Hijack This log Spyware removal and Windows XP error message

Hello JohnRamz =)

First of all copy two files from another WinXP system,,,, i.e Config.nt and Autoexec.NT
and paste them to ur C:\Windows\System32 folder

this shud solve ur 16-Bit MSDOS error !!!

Could it from and Windows XP pro system?. The PC with problems is Windows XP home

Turn Off ur System Restore, and fix the following entries !!!!!

========================================================
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2 - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SDWin32 Class - {579F76BF-02FF-462C-8D08-A48DEBE87904} - C:\WINDOWS\System32\gpxti.dll
O2 - BHO: (no name) - {6AD84276-B417-59BA-8256-675578A3786F} - C:\WINDOWS\System32\kdtc.dll
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
===============================================
then Disable messenger service if running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/

then u have to Edit a registry entry >> F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,

goto Start>run>regedit
and navigate to the following key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

look in the right pane for a key called Userinit
right click it and click Modify
u can see the value data as >> C:\Windows\System32\wsaupdater.exe,

chnage it to >> C:\Windows\System32\userinit.exe,
(Note the comma following the file path information)

save the file and restart ur machine
after that then Download these tools and install Adaware and Spybot:
========================================================
AdAware ==> http://www.lavasoftusa.com/support/download/
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================
then....

1. Restart ur machine
2. Boot into safemode and Login as Administrator
3. Run the AntiVirus tool and delete all viruses it found
4. Run the Spyware Removal tools and delete everything they detect
5. Then goto MyComputer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\ur usernmae\Cookies, and delete all cookies present here.
9. Reboot back in Normal Mode and check if problems are gone
10. If YES then Great, otherwise run the Hijakcthis scan, and post the LOG file here again.

>> Could it from and Windows XP pro system?. The PC with problems is Windows XP home

yes it can be,,,, coz the actual problem is u are missing some lines in one of these two files.... and replacing them with good files can solve the issue,,, u can also get one from XP CD.... but it will be hard to find in the cab files on the CD !!!!

check here for finding out the reason of this problem >> http://support.microsoft.com/default.aspx?scid=kb;EN-US;314106

Hi JohnRamz,

Coppyed this from link   http://support.microsoft.com/default.aspx?scid=kb;EN-US;314495
Many different 16-bit programs designed to run under Microsoft Windows 3.1 have been tested with Windows XP. When you troubleshoot a 16-bit Windows-based program that is not working properly under Windows XP, consider the following items:

    * If possible, verify that the program works correctly under Microsoft Windows 3.0 and Windows 3.1.
    * Note that if the program requires a virtual device driver (VxD), it will not work properly under Windows XP.
    * Ensure that a default printer has been selected in Control Panel. Some programs (such as Microsoft Word version 2.0 for Windows) do not function properly under Windows XP unless a default printer has been selected. Some older 16-bit programs require that you select a printer within the options of the program.
    * Make sure that any dynamic link libraries (DLLs) used by the program are both current and locatable by the program (either on the system path or explicitly defined within the program or working directory).
    * Make sure that the default items contained in the Config.nt and Autoexec.nt files are present and in the proper order.

      In Windows XP, Config.nt contains the following commands by default:

    dos=high, umb
    device=%SystemRoot%\system32\himem.sys
    files=40
                   

      Autoexec.nt contains the following commands by default:

    @echo off
    lh %SystemRoot%\system32\mscdexnt.exe
    lh %SystemRoot%\system32\redir
    lh %SystemRoot%\system32\dosx
    SET BLASTER=A220 I5 D1 P330 T3
                   

    * Any environment variables required by the Windows-based program should be located in the Autoexec.nt file; if they are, Windows will use them appropriately.

      Note that if any changes are made to variables related to the Windows 3.0 or Windows 3.1 subsystem (Wowexec.exe), you may have to restart the computer for these changes to be implemented.
    * Determine whether Windows has been installed as a stand-alone operating system or as an upgrade of a previous Windows 3.0 or Windows 3.1 installation. If it is an upgrade, information from the Win.ini and/or System.ini files may have not been correctly copied into the Windows Registry database.

