and delete the content.hta file in that Application Data\Microsoft (?)\Intro folder. About the ENSMIX32.EXE file in your Startup folder, I trust that's indeed a sound card driver? Should your problem still exist after doing all of the above, download this regfile. It will restore the Windows defaults for practically everything Search-related. http://www.spywareinfoforum.com/downloads/tools/IEFIX.reg Save to disk, close all browser windows, double click the file and answer 'yes' when asked to merge. Restart your computer. Good luck,
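As an added example (not code from this thread, from HijackThis, or from any of the posters), here is a small Python triage script that parses the `Rn - ` / `On - ` line format used in the log above and flags the same kinds of entries the reply singles out: registrations whose target is `(no file)`, a SearchURL marked `(obfuscated)`, a configured ProxyServer, an `.hta` launched from a Run key, and Run entries that give a bare filename rather than a full path. The sample lines are copied from the posted log; the `Entry` type, the flag wording and the rule set are my own assumptions about what a first-pass review should surface, not HijackThis logic.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Sample input: a handful of lines copied from the HijackThis log posted in this
# thread. The subset is constructed for this example; it is not the whole log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.lycos.com/cgi-bin/pursuit?query=%s (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.32.6:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Millennium Edition Intro Video] C:\WINDOWS\Applic~1\Micros~1\Intro\content.hta
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
"""

# HijackThis prefixes every finding with a section code (R0-R3, F0-F3, N1-N4, O1-O2x)
# followed by " - ". Everything after that is the entry body.
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass
class Entry:
    section: str                              # e.g. "R1", "O4"
    body: str                                 # text after "Rn - "
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Turn the finding lines of a HijackThis log into Entry records; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def command_of(body: str) -> str:
    """For O4 Run/RunServices bodies ("HKLM\\..\\Run: [Name] cmd args") return the command part."""
    _, _, cmd = body.partition("] ")
    return cmd.strip()


def flag_entry(e: Entry) -> List[str]:
    """Return the review flags for one entry. Rules are this example's own heuristics."""
    flags = []
    if "(no file)" in e.body:
        flags.append("dangling registration: target file is missing")
    if "(obfuscated)" in e.body:
        flags.append("search URL stored in obfuscated form")
    if e.section == "R1" and "ProxyServer" in e.body:
        flags.append("proxy server configured; confirm it is expected")
    if e.section == "O4":
        cmd = command_of(e.body)
        # First token of the command, with surrounding quotes removed.
        exe = cmd.split()[0].strip('"') if cmd else ""
        if exe.lower().endswith(".hta"):
            flags.append("HTML application run at startup")
        if exe and not re.search(r"[\\:]", exe):
            # No drive letter or backslash: which copy runs depends on the search path.
            flags.append("unqualified filename; verify which copy runs")
    return flags


def suspicious(text: str) -> List[Entry]:
    """Parse a log and return only the entries that collected at least one flag."""
    result = []
    for e in parse_log(text):
        e.flags = flag_entry(e)
        if e.flags:
            result.append(e)
    return result


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.section}  {e.body}")
        for f in e.flags:
            print(f"      -> {f}")
```

Run it on a full log by reading the file into `SAMPLE_LOG`'s place; entries with no flags (the Norton BHO, the StateMgr service) are left out of the report, while the five entries the reply lists, plus the proxy setting, come back flagged for a human to confirm.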
About your thumbvw.dll version problem, you should be able to extract a copy from your Internet Explorer setup cabs, which will contain the version of the file that you need. If you have them, they'll probably be in a Windows update setup files folder. If no joy, you'll need to reinstall Internet Explorer.
ensmix32 is a sound card driver. Have done what you suggested, including the reg fix, and guess what? Still no search from the address bar!..... Oh yes, the item listed as R3-URLSearchHook etc. is still there; when I check it and "fix it" I then get a box with a load of characters in it, in various fonts. Is this right?

********************************

However I cannot extract the thumb dll from the folder. Do I need to do it in DOS? (running Win ME).
Hi fastdog 29, Try fixing the R3 items once more with HijackThis. Close all windows and as many programs as possible. Reboot after doing so. If it still doesn't work, could you make a screenshot of the box you get? About extracting files: http://www.duxcw.com/faq/win/extract.htm Regards, Pieter
...ALL HAIL TO THE CHIEFS!!!!! HALLELUJAH, FINALLY I have my search back..... thanks to all who looked and gave me the benefit of their time and knowledge. ...err, however I still cannot extract "thumbvw.dll" as it says that it is protected from deletion/copying? (a minor point)
Hi fastdog29, Glad we could help you get rid of the hijack. Could you give me the exact error message you get, and at what point in the process of trying to extract? Regards, Pieter
It's ok, I managed to figure it out on my own (..crumbs!!). Searching Microsoft's knowledge base using "copy/protected" as search terms I found exactly the right article. You have to disable "Statemgr" in the startup part of msconfig to allow the copying of protected files that "Windows System File Protection" would normally prevent. If I'm honest I do try to fix things myself (using as much reference as possible), but the hijack thing had me stumped... any clues as to where I could get a guide/help as to how to configure the "java permissions" part of I.E. (6.0)?
Hi fastdog 29, Have a look at the text I copied here: http://www.wilderssecurity.com/showthread.php?t=11861;start=msg77012#msg77012 That should put you on the right track. Regards, Pieter