Home Search Assistant Removal


38 replies to this topic

#1 Guest_knoxvillejag_*

Posted 19 January 2005 - 11:23 AM

Please help--I have been infected by the Home Search Assistant. I am running Norton antivirus and "Alert Spy"--any help is greatly appreciated. By the way, this is a work computer.

Here is my most recent HJT LOG

Logfile of HijackThis v1.99.0
Scan saved at 2:06:41 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\Rtvscan.exe
C:\oracle\Ora_Client\bin\omtsreco.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\windows\system32\YmZ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Nizinski\Application Data\lsne.exe
C:\WINDOWS\System32\wuauboot.exe
C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\YmZ.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\Documents and Settings\Nizinski\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://fsnetprd.merck.com/proxy/uszo/fsconfig.ins
R3 - Default URLSearchHook is missing
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ZDialupFix] C:\Core\Install\Ras\DialUpFix.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [MSVBVM60ReReg] regsvr32 /s C:\Windows\System32\msvbvm60.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [YmZ.exe] C:\windows\system32\YmZ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Uisi] C:\Documents and Settings\Nizinski\Application Data\lsne.exe
O4 - HKCU\..\Run: [Tttzoog] C:\WINDOWS\System32\wuauboot.exe
O4 - HKCU\..\RunOnce: [My Computer] C:\core\install\apps\MYComputer\MYComputer.EXE
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
O4 - Global Startup: Mobile Connection Manager-WatchDog.lnk = C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: brdocpr1.merck.com
O15 - Trusted Zone: cdpdev1.merck.com
O15 - Trusted Zone: cdptrl1.merck.com
O15 - Trusted Zone: ecd.merck.com
O15 - Trusted Zone: finance.merck.com
O15 - Trusted Zone: finance2.merck.com
O15 - Trusted Zone: financedev.merck.com
O15 - Trusted Zone: home.merck.com
O15 - Trusted Zone: my.merck.com
O15 - Trusted Zone: mytest.merck.com
O15 - Trusted Zone: uxwspr03.merck.com
O15 - Trusted Zone: xmy.merck.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: brdocpr1.merck.com (HKLM)
O15 - Trusted Zone: cdpdev1.merck.com (HKLM)
O15 - Trusted Zone: cdptrl1.merck.com (HKLM)
O15 - Trusted Zone: ecd.merck.com (HKLM)
O15 - Trusted Zone: finance.merck.com (HKLM)
O15 - Trusted Zone: finance2.merck.com (HKLM)
O15 - Trusted Zone: financedev.merck.com (HKLM)
O15 - Trusted Zone: home.merck.com (HKLM)
O15 - Trusted Zone: my.merck.com (HKLM)
O15 - Trusted Zone: mytest.merck.com (HKLM)
O15 - Trusted Zone: uxwspr03.merck.com (HKLM)
O15 - Trusted Zone: xmy.merck.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: icXpertFORMS Client - file://C:\Program Files\lexign\lexign flow client\program\icXpertFORMS.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\Rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\Ora_Client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown - C:\oracle\Ora_Client\bin\ONRSD.EXE
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe


Thanks in advance
Lance

Edited by knoxvillejag, 19 January 2005 - 02:07 PM.



#2 Guest_knoxvillejag_*

Posted 19 January 2005 - 02:52 PM

Sorry about a new log being posted, but I got booted from the laptop (battery died).

