koo9
asked on
annoying korean search page in my IE :(
hi all
I have some kind of trojan app running in the background. It hooks (Windows hook) Internet Explorer, so whenever there is an unreachable URL, it sets the URL text and searches with its appointed search engine. Now I wonder if it hooks my keyboard and monitors what I type. The virus scan (McAfee) doesn't pick this up.
the search engine name is http://search.digitalnames.net
Does anyone have any info on how to get rid of that?
thx
try deleting C:\WINDOWS\System32\DigitalNamesStart.exe
if it's already running, try deleting it in safe mode, or end task it before deleting
definitely give your pc a spyware scan...it probably isn't a virus (self-replicating) but is definitely malware.
scan with grblades above links with ad-aware and spybot (REMEMBER TO UPDATE BEFORE SCANNING!) , reboot..then post a hijackthis log.
I have had a lot of success with Ad-Aware from Lavasoft. It is offered for free on their site, http://www.lavasoft.de/
Don't forget to update the definition file before running it.
ASKER
I did Spybot and Ad-Aware, but they didn't catch anything. There used to be a mykeyword.exe on c:\; I deleted it and also deleted the key in the registry and corrected the default search engine keys etc., but that still won't get rid of it.
download hijackthis and post the log
ASKER
here's the log from hijackthis
Logfile of HijackThis v1.97.7
Scan saved at 1:07:04 PM, on 8/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\EPOAgent\naimas32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Say the Time\SayTime.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LightSurf\Common\IconMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\LightSurf\Colorific\hgcctl95.exe
C:\Program Files\LightSurf\Color Indicator\TICIcon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office 2003\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Microsoft Office 2003\OFFICE11\WINWORD.EXE
C:\Documents and Settings\kyu\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-882F6B62E975} - C:\WINDOWS\system32\drivers\user\bms.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Say the Time] C:\Program Files\Say the Time\SayTime.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: VICQ.lnk = C:\Program Files\VICQ\vicq.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LightSurf.lnk = C:\Program Files\LightSurf\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1093276093324
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29d646b3344fd45ee114/netzip/RdxIE601.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://24.66.89.24/tsweb/msrdp.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://merlin.telus.net/wizlet/Qualifier/static/controls/WebflowActiveX.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37970.5372222222
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DFB64246-00EA-4996-8C31-1F0855BECDDB} (P3WLoader Class) - http://player.bugs.co.kr/player/cab/bugsLoader.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
i'd remove...
R3 - Default URLSearchHook is missing
O2 - BHO: Idea2 SidebarBrowserMonitor Class
O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A
O16 - DPF: {DFB64246-00EA-4996-8C31-1
and these two look suspicious... I don't know why a driver .dll needs to be installed as a browser helper object
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-8
you sure do have a lot running! see if any of that helps
The following entry is safe:
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
It's part of Hewlett-Packard/Veritas DLA software - digital line access software
RF
thanks for the clarification rossfingal ... missed that one
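The triage reasoning in the replies above (a BHO whose file is gone, a BHO DLL loading from a drivers directory, and ActiveX downloads grouped by source host), as an added Python example that is not part of the original thread. The sample lines are copied from the posted log with the extraction spaces removed; the function names and the two heuristics are illustrative assumptions, not HijackThis features.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted in this thread (extraction spaces removed).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-882F6B62E975} - C:\WINDOWS\system32\drivers\user\bms.dll
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
BHO_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<target>.+)$")
DPF_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>.*)\))? - (?P<url>\S+)")


def triage_bhos(log_text):
    """Return (verdict, clsid, reason) for O2 entries matching the thread's heuristics."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if not m:
            continue
        target = m["target"].lower()
        if target == "(no file)":
            findings.append(("orphan", m["clsid"], "registered but DLL is gone"))
        elif "\\drivers\\" in target:
            findings.append(("suspicious", m["clsid"], "BHO DLL under a drivers directory"))
        # "(no name)" alone is not a signal: the Acrobat and DLA helpers have none either.
    return findings


def dpf_sources(log_text):
    """Group O16 ActiveX download entries by source host for manual review."""
    hosts = defaultdict(list)
    for line in log_text.splitlines():
        m = DPF_RE.match(line.strip())
        if m:
            url = urlparse(m["url"])
            host = url.hostname if url.scheme in ("http", "https") else "(local file)"
            hosts[host].append(m["name"] or "(unnamed)")
    return dict(hosts)


if __name__ == "__main__":
    for finding in triage_bhos(SAMPLE_LOG):
        print(*finding, sep=" | ")
    for host, classes in sorted(dpf_sources(SAMPLE_LOG).items()):
        print(host, classes)
```

The output is a review list, not a verdict: each flagged CLSID and each unfamiliar download host still needs to be looked up before anything is fixed in HijackThis.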
ASKER
hmm. i think it's the two entries here
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {DFB64246-00EA-4996-8C31-1F0855BECDDB} (P3WLoader Class) - http://player.bugs.co.kr/player/cab/bugsLoader.cab
cost problem, I will get rid of them.
koo9
Yes, those two entries are bad.
However, the other entries that DVation191 suggested to fix - should be fixed.
(except for the one I pointed out above)
One thing you should do is move HijackThis to a permanent folder of its own -
something like C:\Program Files\HJT\HijackThis.exe
Also, after you have HijackThis fix whatever you have selected -
search your entire computer for bms.dll and delete any instances you find.
Particularly, check in the prefetch, dllcache, and ALL temp folders.
Clean out all your temp folders:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
<=This will delete all your cached internet content including cookies.
This is recommended and strongly suggested!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
Reboot your computer.
Post a new HijackThis log here.
Good luck!
RF
ASKER
what problem does bms.dll cause?
Why do you need a device driver in a browser helper object in IE? I can't think of any reason...and I can't find any references to it anywhere on the net...i marked it as suspicious.
Hi! koo9
bms.dll is a search hijacker, of Korean origin.
Regards...
RF
i advised what components to remove in my above post...after you removed them do you still have the same problem?
ASKER
thx RF, I will get rid of the bms.dll
Mcafee Stinger - http://vil.nai.com/vil/stinger/
What is spyware - http://www.spychecker.com/spyware.html
SpywareBlaster - http://www.snapfiles.com/get/spywareblaster.html
Ad-aware - http://www.lavasoftusa.com/support/download/
Spybot S&D - http://www.snapfiles.com/get/spybot.html
HijackThis - http://www.snapfiles.com/get/hijackthis.html
Spy Sweeper - http://www.webroot.com/wb/products/spysweeper/index.php
CWShredder - http://www.spywareinfo.com/~merijn/downloads.html