Can somebody please help me

Discussion in 'adware, spyware & hijack cleaning' started by Dixster, Jul 18, 2004.

Thread Status:
Not open for further replies.
  1. Dixster

    Dixster Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    2
    Hi,

    I'm new to all this sort of stuff (I used to just hand it over to my old IT guy at work) so am fairly naive.

    I have however, been plagued with the res://dfoyq.dll/index.html#28129 and numerous pop ups.

    I have tried installing a pop up blocker through the googlebar and have also tried cleaning any "bugs?" through ad aware and Webroot's Spy Sweeper.

    I then found yourselves through google (your page https://www.wilderssecurity.com/showthread.php?t=15913) and have followed the procedures from one of this thread accordingly to the best of my ability.

    I have swept(?) the hard disk with ad aware 6 with the settings as described in the thread & then run hijackthis as per the link.

    Here is the log file from that.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:44:33, on 18/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\addfh.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\mfcfe.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\651MVE5G\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dfoyq.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dfoyq.dll/index.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dfoyq.dll/index.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dfoyq.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dfoyq.dll/index.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dfoyq.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {56474FA3-EE2A-DC66-C8A6-35AC8A3C5C6C} - C:\WINDOWS\system32\addut32.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [mfcfe.exe] C:\WINDOWS\mfcfe.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKLM\..\RunOnce: [addfh.exe] C:\WINDOWS\system32\addfh.exe
    O4 - HKLM\..\RunOnce: [sysjj.exe] C:\WINDOWS\system32\sysjj.exe
    O4 - HKLM\..\RunOnce: [atlep32.exe] C:\WINDOWS\atlep32.exe
    O4 - HKLM\..\RunOnce: [sysxb32.exe] C:\WINDOWS\sysxb32.exe
    O4 - HKLM\..\RunOnce: [d3ex.exe] C:\WINDOWS\d3ex.exe
    O4 - HKLM\..\RunOnce: [crpf.exe] C:\WINDOWS\crpf.exe
    O4 - HKLM\..\RunOnce: [sdknu.exe] C:\WINDOWS\system32\sdknu.exe
    O4 - HKLM\..\RunOnce: [ipiw.exe] C:\WINDOWS\system32\ipiw.exe
    O4 - HKLM\..\RunOnce: [ierf32.exe] C:\WINDOWS\ierf32.exe
    O4 - HKLM\..\RunOnce: [iehy32.exe] C:\WINDOWS\system32\iehy32.exe
    O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://access.gamesplayground.com/output/011259/uk/fullgames/fullgames.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    If someone could be so kind as to advise me what to do in idiot proof English I would be MOST grateful.

    Yours in anticipation

    Dixster
     
  2. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    Hi Dixster

    You need to make a folder for HijackThis (i.e. C:\HJT) and move HijackThis.exe to this, to ensure that you can find back-up files should anything go wrong.

    Disable System restore ( http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm )

    Then I need you to search in the C:\Windows directory and see if you find a random numbered or series of random numbered .EXE files something like 70000045.exe. If you do, write down their names and location for now. If you don't find those files, let us know.

    Now, I'll have to ask you not to open Internet Explorer (IE) during the following fix (from step 2.) - print these instructions or copy the instructions to Notepad, so that you have them available without having to open IE.

    1. Please download this tool called AboutBuster here:

    http://www.malwarebytes.biz/AboutBuster.zip

    Unzip it to your desktop but don't run it yet.

    2. Press CTRL+ALT+DEL, find and right-click these processes:

    addfh.exe
    mfcfe.exe

    ... and "End process".

    3. Run HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking "Fix checked":

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {56474FA3-EE2A-DC66-C8A6-35AC8A3C5C6C} - C:\WINDOWS\system32\addut32.dll
    O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [mfcfe.exe] C:\WINDOWS\mfcfe.exe
    O4 - HKLM\..\RunOnce: [addfh.exe] C:\WINDOWS\system32\addfh.exe
    O4 - HKLM\..\RunOnce: [sysjj.exe] C:\WINDOWS\system32\sysjj.exe
    O4 - HKLM\..\RunOnce: [atlep32.exe] C:\WINDOWS\atlep32.exe
    O4 - HKLM\..\RunOnce: [sysxb32.exe] C:\WINDOWS\sysxb32.exe
    O4 - HKLM\..\RunOnce: [d3ex.exe] C:\WINDOWS\d3ex.exe
    O4 - HKLM\..\RunOnce: [crpf.exe] C:\WINDOWS\crpf.exe
    O4 - HKLM\..\RunOnce: [sdknu.exe] C:\WINDOWS\system32\sdknu.exe
    O4 - HKLM\..\RunOnce: [ipiw.exe] C:\WINDOWS\system32\ipiw.exe
    O4 - HKLM\..\RunOnce: [ierf32.exe] C:\WINDOWS\ierf32.exe
    O4 - HKLM\..\RunOnce: [iehy32.exe] C:\WINDOWS\system32\iehy32.exe
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://access.gamesplayground.com/o...s/fullgames.exe
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...fz4/install.cab
    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab

    4. Be sure you are configured to SHOW ALL FILES AND FOLDERS, including System and Hidden Files. If you don't know how to do that, follow this link http://www.xtra.co.nz/help/0,,4155-1916458,00.html and follow the step-by-step directions for your Windows version.

    Find and delete:

    C:\PROGRAM FILES\Toolbar\<<-- entire folder
    C:\WINDOWS\system32\addut32.dll
    C:\WINDOWS\System32\MSZTCE.EXE
    C:\Program Files\WildTangent\<<-- entire folder
    C:\WINDOWS\mfcfe.exe
    C:\WINDOWS\system32\addfh.exe
    C:\WINDOWS\system32\sysjj.exe
    C:\WINDOWS\atlep32.exe
    C:\WINDOWS\sysxb32.exe
    C:\WINDOWS\d3ex.exe
    C:\WINDOWS\crpf.exe
    C:\WINDOWS\system32\sdknu.exe
    C:\WINDOWS\system32\ipiw.exe
    C:\WINDOWS\ierf32.exe
    C:\WINDOWS\system32\iehy32.exe

    5. Run AboutBuster (the program you downloaded earlier) - click OK, click Start, then click OK - let it work.

    6. Reboot to Safe Mode

    Find and delete the files you noted down before (random numbered) and if you had any problems deleting the files in step 4 try and delete them now in safe mode.

    7. Reboot to Normal mode, run HijackThis - click Config -> Misc Tools and Check for updates. Once updated, scan and post a fresh log here (you can open IE now).
     
  3. Dixster

    Dixster Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    2
    FBJ,

    Thank you, thank you, thank you!

    I managed to get as far as step 4, but could not find the files/folders that you listed.

    I managed to go ahead & carry on anyway. (Don't know if I should have or not, but I figured I couldn't do that much damage, could I?)

    Anyway, here is the latest log from hijackthis as you said to do.

    Logfile of HijackThis v1.98.0
    Scan saved at 21:21:06, on 20/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\addsq32.exe
    C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\LVComS.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\BHODemon\BHODemon.exe
    C:\Documents and Settings\Richard\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [addsq32.exe] C:\WINDOWS\system32\addsq32.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    Oh, almost forgot to say, thanks

    Dixster
     
  4. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    You STILL need to make a folder for HijackThis (i.e. C:\HJT) and move HijackThis.exe to this, to ensure that you can find back-up files should anything go wrong.

    Press CTRL+ALT+DEL, find and right-click this process:

    addsq32.exe

    ... and "End process".

    Run HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking "Fix checked":

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R3 - Default URLSearchHook is missing
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O4 - HKLM\..\RunOnce: [addsq32.exe] C:\WINDOWS\system32\addsq32.exe

    4. Be sure you are configured to SHOW ALL FILES AND FOLDERS, including System and Hidden Files. If you don't know how to do that, follow this link http://www.xtra.co.nz/help/0,,4155-1916458,00.html and follow the step-by-step directions for your Windows version.

    Find and delete:

    C:\WINDOWS\system32\addsq32.exe

    In case you're unable to delete it, please reboot into Safe Mode and try it again.

    Reboot, run HijackThis, scan and post a fresh log here. Could you please open C:\WINDOWS\nsdb\hosts and copy its contents to your next post.
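Both of FBJ's fix lists above (the long one covering the res:// start pages, the relocated hosts file, the unnamed BHO and the RunOnce entries, and the short follow-up for addsq32.exe) apply the same handful of checks by eye to a HijackThis log. The script below is an added example, not part of this thread and not HijackThis' own code: it reads log lines of that format and flags the entry types the helper singled out, so a reader can see what each check is actually testing. The sample lines are taken from or modelled on the logs in this thread; the function names, the finding categories and the "files to review" grouping are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: HijackThis-style lines taken from or modelled on the
# logs posted in this thread. They exist only to exercise the checks below.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dfoyq.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {56474FA3-EE2A-DC66-C8A6-35AC8A3C5C6C} - C:\WINDOWS\system32\addut32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [addfh.exe] C:\WINDOWS\system32\addfh.exe
O4 - HKLM\..\RunOnce: [ierf32.exe] C:\WINDOWS\ierf32.exe
"""

# Where Windows normally keeps the hosts file. HijackThis only prints an O1
# "located at" line when the registry points the resolver somewhere else.
DEFAULT_HOSTS = r"c:\windows\system32\drivers\etc\hosts"

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")


def parse_lines(text):
    """Return (section, body) tuples for every R*/O* line in a log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def analyse(text):
    """Return (kind, subject, detail) findings for entries worth reviewing."""
    findings = []
    for section, body in parse_lines(text):
        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if value.lower().startswith("res://"):
                # IE start/search page pointing at a resource inside a DLL
                findings.append(("hijacked-ie-setting", key, value))
            elif key.endswith("ProxyOverride"):
                # Anything besides <local> bypasses the proxy for that host
                extra = [e for e in value.split(";") if e and e != "<local>"]
                if extra:
                    findings.append(("proxy-override", key, ";".join(extra)))
        elif section == "O1":
            if body.startswith("Hosts file is located at: "):
                path = body.split(": ", 1)[1]
                if path.lower() != DEFAULT_HOSTS:
                    findings.append(("hosts-file-relocated", path, ""))
            elif body.startswith("Hosts: "):
                # A name pinned to a non-loopback address is a redirect
                ip, _, name = body[len("Hosts: "):].partition(" ")
                if not ip.startswith("127.") and ip != "::1":
                    findings.append(("hosts-redirect", name, ip))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("unnamed-bho", body.split(" - ")[-1], ""))
        elif section == "O4":
            # RunOnce values are consumed after one boot; a list of them that
            # keeps reappearing at every scan is worth a close look.
            m = O4_RE.match(body)
            if m and m.group(2).lower() == "runonce":
                findings.append(("runonce-persistence", m.group(3), m.group(4)))
    return findings


def files_to_review(findings):
    """Distinct on-disk files behind the BHO and RunOnce findings, sorted."""
    paths = set()
    for kind, subject, detail in findings:
        if kind == "unnamed-bho":
            paths.add(subject)
        elif kind == "runonce-persistence":
            paths.add(detail)
    return sorted(paths)


def summarise(findings):
    """Count findings per category."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for kind, subject, detail in found:
        print(f"{kind:22} {subject}  {detail}".rstrip())
    print("files to review:", *files_to_review(found), sep="\n  ")
```

Run against the sample it reports seven findings and three files to look at, which is the same shortlist FBJ built by hand. The checks are deliberately narrow (res:// URLs, non-default hosts path, non-loopback hosts entries, unnamed BHOs, RunOnce entries); a legitimate RunOnce left by an installer will also be flagged, which is why the output is a review list rather than a delete list.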
     