      To resolve this issue, you may have to either migrate these settings again or reinstall the program that is not working.

      For help with migrating program information into the Windows Registry, query on the following reference words in the Microsoft Knowledge Base:

      migrate and Win.ini
    * Run the program in a separate memory space. To do this, edit the icon or shortcut properties: On the General tab, click the Advanced button, and then click to select the appropriate check box.

Cheers!

SheharyaarSaahil:

Why do I need to turn the System restore off? Wouldn't it be useful to keep it on to restore the system in case something do not go right with the instructions you gave me?

Thanks

hmmmmmmm but look, we turn off system restore coz spywares\viruses put their "agents files" in the stored restore points,,,,
and when we remove them, they use their agents and come back.... that's why we mostly Turn off system restore coz it deletes all previous restore points..... !!!!

u are right abt the idea, if something went wrong.... but we think it as a Restore help for malwares =|
but if u want u can keep it running for ur surety.... and can clean the system..... !!!!!
but if they will come back,,, then u will have to agree that its becoz of System Restore :)

Someone had a similar error and did this:

First, I openned the command prompt.
Click, Start, Run, type cmd

When the command prompt openned, I went to the root directory
type cd\

the prompt will change to
C:\>

Next, I made a new directory called "AUTOEXEC"
md autoexec

Put the Windows XP CD in. When it launches, click "Exit"
------------------
-------
Now, you're going to do the following from the command prompt.

Type d:
press <ENTER>

The prompt will change to
D:\>

Next, type cd\i386 and press <ENTER>

The prompt will change to
D:\i386>

Use this expand command to expand the autoexec.nt file from the CD to the
new directory..
expand autoexec.nt_ c:\autoexec\autoexec.nt

After you've done that, go to Windows Explorer, go to the autoexec folder.
If you see the autoexec.nt folder, you're cool so far.

Copy the autoexec.nt file to your C:\Windows\system32 folder

You should be able to launch that 16 Bit program now.

Now, I discovered another problem... Everytime I rebooted the computer, the
file would delete itself from the system32 folder... Wierd, huh? So the
last time I copied the autoexec.nt file to the system32 folder. I went into
the file's properties, and made it into a Read Only file. That way, rthe
file couldn't delete itself.

The error hasn't come back!


Source:http://www.computing.net/windowsxp/wwwboard/forum/111681.html

Maybe that could also help you.

Also someone posted a MS fix but I don't know what exact page they got it from just the fix for it they pasted. Here's what it was.

CAUSE

This behavior can occur if the following registry value has become corrupted:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\VDD

This issue may occur after you install a 16-bit program, or a program that uses a 16-bit installation program, that is not Windows 2000 compliant.

RESOLUTION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of
Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).

1.Start Registry Editor (Regedt32.exe).

2.Locate and click the following value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\VDD

3.On the Edit menu, click Delete.

4.On the Edit menu, click Add Value.

5.Type VDD in the Value Name box, click REG_MULTI_SZ for the Data Type, and then click OK.

6.The Multi-String editor appears. Leave this entry blank and click OK.

7.Quit Registry Editor.

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.

MORE INFORMATION

These error messages can also occur in Microsoft Windows NT 4.0 if this key is manually deleted for testing purposes.

Additional query words:

Keywords : kb3rdparty kberrmsg w2000apps
Issue type : kbprb
Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000S kbwin2000Ssearch kbwin2000Search kbwin2000ProSearch
kbwin2000Pro

Source:http://www.ntcompatible.com/thread12741-1.html

SheharyaarSaahil :

Regarding the 16 bit problem it was fixed copying those files over. But the Spyware problem still present. I am gonna try now with the restore service off but before I wanted to post 2 logs

1- HIJACK THIS log after first try:

Logfile of HijackThis v1.98.2
Scan saved at 1:57:51 PM, on 8/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cvss.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll

2- SpyBot Log. These five issues are supposedly fixed by Spybot by they keep reappearing every time I run the program:

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-2080873505-4276184813-4260486767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3  ---
2004-08-11 Includes\Cookies.sbi
2004-08-11 Includes\Dialer.sbi
2004-08-11 Includes\Hijackers.sbi
2004-08-11 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-08-11 Includes\Malware.sbi
2004-08-11 Includes\Revision.sbi
2004-08-11 Includes\Security.sbi
2004-08-11 Includes\Spybots.sbi
2004-08-11 Includes\Tracks.uti
2004-08-11 Includes\Trojans.sbi


Thanks for your prompt replies. I'm very impressed!!

