
Hijacked browser2

Discussion in 'Security and Privacy' started by Eleanor316, 2004/06/27.

  1. 2004/07/01
    noahdfear (Inactive)
    Hi Eleanor,

    You say your browser is still hijacked. Is it by one of the R1 entries you chose to leave? If so, check them to be fixed with HijackThis, along with the following. (When I said they were optional to fix, it was in case you had intentionally set one of them to be your homepage.)

    O1 - Hosts: 69.20.16.183 ieautosearch

    Open C:\WINNT\System32 and click tools>folder options>view tab. Uncheck the box to hide extensions for known file types and hide protected OS files. Apply and OK. Scroll down to the exe section and delete the infected files. If you still cannot see them, download and install Agent Ransack. It is a search tool that many folks here have used to replace the default XP search tool, as it is far superior. Use it to search for the files and delete them from there.

    If you cannot open the backups and delete the infected files, I suggest you delete those backups.

    After deleting the infected files, empty the recycle bin and turn off system restore, then reboot.

    Then stay off the internet until the entire procedure below is complete.

    Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

    Then select the *Delete these files* button.
    You will be left with notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file. Reboot.

    Once back in Windows, open VX2Finder again and click on the *click to find VX2.BetterInternet* button. Then click on these buttons in the right pane:

    user agent, Guardian.reg, restore policy

    Exit and reboot.

    Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Post it here with a fresh HijackThis log. Please recheck everything you have unchecked in msconfig before making a new HijackThis log.

    I'm unsure at this point what has happened to your quick launch, but I suspect foul play. It appears from your log that something has damaged the IE Spell toolbar files and Java toolbar files as well. I looked back through my previous instructions to make sure it wasn't something I had done, and it wasn't. Feel free to wait for someone to verify that. Let's get the viri out and then we can fix whatever needs fixing.
     
  2. 2004/07/01
    Eleanor316 (Well-Known Member, Thread Starter)
    Hijacked browser 2

    Part 1 of 2

    Hi Dave,
    Deleting Hosts: 69.20.16.183 ieautosearch fixed the hijacking problem. Wonder why this wasn’t recommended previously? Didn’t it show up previously? At any rate, the problem seems to be resolved.

    BTW, my husband sheepishly admitted to allowing download and install of something called Tools for Internet Explorer about the time this problem started. Wonder what web site offered this? Had he told me this earlier, the problem could have been resolved much earlier.

    I think I may have learned enough about the use of HJT to go solo next time. Where can I find detailed instruction on interpreting the HJT log?

    I did not delete the Outlook backup files. When I did that yesterday I lost the Address Book. My ISP server, Yahoo, and NAV have all been finding multiple emails with viri in them, especially Netsky and Beagle. I can’t believe I still have some infected Outlook files. Wish I knew who has those viri on their HD that keeps sending them to me. Is there any way to find that out?

    Now for the other things you recommended:

    Agent Ransack found all the .exe files except Fvf0Khe.exe. Is it OK to ignore that one?

    Ran Vx2Finder several times; did not find Guardian.reg. OK to ignore that?

    Log for VX2.BetterInternet File Finder
    Files Found---
    Guardian Key--- is called:
    User Agent String---

    Log file of HijackThis v1.98.0
    Scan saved at 5:24:12 PM, on 7/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.contracostatimes.com/mld/cctimes
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bayarea.com/mld/cctimes/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue: "Keyboard Preload Check "
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\System32\taskswitch.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKCU\..\Run: [Weather] C:\Program Files\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [ForbesMarkets] C:\Program Files\ForbesMarkets\ForbesMarketsAlerts.exe
    O4 - HKCU\..\Run: [ForbesLifestyle] C:\Program Files\ForbesLifestyle\ForbesLifestyleAlerts.exe
    O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
    O4 - Startup: Direct CD.lnk = C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
    O4 - Startup: Directcd.lnk = C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
    O4 - Startup: My DSL.lnk = ?
    O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    End of Part 1
     


  4. 2004/07/01
    Eleanor316 (Well-Known Member, Thread Starter)
    Hijacked browser 2

    Part 2 of 2
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66094A7E-ACEE-4F0C-9A6F-3FACA371C221}: NameServer = 206.13.28.12 206.13.29.12

    I still have multiple items (checked) in msconfig. Want to get rid of those I don’t want to autostart. Is that the purpose behind deleting them from HJT log?
    Occasionally, run32.dll shows up either in msconfig or Task Manager. What is that?

    My Daily Horoscope has been installed several times in spite of the denying download. Where is this coming from?

    Awaiting your reply.

    End of Part 2 of 2
    End of post Hijacked browser 2
     
  5. 2004/07/01
    noahdfear (Inactive)
    Hi Eleanor. :)

    No, it didn't show up until your previous log.
    Doubtful. We still have to take the same steps to see what all is present, and then remove it.
    Google.com It's more complicated than it looks. :rolleyes:
    Then your computer is still infected. Try running Stinger and/or a free trial of Trojan Hunter. Maybe one of them can clean the files. Send everyone in your address book a link to RAV and a plea to use it. They can always post here for help if they need it. :)
    Only if it doesn't come up as an infected file with RAV. If RAV finds it, it is there. Let me know. There are other ways to get to it.
    Perfect. That nasty is gone now too.
    Are there more than what I see in this log? Fixing an 04 Run entry with HijackThis removes it from the registry, disabling it from autostarting. When you remove the registry entry, you will no longer have it in msconfig. Some things have an autostart option within the program and can be disabled from there. Some will return after fixing, especially bad ones. There are often other components on the PC that replace the run entry when deleted, hence the importance of removing the proper files when fixing.

    In addition to fixing the 04 entries you want, fix this one too.
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    And all of the 09's that say file missing.
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    Probably need to reinstall Sun Java, Weatherbug and IESpell if you want to access them from the IE toolbar.

    Run32.dll Still does the same thing in XP.
    Most likely drive-bys. Install Spybot Version 1.3. Allow it to load SD Helper. Open it up and update, then click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install and update.
    Then download and install IESpyads.

    That will give you an added layer of protection against unwanted parasites.
     
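As an added example (not part of this thread, and not code from HijackThis or VX2Finder), the Python script below applies three of the checks the posts above walk through by hand: it pulls the O1 hosts-file lines out of a HijackThis log and flags any that send a name to a non-loopback address (the 69.20.16.183 ieautosearch entry that turned out to be the hijack), lists the O4 registry Run values that HijackThis deletes when they are "fixed" (which is why they then vanish from msconfig), collects O9 entries marked "(file missing)" or "(no file)" so they can be verified on disk before fixing, and reads the O17 nameservers. The sample log is constructed from lines quoted in this thread; the regular expressions are my own reading of the 1.9x log format, not an official grammar.

```python
"""Offline triage of a HijackThis 1.9x log.

Added example, not part of the forum thread or of HijackThis itself. The
regular expressions below are an assumed reading of the plain-text log
format seen in the thread ("O1 - Hosts: 69.20.16.183 ieautosearch").
"""
import ipaddress
import re

# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""Log file of HijackThis v1.98.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.contracostatimes.com/mld/cctimes
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Weather] C:\Program Files\WeatherBug\Weather.exe 1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{66094A7E-ACEE-4F0C-9A6F-3FACA371C221}: NameServer = 206.13.28.12 206.13.29.12
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
MISSING_RE = re.compile(r"\((file missing|no file)\)")
NS_RE = re.compile(r"NameServer\s*=\s*(?P<servers>.+)$")


def parse_entries(log_text):
    """Return (section, body) pairs for every entry line; header lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def hosts_redirects(entries):
    """O1 hosts entries that point a name at a non-loopback address.

    A loopback mapping is the usual ad-blocking trick and is skipped. A remote
    address means every lookup of that name is silently sent to that host,
    which is the mechanism behind the hijack in this thread.
    """
    found = []
    for sec, body in entries:
        if sec != "O1":
            continue
        m = HOSTS_RE.match(body)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            found.append((m.group("ip"), m.group("name")))  # unparsable target: flag it
            continue
        if not addr.is_loopback:
            found.append((str(addr), m.group("name")))
    return found


def run_entries(entries):
    """O4 registry autostarts as (hive, value name, command line).

    Fixing one of these in HijackThis deletes the registry value, so it also
    disappears from msconfig's Startup tab. Startup-folder shortcuts (the
    "O4 - Startup:" lines) are not registry values and are not returned here.
    """
    out = []
    for sec, body in entries:
        if sec != "O4":
            continue
        m = RUN_RE.match(body)
        if m:
            out.append((m.group("hive"), m.group("name"), m.group("cmd").strip()))
    return out


def missing_targets(entries):
    """Entries whose target HijackThis could not find on disk.

    The thread notes that version 1.98 reported some of these falsely, so
    treat the result as a list to verify by hand (does the DLL exist?), not
    as a list to fix blindly.
    """
    return [(sec, body) for sec, body in entries if MISSING_RE.search(body)]


def nameservers(entries):
    """DNS servers from O17 entries, to compare against what the ISP really issues."""
    out = []
    for sec, body in entries:
        if sec == "O17":
            m = NS_RE.search(body)
            if m:
                out.extend(m.group("servers").split())
    return out


def triage(log_text):
    """Run all checks over a log and return them keyed by check name."""
    entries = parse_entries(log_text)
    return {
        "hosts_redirects": hosts_redirects(entries),
        "run_entries": run_entries(entries),
        "missing_targets": missing_targets(entries),
        "nameservers": nameservers(entries),
    }


if __name__ == "__main__":
    for check, items in triage(SAMPLE_LOG).items():
        print(check)
        for item in items:
            print("   ", item)
```

Run it as a script to print the triage of the embedded sample, or call triage() on the text of a real log. The hosts check is deliberately narrow: it does not judge the name, only where the name is sent, because a redirect to a remote address is wrong regardless of what the name looks like.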
  6. 2004/07/02
    Eleanor316 (Well-Known Member, Thread Starter)
    Hijacked browser 2

    Dave, I very much appreciate your help with resolving my problem with a hijacked browser. Due to your patience and courtesy I have cleaned up more problems than that one. This is a wonderful forum and I'm sure I'll come back here frequently to solve problems with my pc and those of friends whom I help.

    Again, many thanks.
     
  7. 2004/07/02
    noahdfear (Inactive)
    You're very welcome Eleanor. Glad to have helped. :) Is everything working OK now? Quicklaunch? Did you rescan with RAV? Did you run either one of the trojan scanners? And were they successful?

    I just hate the thought of stopping before everything gets cleaned up! Obsessive Compulsive Computer Cleanup Disorder or something. :D
     
  8. 2004/07/02
    noahdfear (Inactive)
    Hi again Eleanor.

    I just ran HijackThis Version 1.98 on my system to play with it a bit, and I noticed a glitch. Did you do as I suggested here?
    The new version, including the updated 'HOT FIX' version available today falsely reported this. I reran version 1.97 to double check.
     
  9. 2004/07/02
    Eleanor316 (Well-Known Member, Thread Starter)
    Ran Rav and the trojan hunters. Rav still ‘claims’ there are 2 infected Outlook files. None of the other scans (SpySweeper, Rav, Computer Associates scan, NAV, Trend, Vx2Finder) found them, so I chose to go with the majority and ignore the Rav findings. The trojan scanners found nothing.

    Haven’t solved the problem yet with loss of quick launch toolbar, but I’m working on it.
    I’m disappointed that MS doesn’t have an extensive knowledge base on W XP as it does all other versions.

    Yes, I did follow your suggestion on Hijack and did run V 1.98. I always search for updates before running any of the scans.

    How do you have time for 14 children when you are so Obsessive Compulsive Computer Cleanup challenged? <;-}
     
  10. 2004/07/02
    noahdfear (Inactive)
    I meant did you fix the 09 entries that said (file missing)? If so, you can open HijackThis, click the config button, then backup, locate those entries and restore them. It is a false reporting.
    Multi-tasking. :D
     
  11. 2004/07/02
    noahdfear (Inactive)
    Just came across a possible fix for your quick launch in the XP forum.

    http://www.kellys-korner-xp.com/taskbarplus!.htm
     
  12. 2004/07/02
    Lonny Jones (Inactive Alumni)
    Hi Guys

    The VX2 bug nastie uses the quicklaunch; after you use VX2Finder correctly
    you'll simply have to put it back, and place it wherever you want.

    But first, did you use the buttons in the order Dave suggested?
    After deleting the files and rebooting--
     