search2web help me my comps messed!

Tinker · #1 (**permalink**) 22-07-2005, 12:25 AM

My computer infected with search2web, i did a search with the latest hijackthis and i got this.
Logfile of HijackThis v1.99.1
Scan saved at 00:24:10, on 22/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\craig\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jkhmfeehiqwcjfppldkeyjlns.net/aE0odAOq0Yb3z1AURGOa7IgJ5lz6R9tgs6e7Hph8wFXEpIaCKM SP5wPrKJT7i0BO.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xrdnljpuogaqy.com/aE0odAOq0YaKiyjKLgcYQ9TNNxYfsbI5qwEFT611Ec0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
O2 - BHO: (no name) - {0B3BD32F-1D0D-339C-EE2A-288C3756718A} - C:\DOCUME~1\craig\APPLIC~1\MATHST~1\Frag Scr.exe
O2 - BHO: (no name) - {50F82689-80D3-37C4-B813-336AF383E946} - C:\DOCUME~1\craig\APPLIC~1\MATHST~1\Frag Scr.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {55C5123A-1760-417D-9279-A5607ED27121} - C:\WINDOWS\lbbho.dll
O2 - BHO: - {7E573506-7EFF-4C98-9D24-AE8FCB1672EA} - C:\WINDOWS\lbbho.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {92D0E778-DC38-48B8-846A-43224A25A2FA} - C:\WINDOWS\lbbho.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: - {CA0A8449-481F-4EBB-9E5D-3ED55E5FA26F} - C:\WINDOWS\lbbho.dll
O2 - BHO: - {DD90FD60-F054-4BF5-9FE3-B2BAD2FB6188} - C:\WINDOWS\lbbho.dll
O2 - BHO: - {EBF812C9-DF94-4E5B-BE69-A59D92A07819} - C:\WINDOWS\lbbho.dll
O2 - BHO: - {F84AF90D-B446-49CD-BC75-4CF877CF1F57} - C:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O2 - BHO: - {FFAD0D76-C9F3-41A7-BBBC-178D61B85C7C} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [Mail Bags Second 1] C:\Documents and Settings\All Users\Application Data\aboutsupportmailbags\filmmath.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [FSWebServer] C:\Program Files\Easy File Sharing Web Server\fsws.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Extra Roam Vga Bike] C:\Documents and Settings\All Users\Application Data\Remote user extra roam\logo media.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [nvrtbr] C:\WINDOWS\System32\nvrtbr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LIES RDR] C:\DOCUME~1\craig\APPLIC~1\THEDEN~1\hecklicense.ex e
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm41447US
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26dee30deb219a71b621/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O20 - Winlogon Notify: hobbix - hobbix.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

What do i do?

HJThis · #2 (**permalink**) 22-07-2005, 02:42 AM

Hello,Tinker & Welcome

First thing i need for you to do is move HijackThis from the Desktop
to a folder in C:\Drive like so C:\HJT

Download the LOP uninstaller from here:
http://lop.com/new_uninstall.exe
or here: http://www.thespykiller.co.uk/files/lopremover.exe
When its done,re-start your computer.

Press control-alt-delete to get into the task manager and end the follow processes if they exist:
media.exe
nvrtbr.exe
hecklicense.ex e

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jkhmfeehiqwcjfppldkeyjlns...Hph8wFXEpIaCKM SP5wPrKJT7i0BO.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xrdnljpuogaqy.com/aE0odAO...EFT611Ec0.html

O2 - BHO: (no name) - {0B3BD32F-1D0D-339C-EE2A-288C3756718A} - C:\DOCUME~1\craig\APPLIC~1\MATHST~1\Frag Scr.exe
O2 - BHO: (no name) - {50F82689-80D3-37C4-B813-336AF383E946} - C:\DOCUME~1\craig\APPLIC~1\MATHST~1\Frag Scr.exe
O2 - BHO: C:\WINDOWS\lbbho.dll - {55C5123A-1760-417D-9279-A5607ED27121} - C:\WINDOWS\lbbho.dll
O2 - BHO: - {7E573506-7EFF-4C98-9D24-AE8FCB1672EA} - C:\WINDOWS\lbbho.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {92D0E778-DC38-48B8-846A-43224A25A2FA} - C:\WINDOWS\lbbho.dll
O2 - BHO: - {CA0A8449-481F-4EBB-9E5D-3ED55E5FA26F} - C:\WINDOWS\lbbho.dll
O2 - BHO: - {DD90FD60-F054-4BF5-9FE3-B2BAD2FB6188} - C:\WINDOWS\lbbho.dll
O2 - BHO: - {EBF812C9-DF94-4E5B-BE69-A59D92A07819} - C:\WINDOWS\lbbho.dll
O2 - BHO: - {F84AF90D-B446-49CD-BC75-4CF877CF1F57} - C:\WINDOWS\lbbho.dll
O2 - BHO: - {FFAD0D76-C9F3-41A7-BBBC-178D61B85C7C} - C:\WINDOWS\lbbho.dll

O4 - HKLM\..\Run: [Extra Roam Vga Bike] C:\Documents and Settings\All Users\Application Data\Remote user extra roam\logo media.exe
O4 - HKCU\..\Run: [nvrtbr] C:\WINDOWS\System32\nvrtbr.exe
O4 - HKCU\..\Run: [LIES RDR] C:\DOCUME~1\craig\APPLIC~1\THEDEN~1\hecklicense.ex e

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm41447US

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/Cl.../OCI/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26dee30d...p/RdxIE601.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

O20 - Winlogon Notify: hobbix - hobbix.dll (file missing)

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files\folders IF still present:
C:\Documents and Settings\All Users\Application Data\Remote user extra roam\<--This folder
C:\WINDOWS\System32\nvrtbr.exe<---This file
C:\DOCUME~1\craig\APPLIC~1\THEDEN~1\<--This folder the name maybe longer then this
C:\WINDOWS\lbbho.dll<---This file

Still in Safe Mode do a file Search for this file if found delete it
hobbix.dll

Then do a reboot till us how it is running & show us new logfile.

HGD