JohnRamz

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
===================================

fix these entries, adn then boot into safemode, adn delete the folder of WindUpdates from C:\Program Files
reboot back in Normal Mode and check again is it has not came again ??

the DSO Exploits from Spybot is a Common and Known bug in Spybot,,, u need to follow some instructions here to get rid of it >> O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe

Also one more thing,,,, when in regedit, u navigate to this key >> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

and check the Userinit value data, what is it ??

SheharyaarSaahil :

1- I cannot understand what you mean by "here" on this sentence"

",,, u need to follow some instructions here to get rid of it"

2- The value data is:

"C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\userinit.exe,"


Thanks

ufffff..... im soooo sorryyyy abt that, was a copy paste mistake =(
i meant to say, u need to follow some instructions here >> http://forums.net-integration.net/index.php?showtopic=15308&st=0&hl=dso+exploits


2. If im not mistaken,,,,, i asked to set the value data as >> C:\Windows\System32\userinit.exe,
i mean only one time,,, why it is set as two times, means >> C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\userinit.exe,

SheharyaarSaahil :

OK. So that's a known bug in Spybot. I will take care of that later.

I made sure the value in Userinit is only once

Now, let's take a look at the Hijack this log after following your last advice:

Logfile of HijackThis v1.98.2
Scan saved at 2:46:59 PM, on 8/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: msoffice.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll

Even after this one those two entries are still there:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


These are the ones that do not allow me to do a search on Google. They take over my search engine. PLeaseeeee, I think we are getting to the bottom of this.

thanks

ok fix thse three lines....

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182

restart and check for the problem ??
to what site does it take u when u search on google ??

open C:\Windows\system32\drivers\etc
and open the Hosts File in Notepad
can u see any extra "#" entries for some websites here ??

No luck yet. the same two lines:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Still stuck on there.

WHen I do a search in google it does not take me to another site. It just shows hit that has nothing to do with my search argument.
Whatever you can do, this is wearing me out.

Thanks

u mean to say,,, when u search in Google for..... experts exchange
it doesn't show u the proper results ??
only happens with Google or with yahoo and msn search also ??

try uninstalling that google toolbar.... !!!

The google toolbar came after the fact trying to stop Pop ups. It happens with msn and Yahoo too.

Are u sure u deleted the Temp Internet Files and Cookies as i suggested above ??
that's strange.... im listening for the first time that a search engine is not finding the correct results... mostly we come across the situation where when u hit Search and it takes to another search engine :-?

anywayzzzz now u can try a repair,,, coz really i cannot see any culprit entry in hijackthis LOG,,,, coz these two lines has no value for them....

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

try fixing this one also >> O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll
i dont think its REQUIRED !!!!

restart and check, if still no Luck then try...

Repair or Reinstall Internet Explorer in Windows XP:
http://www.theeldergeek.com/repair_ie6.htm
(First run the SFC scan, and then reinstall using ie.inf method)

if still no luck, then try running this tool:
http://www.mvps.org/sramesh2k/IEFIX.htm

If there would be a way to send you screenshots I would send you some.

cannot give my email address.... against the rules =|

ok John..... u can check my profile to know my email.... and and can mail me the pics u want to show me abt the google error !!!!

After all that clutter could you repost your new hijackthis log to be further analyzed.

