Hijacked for over a month... can't stand it any longer!!!

Spyware, Adware, Viruses and HijackThis Logs

#1, 09-09-2004, 02:35 AM
AutoXer (D-A-L Newbie; joined Sep 2004, 1 post)

HELP


Logfile of HijackThis v1.98.1
Scan saved at 10:19:43 PM, on 9/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\All Users\Application Data\Lite default sign bleh\Refidle.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Application Data\Lite default sign bleh\Refidle.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\IrfanView\i_view32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hlumdwolzkzm.com/q4pDvGTo...hFJ8Q6AUiE.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {AB4B5FD6-2E7F-4599-BCE9-9CFE35C48E78} - C:\WINNT\system32\mlddp.dll (disabled by BHODemon)
O2 - BHO: (no name) - {B64EC686-AD97-F562-B265-5614338402ED} - C:\Program Files\Info Way Style\idlecool.exe (disabled by BHODemon)
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [CornBurn] C:\PROGRA~1\CASTDV~1\SiteLocks.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~2\CreateCD\CreateCD.exe -r
O4 - HKLM\..\Run: [SignBlehProgramHeart] C:\Documents and Settings\All Users\Application Data\Lite default sign bleh\Third Anti.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/u...lorer1_8us.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS....viewpoint.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.yorkphoto.com/YorkUpload.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/ph...ad/XUpload.ocx
O18 - Filter: text/html - {B010D97E-05F7-4C94-9FAF-22AB550D7CAD} - C:\WINNT\system32\mlddp.dll
O18 - Filter: text/plain - {B010D97E-05F7-4C94-9FAF-22AB550D7CAD} - C:\WINNT\system32\mlddp.dll
#2, 09-09-2004, 07:53 PM
owen (D-A-L Team Member (UK), Loyal Contributor; joined Jun 2004, 5,272 posts)
Re: Hijacked for over a month... can't stand it any longer!!!

Hello,
Download and install APM from http://www.diamondcs.com.au/index.php?page=apm
Download Ad-aware SE from: http://www.lavasoft.de/support/download/

Install the program. We will use it later. After you have done the above, keep Internet Explorer closed throughout this process. This means you may want to print these instructions.

Close all browser windows, restart HijackThis and put a checkmark next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hlumdwolzkzm.com/q4pDvGT...jhFJ8Q6AUiE.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {AB4B5FD6-2E7F-4599-BCE9-9CFE35C48E78} - C:\WINNT\system32\mlddp.dll (disabled by BHODemon)
O2 - BHO: (no name) - {B64EC686-AD97-F562-B265-5614338402ED} - C:\Program Files\Info Way Style\idlecool.exe (disabled by BHODemon)
O4 - HKLM\..\Run: [CornBurn] C:\PROGRA~1\CASTDV~1\SiteLocks.exe
O4 - HKLM\..\Run: [SignBlehProgramHeart] C:\Documents and Settings\All Users\Application Data\Lite default sign bleh\Third Anti.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...r.viewpoint.com
O18 - Filter: text/html - {B010D97E-05F7-4C94-9FAF-22AB550D7CAD} - C:\WINNT\system32\mlddp.dll
O18 - Filter: text/plain - {B010D97E-05F7-4C94-9FAF-22AB550D7CAD} - C:\WINNT\system32\mlddp.dll

Now start APM
In the top window select explorer.exe
In the bottom window select mlddp.dll
Right click mlddp.dll and choose Unload
Click OK

Now start Ad-aware
First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window.

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URLs
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives
3. Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
4. Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes & modules during scan
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

Delete the following folders:
C:\Program Files\Info Way Style
C:\Documents and Settings\All Users\Application Data\Lite default sign bleh
C:\Program Files\CASTDV... (the folder name begins with these letters)

Reboot your computer and post a fresh log.
__________________
Owen,
My Website - I Security.org.uk
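As an added example that is not part of the thread or of Owen's instructions, the Python script below applies the same heuristics Owen used to single out entries in the log above (search page redirected to a file in Temp, BHOs with no name, Run entries under Application Data, O18 MIME filters) and flags matching lines. The sample entries are copied from the log; the section codes and line layout assumed are those of HijackThis v1.98.

```python
import re

# Added example (not from the thread or from Owen): a small parser that
# applies the same heuristics used above to pick entries out of a
# HijackThis log. Section codes and line layout follow HijackThis v1.98.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

def parse_entry(line):
    """Split one log line into (section code, body); None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None

def suspicious_reasons(line):
    """Return the reasons an entry deserves a closer look (empty if none)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    code, body = parsed
    lower = body.lower()
    reasons = []
    if code in ("R0", "R1") and "file://" in lower and "\\temp\\" in lower:
        reasons.append("search/home page redirected to a file in a Temp folder")
    if code == "O2" and "(no name)" in lower:
        reasons.append("BHO registered without a name")
    if code == "O4" and "\\application data\\" in lower:
        reasons.append("Run entry launches an executable under Application Data")
    if code == "O18" and ("text/html" in lower or "text/plain" in lower):
        reasons.append("MIME filter hooks text/html or text/plain rendering")
    return reasons

def triage(log_lines):
    """Map each flagged entry to its reasons; clean entries are omitted."""
    return {l.strip(): suspicious_reasons(l) for l in log_lines
            if suspicious_reasons(l)}

# Constructed sample: four entries copied from the log above plus one
# benign Logitech Run entry that must not be flagged.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\sp.html",
    r"O2 - BHO: (no name) - {AB4B5FD6-2E7F-4599-BCE9-9CFE35C48E78} - C:\WINNT\system32\mlddp.dll (disabled by BHODemon)",
    r"O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE",
    r"O4 - HKLM\..\Run: [SignBlehProgramHeart] C:\Documents and Settings\All Users\Application Data\Lite default sign bleh\Third Anti.exe",
    r"O18 - Filter: text/html - {B010D97E-05F7-4C94-9FAF-22AB550D7CAD} - C:\WINNT\system32\mlddp.dll",
]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry.split(" - ", 1)[0], "->", "; ".join(why))
```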