homesearch hijacker deletes spybot .dll's
  #1 (permalink)  
Old 18-01-2005, 04:41 AM
Newbie
D-A-L Newbie
 
Join Date: Jan 2005
Posts: 11
tbabe80 Is a beginner here at D-A-L
homesearch hijacker deletes spybot .dll's

I'm getting a ton of pop-ups. Home Assistants and Info Search are now my home. I have tried Spybot and Adware for a few days now. This is my first post. I know almost nothing about computers. Please help. This is my hijack log.
Logfile of HijackThis v1.99.0
Scan saved at 9:11:29 PM, on 1/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\sdkuu32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\wincr32.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Admanager Controller\AdManKeep.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\install programs\HijackThis.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXBLPSWX.EXE
C:\Documents and Settings\Paula\Local Settings\Temporary Internet Files\Content.IE5\OT6BOPQF\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oibla.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oibla.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = htttp://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E4410E41-BFC6-F741-B0FA-9FF5146F9091} - C:\WINDOWS\apiuh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\Paula\LOCALS~1\Temp\3.tmp.exe 0 28129
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - HKLM\..\Run: [wincr32.exe] C:\WINDOWS\wincr32.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\Paula\LOCALS~1\Temp\6.tmp.exe 0 28129
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\Paula\LOCALS~1\Temp\6.tmp.exe 0 28129
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunOnce: [sdkuu32.exe] C:\WINDOWS\system32\sdkuu32.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Paula\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c46.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovio...affiliate=WFMS
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...0006_adult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096043116578
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\wingc.exe (file missing)
  #2 (permalink)  
Old 18-01-2005, 12:28 PM
HJM HJM is offline
Valued Member
New Recruit
 
Join Date: Dec 2004
Posts: 115
HJM Is a beginner here at D-A-L
Re: homesearch hijacker deletes spybot .dll's

Please put HijackThis in its own folder on your C: drive.
This is Very Important for the safety of your own computer.
Go to My Computer (Windows key+e)
Double click on C:
then right click and select New > Folder
Name it HJT and unzip/move your copy of HJT to it for future use.
This will ensure any backups HijackThis makes will be safely saved in their own folder.


Please download the following programs:
About:Buster
KILLBOX
Crap Cleaner
Ad-Aware SE
(for best results, please configure Ad-Aware as per tutorial link in my signature).


Click Start > Run > type services.msc, then click OK
Scroll down and right click on 'ZESOFT'
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.



Please make a note of the file name I've highlighted red in the 'R1' and 'O2' entries below as they can sometimes 'morph' during reboot and may not be the same when you come to fix them. You'll need the new file names later when using the Killbox utility (if they have changed).



Close all windows and browsers, run HJT again and checkmark the boxes next to the following:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oibla.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E4410E41-BFC6-F741-B0FA-9FF5146F9091} - C:\WINDOWS\apiuh.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\Paula\LOCALS~1\Temp\3.tmp.exe 0 28129
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - HKLM\..\Run: [wincr32.exe] C:\WINDOWS\wincr32.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\Paula\LOCALS~1\Temp\6.tmp.exe 0 28129
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\Paula\LOCALS~1\Temp\6.tmp.exe 0 28129
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunOnce: [sdkuu32.exe] C:\WINDOWS\system32\sdkuu32.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Paula\LOCALS~1\Temp\djtopr1150.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
The blue O6 entry above should only be present if you/your Administrator set it or an Internet Explorer 'lockdown' feature of a security program such as Spybot has been used. If this isn't the case, which I suspect, fix with HJT.

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c46.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw.../0006_adult.cab
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\wingc.exe (file missing)


Click FIX CHECKED




Reboot into Safe Mode.
Tap F8 repeatedly when your machine starts to boot up.
Select 'Safe Mode' from the options that appear.


Set Windows to 'Show all files & folders'.
Click Start > My Computer > Tools > Folder Options
On the View tab make sure that you:-
Select 'Show Hidden Files & Folders'
Uncheck 'Hide file extensions for known file types'.
Uncheck 'Hide protected operating system files'.
Click OK.



Run About:Buster
Close ALL windows and browsers. This is a very important step!!
When the scan has finished let it scan again.
Please save the report it produces to Notepad and post its contents in your next reply.


Delete the following folders in bold:

C:\PROGRA~1\YOURSI~1
C:\PROGRA~1\ISTbar
C:\WINDOWS\inetm
C:\Program Files\Admanager Controller
C:\Program Files\ISTsvc
c:\program files\180solutions
C:\Program Files\BullsEye Network
C:\Program Files\Web_Rebates


Run Ad-Aware SE. Remove everything it finds.


Run Crap Cleaner to clean out your cache, temp files, temp internet files, cookies and recycle bin.



1. Open KILLBOX
2. Choose "Delete on Reboot"
3. Paste these files into the top "Full Path of File to Delete" box.

C:\WINDOWS\oibla.dll <--or whatever it may have morphed to.


4. Click Yes when asked to confirm the deletion
5. Click No when asked if you want to reboot.
6. Repeat the same steps for the files below.

C:\WINDOWS\apiuh.dll <--or whatever it may have morphed to
C:\WINDOWS\wincr32.exe
C:\WINDOWS\system32\sdkuu32.exe
C:\WINDOWS\zeta.exe


7. When the last file above has been entered, click Yes when asked to confirm the deletion.
8. Click Yes when asked if you want to reboot.


Let Killbox reboot your system into normal mode.


Then run an online virus scan at TrendMicro and an online Trojan Scan. Let them fix anything they find.



Then post a fresh HJT log and About Buster report.
  #3 (permalink)  
Old 22-01-2005, 09:08 PM
Newbie
D-A-L Newbie
 
Join Date: Jan 2005
Posts: 11
tbabe80 Is a beginner here at D-A-L
Re: homesearch hijacker deletes spybot .dll's

Scanned at: 138 PM on: 1/22/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\system32\lgipx.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
Logfile of HijackThis v1.99.0
Scan saved at 1:03:11 PM, on 1/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ntpy.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\atlvs32.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = htttp://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38D535E7-72D4-DD46-13C5-9089C149112E} - C:\WINDOWS\netou32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [atlvs32.exe] C:\WINDOWS\atlvs32.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\system32\tibs3.exe
O4 - HKLM\..\RunOnce: [ntpy.exe] C:\WINDOWS\system32\ntpy.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096043116578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\iewy.exe (file missing)


Sorry that it has taken me so long to get this to you. I'm not very good at this computer stuff, so I had to call on a friend to help me. I'm still having trouble with my homepage. Sometimes it says about blank. Other times it has been Google.com. I'm also still getting a bunch of crap when I run the Ad aware. Hopefully this will help you in helping me get back on track with this computer. Thanks so much, Tara
  #4 (permalink)  
Old 23-01-2005, 03:42 PM
HJM HJM is offline
Valued Member
New Recruit
 
Join Date: Dec 2004
Posts: 115
HJM Is a beginner here at D-A-L
Re: homesearch hijacker deletes spybot .dll's

Ok, we'll tackle this another way. Just take your time and follow the instructions in the order they're posted.


Download APM from here.

Don't start it yet, we'll come back to that.

Also download DelDomains.zip and unzip it to your desktop.

Right click the DelDomains.inf file inside and click Install, making sure Internet Explorer is closed. You won't see anything happen, this is normal.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.


Run HJT again and checkmark the boxes next to the following:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {38D535E7-72D4-DD46-13C5-9089C149112E} - C:\WINDOWS\netou32.dll
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [atlvs32.exe] C:\WINDOWS\atlvs32.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\system32\tibs3.exe
O4 - HKLM\..\RunOnce: [ntpy.exe] C:\WINDOWS\system32\ntpy.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

Now close ALL windows & browsers and click FIX CHECKED



Boot up in Safe Mode again and delete the following files & folders in bold:

C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\System32\ntpy.exe
C:\WINDOWS\atlvs32.exe
C:\Program Files\Admanager Controller <--Folder
C:\Program Files\AdStatus Service <--Folder



Now, start APM.
In the upper window select explorer.exe
In the lower window find and right-click C:\WINDOWS\eeaot.dll

Select Unload DLL and
click OK on the prompts that follow.

Repeat the above steps for C:\WINDOWS\netou32.dll

Exit APM.


Run About Buster again.


Scan with Ad-Aware SE to automatically remove the txt and html protocol associations and clean up the remnants of the hijack.


Reboot and post a fresh log.
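The file-name change HJM warned about in post #2 is visible when the two HijackThis logs posted so far are compared. The following Python script is an added example, not part of the thread and not code from HijackThis: it parses excerpts copied from both posted logs and reports which hijacker files were renamed between scans. The function names and the "one file gone, one file new" pairing rule are assumptions made for illustration.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code body")

# A HijackThis result line is "<code> - <details>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^\s*([RNOF]\d{1,2})\s+-\s+(.*\S)\s*$")
# R0/R1 values of the form res://<dll path>/<resource>#<id>
RES_RE = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
# O2 - BHO: <name> - {CLSID} - <dll path>
BHO_RE = re.compile(r"^BHO:\s*(.*?)\s+-\s+\{[0-9A-Fa-f-]{36}\}\s+-\s+(.+)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?:\s*\[(.+?)\]\s*(.+)$")

# Excerpts copied from the two logs posted in this thread (18 and 22 Jan 2005).
OLD_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oibla.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oibla.dll/sp.html#28129
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E4410E41-BFC6-F741-B0FA-9FF5146F9091} - C:\WINDOWS\apiuh.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wincr32.exe] C:\WINDOWS\wincr32.exe
O4 - HKLM\..\RunOnce: [sdkuu32.exe] C:\WINDOWS\system32\sdkuu32.exe
"""
NEW_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eeaot.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eeaot.dll/sp.html#37049
O2 - BHO: (no name) - {38D535E7-72D4-DD46-13C5-9089C149112E} - C:\WINDOWS\netou32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [atlvs32.exe] C:\WINDOWS\atlvs32.exe
O4 - HKLM\..\RunOnce: [ntpy.exe] C:\WINDOWS\system32\ntpy.exe
"""


def parse_log(text):
    """Return the result lines of a HijackThis log as Entry(code, body)."""
    matches = (ENTRY_RE.match(line) for line in text.splitlines())
    return [Entry(m.group(1), m.group(2)) for m in matches if m]


def load_points(entries):
    """Collect the file each load point refers to, lower-cased for comparison."""
    found = {"res_dll": set(), "unnamed_bho": set(), "autorun": set()}
    for e in entries:
        if e.code in ("R0", "R1"):
            m = RES_RE.search(e.body)
            if m:
                found["res_dll"].add(m.group(1).lower())
        elif e.code == "O2":
            m = BHO_RE.match(e.body)
            # Only BHOs without a display name, like the ones flagged in the thread.
            if m and m.group(1) == "(no name)":
                found["unnamed_bho"].add(m.group(2).lower())
        elif e.code == "O4":
            m = RUN_RE.match(e.body)
            if m:
                found["autorun"].add(m.group(2).strip('"').lower())
    return found


def compare_scans(old_text, new_text):
    """Per category: files only in the old scan, only in the new one, or in both."""
    old = load_points(parse_log(old_text))
    new = load_points(parse_log(new_text))
    return {
        kind: {
            "gone": sorted(old[kind] - new[kind]),
            "new": sorted(new[kind] - old[kind]),
            "persisting": sorted(old[kind] & new[kind]),
        }
        for kind in old
    }


def renamed(report):
    """Assumed pairing rule: exactly one file gone and one new in a hijack slot."""
    pairs = {}
    for kind in ("res_dll", "unnamed_bho"):
        d = report[kind]
        if len(d["gone"]) == 1 and len(d["new"]) == 1 and not d["persisting"]:
            pairs[kind] = (d["gone"][0], d["new"][0])
    return pairs


if __name__ == "__main__":
    report = compare_scans(OLD_SCAN, NEW_SCAN)
    for kind, (before, after) in renamed(report).items():
        print(f"{kind}: {before} -> {after} (use the new name in any delete list)")
    print("autoruns not seen in the first scan:", report["autorun"]["new"])
```

Autorun entries that appear in both scans, such as ccApp here, land in "persisting"; whether such an entry is legitimate still has to be judged by a person reading the log.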
  #5 (permalink)  
Old 23-01-2005, 08:19 PM
Newbie
D-A-L Newbie
 
Join Date: Jan 2005
Posts: 11
tbabe80 Is a beginner here at D-A-L
Re: homesearch hijacker deletes spybot .dll's

I have tried to do what you told me to do. But my computer froze up. And by the 4th time I got really mad at it. My friend says that I need to take it somewhere to get fixed. What do you think? I really don't want to have to do that. Too much money. Maybe you have other ideas. Thanks, Tara
  #6 (permalink)  
Old 23-01-2005, 09:21 PM
HJM HJM is offline
Valued Member
New Recruit
 
Join Date: Dec 2004
Posts: 115
HJM Is a beginner here at D-A-L
Re: homesearch hijacker deletes spybot .dll's

At what point during the last set of instructions did it freeze?

As far as taking the machine to a shop to fix is concerned, that is of course your choice. You should be aware though that it's more than likely they will charge you for basically reformatting the hard drive. Any data that isn't backed up to a removable storage device will be lost. You will also have to reinstall all your programs and hardware again. If you're lucky, you might get a shop technician who has an interest in malware and posts your log on a forum like this!!!

Your infection is a common one and something I've fixed on numerous occasions with both of the procedures we've used so far. Unfortunately, malware is a beggar to clean sometimes and resists all attempts to remove it. If the procedures we've attempted so far prove unsuccessful, we can try manually removing the infection.

I'm sure with a little patience though we'll have you clean again.

The ball's in your court, Tara. If you decide to stay with me for a little while longer, I'll need to see a new log from you.
  #7 (permalink)  
Old 23-01-2005, 09:52 PM
Newbie
D-A-L Newbie
 
Join Date: Jan 2005
Posts: 11
tbabe80 Is a beginner here at D-A-L
Re: homesearch hijacker deletes spybot .dll's

I truly understand you. But my friend (who is my ex) hates helping me do this. I WILL try again with you. I feel that we are getting somewhere. I do have a question. My sons were on here all weekend playing an online game. Does that make it any worse for my computer? Now remember I'm not very good at this and almost all the time I was calling on my ex to help me. So now it just might be me doing it all. Thanks for being so understanding. Tara
  #8 (permalink)  
Old 23-01-2005, 11:31 PM
HJM HJM is offline
Valued Member
New Recruit
 
Join Date: Dec 2004
Posts: 115
HJM Is a beginner here at D-A-L
Re: homesearch hijacker deletes spybot .dll's

Playing online games won't make much difference. You have a browser hijacking which, as you'll be aware, makes surfing the net a nightmare. Can you post a fresh log for me please, Tara, and tell me at what point the computer froze while carrying out my last set of instructions?
  #9 (permalink)  
Old 23-01-2005, 11:34 PM
Newbie
D-A-L Newbie
 
Join Date: Jan 2005
Posts: 11
tbabe80 Is a beginner here at D-A-L
Re: homesearch hijacker deletes spybot .dll's

Sorry I forgot to tell you when it froze. Let's see, almost all the time halfway through your help. I would get to the point of "Boot up in Safe Mode and delete the following files and folders in bold". I think that was the first time. I did get past that point but couldn't find Systems32\tibs3.exe and a couple other ones. The next time was when I got to "Now start APM". I think that was the last time, because my ex said he wasn't going to help any more because we had to start all over and he was tired of this crap.
Sorry, Tara
  #10 (permalink)  
Old 24-01-2005, 12:22 AM
HJM HJM is offline
Valued Member
New Recruit
 
Join Date: Dec 2004
Posts: 115
HJM Is a beginner here at D-A-L
Re: homesearch hijacker deletes spybot .dll's

Your ex sounds like a patient guy

Ok, before going any further with the infection, let's see if the crashes are Windows related.

Scandisk For Windows 2000/XP

You can use the Error-checking tool to check for file system errors and bad sectors on your hard disk.

* Restart Windows in Safe Mode. Click here for a guide on how to do this.
* Open My Computer by double-clicking on the My Computer icon on your desktop.
* Right click on the disk drive you want to check (C: drive in your case)
* On the drop down menu, left click Properties.
* Select the Tools tab.
* In the Error-Checking section, click the Check Now button.
* In the Check Disk Options section, tick the Automatically Fix File System Errors and the Scan for and Attempt Recovery of Bad Sectors check box.


* Click the Start button in the Check Disk window.

Scandisk will then run through the selected Hard Drive checking for fixable disk errors.


Then post a fresh log!!!
All times are GMT +1.