
http ://xysearch.biz/?wmid=3301 will not go away

Discussion in 'Malware and Virus Removal Archive' started by wolfy810, 2004/11/17.

Thread Status:
Not open for further replies.
  1. 2004/11/17
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    I've noticed a few others have had this problem, I cannot change http://xysearch.biz/?wmid=3301 from my homepage. Please help me remove this. I downloaded HJT and scanned my system, here are the results:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:07:22 PM, on 11/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    edit note: remainder of hjt log removed. Newt
     
  2. 2004/11/17
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi wolfy810 and welcome to the forum.

    We aren't quite ready to see the HJT log file. Several things to do first.

    - get the latest version of Hijackthis. You have 1.97.x and you need 1.98.2 which will do a much better job of finding baddies than the older one you have. I think all the download sites should have the current one so check the links from my signature.

    - when you get the updated version, put it in a folder of its own and not in desktop as you had it or in a temp folder. I suggest making a new c:\hjt folder and using that.

    - you have a variety of things that need to be dealt with but I think you can improve your situation some and greatly reduce the clutter that was in the first log if you download, update, and run first ad-aware and then spybot. Also available from the link in my signature. Let both programs remove everything they find.

    When you've gotten all of that, post back with a new HJT log.
     
    Newt,
    #2


  4. 2004/11/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    EDIT NOTE
    I see Newt posted while I was working on a response. Posted it anyway, just because. :rolleyes:

    Welcome to WindowsBBS wolfy810 :)

    You may want to print this out, or save it to text where you can access it in safe mode.

    Download and install both Spybot and Ad-aware from the links in my signature. Open and update both. Close for now.

    Right click the desktop and choose new>folder. Name it HJT. Cut and paste HijackThis.exe to that folder. That will keep backup files from scattering all over the desktop.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINDOWS\System32\msacmx.dll
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [WhenUSearchWHSE] C:\PROGRA~1\WHENUS~1\whse.exe
    O4 - HKLM\..\Run: [wxefhqpozowfe] C:\WINDOWS\System32\vgltjeme.exe
    O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
    O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\System32\msvcmm32.exe
    O4 - HKLM\..\Run: [Homeland Network] "C:\Program Files\HomelandNetwork\HomelandNetwork.exe "
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [dllhostxp.exe] dllhostxp.exe
    O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: OfferCompanion.lnk = C:\RECYCLER\NPROTECT\00026027.exe
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Ebates (HKCU)
    O15 - Trusted Zone: http://*.63.219.181.7
    O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Owner\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/08556026be5e87...ip/RdxIE601.cab


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Log on to your user account.


    Now in safe mode, you will need to show hidden files and folders, as well as system files.

    Search the drive for and delete the files dllhostxp.exe and clfmon.exe.
    Open C:\WINDOWS\system32 and delete the file vgltjeme.exe.
    Open C:\Program Files and delete the folders MySearch, Ebates_MoeMoneyMaker, WhenUSearch, WildTangent, Hotbar and HomelandNetwork.
    Open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.

    Open Spybot and run. Delete all it finds and prechecks. Open Ad-aware and run in full scan mode. Delete all it finds.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, scan your PC with RAV. If any files are infected, click the report button then copy and paste it here, along with a new HijackThis log.

    You are behind on Windows Updates, which leaves your computer open to quite a few vulnerabilities. When you get this all cleaned up, you need to go there and get all available critical updates. It will most likely take several visits.
     
  5. 2004/11/18
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    RAV Report and HJT scan

    First off, thanks for all your help. I used both of your responses and here are my results:

    RAV Scan Results

    Scan started at 11/18/2004 7:26:20 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\125237.exe - Tool:pornDialer.BP -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\alchem.cab->alchem.exe - TrojanDownloader:Win32/Alchemic.A -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\alchem.exe - TrojanDownloader:Win32/Alchemic.A -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\conscorr.cab->conscorr.exe - TrojanDownloader:Win32/Stubby.C -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\MSView.cab->MSView.dll - Trojan:Win32/KeyHost.E -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\MSView.dll - Trojan:Win32/KeyHost.E -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\polall1m.exe->(CExe) - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\polmx.cab->polmx.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\polmx.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\twaintec.cab->polall1m.exe->(CExe) - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\wupdt.exe - TrojanDownloader:Win32/Intexp.A -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\SNWP0B49\exitpoplight[1].htm->(SCRIPT0000) - JS/Noclose.C* -> Suspicious
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\SNWP0B49\exitpoplight[1].htm->(SCRIPT0001) - JS/Noclose* -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\THI3B85.tmp\wupdt.exe - TrojanDownloader:Win32/Intexp.A -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\THI42D6.tmp\localNrd.cab->polall1l.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\THI42D6.tmp\polall1l.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\THI69A4.tmp\localNrd.cab->polall1l.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\THI69A4.tmp\polall1l.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\177B1H4E\connect[1]->(GZip)->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C9QV8PAR\updall1m[1].exe - TrojanDownloader:Win32/Agent.AB -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CLAZWHEB\stc[1].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPSNEDCL\KeyActivexTest[1].ocx - TrojanDownloader:Win32/Small.GZ -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QX1IFA5G\TRACK[1].CHM->/track.htm->(SCRIPT0001)->(EncScript) - JS/Psyme.gen* -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U5RW9GBA\HelperInstaller[1].exe - TrojanDropper:Win32/Delf -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9YJ27G1\IdleUI[1].dll - TrojanSpy/Win32.Idly.C -> Infected
    C:\Program Files\Free Downloads Accelerator\stopinst.exe - TrojanDownloader:Win32/Wren.D -> Infected
    C:\WINDOWS\polmx.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\WINDOWS\polmx3.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\WINDOWS\twaintec(2).dll - Trojan:Win32/Spy.BiSpy.C -> Infected
    C:\WINDOWS\bundles\HelperInstaller.exe - TrojanDropper:Win32/Delf -> Infected
    C:\WINDOWS\Downloaded Program Files\file1.exe - TrojanDownloader:Win32/Nex.B -> Infected
    C:\WINDOWS\SYSTEM32\attnvg.exe - Backdoor:Win32/Bmail.C -> Infected
    C:\WINDOWS\SYSTEM32\driverpg.exe - Backdoor:Win32/Bmail.C -> Infected

    Scanned
    ============================
    Objects: 50115
    Directories: 4296
    Archives: 6731
    Size(Kb): -1127647
    Infected files: 32

    Found
    ============================
    Viruses found: 17
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 92

    HJT Results:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:22:30 PM, on 11/18/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\support.com\bin\tgcmd.exe
    C:\Program Files\Movielink\MovielinkManager\Movielink Manager.exe
    C:\Program Files\Sonique\sqstart.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\SYSTEM32\msvcmm32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\Free Downloads Accelerator\fdaagent.exe
    C:\WINDOWS\System32\saie.exe
    C:\WINDOWS\System32\winupdt.exe
    C:\WINDOWS\System32\vgltjeme.exe
    C:\PROGRA~1\ADDEST~1\ADDEST~1.EXE
    C:\WINDOWS\System32\vbstrol.exe
    C:\WINDOWS\System32\upnmodem.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\Virus Protectors\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
    F2 - REG:system.ini: UserInit=Userinit.exe,
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper100.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp99.dll
    O2 - BHO: SDWin32 Class - {B3624FBF-AB22-400C-85E8-AD83629683D4} - C:\WINDOWS\System32\iscck.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
    O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Manager.exe /WNDSTART /Tray
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe "
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
    O4 - HKLM\..\Run: [iscckc] C:\WINDOWS\System32\iscckc.exe
    O4 - HKLM\..\Run: [nqbjqyiydrjy] C:\WINDOWS\System32\vgltjeme.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [3sFg34j] upnmodem.exe
    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Owner\LOCALS~1\Temp\djtopr1150.exe "
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1 "
    O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [IBwmRQHqR] vbstrol.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0d\aoltray.exe
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab

    What to do now...

    wolfy810
     
  6. 2004/11/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper100.dll
    O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
    O2 - BHO: SDWin32 Class - {B3624FBF-AB22-400C-85E8-AD83629683D4} - C:\WINDOWS\System32\iscck.dll
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
    O4 - HKLM\..\Run: [iscckc] C:\WINDOWS\System32\iscckc.exe
    O4 - HKLM\..\Run: [nqbjqyiydrjy] C:\WINDOWS\System32\vgltjeme.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [3sFg34j] upnmodem.exe
    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Owner\LOCALS~1\Temp\djtopr1150.exe "
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [IBwmRQHqR] vbstrol.exe

    Reboot to safe mode, this time logging on to the Administrator account.


    Open C:\Documents and Settings\Owner\Local Settings\Temp, select all and delete.

    Open C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5, select all and delete.

    Open C: and delete the file 125237.exe

    Open C:\WINDOWS and delete the files polmx.exe, polmx3.exe and twaintec(2).dll

    Open C:\WINDOWS\bundles and delete the file HelperInstaller.exe. If there is nothing else in the bundles folder, delete the entire folder. If it has other files, please post the names.

    Open C:\WINDOWS\Downloaded Program Files and delete the file file1.exe

    Open C:\WINDOWS\SYSTEM32 and delete the files attnvg.exe, driverpg.exe, winupdtl.exe, saie.exe, iscckc.exe, upnmodem.exe, vbstrol.exe and vgltjeme.exe

    Open C:\Program Files and delete the folders CxtPls, SurfSideKick 2, VBouncer and Ebates_MoeMoneyMaker if present.
    Open C:\Program Files\Free Downloads Accelerator and delete the file stopinst.exe

    Open C:\Windows\Prefetch, select all and delete.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup.

    Reboot back into Windows and visit Windows Update. Accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.

    Scan with RAV again and post the log, as well as a new HJT log.

    Let us know if you are unable to locate or delete any of the files.
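    The two fix lists above (in this post and the earlier one) were built by reading the O4 autorun lines by eye and noticing the tell-tale patterns: executables launched by bare name with no path, value names that look machine-generated, and the same autorun slot pointing at a different file from one scan to the next. The script below is an added example written for this thread, not a tool any of the posters used; it automates that comparison between two HijackThis logs. The two embedded sample logs are short excerpts copied from the logs posted in this thread on 11/18 and 11/20; the heuristics, thresholds, severity labels and function names are my own assumptions.

```python
"""Triage of HijackThis O4/F2 lines across two scans (added example; not from the thread)."""
import re

# O4 registry autoruns, e.g. "O4 - HKLM\..\Run: [3sFg34j] upnmodem.exe"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]*)\] (.*)$')
# F2 Winlogon UserInit chain, e.g. "F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_"
F2_RE = re.compile(r'^F2 - REG:system\.ini: UserInit=(.*)$')

# Excerpts copied from the 11/18 and 11/20 logs posted in this thread.
OLD_LOG = r"""
F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nqbjqyiydrjy] C:\WINDOWS\System32\vgltjeme.exe
O4 - HKLM\..\Run: [3sFg34j] upnmodem.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Owner\LOCALS~1\Temp\djtopr1150.exe "
O4 - HKCU\..\Run: [IBwmRQHqR] vbstrol.exe
"""
NEW_LOG = r"""
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
O4 - HKLM\..\Run: [3sFg34j] notavi32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [IBwmRQHqR] msnsit.exe
"""

def parse_o4(log):
    """Map (hive, key, value name) -> command for every O4 registry line."""
    out = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            out[(hive, key, name)] = cmd.strip()
    return out

def parse_userinit(log):
    """Comma-separated UserInit chain from the F2 line, or [] if there is no F2 line."""
    for line in log.splitlines():
        m = F2_RE.match(line.strip())
        if m:
            return [p.strip() for p in m.group(1).split(',') if p.strip()]
    return []

def image_of(cmd):
    """First token of the command with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].strip() if end > 0 else cmd.strip('"').strip()
    return cmd.split()[0] if cmd else ''

def basename(image):
    return image.split('\\')[-1].lower()

def is_bare(image):
    """No directory at all: the loader finds it by PATH search, which suits System32 droppers."""
    return '\\' not in image and ':' not in image

def looks_random(name):
    """Weak signal: value names with (almost) no vowels. The threshold is an assumption;
    vowel-free legitimate abbreviations such as 'hpsysdrv' also trip it."""
    letters = [c.lower() for c in name if c.isalpha()]
    if len(letters) < 4:
        return False
    vowels = sum(c in 'aeiou' for c in letters)
    if vowels == 0:
        return len(letters) >= 6 or any(c.isdigit() for c in name)
    return len(letters) >= 8 and vowels / len(letters) < 0.12

def triage(old_log, new_log):
    """Findings for the newer log as (severity, value name, message) tuples."""
    old, new = parse_o4(old_log), parse_o4(new_log)
    old_names_by_image = {}
    for key, cmd in old.items():
        old_names_by_image.setdefault(basename(image_of(cmd)), set()).add(key[2])
    findings = []
    for key, cmd in new.items():
        name, image = key[2], image_of(cmd)
        base = basename(image)
        if is_bare(image):
            findings.append(('high', name, 'bare image %s resolved by PATH search' % image))
        if looks_random(name):
            findings.append(('medium', name, 'value name looks machine-generated'))
        if key in old:
            old_base = basename(image_of(old[key]))
            if old_base != base:   # same autorun slot, file swapped: the dropper re-dropped
                findings.append(('high', name, 'executable changed %s -> %s' % (old_base, base)))
        else:
            findings.append(('info', name, 'new since previous scan: %s' % base))
        prior = old_names_by_image.get(base, set()) - {name}
        if prior:                  # same file, new slot: it was re-registered under a new name
            findings.append(('high', name, '%s previously registered as %s'
                             % (base, ', '.join(sorted(prior)))))
    for part in parse_userinit(new_log):
        if basename(part) != 'userinit.exe':
            findings.append(('high', 'UserInit', 'extra entry in UserInit chain: %s' % part))
    return findings

if __name__ == '__main__':
    rank = {'high': 0, 'medium': 1, 'info': 2}
    for sev, name, msg in sorted(triage(OLD_LOG, NEW_LOG), key=lambda f: rank[f[0]]):
        print('%-6s [%s] %s' % (sev, name, msg))
```

    Run against the two excerpts it reports the two slots whose file changed between scans (`3sFg34j`: upnmodem.exe to notavi32.exe; `IBwmRQHqR`: vbstrol.exe to msnsit.exe), both launched by bare name, plus the `TGBRFV_` appended to the UserInit chain, and lists AutoUpdater and MSConfig as merely new. The "previously registered as" check does not fire on this pair, but it is exactly what would have caught vgltjeme.exe moving from the `wxefhqpozowfe` value in the first log to `nqbjqyiydrjy` in the 11/18 one. Treat the machine-generated-name flag as a prompt to look, not a verdict: the vowel-free `hpsysdrv` (an HP component) is flagged too.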
     
  7. 2004/11/20
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    Looking good...

    I am able to change my homepage at this point but I want to make sure that I'm totally clean. Here are some results from the last post (I will post my HJT log and RAV report separately):

    Files that I couldn't find:

    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
    O2 - BHO: SDWin32 Class - {B3624FBF-AB22-400C-85E8-AD83629683D4} - C:\WINDOWS\System32\iscck.dll
    O4 - HKLM\..\Run: [3sFg34j] upnmodem.exe
    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Owner\LOCALS~1\Temp\djtopr1150.exe "
    O4 - HKCU\..\Run: [IBwmRQHqR] vbstrol.exe

    Could not find C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5 in owner folder, found it in Administrator folder, Default Folder, and Guest folder, and deleted all three folders. Should I re-create folders called Content.IE5 in all of my folders?
    125237.exe
    C:\WINDOWS\Downloaded Program Files and delete the file file1.exe
    upnmodem.exe, vbstrol.exe
    CxtPls would not delete until I opened the folder and deleted each file individually, then I was able to delete the folder.
    Can not delete the file ~DF7081.tmp from C:\Documents and Settings\Owner\Local Settings\Temp folder

    Bundles Folder contains:
    -2517041105
    -adv0ltc0m
    -bs5-tsrkqn
    -CSV7P070
    -cxt_big
    -Decade
    -james_dh
    -optimizejames
    -runsearch
    -saie1101
    -setup_silent_26221
    -shopinst
    -snackman
    -SSK_B5
    -stlb2_seed
    -thin-8-1-x-x
    -vl_ezstub
    -WebRebates_Auto_InstallSilent

    I'm about to run RAV and HJT and will post soon. Thanks again for all your help!

    wolfy
     
    Last edited: 2004/11/20
  8. 2004/11/20
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    Rav & Hjt

    **I restored my Content.IE5 to my Guest Local Settings folder and just deleted all of the content. That is currently the only folder with a Content.IE5 folder at this point. Is this OK?

    RAV:

    Scan started at 11/20/2004 4:39:20 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\177B1H4E\connect[1]->(GZip)->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C9QV8PAR\updall1m[1].exe - TrojanDownloader:Win32/Agent.AB -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CLAZWHEB\stc[1].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPSNEDCL\KeyActivexTest[1].ocx - TrojanDownloader:Win32/Small.GZ -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QX1IFA5G\TRACK[1].CHM->/track.htm->(SCRIPT0001)->(EncScript) - JS/Psyme.gen* -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U5RW9GBA\HelperInstaller[1].exe - TrojanDropper:Win32/Delf -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9YJ27G1\IdleUI[1].dll - TrojanSpy:Win32/Idly.C -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc222.cab->polall1m.exe->(CExe) - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc350.exe - TrojanDownloader:Win32/Intexp.A -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc369.cab->MSView.dll - Trojan:Win32/KeyHost.E -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc372.dll - Trojan:Win32/KeyHost.E -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc409.exe->(CExe) - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc41.exe - Tool:pornDialer.BP -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc410.cab->polmx.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc411.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc523.cab->alchem.exe - TrojanDownloader:Win32/Alchemic.A -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc524.exe - TrojanDownloader:Win32/Alchemic.A -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc536.cab->conscorr.exe - TrojanDownloader:Win32/Stubby.C -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc80\Content.IE5\SNWP0B49\exitpoplight[1].htm->(SCRIPT0000) - JS/Noclose.C* -> Suspicious
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc80\Content.IE5\SNWP0B49\exitpoplight[1].htm->(SCRIPT0001) - JS/Noclose* -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc84.tmp\wupdt.exe - TrojanDownloader:Win32/Intexp.A -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc92.tmp\localNrd.cab->polall1l.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc92.tmp\polall1l.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc94.tmp\localNrd.cab->polall1l.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc94.tmp\polall1l.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\WINDOWS\Downloaded Program Files\file1.exe - TrojanDownloader:Win32/Nex.B -> Infected
    C:\WINDOWS\Downloaded Program Files\ISTactivex.dll - TrojanDownloader:Win32/IstBar.FZ -> Infected
    C:\WINDOWS\SYSTEM32\3w3ykwy7krnyl.bak - Trojan:Win32/Krepper.Q -> Infected
    C:\WINDOWS\SYSTEM32\vgltjeme.exe - TrojanDownloader:Win32/Agent.AE -> Infected


    HJT:

    Logfile of HijackThis v1.98.2
    Scan saved at 5:45:44 PM, on 11/20/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\support.com\bin\tgcmd.exe
    C:\Program Files\Movielink\MovielinkManager\Movielink Manager.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\system32\notavi32.exe
    C:\Program Files\Sonique\sqstart.exe
    C:\WINDOWS\system32\msnsit.exe
    C:\WINDOWS\SYSTEM32\msvcmm32.exe
    C:\Program Files\AdDestroyer\AdDestroyer.exe
    C:\Program Files\Free Downloads Accelerator\fdaagent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xysearch.biz?wmid=3301
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll (file missing)
    F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp99.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Manager.exe /WNDSTART /Tray
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [3sFg34j] notavi32.exe
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - HKCU\..\Run: [IBwmRQHqR] msnsit.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0d\aoltray.exe
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100980968827
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab

    **I restored my Content.IE5 to my Guest Local Settings folder and just deleted all of the content. That is currently the only folder with a Content.IE5 folder at this point. Is this OK?
     
    Last edited: 2004/11/20
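    Added example (not posted by anyone in this thread, and not part of HijackThis): a Python triage pass over HJT-format lines that flags the three patterns the helpers acted on in the log above: a machine-wide start page on an unrecognised host, extra programs appended to UserInit, and Run entries that give a bare file name instead of a path. The sample lines are a constructed, abridged copy of the log, TRUSTED_HOME_HOSTS is an assumed allowlist, and the heuristics are the editor's, not the tool's.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.98 log format, modelled on the entries
# discussed in this thread (a few lines only, not the poster's full log).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.comcast.com/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://xysearch.biz?wmid=3301
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\\Program Files\\SurfSideKick 2\\SskBho.dll (file missing)
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O4 - HKLM\\..\\Run: [NAV Agent] C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe
O4 - HKLM\\..\\Run: [3sFg34j] notavi32.exe
O4 - HKCU\\..\\Run: [IBwmRQHqR] msnsit.exe
"""

# Assumption: the home-page hosts the machine's owner recognises as their own.
TRUSTED_HOME_HOSTS = {"www.comcast.com"}

START_RE = re.compile(r"^R[01] - .*Start Page = (?P<url>\S+)")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$", re.I)
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def triage(log_text):
    """Return (line, reason) pairs for the entries a reviewer should look at first."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = START_RE.match(line)
        if m:
            if urlparse(m.group("url")).hostname not in TRUSTED_HOME_HOSTS:
                findings.append((line, "start page set to an unrecognised host"))
            continue
        m = USERINIT_RE.match(line)
        if m:
            # Anything after userinit.exe is launched at every logon; the
            # TGBRFV_ entry in this thread is exactly that kind of add-on.
            extra = [p.strip() for p in m.group("val").split(",")
                     if p.strip() and p.strip().lower() != "userinit.exe"]
            if extra:
                findings.append((line, "UserInit launches extra program(s): " + ", ".join(extra)))
            continue
        m = RUN_RE.match(line)
        if m:
            # A bare file name is resolved through the search path, which is how
            # a dropper in System32 blends in; vendors nearly always register a
            # full path (a few OEM tray tools do not, so confirm those by hand).
            first = (m.group("cmd").strip().strip('"').split() or [""])[0]
            if "\\" not in first:
                findings.append((line, "Run entry without a path: " + first))
            continue
        if "(no name)" in line and "(file missing)" in line:
            findings.append((line, "unnamed hook whose file is already gone"))
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```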
  9. 2004/11/20
    noahdfear

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The directory C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5 was a typo on my part. Sorry! :( The proper path is as shown in the RAV scan. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5

    Reboot to safe mode, logon to the Administrator and delete the contents of the ContentIE5 folder, and the contents of C:\Documents and Settings\Owner\Local Settings\Temp. Open the control panel and then internet options, then click the settings button under temporary internet files section. Click view objects button and delete everything found. They are ActiveX controls and will be reinstalled as needed when you revisit a site requiring them, such as Windows Update. Then empty the recycle bin. In the mean time, I will again check your HJT log and RAV scan.

    While in safe mode, click start, then run and type regedit, then hit enter. BE VERY CAUTIOUS HERE! Click the plus sign next to HKEY_Local_Machine, then Software, Microsoft, Windows, CurrentVersion, then if present, right click on the key named Ms4Hd and select export. Save it as Ms4Hd to the desktop. Close the registry editor. Right click the Ms4Hd.reg file on the desktop and choose rename, then change only the .reg extension to .txt. Open and copy/paste it here when back in Windows.
     
  10. 2004/11/20
    wolfy810

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    It's back

    I can't change my homepage again. Also, I can't access my Owner folder in safe mode and I still can't find Content.IE5 in the Owner folder even in normal mode. I also couldn't open my recycle bin in safe mode and I've deleted everything from it back in normal mode. Unfortunately, I can't work on this anymore tonight but will try tomorrow. Here is the registry key info:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files]
    "service.exe "=" "
    "msacmx.dll "=" "
    "d3dxov.dll "=" "
    "winsrv32.dll "=" "
    "ie4unit.exe "=" "
    "ipxroutex.exe "=" "
    "rdshost32.exe "=" "
    "rshe.exe "=" "
    "net2.exe "=" "
    "mqsvch.exe "=" "
    "dllhostxp.exe "=" "
    "extrac16.exe "=" "
    "mqbckup.exe "=" "
    "pxhping.exe "=" "
    "rdpnr.exe "=" "
    "slservc.exe "=" "
    "clfmon.exe "=" "
    "hdr.dll "=" "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes]
    "ie4unit.exe "=" "
    "ipxroutex.exe "=" "
    "service.exe "=" "
    "rdshost32.exe "=" "
    "rshe.exe "=" "
    "net2.exe "=" "
    "mqsvch.exe "=" "
    "dllhostxp.exe "=" "
    "extrac16.exe "=" "
    "mqbckup.exe "=" "
    "pxhping.exe "=" "
    "rdpnr.exe "=" "
    "slservc.exe "=" "
    "clfmon.exe "=" "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys]
    "{98DBBF16-CA43-4c33-BE80-99E6694468A4} "=" "
    "{A5366673-E8CA-11D3-9CD9-0090271D075B} "=" "
    "Files "=" "
    "Ms4Hd "=" "
    "Processes "=" "
    "RegKeys "=" "
    "RegValues "=" "
    "Vendor "=" "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues]
    "clfmon.exe "=" "
    "dllhostxp.exe "=" "
    "pxhping.exe "=" "
    "service.exe "=" "

    ~DF12E1.tmp will not delete from temp folder
     
  11. 2004/11/20
    noahdfear

    You should print this out and/or save it to text where you can access it in safe mode. Saving to text allows for copy/pasting when needed. It's very important to follow the instructions completely, and in the order given.

    Download CWShredder from here. Save it to the desktop. Double click to install.

    Update Ad-aware.

    Download the text files attached to this post, saving to the desktop. Rename with a .reg extension.

    Download and install Move-on-Boot.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xysearch.biz?wmid=3301
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll (file missing)
    F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [3sFg34j] notavi32.exe
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [IBwmRQHqR] msnsit.exe
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Logon to the Owner account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files.

    Double click the new CWShredder shortcut on the desktop to open, close all other windows and click fix.

    Double click the Ms4HdRem.reg and SSH.reb files to merge to the registry.

    Open C:\Windows\System32 and delete the following files. If any files are not found or undeletable, use the Killbox method outlined below.

    3w3ykwy7krnyl.bak
    vgltjeme.exe
    notavi32.exe
    msnsit.exe
    service.exe
    msacmx.dll
    d3dxov.dll
    winsrv32.dll
    ie4unit.exe
    ipxroutex.exe
    rdshost32.exe
    rshe.exe
    net2.exe
    mqsvch.exe
    dllhostxp.exe
    extrac16.exe
    mqbckup.exe
    pxhping.exe
    rdpnr.exe
    slservc.exe
    clfmon.exe
    hdr.dll


    Search also for tgbrfv_, tgbrfv_5.dll, tgbrfv_.exe and tgbrfv_5.exe. Delete if found anywhere on the drive.

    Killbox
    Download The Killbox from here: http://tools.zerosrealm.com/killbox.zip
    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, type or copy and paste the following:

    C:\WINDOWS\SYSTEM32\3w3ykwy7krnyl.bak

    Don't click any of the buttons though, instead click on the Action menu and choose "Delete on Reboot". On the next screen, PendingFileRenameOperations, click File on the menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". Click cancel on the Reboot Needed popup, then OK to the next. Leave that window open and paste this filename and path into the first window.

    C:\WINDOWS\SYSTEM32\vgltjeme.exe

    Click action, delete on reboot, add & process, repeat with

    C:\WINDOWS\system32\notavi32.exe

    and

    C:\WINDOWS\system32\msnsit.exe

    Repeat process for each filename and close all windows. Don't reboot yet!

    Open C:\Program Files and delete the folders AutoUpdater and SurfSideKick 2.
    Again, empty ALL Temp folders. If any files will not delete in them, right click and select Delete on next Boot.
    Open C:\Windows\Prefetch, select all and delete.

    Open Ad-aware and run in full scan mode. Delete all it finds.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Run another RAV scan and post a new HJT log.
     
  12. 2004/11/21
    wolfy810

    Can't log in as Owner...

    I can't log in (to safe mode) as Owner, the only options are Administrator or Everyone. Should I just log in as Admin?
     
    Last edited: 2004/11/21
  13. 2004/11/21
    noahdfear

    Yes, but in that case make sure you open C:\Docs and Settings\Owner\Local Settings\Temp and C:\Docs and Settings\Owner\Local Settings\Temporary Internet Files\ContentIE5 and delete all before doing disk cleanup.
     
  14. 2004/11/21
    wolfy810

    Can't open Owner folder in safe mode

    Is it OK to do this in normal mode? ...or is there something I can do to gain access to that folder? What should I do??

    Also could not find R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xysearch.biz?wmid=3301 in my HJT log.

    -How do I show hidden files and folders and system files in safe mode? A lot of my desktop items are missing.
     
    Last edited: 2004/11/21
  15. 2004/11/22
    noahdfear

    Yes. Use move-on-boot for any files that can't be deleted.
    Good. Don't worry about it.
    Open My Computer, on the toolbar click tools, then folder options, then the view tab and check the box to show hidden files and folders. Uncheck the box to hide protected operating system files and click apply, then OK.
    Such as? Is this within Windows or in safe mode on the Admin account?
     
  16. 2004/11/22
    wolfy810

    Missing Desktop Items

    This happens in safe mode on the Admin account, I was just assuming that it was how safe mode ran. Maybe once I show hidden files they will re-appear?? I can access them by doing a search but I was just wondering why they just don't show up on my desktop.

    I also noticed that I can't access internet in safe mode. I know you stressed the importance of doing everything in order. Will I mess things up when I have to reboot in normal mode from safe mode to download Killbox? Should I just download it before I go into safe mode originally?

    Thank you for dealing with my ignorance with this, I'm sure it can get stressful. :)
     
  17. 2004/11/22
    noahdfear

    The Admin account, being separate from the account you logon to in Windows, will not have the same set of icons on the desktop. Perfectly normal.

    No, you will not have internet access in safe mode and will need to get any/all downloads prior to rebooting to safe mode. For future reference, safe mode with networking, another option achieved by also checking the network box after checking the /safeboot box, should allow for internet access while in safe mode. Please make sure you uncheck the /safeboot box before attempting to restart when done in safe mode, otherwise it will not leave the safe mode bootup.
    No problem. Everyone has to start somewhere, just as I did. The only stupid question is the one not asked.;)
     
  18. 2004/11/23
    wolfy810

    Can I just delete all?

    In my Owner Folder - Temporary Internet Files - can I just delete everything? There is a lot of stuff there and I can't find the Content.IE5 folder.

    I can't find SSH.reb on my desktop in safe mode. What do I do? Just to clarify, you said that I can do this all in normal mode? I am logged in as "everyone"...will this be OK?

    I found services.exe instead of service.exe but did not delete it yet.
    I also found ie4uinit.exe instead of ie4unit.exe but did not delete it yet.
    I also found ipxroute.exe rather than ipxroutex.exe but did not delete it yet.
    I also found rdshost.exe rather than rdshost32.exe
    rsh.exe rather than rshe.exe
    slserv.exe instead of slservc.exe

    Are any of these typos? I found a few others but I think they are not the bad ones. I can't make that call with those listed above.
    Do I need to delete the files in the exact order listed?

    I will post more as I find them

    wolfy
     
    Last edited: 2004/11/23
  19. 2004/11/23
    wolfy810

    Error message when I tried to run RAV

    Never mind this one - I didn't have the ActiveX installed. Reports coming soon.

    I got this message when I tried to scan with RAV:

    Failed to load ActiveX control!
    -- You must have administrative rights on this computer;
    you also must have the Internet Explorer security settings to the Medium level.

    What do I need to do?

    wolfy

    PS - I figured out how to do all the stuff in safe mode. I am still wondering if there were any typos in the list of things to delete.
     
    Last edited: 2004/11/23
  20. 2004/11/23
    Newt

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Log on with an account that has admin rights. Set IE security to Medium.


    Re: the files you found - right-click on each of them and check properties. Any that clearly identify themselves as Microsoft Corp. files are fine. In general, any files that identify themselves as belonging to a legit company should be fine as long as they are part of something you intended to install.

    I looked over Dave's list of 'delete if you find' files and there aren't any typos. Files on that list need to be gone.
     
  21. 2004/11/23
    noahdfear

    The spelling is VERY important. Make sure you delete only the ones found with exact spelling of what I posted. Order of deletion doesn't matter. You most likely will not find them all. This infection will use whichever of those files is present. Does not mean they all are.

    Were you logged on to the everyone account when you saved the SSH.reg? If not, you will need to go to C:\Docs and Settings\username(that you were logged on to)\desktop to find it.
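    Added example (not from any poster in this thread) covering the Ms4Hd export in post 10 and the exact-spelling answer in post 21: a parser for the .reg export format that pulls the file inventory the infection keeps under Ms4Hd\Files (the same names as the System32 delete list in post 11), then matches it against a directory listing by whole name, so Windows look-alikes such as services.exe or ie4uinit.exe are not reported. Both the registry excerpt and the directory listing are constructed samples.

```python
import re

# Constructed excerpt in the "Windows Registry Editor Version 5.00" export
# format, modelled on the Ms4Hd key posted in this thread (only a few of the
# value names are reproduced). A real export read from disk is UTF-16LE:
# open(path, encoding="utf-16").
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ms4Hd]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ms4Hd\\Files]
"service.exe"=""
"ie4unit.exe"=""
"rshe.exe"=""
"hdr.dll"=""

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ms4Hd\\Processes]
"service.exe"=""
"rshe.exe"=""
"""

# Constructed stand-in for a listing of C:\WINDOWS\system32: the look-alike
# Windows files the poster found, plus two names that really are on the list.
SAMPLE_SYSTEM32 = ["services.exe", "ie4uinit.exe", "rsh.exe",
                   "rshe.exe", "hdr.dll", "kernel32.dll"]

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg_export(text):
    """Map each key path in a .reg export to a {value name: data} dict."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("path"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = m.group("data").strip('"')
    return keys

def inventory_names(keys, subkey):
    """Value names stored under Ms4Hd\\<subkey> (Files or Processes)."""
    suffix = "\\ms4hd\\" + subkey.lower()
    for path, values in keys.items():
        if path.lower().endswith(suffix):
            return set(values)
    return set()

def match_exact(names, listing):
    """Split the inventory into (present, absent) against a directory listing.
    Whole names are compared, case-insensitively, so services.exe (a Windows
    component) never matches service.exe (the infection's file)."""
    have = {f.lower() for f in listing}
    present = sorted(n for n in names if n.lower() in have)
    absent = sorted(n for n in names if n.lower() not in have)
    return present, absent
```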
     