Solved

please help me.. another cws problem

Posted on 2004-09-17
339 Views
Last Modified: 2012-06-21
i seem to have a problem with cws, if not some other things, i have tried spysweeper, cwshredder, adaware, and hijackthis, and they have done nothing.. and if it seems anything was done, it comes back anyway as soon as i reboot.. spysweeper keeps giving me alerts about things being added to my favorites, and my homepage being reset.. i have tried deleting lines in hijackthis, and even trying to mess with the registry, although im not an expert, so i try not to mess with what i dont know too much.. but no matter what i have done nothing has worked.. i noticed everyone posting their hijackthis log, so here is mine if it helps

Logfile of HijackThis v1.97.7
Scan saved at 3:50:39 AM, on 8/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\win\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0535E11F-7B5D-4870-A581-F62B5F95837D} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {70769496-CA68-4ABD-B7D8-5569E6D64A32} - C:\WINDOWS\1090272128.dll
O2 - BHO: (no name) - {EB456EF6-2F9B-4160-B5D7-1EFBCDFFD205} - C:\WINDOWS\System32\mfi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0889DC97-8499-7EC4-DB55-02B0610AC043} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0C79B913-0193-7D2C-54C9-37E3698410AA} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - file://C:\Windows\e.exe
O16 - DPF: {14E8DC30-8960-24F0-8979-59C15A7F3A16} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {1579E6FA-2CF4-0D97-F76F-7B0041A407A3} - http://69.31.87.70/1/rdgUS208.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=4532735100030c99da9ee18274076591321e8833f80ab91636fd51037d3ffa27b48b2691f3b04343f15db41e9440fa97f25e05813280d97d:b0cf57d56ddd1008b8819d33c3794247
O16 - DPF: {190A45A5-1EE1-456A-0E85-65683C1EE17D} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {1AF64D39-9508-05C0-1375-68367F960E8C} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {377ADB94-7718-7C11-EEC9-7E7756C53B17} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {44C2361F-0CAA-2397-B214-5EB5432E0C2E} - http://69.31.87.70/1/rdgUS208.exe
O16 - DPF: {558E3B3B-60AB-7B57-E9B7-4ECB52D80207} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {59A5EEAD-707C-2714-174D-064079096D03} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {59F8080A-01F8-208E-06A5-143C77EE84F9} - http://66.117.42.151/1/rdgUS243.exe
O16 - DPF: {5D41942D-2D55-0F68-6C5F-6E8D37B95B82} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5E4B2A1F-016B-5E49-EC68-51360C518905} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {71DD9757-4DAB-1EF0-5B20-2E5D1555C0D9} - http://69.31.87.70/1/rdgUS208.exe
O16 - DPF: {7BCCAAFA-406D-0FB0-E488-41046F71A57A} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB28EAC-64FE-44C8-80FC-64A89114AC94}: NameServer = 192.168.1.1

i am running windows xp, i have ie6, and i am working from a laptop.. any help is appreciated..

ps. i have tried to install aim and kazaa and am not able to, could it be due to this problem?
Question by:drmuneca
27 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Hello drmuneca =)

First of all u are using the old version of HijackThis, so Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post it at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it asks u to delete :)

and if still u cannot get it working, then Post here that LOG file, and we will tell u that what is BAD in it and how to remove them :)

!! GOOD LUCK !!
 
LVL 65

Expert Comment

by:SheharyaarSaahil
After u done the Hijackthis fixing,,,, u can follow these instructions to cleanup ur system from every junk :)

Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine in safemode and Login as Administrator
2. Run the AntiVirus tool and delete all viruses it found
3. Run the Spyware Removal tools and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
8. Goto C:\Windows\Temp and delete all files present here
9. Reboot back in Normal Mode and check if problems are gone or not
10. Post Back and Good Luck :)
 

Author Comment

by:drmuneca
hi,
i tried what you said.. i deleted everything in hijackthis that the analysis said to delete, then i went into safe mode and ran all the programs, and cleaned up all the temp files and cookies too.. as soon as i went back into normal mode, spysweeper popped up with the same alert as always.. i ran hijackthis, and all the problems are still there.. here is the log from hijackthis, although i dont see the point because whatever i delete comes back.. any other suggestions?

Logfile of HijackThis v1.98.2
Scan saved at 5:40:53 AM, on 8/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\win\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: winlgn.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB28EAC-64FE-44C8-80FC-64A89114AC94}: NameServer = 192.168.1.1
O18 - Filter: text/html - {9238E4BE-FABD-4879-8F7A-EAEF5D785332} - C:\WINDOWS\System32\mfi.dll
O18 - Filter: text/plain - {9238E4BE-FABD-4879-8F7A-EAEF5D785332} - C:\WINDOWS\System32\mfi.dll

 
LVL 65

Expert Comment

by:SheharyaarSaahil
>> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

what is this process, do u know it ??
if NO then delete it !!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc (obfuscated)
O4 - Global Startup: Free WebSite Tools.lnk = ? ==> if u dont know abt it
O4 - Global Startup: winlgn.exe ==> if u dont know abt it
O18 - Filter: text/html - {9238E4BE-FABD-4879-8F7A-EAEF5D785332} - C:\WINDOWS\System32\mfi.dll
O18 - Filter: text/plain - {9238E4BE-FABD-4879-8F7A-EAEF5D785332} - C:\WINDOWS\System32\mfi.dll
==========================================

U still have to Fix these entries !!
and btw Did u turn off System Restore before doing the cleaning ??
 

Author Comment

by:drmuneca
no i didn't turn off system restore.. how would i go about doing that?
 
LVL 65

Expert Comment

by:SheharyaarSaahil
How to turn on and turn off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
 

Author Comment

by:drmuneca
hi
sorry i took so long to get back.. i tried what u said.. i turned off  system restore, went into safe mode, ran all the spyware programs, did what they told me to do, after that i ran hijackthis and this is the log i got from it

Logfile of HijackThis v1.98.2
Scan saved at 3:27:39 PM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\win\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: winlgn.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB28EAC-64FE-44C8-80FC-64A89114AC94}: NameServer = 192.168.1.1

but as soon as i rebooted normally, and i ran the spyware programs, everything was still there.. and actually adaware found 11 items in safe mode, and 28 after i rebooted.. this is the log i got from hijackthis after the normal reboot

Logfile of HijackThis v1.98.2
Scan saved at 3:54:11 PM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\win\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {79401695-A20B-41F2-8C2E-2359FAAE5CEF} - C:\WINDOWS\System32\moclba.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: winlgn.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB28EAC-64FE-44C8-80FC-64A89114AC94}: NameServer = 192.168.1.1
O18 - Filter: text/html - {F45C4DDD-10B3-43DB-8630-01768832D8B5} - C:\WINDOWS\System32\moclba.dll
O18 - Filter: text/plain - {F45C4DDD-10B3-43DB-8630-01768832D8B5} - C:\WINDOWS\System32\moclba.dll

i was really hoping that it would work.. what else do u think i could do?
 
LVL 65

Expert Comment

by:SheharyaarSaahil
can u tell me one thing plzz.... have u put this .exe file urself, means do u know it ??
>> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
 
LVL 12

Expert Comment

by:rossfingal
Hi!
Try this -
First, go to the following and download Dllcompare:
http://download.broadbandmedic.com/DllCompare.exe
or -
http://www10.brinkster.com/expl0iter/freeatlast/FNF/DllCompare.zip
Place it on your Desktop, but do not run it yet.

Various parts of the following instructions may have already been stated by other experts.
However, I'm posting my "canned" set of instructions for dealing with "mypoiskovik.com" -
so, everyone please bear with me!  :)
"mypoiskovik.com" is a "nasty" that can infect your system in a variety of ways.  
Use the following procedure to attempt a removal:

Make sure your settings allow you to view "Hidden files".  
Open up any explorer window and click on "Tools" => "Folder Options" => "View" -
and be sure to check off "Show Hidden Files and Folders".

Run HijackThis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {79401695-A20B-41F2-8C2E-2359FAAE5CEF} - C:\WINDOWS\System32\moclba.dll (file missing)
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: winlgn.exe
O18 - Filter: text/html - {F45C4DDD-10B3-43DB-8630-01768832D8B5} - C:\WINDOWS\System32\moclba.dll
O18 - Filter: text/plain - {F45C4DDD-10B3-43DB-8630-01768832D8B5} - C:\WINDOWS\System32\moclba.dll
 
and then click "FIX checked" after ALL other windows are closed (including this one):

RESTART your computer in Safe Mode -

Search your entire computer and delete these files or folders (if present):
C:\Program Files\Internet Explorer\IEengine.exe <= delete IEengine.exe
C:\WINDOWS\system32\winlgn.exe <= This file,"winlgn.exe" - NOTICE the spelling:
both "o's" are missing.  
Please watch that you do not delete winlogon.exe (that is a legitimate file in the same directory!!)
winlogon.exe in any location other than c:\windows\system32 - is considered "suspicious"!
(windows may be winnt. win98 etc, depending on your operating system)
c:\windows\system32\winlogon.exe is a legitimate, system file that MUST NOT be deleted.  
One of the more common places for winlgn.exe to hide is -
C:\Documents and Settings\All Users\Start Menu\Programs <= Be sure to check this location.
Search for and delete any instances of these files (if present):
m.exe
dlltemp.exe  
dllhelp.exe
Search for this file:
moclba.dll
Make a note of its size, creation date, etc.
Then delete all instances you find.

While still in safe mode would you please run CoolWeb Shredder one more time and
let it FIX all problems it finds.

Quite often Windows O/S's may not be able to see hidden DLL files that may be spyware related.  
Option^Explicit has come up with a way to scan any version of Windows for these files.

   1. Double-click on DllCompare.exe to run it.
   2. When you execute dllcompare.exe, by default the c:\windows\system32 is selected.  
       Leave this selected
       and check off the box labelled "Include SubDirectories"
   3. Click on "Locate.com" and allow the scan to complete.
   4. After the scan has finished click on "Compare" to scan for the files that Windows does not see.  
       This step will take a few minutes to run.
   5. If the box at the bottom of the screen contains any files, these are the ones that are hidden -
       Click on "Make a Log of what was Found".
   6. When prompted to "View Log File" click on "Yes".
   7. Notepad will open with the log file contents.
   8. In Notepad, click on "Edit" => "Select All" => "Edit" => "Copy" and post the contents as a reply to this message.
   9. If any files show up in the bottom pane, search your computer for them and
       check their properties.
       If their size and creation date (Particularly Size - the time on the creation date may be off!) match the properties of moclba.dll
       (the properties of which you noted above):
       Delete them
If you are unsure or feel uncomfortable about what to delete - do not delete them!

There are no functions in the program to alter the O/S as it is just a scanner at this point.

Clean out all your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - OPTIONAL!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".

RESTART back in Normal mode.  
Don't open a browser yet.
Instead, access your "Internet options" via "Control Panel" and under the "Programs" tab,
"Reset Web Settings".
Under the "General" tab => "Delete files" and "Reset home page".

Post back a new HijackThis log here and the DllCompare log.

Good luck!
RF
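The checks the experts in this thread are running by eye over the HijackThis logs, written out as an added Python example (mine, not code from the thread, from HijackThis or from DllCompare): it parses lines in HijackThis log format and flags the patterns called out above, including IE start/search values pointing at an untrusted host, a local file or a non-default about: page, BHOs with no backing file, ActiveX downloads from a bare IP address, text/html and text/plain MIME filters, and startup entries with unresolved targets. It also applies rossfingal's rule from this post that winlogon.exe anywhere but c:\windows\system32 is suspicious, generalised to a near-miss check so that winlgn.exe is caught as a lookalike. TRUSTED_HOSTS, the SYSTEM_BINARIES folder map, the two-edit lookalike threshold and the KNOWN_BENIGN_NEAR_MISSES allowlist are constructed baselines that the thread does not specify; the sample log copies lines from the logs posted above plus one constructed process path, C:\WINDOWS\Temp\winlogon.exe.

```python
import re
from urllib.parse import urlparse

# Constructed baseline: targets an IE start/search value may legitimately hold.
TRUSTED_HOSTS = {"msn.com", "www.msn.com", "www.microsoft.com", "about:blank"}
# Core Windows XP binaries and the only folder each legitimately runs from (constructed map).
SYSTEM_BINARIES = {n: r"c:\windows\system32" for n in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe")}
SYSTEM_BINARIES["explorer.exe"] = r"c:\windows"
# Legitimate names within two edits of a system binary (iexplore.exe vs explorer.exe).
KNOWN_BENIGN_NEAR_MISSES = {"iexplore.exe"}
LINE_RE = re.compile(r"^(?P<section>R\d|O\d+)\s+-\s+(?P<body>.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXE_RE = re.compile(r"([\w~.-]+\.exe)", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance; cheap way to catch names such as winlgn.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(exe_name):
    """System binary that exe_name imitates (within two edits), or None."""
    name = exe_name.lower()
    if name in SYSTEM_BINARIES or name in KNOWN_BENIGN_NEAR_MISSES:
        return None
    return next((s for s in sorted(SYSTEM_BINARIES) if edit_distance(name, s) <= 2), None)

def host_of(url):
    """'file' for file: URLs, the about: page itself, else the lowercase hostname ('' if none)."""
    low = url.lower()
    if low.startswith(("file:", "about:")):
        return "file" if low.startswith("file:") else low
    return urlparse(low if "://" in low else "http://" + low).hostname or ""

def check_process_path(path):
    """rossfingal's rule: a system binary outside its home folder, or a near-miss of one anywhere."""
    folder, _, name = path.rpartition("\\")
    expected = SYSTEM_BINARIES.get(name.lower())
    if expected and folder.lower() != expected:
        return f"{name} running from {folder} instead of {expected}"
    legit = lookalike_of(name)
    return f"{name} is a lookalike of {legit}" if legit else None

def triage(lines):
    """Return [(line, reason)] for HijackThis log entries a reviewer should inspect."""
    findings = []
    for raw in lines:
        line, reason = raw.strip(), None
        if PATH_RE.match(line):                                  # "Running processes" section
            reason = check_process_path(line)
        elif (m := LINE_RE.match(line)):
            section, body = m.group("section"), m.group("body")
            if section in ("R0", "R1"):                          # IE start/search registry values
                key, _, value = body.partition("=")
                if "Internet Explorer" in key and value.strip():  # skips ProxyOverride and emptied keys
                    host = host_of(value.split()[0])             # split() drops "(obfuscated)" trailers
                    if host == "file":
                        reason = "IE search/start key points at a local file"
                    elif host and host not in TRUSTED_HOSTS:
                        reason = f"IE search/start key set to untrusted target {host}"
            elif section == "O2" and ("(no file)" in body or "(file missing)" in body):
                reason = "BHO registered with no backing file"
            elif section == "O4":                                # autostart entries
                exe = EXE_RE.search(body)
                legit = lookalike_of(exe.group(1)) if exe else None
                if legit:
                    reason = f"startup entry {exe.group(1)} is a lookalike of {legit}"
                elif body.rstrip().endswith("= ?"):
                    reason = "startup shortcut whose target could not be resolved"
            elif section == "O16":                               # ActiveX download objects
                tail = re.search(r"-\s+(\S+)$", body)
                host = host_of(tail.group(1)) if tail else ""
                if IP_RE.match(host):
                    reason = f"ActiveX control fetched from bare IP {host}"
            elif section == "O18" and body.startswith(("Filter: text/html", "Filter: text/plain")):
                reason = "MIME filter on text/html or text/plain (can rewrite every page)"
        if reason:
            findings.append((raw, reason))
    return findings

# Constructed sample in HijackThis log format: lines copied from the logs in this thread,
# plus one constructed process path (C:\WINDOWS\Temp\winlogon.exe) to exercise the folder rule.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Temp\winlogon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0535E11F-7B5D-4870-A581-F62B5F95837D} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: winlgn.exe
O16 - DPF: {0889DC97-8499-7EC4-DB55-02B0610AC043} - http://66.117.42.151/1/rdgUS19.exe
O18 - Filter: text/html - {9238E4BE-FABD-4879-8F7A-EAEF5D785332} - C:\WINDOWS\System32\mfi.dll
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG.splitlines()):
        print(f"{why}\n    {entry}")
```

Running it prints each flagged line under its reason; ten of the sample's lines are flagged, and msn.com, the ProxyOverride value, IEXPLORE.EXE, Explorer.EXE and qttask.exe pass. The output is a review list, not a delete list: the edit-distance rule in particular needs its allowlist, since iexplore.exe sits two edits from explorer.exe, and a baseline of trusted hosts and system folders has to come from the machine's own known-good state rather than from a thread like this one.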
 

Author Comment

by:drmuneca
when i clicked on fix checked, there was a message about that winlgn.exe file.. it  says it cannot delete the file because it is in use.. i dont know what program is using it to close it.. i didn't go into safe mode yet because i was wondering what to do about the winlgn.exe first..
LVL 12

Expert Comment

by:rossfingal
Hi!

I'm not surprised that you couldn't delete it!  :)
Follow my instructions and go into safe mode.
Delete it there.

RF
LVL 65

Expert Comment

by:SheharyaarSaahil
there u gooooooooo.....

now go to Start>Run>msconfig>Startup
and here u can see the winlgn entry, untick it
then boot into safemode and delete this file from  C:\Documents and Settings\All Users\Start Menu\Programs\Startup
in safemode it will not be running in the background.... so u will be able to kick it out !!

then reboot back, run hijackthis, and fix these entries,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {79401695-A20B-41F2-8C2E-2359FAAE5CEF} - C:\WINDOWS\System32\moclba.dll (file missing)
O18 - Filter: text/html - {F45C4DDD-10B3-43DB-8630-01768832D8B5} - C:\WINDOWS\System32\moclba.dll
O18 - Filter: text/plain - {F45C4DDD-10B3-43DB-8630-01768832D8B5} - C:\WINDOWS\System32\moclba.dll

Author Comment

by:drmuneca
shehar... i tried what u said, the winlgn.exe disappeared, but the mypoiskovik.com website keeps coming back..

rf.. here is the hijackthis log

Logfile of HijackThis v1.98.2
Scan saved at 8:01:53 PM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\win\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB28EAC-64FE-44C8-80FC-64A89114AC94}: NameServer = 192.168.1.1

and here is the .dll log

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\d3dgbp.dll     Sat Jul 31 2004   4:46:44p  A...R         57,344    56.00 K
________________________________________________

2,882 items found:  2,882 files, 0 directories.
Total of file sizes:  545,422,672 bytes    520.15 M

Administrator Account =  True

--------------------End log---------------------
i looked for this d3dgbp.dll file to delete it but i couldn't find it

how do i get rid of this thing!?
LVL 65

Expert Comment

by:SheharyaarSaahil
It's cleaner than before..... only remnants are left, so now do this !!

boot ur system in safemode, run hijackthis and fix those http://mypoiskovik.com/sp.htm entries !!
then delete temp internet files, local settings\temp folder !!

reboot back in normal mode, dont connect to internet, just right click Internet Explorer on desktop>Properties>Programs> and click on Reset Web Settings
apply and close
now connect to internet and open IE to check if this darn thing has gone or not !!  :-/

Author Comment

by:drmuneca
hi shehar,
bad news.. i tried what u said.. twice, and still when i reboot normally, the entries are always there.. at least getting rid of the winlgn.exe has stopped adding things to my favorites list, but my webpage keeps getting reset.. i noticed something though i dont know if it means anything, but there is a file in the c:\windows\temp folder that is there when i reboot normally and if i try to delete it, it says it is in use by another program.. i noticed that in safe mode, this file is not present at all, so i cant delete it in safe mode.. its not a hidden file.. its a .dat file the name is "Perflib_Perfdata_600".. when i reboot back normally its there again.. just wanted to let u know in case it helps.. btw thanks for all the help so far, i really hope this problem can be fixed =0\ so do u have any other suggestions?? oh another thing, i also notice that in safe mode there is only one entry for mypoiskovik.com, and in normal mode there are 2.. depending on how i am logged on, hijackthis always gives me a slightly different log.. does that mean anything??
LVL 65

Expert Comment

by:SheharyaarSaahil
hmmmmmmmm, guess what,,,, here i found some information abt that winlgn.exe >> http://www.pestpatrol.com/pestinfo/t/trojan_win32_bizten.asp#Detection%20and%20Removal

so are u having its other variants on ur system as mentioned in the above link :-?

Author Comment

by:drmuneca
actually no the only thing that relates to me on that page is the winlgn.exe =0\

Author Comment

by:drmuneca
i was just browsing the net and i was just sent here.. http://296f8.ilxt.info/index.php?aid=20038   this is one of the pages i keep being sent to...
LVL 65

Expert Comment

by:SheharyaarSaahil
I was researching these redirected sites,,,,, and i think all these sites have About:Blank headings..... have they ??
if Yes then run this tool in safemode to check if its picking anything >> http://www.atribune.org/downloads/AboutBuster.zip
Post Back !!

Author Comment

by:drmuneca
u know what? i disconnected from the internet and ran all the spy programs, and after running hijackthis, it looked like my computer was clean, i restarted and it still looked clean, but as soon as i connected the wire to the internet and ran hijackthis it was all there again.. i was actually happy there for a moment.. i still cant delete that file i told u about in c:\windows\temp and its never there in safe mode, and when i restart normally and look at it, the name changes.. its still "perflib_perfdata" but the ending is different.. it will be 600 or 5f0 or something else.. and when i check the properties, on date created it always says today.. do u think this file is the root of the problem? oh i also noticed that if i leave c:\windows\temp open on the desktop i can actually see things being added to it without even being connected to the internet, or doing anything.. i can delete all these things though.. all except the perflib_perfdata crap.. just wanted to let u know in case it helps u help me =0)

ill post back as soon as i try that program u just mentioned.. lets keep our fingers crossed

Author Comment

by:drmuneca
oh another thing.. what is win min? everytime i shut down my pc it doesn't let me shut down without ending it first...does that have anything to do with it? and i also keep getting an activex window almost everytime i open up a webpage.. about my security controls not letting the page be viewed properly.. but my setting it set to medium.. do u think this is all related in some way? i also cant check my email on msn, download kazaa, or aim... i always get a blank page saying how the page cannot be viewed blah blah.. are these all different problems or just one big one?
LVL 65

Expert Comment

by:SheharyaarSaahil
Win Min is related to winlgn.exe, means its still hiding in ur system somewhere :-?
did u find in ur regedit for this file ??

and abt security dialogs,,,, have they started after this problem ??
if NO then try going to IE>Tools>Security>and select each zone one by one and click on Default Level
then in Advanced section, click on Restore defaults
apply and close ie, reopen to check now ??

and are u getting a page cannot be displayed error while trying to visit secure sites ??

Author Comment

by:drmuneca
hi shar,
sorry i took so long to get back, but im actually not going to be able to try ur suggestion today.. i cant stay on too long.. ive been having problems coming online often cause of my man, but thats a whole different problem i dont think anyone on experts exchange can help me with..  =0\

so win min has to do with winlgn.exe i didn't know that... i  have to make sure im still getting the message.. i ill check when i turn off the computer today..
 no i haven't found that in my registry.. where do u think it could be if it is there??

the security dialogs started after the problem yes.. but ill still try clicking on the defaults.. and the page cannot be displayed error i get when i go on msn, try to download aim, or try to install kazaa... i dont know if these are secure sites or not, but so far these are the pages i have been having problems with.. im not sure if it has to do with security..

i also just wanted to thank u for all ur help so far, uve been great.. =0)

ill get back to u monday cause i dont usually come online on the weekends so ill let u know if ur suggestion helped then.. bye for now..
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
No problem abt the late reply,,, i can understand the home issues also :)

>> no i haven't found that in my registry
when u will open regedit, hit F3 and enter the word winlgn.exe, hit enter and keep searching for it, until u get the message no record was found !!
and then search again for "Win Min"
come back and tell me if it found these entries anywhere in regedit ??

>> and the page cannot be displayed error i get when i go on msn, try to download aim, or try to install kazaa
Check the following article and go as suggested to sort out this problem !!

How to troubleshoot situations where you cannot complete MSN sign-up or connect to SSL secured (128-Bit) Web sites by using Internet Explorer in Windows XP
http://support.microsoft.com/?kbid=813444

Post back and Good Luck :)
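
The registry search described in this answer, together with the Run keys and Startup folders named earlier in the thread, as an added PowerShell example that is not code posted by any participant: PowerShell did not exist on the Windows XP machine in question, so this is a present-day reconstruction of the check, and the key roots it searches are an assumption.

```powershell
# Added example for this thread, not code posted by any participant.
# Lists the autostart locations discussed in the thread and flags entries whose
# file name matches a name from the thread or whose target file no longer exists,
# then scripts the "search regedit for winlgn.exe / Win Min" step.
# Indicator names are from the thread; the registry roots searched are assumptions.
$Indicators = @('winlgn.exe', 'windllsys32.exe', 'moclba.dll')
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Current user's Startup folder and the All Users Startup folder.
$StartupFolders = @('Startup', 'CommonStartup') | ForEach-Object { [Environment]::GetFolderPath($_) }

function Get-ImagePath {
    # Reduce a Run value such as  "C:\Program Files\App\app.exe" -l  to the
    # executable path so it can be checked for existence on disk.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+-', 2)[0].Trim()
}

function Get-AutostartFindings {
    $Findings = @()
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path -Path $Key)) { continue }
        $Values = Get-ItemProperty -Path $Key
        foreach ($P in $Values.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
            $Path = Get-ImagePath ([string]$P.Value)
            if (-not $Path) { continue }
            $Reasons = @()
            if ($Indicators -contains [IO.Path]::GetFileName($Path)) { $Reasons += 'known indicator' }
            if (-not (Test-Path -LiteralPath $Path)) { $Reasons += 'target file missing' }
            if ($Reasons.Count -gt 0) {
                $Findings += [pscustomobject]@{ Location = $Key; Entry = $P.Name
                                                Target = $Path; Reason = ($Reasons -join ', ') }
            }
        }
    }
    foreach ($Folder in $StartupFolders) {
        foreach ($File in Get-ChildItem -LiteralPath $Folder -File -ErrorAction SilentlyContinue) {
            if ($Indicators -contains $File.Name) {
                $Findings += [pscustomobject]@{ Location = $Folder; Entry = $File.Name
                                                Target = $File.FullName; Reason = 'known indicator' }
            }
        }
    }
    return $Findings
}

function Search-RegistryValues {
    # Walk a key tree and report every value whose name or data matches $Pattern.
    param([string]$Root, [string]$Pattern)
    foreach ($Key in Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue) {
        foreach ($Name in $Key.GetValueNames()) {
            $Data = [string]$Key.GetValue($Name)
            if ($Name -match $Pattern -or $Data -match $Pattern) {
                [pscustomobject]@{ Key = $Key.Name; Value = $Name; Data = $Data }
            }
        }
    }
}

Get-AutostartFindings | Format-Table -AutoSize
foreach ($Root in 'HKCU:\Software\Microsoft\Windows\CurrentVersion', 'HKLM:\Software\Microsoft\Windows\CurrentVersion') {
    Search-RegistryValues -Root $Root -Pattern 'Win Min|winlgn\.exe|windllsys32\.exe' | Format-Table -AutoSize
}
```

A Run entry flagged only as "target file missing" is what HijackThis showed as "(file missing)" for moclba.dll above; it is a leftover reference, not proof the file was ever clean or malicious, so check it against the other findings before acting.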

Author Comment

by:drmuneca
i searched the registry and found winlgn.exe under a startup menu.. i haven't deleted it yet though.. there are other things there too.. some im not familiar with.. windllsys32.exe.. i thought i deleted that.. are these things active or just in the startup menu?
when i searched for win min the same results with the winlgn.exe came up..
thanks so much for that page.. my user profile must have been corrupted.. i never knew things like that happened, but as soon as i created a new profile, everything worked, msn, aim, kazaa.. my time was also messed up, i dont know if that had something to do with it too.. but thanks a bunch for that..

now if i could just remove that mypoiskovik.com crap, ill be set.. =0)

ps there used to be a way where u could add more points to a question but i dont see it anymore.. how do i go about doing that? cause uve worked with me awhile, and helped me with other stuff, u deserve some more points for ur help.. especially since were still dealing with that mypoiskovik.com..

w/b
LVL 65

Expert Comment

by:SheharyaarSaahil
1. the files u have mentioned are not legal.... so u can delete them from registry... boot into safemode and delete all traces of winlgn.exe and win min, and delete that windllsys32.exe entry also !!
remember to backup the registry first before playing around with it !! :)

2. great news,,, glad it worked for u :)

3. at EE the maximum points value for a question is 500 points,,, and this question is already worth 500. and that's why u cannot increase points,,,, and i dont need more also ;-)
the way u have appreciated my help... is more valuable than the points value..... ^_^

Author Comment

by:drmuneca
hi sheharyaar,
hey guess what? i think it worked.. at least im hoping that it worked.. i looked in the registry for mypoiskovik and i dont see it anywhere.. or winlgn.exe, or windllsys32.exe... does it matter that im using that new profile i created? i think the registry is just the registry right? i haven't gone on the other profile for a bit because ive been using this one that works.. can i delete the infected profile? its called admin.. not administrator.. i didn't delete it because im not sure if its safe to do so..

when i run spysweeper i find some spyware due to kazaa.. i dont really like all those programs that come with kazaa but what can i do? i still find a cws spyware but its not the mypoiskovik thing so its not the problem i needed help with.. anyway, what i wanted in the first place was to stop those items being added to my favorites folder and thats gone now.. so im good.. just let me know if u think it has anything to do with the profile.. is everything still in the other prof?

i have a few other problems which i will post questions for so hopefully ull be around maybe to help me again =0)

and thanks so much for all ur help and patience.. i wish i could have given u some more points though, i think u deserve them with all the time u took to help me out.. but im not a computer expert, so ill be back with more questions..  

thanks so much again.. =-)
bye for now..
mari