
hjt log-cindylou


  • This topic is locked
2 replies to this topic

#1 yellowvalley

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:42 AM

Posted 10 January 2005 - 05:45 PM

Having problems with CoolWWWSearch changing my browser pages. Both Ad-Aware and Spybot S&D have caught it, but the files keep replicating and it's starting to tick me off!! Please help!

I have Windows XP but not Service Pack 2, because when I tried to download it, it ruined my computer and I had to re-install XP and then spend 2 hours on the phone with tech support.... Yeah, not a good week for my computer.

My log :thumbsup:


Logfile of HijackThis v1.99.0
Scan saved at 5:40:26 PM, on 1/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rlxfv397f1h.exe
C:\WINDOWS\System32\taskmgr.exe
C:\hjt\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {B3E5BE81-2399-8B69-75ED-2BC41BFA264C} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\p4durap5sx1w.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [notepad ml710e] "C:\Program Files\wndows\notepad.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HZ] C:\documents and settings\aaron's\local settings\temp\HZ.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Aaron's\LOCALS~1\Temp\app5.tmp
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\rlxfv397f1h.exe
O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\cvtpfc7e7c.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Aaron's\Application Data\DownloadPlus.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: winlogin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ConferenceRoom Java Client - http://webmaster.webmaster.com:8000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100182902359
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newaol.com/bkpromo/downloa...formerSetup.cab
O20 - AppInit_DLLs: 4p1s5urlijy.tlb cxiz0l2t62jlnz.tlb njmagnc706iad.tlb 5z22t2ox2ufy81.tlb xd0b88e82fg3l.tlb hkycxhbx7rjz.tlb uyj874kdjbocun.tlb f73p4losjb5.tlb 1gstan8lyy0od.tlb aelvl0m2fazp8.tlb dbkpbnf1mnx7l1.tlb mrw8zdp07o.tlb v04s19e3n7m.tlb 6bs9vihk48ji41.tlb jnf8pcflciwo.tlb exv0klecc3ai.tlb 2ttdusy7um1b.tlb 6r6s0jvp7mz03c.tlb oj7te4dbaroc.tlb nkzvwhj2w5b.tlb iury6w7h7s.tlb kmw9mtkwhc.tlb ye8537lagi3x.tlb dfpwbbkl1gr6e.tlb 7at09bfud7d3n.tlb h80ia0xfkj9lj.tlb jh0p5xiygs46o.tlb x5p58dhyb7oxu.tlb 2is5p25t8gdr97.tlb 7veo02a7zsrp.tlb jjay2v3h3akpt.tlb
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


#2 Daisuke

Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:03:42 AM

Posted 11 January 2005 - 03:05 PM

Hi :thumbsup:

Please follow these instructions to remove RapidBlaster: http://www.wilderssecurity.net/specialinfo/rapidblaster.html


Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {B3E5BE81-2399-8B69-75ED-2BC41BFA264C} - (no file)

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\p4durap5sx1w.dll

O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [HZ] C:\documents and settings\aaron's\local settings\temp\HZ.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Aaron's\LOCALS~1\Temp\app5.tmp
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\rlxfv397f1h.exe
O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\cvtpfc7e7c.exe
O4 - Global Startup: winlogin.exe

O20 - AppInit_DLLs: 4p1s5urlijy.tlb cxiz0l2t62jlnz.tlb njmagnc706iad.tlb 5z22t2ox2ufy81.tlb xd0b88e82fg3l.tlb hkycxhbx7rjz.tlb uyj874kdjbocun.tlb f73p4losjb5.tlb 1gstan8lyy0od.tlb aelvl0m2fazp8.tlb dbkpbnf1mnx7l1.tlb mrw8zdp07o.tlb v04s19e3n7m.tlb 6bs9vihk48ji41.tlb jnf8pcflciwo.tlb exv0klecc3ai.tlb 2ttdusy7um1b.tlb 6r6s0jvp7mz03c.tlb oj7te4dbaroc.tlb nkzvwhj2w5b.tlb iury6w7h7s.tlb kmw9mtkwhc.tlb ye8537lagi3x.tlb dfpwbbkl1gr6e.tlb 7at09bfud7d3n.tlb h80ia0xfkj9lj.tlb jh0p5xiygs46o.tlb x5p58dhyb7oxu.tlb 2is5p25t8gdr97.tlb 7veo02a7zsrp.tlb jjay2v3h3akpt.tlb



Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if present:
C:\WINDOWS\System32\p4durap5sx1w.dll <-- this file
C:\WINDOWS\System32\rlxfv397f1h.exe <-- this file
C:\WINDOWS\System32\cvtpfc7e7c.exe <-- this file
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe <-- this file

and these files, in this folder C:\WINDOWS\System32\:
4p1s5urlijy.tlb
cxiz0l2t62jlnz.tlb
njmagnc706iad.tlb
5z22t2ox2ufy81.tlb
xd0b88e82fg3l.tlb
hkycxhbx7rjz.tlb
uyj874kdjbocun.tlb
f73p4losjb5.tlb
1gstan8lyy0od.tlb
aelvl0m2fazp8.tlb
dbkpbnf1mnx7l1.tlb
mrw8zdp07o.tlb
v04s19e3n7m.tlb
6bs9vihk48ji41.tlb
jnf8pcflciwo.tlb
exv0klecc3ai.tlb
2ttdusy7um1b.tlb
6r6s0jvp7mz03c.tlb
oj7te4dbaroc.tlb
nkzvwhj2w5b.tlb
iury6w7h7s.tlb
kmw9mtkwhc.tlb
ye8537lagi3x.tlb
dfpwbbkl1gr6e.tlb
7at09bfud7d3n.tlb
h80ia0xfkj9lj.tlb
jh0p5xiygs46o.tlb
x5p58dhyb7oxu.tlb
2is5p25t8gdr97.tlb
7veo02a7zsrp.tlb
jjay2v3h3akpt.tlb

Please note there are other legitimate TLB files; you can easily recognise the bad files: filename = [random letters].TLB

With all windows and browsers closed, clean out temporary and Temporary Internet Files:
A. Open System Security Suite.
B. In the Items to Clear tab, tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Run HijackThis! again and post a new log please.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?
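As an added illustration of the triage the reply above does by hand (my own example, not code from the thread, from BleepingComputer or from HijackThis): a small Python parser over a few of the log lines posted above that flags O20 AppInit_DLLs entries and O4 Run entries with random-looking file names or Temp-folder paths. The letter/digit-switch test is my own heuristic approximation of the "[random letters].TLB" rule, not a definitive indicator, so its output is a list of entries to look at, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HZ] C:\documents and settings\aaron's\local settings\temp\HZ.exe
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\rlxfv397f1h.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O20 - AppInit_DLLs: 4p1s5urlijy.tlb cxiz0l2t62jlnz.tlb mrw8zdp07o.tlb
"""

# Every HijackThis entry starts with a section code (R0, R1, O4, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

def looks_random(stem: str) -> bool:
    """Heuristic (my own, not HijackThis logic) for the thread's '[random letters]' rule:
    a name of 8+ characters that switches between letters and digits at least twice."""
    switches = sum(1 for a, b in zip(stem, stem[1:])
                   if a.isalpha() != b.isalpha() and (a.isdigit() or b.isdigit()))
    return len(stem) >= 8 and switches >= 2

def stem_of(path: str) -> str:
    """File name with directory and extension stripped (abc for .../abc.tlb)."""
    base = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]

def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, item) for log entries that deserve a closer look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            # O20 lists DLLs loaded into every user-mode process; random names are the tell here.
            for name in body.split(":", 1)[1].split():
                if looks_random(stem_of(name)):
                    findings.append((sec, "random AppInit_DLLs name", name))
        elif sec == "O4" and "\\Run: [" in body:
            rest = body.split("] ", 1)[1]
            # A quoted path may be followed by arguments; an unquoted one may end in a /switch or -flag.
            path = rest.split('"')[1] if rest.startswith('"') else re.sub(r"\s+[/-]\S+$", "", rest)
            if "\\temp\\" in path.lower():
                findings.append((sec, "Run entry launched from a Temp folder", path))
            elif looks_random(stem_of(path)):
                findings.append((sec, "random executable name", path))
    return findings
```

Calling triage(SAMPLE_LOG) returns the HZ.exe, rlxfv397f1h.exe and the three .tlb entries and leaves igfxtray.exe and realsched.exe alone; run it over a full saved log to get the same short list the helper compiled by eye.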


#3 Daisuke

Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:03:42 AM

Posted 31 January 2005 - 02:46 AM

Due to the lack of feedback this topic is closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?