After trying everything you told me, those two entries are still there on the hijackthis log. However I found something else, I ran the AVGsoft (Antivirus) and it found 3 viruses that were moved to the "virus vault" whatever that means. Then I ran a Panda Antivirus DOS based program(provided to me by the company since that's what we use in our office), the PC I'm troubleshooting is the Boss's personal PC. So I decided to go to PCpitstop.com that uses PANDA as a scanner and it gave me this report:

Scan Results: Virus Infection Found
Our scan of 53940 files found these viruses:
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\polmx3.cab
The Trj/Downloader.NG Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2047.tmp\twaintec.cab
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2076.tmp\twaintec.cab
The Trj/Imk.A Virus was found in file C:\WINDOWS\system32\msnimk.gif
The Trj/Downloader.GK Virus was found in file C:\WINDOWS\system32\oibsmo.exe_
The Trj/Downloader.OU Virus was found in file C:\WINDOWS\wupdt.exe_


It's strange to me that the PANDA command based utility I got with the latest signature file did not clean those up when PCpitstop uses the same thing. Would those viruses have anything to do with the hijacking of the search engines(google, yahoo, msn)?

The latest hijackthis report is:

Logfile of HijackThis v1.98.2
Scan saved at 10:18:02 AM, on 8/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cvss.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll

THanks in advance

John

The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\polmx3.cab
The Trj/Downloader.NG Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2047.tmp\twaintec.cab
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2076.tmp\twaintec.cab
=========================

i asked to 6. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here

The Trj/Imk.A Virus was found in file C:\WINDOWS\system32\msnimk.gif
The Trj/Downloader.GK Virus was found in file C:\WINDOWS\system32\oibsmo.exe_
The Trj/Downloader.OU Virus was found in file C:\WINDOWS\wupdt.exe_
==========================

can u find these files on ur system, delete them in safemode if they are there !!!!!

If I were you, I would create a batch file that did this

Attrib %file1 -s -h -r
Attrib %file2 -s -h -r
Attrib %file3 -s -h -r
Attrib %file4 -s -h -r
Attrib %file5 -s -h -r
ect  ect.... and then
Del %file1
Del %file2
Del %file3
Del %file4
Del %file5

then boot to dos and run that file to remove all those files listed as a virus. I found it easy to cut and paste those files in a batch file then run it rather than track each one down manually.

Of course replace %file# with the actual path and file name.

SheharyaarSaahil :

I deleted the files but those two lines are still on the log:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Search engines are still hijacked


Now, I went to the registry and looked for "SearchAssistant" and found several entries for it. Can I delete those values? is there anyway to extract just those lines to show them to you?

I would run Spybot S&D also to help clean out spyware.

http://www.download.com/redir?pid=10289035&merid=104443&mfgid=104443&lop=link&edId=3&siteId=4&oId=3002-8022-10289035&ontId=8022&destUrl=ftp%3A%2F%2Fftp.download.com%2Fpub%2Fwin95%2Futilities%2Fspybotsd13.exe

Very sorry , please ignore that post. (Is your Spybot updated?)

>> Now, I went to the registry and looked for "SearchAssistant" and found several entries for it. Can I delete those values? is there anyway to extract just those lines to show them to you?

just tell me one thing,,,,, are they present in HKEY_Local_Machine or in HKEY_Current_User ??

also try one more thing now.... create a new user, and connect to internet, use google and other search engines to check if same problem happens there ??
post back results and i will tell u what to do next :)

ok, DoTheDew335:

1- I find those entries in HKey_Local_Machine and HKEY_CLASSES_ROOT

2- This a Home Edition XP pc. I created the other account and the browser still hijacked(msn, yahoo, google)



That's it

SheharyaarSaahil:

Well I wanted to thank you for your help to troubleshoot the adware/spyware problem on this PC. I learned some computer stuffs in the process.

What ended up solving the problem was the program SpySweeper from webroot.com. However because of your willingness to help me, leading me in the right direction, giving your time, your efforts and helping me to resolve completely Issue #1("16 bit Windows Subsystem") I will award you the 500 points.

Thanks and God bless you,

Johnny

lol..... its amazing,,, coz on some machines spysweeper dont do anything but create more problems,,,,, and for u it was the Final solution..... we can never guess abt computers :D

anywayzzzzz i must thank u for bearing me and even awarding me with those kind points... ^_^

!! Happy Computing !!