New HijackThis Log For Review

Discussion in 'adware, spyware & hijack cleaning' started by Loozer, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. Loozer (Registered Member, joined Jun 27, 2004, 7 posts)
    Hello. Please take a look at this HijackThis log for any abnormalities. I have already run Spybot S&D, Ad-Aware and CWShredder, along with BHODemon. Currently I am being redirected constantly while online to various pop-up web sites. Also, one website comes up only as "loading" and then disappears. I located the web address and blocked the website within security settings. In addition, Ad-Aware had one thing it could not remove until restart, but upon restart the item was still found and the same message was displayed: "will remove upon restart".
    Thanks in advance for all the assistance.
    Here is the HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:44:37 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\program files\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Home Theater\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: time cash army - {04BC8F77-5C2E-E7C4-DB9B-75CC87C0C2E7} - C:\PROGRA~1\MPEGBO~1\GLOBAL ACTIVE.dll (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
     
  2. IMM (Spyware Fighter, joined May 6, 2004, 351 posts)
  3. Loozer (Registered Member, joined Jun 27, 2004, 7 posts)
    Followed your link to uninstall HuntBar. However, I could not find HuntBar or its alias in Add/Remove Programs. So I followed the manual uninstall procedure for HuntBar and PowerSearch. I am still getting the same pop-ups. Here is the new HijackThis log. Also, on startup I am getting error reports for MM_tray and Logitech stating that they will have to close.
    Thanks for your assistance.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:18:40 AM, on 6/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Home Theater\My Documents\Downloads\HijackThis.exe
    C:\Program Files\My Daily Horoscope\MyDailyHoroscope.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: time cash army - {04BC8F77-5C2E-E7C4-DB9B-75CC87C0C2E7} - C:\PROGRA~1\MPEGBO~1\GLOBAL ACTIVE.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
     
  4. IMM (Spyware Fighter, joined May 6, 2004, 351 posts)
    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Not all of these entries will still be present - but make sure you get the ones that are.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: time cash army - {04BC8F77-5C2E-E7C4-DB9B-75CC87C0C2E7} - C:\PROGRA~1\MPEGBO~1\GLOBAL ACTIVE.dll (file missing)


    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Reboot to SAFE mode
    How to start the computer in Safe mode

    Delete the following folder(s) completely
    C:\PROGRA~1\Toolbar\


    Reboot to normal mode

    -----------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.

    Post another log - I'll need to see if the coupons LSP survives Ad-Aware
     
  5. Loozer (Registered Member, joined Jun 27, 2004, 7 posts)
    Hello,
    I followed all your directions as written and this is my new HijackThis log. Also, I am "encountering problems" on startup of various programs (MM_tray, Logitech, etc.). Also, as I am writing this, two more web pages popped open.
    Hope there's something to see in this log and the problems are a relatively easy fix. Thanks for all your help,
    Jeff



    Logfile of HijackThis v1.97.7
    Scan saved at 2:09:18 PM, on 7/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Documents and Settings\Home Theater\My Documents\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
     
  6. Loozer (Registered Member, joined Jun 27, 2004, 7 posts)
    Still having trouble. Reloaded Windows and that resolved the problem with no Quick Launch toolbar being available. Also, before the Windows reload I had about 70% of processor power being used by SVCHOST.EXE LOCAL SERVICE in Task Manager. After the reload that full upper-case version has gone. However, I am still having IE open web pages on its own and trying to load http://69.20.62.53/yyy2.html or http://69.20.62.53/yyy4.html. I placed both websites in my Restricted Sites area, so the window still opens but goes no further.
    Any help would be greatly appreciated.
    Loozer
     
  7. Loozer (Registered Member, joined Jun 27, 2004, 7 posts)
    Here is a new HijackThis log


    Logfile of HijackThis v1.97.7
    Scan saved at 2:59:03 PM, on 7/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Home Theater\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
     
  8. IMM (Spyware Fighter, joined May 6, 2004, 351 posts)
    Download LSPfix here: http://www.cexx.org/lspfix.htm
    It's something you may well need if your internet connection breaks

    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis
    O1 - Hosts: 69.20.16.183 ieautosearch

    You have a look2me infection
    Try downloading http://download.broadbandmedic.com/VX2Finder(126).exe
    and running it

    Show me the logs before attempting the fix with it, though
    AdAware now has a VX2\BetterInternet (look2me) plugin available for download


    If, after you've removed it, the cdlsp BHO remains then

    1.Unzip and run LSPFix.
    2.Check 'I know what I'm doing'.
    3.Select cdlsp.dll.
    4.Click the right-pointing 'arrows' and move all instances of inetadpt.dll and nothing else to the Remove (RHS) side
    5.Click the 'Finished' button. (if you exit with the X at top right nothing happens)

    ------ some info (older so may be different from what you have)
    http://www.kephyr.com/spywarescanner/library/look2me/index.phtml
     
  9. Loozer (Registered Member, joined Jun 27, 2004, 7 posts)
    Hello IMM,
    Followed your directions, ran HijackThis and removed the above-mentioned entry. Ran VX2Finder and it returned this log:

    Log for VX2.BetterInternet File Finder (msg126)

    Files Found---
    C:\WINDOWS\System32\6bO4SVC.DLL
    C:\WINDOWS\System32\6eO4SVC.DLL
    C:\WINDOWS\System32\6hO4SVC.DLL
    C:\WINDOWS\System32\6jO4SVC.DLL
    C:\WINDOWS\System32\6mO4SVC.DLL
    C:\WINDOWS\System32\6qO4SVC.DLL
    C:\WINDOWS\System32\6rO4SVC.DLL
    C:\WINDOWS\System32\6yO4SVC.DLL
    C:\WINDOWS\System32\6zO4SVC.DLL
    C:\WINDOWS\System32\AeAAMON.DLL
    C:\WINDOWS\System32\AeMPARSE.DLL
    C:\WINDOWS\System32\Amd.dll
    C:\WINDOWS\System32\And.dll
    C:\WINDOWS\System32\ApAAMON.DLL
    C:\WINDOWS\System32\AqLEDIT.DLL
    C:\WINDOWS\System32\AxTIVEDS.DLL

    Additional Files---
    C:\WINDOWS\System32\spOrder.dll

    Keys Under Notify---AtiExtEvent
    Keys Under Notify---crypt32chain
    Keys Under Notify---cryptnet
    Keys Under Notify---cscdll
    Keys Under Notify---igfxcui
    Keys Under Notify---ScCertProp
    Keys Under Notify---Schedule
    Keys Under Notify---sclgntfy
    Keys Under Notify---SensLogn
    Keys Under Notify---termsrv
    Keys Under Notify---wlballoon


    Guardian Key--- is called:

    User Agent String---
    {39895B6C-3429-4238-B87E-BD02FB6B9643}

    From here, though, I do not understand your directions. I believe you wanted me to post this log before correcting anything with VX2Finder. But you went on to another step if VX2Finder did not remove what you expected it to remove. I will stop here and await further instructions.
    Again thank you for all the help.
     
  10. IMM (Spyware Fighter, joined May 6, 2004, 351 posts)
    Sorry about the confusion - I sometimes worry that valid files get into the list.
    Use vx2finder to delete these files and 'Make a host' file as well

    C:\WINDOWS\System32\6bO4SVC.DLL
    C:\WINDOWS\System32\6eO4SVC.DLL
    C:\WINDOWS\System32\6hO4SVC.DLL
    C:\WINDOWS\System32\6jO4SVC.DLL
    C:\WINDOWS\System32\6mO4SVC.DLL
    C:\WINDOWS\System32\6qO4SVC.DLL
    C:\WINDOWS\System32\6rO4SVC.DLL
    C:\WINDOWS\System32\6yO4SVC.DLL
    C:\WINDOWS\System32\6zO4SVC.DLL
    C:\WINDOWS\System32\AeAAMON.DLL
    C:\WINDOWS\System32\AeMPARSE.DLL
    C:\WINDOWS\System32\Amd.dll
    C:\WINDOWS\System32\And.dll
    C:\WINDOWS\System32\ApAAMON.DLL
    C:\WINDOWS\System32\AqLEDIT.DLL
    C:\WINDOWS\System32\AxTIVEDS.DLL

    (spOrder.dll is optional)

    I'm afraid we might not get it all until this tool is updated in the next few days :(
    There are some newer registry entries which need to be dealt with

    Reboot

    Run VX2Finder again and click on
    - user agent
    - Guardian.reg
    - restore policy

    - Exit and reboot.

    At this point what I'd like you to do is to:
    -----------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    While you are there - download the VX2 finder plugin as well - install it after installing Adaware and before updating.
    (it wouldn't hurt to get the LSP explorer plugin as well)
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Run the VX2 finder plugin to see if it locates anything

    Finally, close Ad-Aware, and reboot.
    ----------

    If cdlsp.dll still exists in a fresh HJT log then fix it according to the instructions above using LSPFix
    (It might also be a good idea to have this winsock fix as well http://www.iup.edu/house/resnet/winfix.shtm)

    I'll warn you that removing an LSP improperly will break your internet connection - so get the tools on hand first

    Post a fresh HijackThis log - but please use the newer 1.98 version of HJT
    HijackThis
     
    Last edited: Jul 6, 2004
  11. Loozer (Registered Member, joined Jun 27, 2004, 7 posts)
    Dear IMM,
    I followed all your directions as printed. I even ran the WinSock fix as well. Here is my new HijackThis log using version 1.98. No more pop-ups noticed, but I still receive an ATI desktop error on startup. I'm assuming I will just have to reload that device.
    Thanks again for all the help,
    Jeff


    Logfile of HijackThis v1.98.0
    Scan saved at 5:16:43 PM, on 7/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Documents and Settings\Home Theater\My Documents\Downloads\dell\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - AppInit_DLLs: C:\DOCUME~1\HOMETH~1\LOCALS~1\Temp\drv14.tmp.dll
     
  12. IMM (Spyware Fighter, joined May 6, 2004, 351 posts)
    Make sure you remove this one with HJT
    O20 - AppInit_DLLs: C:\DOCUME~1\HOMETH~1\LOCALS~1\Temp\drv14.tmp.dll
    reboot and make sure that the file it refers to in
    C:\Documents and Settings\<youruserprofilename>\Local Settings\Temp
    no longer exists (Local Settings is a hidden folder)
    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box


    Re the ATI stuff - you could remove
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    and access the functions with control panel perhaps - but you'll likely end up removing and reinstalling
     
    Last edited: Jul 7, 2004
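A small triage script for logs in this format, added here as an example; it is not part of the thread, of HijackThis, or of any tool IMM links to. It parses the header, the process list and the numbered entries, flags the kinds of lines IMM had the poster fix across this thread (O1 hosts redirects, O10 Winsock LSP entries, the O20 AppInit_DLLs line in the last log, toolbars and buttons whose file is missing, and R1 search settings pointing at websearch.com or at a third-party DLL via res://), and diffs two logs so you can see what a cleanup run actually removed. The rule wording, the websearch.com seed list and the Temp-folder rule are this example's assumptions; the two sample logs are shortened copies of the 27 Jun and 6 Jul logs posted above.

```python
"""Triage HijackThis logs of the kind posted in this thread.
Added example for this page: not code from the thread, from HijackThis or from
any tool IMM recommends. The rules encode only what the helper acted on here."""
import re

# Entry lines look like "O10 - Unknown file in Winsock LSP: c:\...\cdlsp.dll".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)   # anything loaded from a Temp folder

# Section codes IMM told the poster to deal with whenever they appeared
# (wording is this example's, not HijackThis's).
ALWAYS_REVIEW = {
    "O1": "hosts-file redirect",
    "O10": "Winsock LSP hook: do not remove with HJT alone, use LSPFix",
    "O20": "AppInit_DLLs: DLL injected into every GUI process",
}
HIJACK_DOMAINS = {"websearch.com"}   # hijacker seen in the logs; seed list only


def parse_log(text):
    """Return (HJT version, running processes, [(code, body), ...])."""
    m = re.search(r"HijackThis v([\d.]+)", text)
    version = m.group(1) if m else None
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        em = ENTRY_RE.match(line)
        if em:
            in_procs = False
            entries.append((em.group("code"), em.group("body")))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
    return version, processes, entries


def triage(entries):
    """Return [(code, body, reason)] for the entries a helper would act on."""
    findings, seen = [], set()
    for code, body in entries:
        if (code, body) in seen:   # HJT lists one LSP DLL once per catalog slot
            continue
        seen.add((code, body))
        reason = None
        if code in ALWAYS_REVIEW:
            reason = ALWAYS_REVIEW[code]
        elif "(file missing)" in body or "(no file)" in body:
            reason = "orphaned entry pointing at a deleted file"
        elif code.startswith("R"):
            hosts = re.findall(r"https?://([^/\s]+)", body, re.I)
            if any(h == d or h.endswith("." + d)
                   for h in hosts for d in HIJACK_DOMAINS):
                reason = "browser setting points at a known search hijacker"
            elif "res://" in body and "\\windows\\" not in body.lower():
                reason = "search page served from a third-party DLL"
        elif TEMP_RE.search(body):
            reason = "runs code out of a Temp folder"
        if reason:
            findings.append((code, body, reason))
    return findings


def diff_logs(old_entries, new_entries):
    """Entries gone since the previous log, and entries that appeared."""
    old, new = set(old_entries), set(new_entries)
    return sorted(old - new), sorted(new - old)


# Shortened excerpts of the first (27 Jun) and last (6 Jul) logs posted above.
LOG_JUN27 = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O3 - Toolbar: time cash army - {04BC8F77-5C2E-E7C4-DB9B-75CC87C0C2E7} - C:\PROGRA~1\MPEGBO~1\GLOBAL ACTIVE.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
"""
LOG_JUL06 = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\DOCUME~1\HOMETH~1\LOCALS~1\Temp\drv14.tmp.dll
"""

if __name__ == "__main__":
    for name, log in (("27 Jun", LOG_JUN27), ("6 Jul", LOG_JUL06)):
        version, procs, entries = parse_log(log)
        print(f"{name} (HJT {version}): {len(procs)} processes, {len(entries)} entries")
        for code, body, reason in triage(entries):
            print(f"  {code} {reason}: {body}")
    gone, new = diff_logs(parse_log(LOG_JUN27)[2], parse_log(LOG_JUL06)[2])
    print(f"gone since 27 Jun: {len(gone)}; new: {len(new)}")
```

The O10 rule only reports; it never suggests ticking the line in HijackThis, because, as IMM warns above, pulling one DLL out of the Winsock catalog without repairing the chain breaks the connection, which is what LSPFix and the WinSock fix are for. Running the script on the two excerpts shows the four entries the cleanup removed and the two (O9, O20) that appeared afterwards.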