
homepage hijacked - http://xysearch.biz/?wmid=3301

Discussion in 'Malware and Virus Removal Archive' started by mantraslider, 2004/11/11.

Thread Status:
Not open for further replies.
  1. 2004/11/11
    mantraslider

    mantraslider Inactive Thread Starter

    Joined:
    2004/11/11
    Messages:
    15
    Likes Received:
    0
    Hi, everyone
    I have been looking through these forums for assistance and I think I have tried most of the options, but still cannot get rid of this re-direction on my IE homepage.

    http://xysearch.biz/?wmid=3301

    Below is my HijackThis log.

    I would really appreciate some of your expert guidance.


    Logfile of HijackThis v1.98.2
    Scan saved at 14:47:14, on 11/11/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\DOCUME~1\OFFICE11\OUTLOOK.EXE
    C:\Documents and Settings\OFFICE11\WINWORD.EXE
    c:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Alistair\My Documents\downloads\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    F2 - REG:system.ini: UserInit=Userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe "
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Documents and Settings\Office\OSA9.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\DOCUME~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095530257638
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5C089D9A-F9BE-4BD9-ADDD-A734B2C02C78}: NameServer = 194.168.4.100 194.168.8.100
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
     
  2. 2004/11/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Welcome to WindowsBBS.

    Start HijackThis and place a check next to these items.
    Close all browser windows and shut down all other programs that show in the taskbar (even folders), then hit Fix checked.
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
    ====================
    Download FxAgentB.exe close all browsers then run the tool.
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html
    Simply follow the prompts, then reboot.

    ===================

    Make a new folder, for example C:\DllCompare.
    http://download.broadbandmedic.com/DllCompare.exe
    Download DllCompare.exe to that folder.


    Start the program and click Run Locate.com, then wait a few seconds until the scan says complete.
    (Default settings are usually sufficient.)

    Click the Compare button to start the sorting process.

    Files in the upper portion have been verified to "exist", whereas files in the bottom section have some form of problem being accessed.
    There will be only minimal, if any, files listed there once that Compare scan is complete. If you find you have a few files listed in the lower box:

    Click on any of the listed entries to select it. Right-click the mouse and use the option Rescan, like this.

    This will run the file through the standard Windows Find, and if it does exist, it will be removed from the list (to further filter the found objects), like this.

    After that, if you are left with files that are still not found, click the Make a Log of what was found button, and post that log.
    ===============

    Post a new HijackThis log, the DllCompare log and the FxAgentB log to
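    The items Lonny picks out of the log above (O16 DPF objects loaded from local file:// cab files with copy-paste CLSIDs, an O21 SSODL entry with no backing file, and a UserInit value that is not a full path) can be turned into repeatable triage rules. The script below is an added example and is not part of the thread, of HijackThis, or of any WindowsBBS tool; the line format it parses, the three heuristics, and the sample lines (constructed, modelled on the log posted above) are this example's own assumptions. It reports which lines deserve a closer look and why, which is the same judgement a helper makes by eye.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not a HijackThis feature)."""
import re

# Constructed sample in HijackThis v1.98 line format, modelled on the thread's log.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
"""

CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
# Heuristic (assumption): a CLSID whose first three groups are one repeated hex digit
# (11111111-1111-1111-...) was typed in, not generated, and is worth a look.
TEMPLATED_CLSID_RE = re.compile(r"^([0-9A-Fa-f])\1{7}-\1{4}-\1{4}-")


def parse_line(line):
    """Split 'O16 - rest' into (section, rest); return None for non-entry lines."""
    m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_o16(rest):
    """Downloaded Program Files: flag local file:// sources and templated CLSIDs."""
    reasons = []
    m = CLSID_RE.search(rest)
    if m and TEMPLATED_CLSID_RE.match(m.group(1)):
        reasons.append("templated CLSID")
    if re.search(r"-\s*file://", rest, re.IGNORECASE):
        reasons.append("DPF object sourced from a local file:// path instead of a web download")
    return reasons


def check_o21(rest):
    """ShellServiceObjectDelayLoad: an entry whose file is gone is an orphan worth removing."""
    return ["SSODL entry with no backing file"] if rest.rstrip().endswith("(no file)") else []


def check_f2(rest):
    """system.ini UserInit: Windows XP's default is the full path to system32\\userinit.exe."""
    m = re.search(r"UserInit=([^,]*)", rest, re.IGNORECASE)
    if m and not re.match(r"^[A-Za-z]:\\", m.group(1).strip()):
        return ["UserInit is not a full path (default is C:\\WINDOWS\\system32\\userinit.exe,)"]
    return []


CHECKS = {"O16": check_o16, "O21": check_o21, "F2": check_f2}


def triage(log_text):
    """Return [(line, reasons)] for every line that hits at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, rest = parsed
        reasons = CHECKS.get(section, lambda _r: [])(rest)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```

    On the constructed sample the script flags the F2 UserInit line, the two file:// O16 entries and the O21 orphan, and leaves the R1 homepage, the Acrobat BHO and the eBay O16 control alone; those are exactly the four kinds of lines the reply above asks the poster to fix. Flagged lines are a prompt for review, not a verdict: the script never deletes anything.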
     


  4. 2004/11/12
    mantraslider

    mantraslider Inactive Thread Starter

    Joined:
    2004/11/11
    Messages:
    15
    Likes Received:
    0
    Hi, Lonny
    Thanks for responding.

    I ran the FxAgentB.exe and nothing was found.

    I tried to run the Dllcompare.exe, but got the following error:

    C:\DLLCOM~1\locate.com
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.

    Any ideas?
     
  5. 2004/11/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  6. 2004/11/12
    mantraslider

    mantraslider Inactive Thread Starter

    Joined:
    2004/11/11
    Messages:
    15
    Likes Received:
    0
    OK, I have autoexec.nt; it is located in C:\WINDOWS\I386.

    I'm a little unsure how to use the command prompt as described in the Microsoft Support doc...
     
  7. 2004/11/12
    Dez Bradley

    Dez Bradley Inactive

    Joined:
    2004/10/11
    Messages:
    246
    Likes Received:
    0
    Also try this program (link below) if Spybot or Ad-Aware don't work. I mainly use Spybot to remove adware, but a few it can't remove properly, and chiefly they are variants of CoolWebSearch, of which there are many. Yours may be a variant covered by this program. It is safe to use, I have used it many times, and it is also easy to understand.

    Anyway, here's the link if you are interested:

    http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
     
  8. 2004/11/12
    mantraslider

    mantraslider Inactive Thread Starter

    Joined:
    2004/11/11
    Messages:
    15
    Likes Received:
    0
    I have run CWShredder and it does not find any coolwebsearch files.

    For the record I use Adaware too.
     
  9. 2004/11/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    OK, we will get back to that in a moment.

    Click here to download Pocket Killbox by Option^Explicit, and extract it from the zip file.

    Close all browsers,

    then double-click on Killbox.exe to run it.

    Select the Delete on reboot option.

    In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

    C:\WINDOWS\System32\TGBRFV_.exe

    It will prompt you to reboot, press the NO button. Instead, copy and paste the following and click the 'Delete File' button again:

    C:\Windows\System32\TGBRFV_5.dll

    When it prompts you to reboot this time, press the YES button.

    After restarting, with only HijackThis running, scan, and when the scan is complete remove the following entry by checking the box to its left and clicking 'Fix checked':

    F2 - REG:system.ini: UserInit=Userinit.exe,
    Reboot again when done, then come back to the forum, make a new log and post it.

    You should have a copy of autoexec.nt in C:\windows\repair; if so, place a copy in the C:\windows\system32 folder.
     