Logfile of HijackThis v1.99.0
Scan saved at 4:43:53 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\Rtvscan.exe
C:\oracle\Ora_Client\bin\omtsreco.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\windows\system32\YmZ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Nizinski\Application Data\lsne.exe
C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\YmZ.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\wuauboot.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\Documents and Settings\Nizinski\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nizinski\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.merck.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nizinski\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://fsnetprd.merck.com/proxy/uszo/fsconfig.ins
O2 - BHO: (no name) - {34AD0614-422D-4713-9F7D-3989F99B4023} - C:\WINDOWS\System32\copbmb.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [MSVBVM60ReReg] regsvr32 /s C:\Windows\System32\msvbvm60.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [YmZ.exe] C:\windows\system32\YmZ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Uisi] C:\Documents and Settings\Nizinski\Application Data\lsne.exe
O4 - HKCU\..\Run: [Tttzoog] C:\WINDOWS\System32\wuauboot.exe
O4 - HKCU\..\RunOnce: [My Computer] C:\core\install\apps\MYComputer\MYComputer.EXE
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
O4 - Global Startup: Mobile Connection Manager-WatchDog.lnk = C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: brdocpr1.merck.com
O15 - Trusted Zone: cdpdev1.merck.com
O15 - Trusted Zone: cdptrl1.merck.com
O15 - Trusted Zone: ecd.merck.com
O15 - Trusted Zone: finance.merck.com
O15 - Trusted Zone: finance2.merck.com
O15 - Trusted Zone: financedev.merck.com
O15 - Trusted Zone: home.merck.com
O15 - Trusted Zone: my.merck.com
O15 - Trusted Zone: mytest.merck.com
O15 - Trusted Zone: uxwspr03.merck.com
O15 - Trusted Zone: xmy.merck.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: brdocpr1.merck.com (HKLM)
O15 - Trusted Zone: cdpdev1.merck.com (HKLM)
O15 - Trusted Zone: cdptrl1.merck.com (HKLM)
O15 - Trusted Zone: ecd.merck.com (HKLM)
O15 - Trusted Zone: finance.merck.com (HKLM)
O15 - Trusted Zone: finance2.merck.com (HKLM)
O15 - Trusted Zone: financedev.merck.com (HKLM)
O15 - Trusted Zone: home.merck.com (HKLM)
O15 - Trusted Zone: my.merck.com (HKLM)
O15 - Trusted Zone: mytest.merck.com (HKLM)
O15 - Trusted Zone: uxwspr03.merck.com (HKLM)
O15 - Trusted Zone: xmy.merck.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: icXpertFORMS Client - file://C:\Program Files\lexign\lexign flow client\program\icXpertFORMS.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O18 - Filter: text/html - {57581D42-DB6D-446C-ADE3-72E41BC7628D} - C:\WINDOWS\System32\copbmb.dll
O18 - Filter: text/plain - {57581D42-DB6D-446C-ADE3-72E41BC7628D} - C:\WINDOWS\System32\copbmb.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\Rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\Ora_Client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown - C:\oracle\Ora_Client\bin\ONRSD.EXE
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

Thanks in advance

Lance

Edited by knoxvillejag, 19 January 2005 - 04:44 PM.


#3 Grinler
    Lawrence Abrams

Posted 19 January 2005 - 05:51 PM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

C:\core\install\apps\MYComputer\MYComputer.EXE

To copy the files simply navigate to the directory they are in and right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder. If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that. Then go to http://www.bleepingcomputer.com, fill in the required fields, and browse to the file. Then click on the Send File button.

Please download this tool to your desktop.
http://securityresponse.symantec.com/avcenter/FxAgentB.exe When it is done downloading, run the program and let it scan your computer.

Download the attached zip file and unzip it to your desktop.

http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nizinski\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nizinski\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {34AD0614-422D-4713-9F7D-3989F99B4023} - C:\WINDOWS\System32\copbmb.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
O4 - HKLM\..\Run: [MSVBVM60ReReg] regsvr32 /s C:\Windows\System32\msvbvm60.dll
O4 - HKLM\..\Run: [YmZ.exe] C:\windows\system32\YmZ.exe
O4 - HKCU\..\Run: [Uisi] C:\Documents and Settings\Nizinski\Application Data\lsne.exe
O4 - HKCU\..\Run: [Tttzoog] C:\WINDOWS\System32\wuauboot.exe
O4 - HKCU\..\RunOnce: [My Computer] C:\core\install\apps\MYComputer\MYComputer.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: brdocpr1.merck.com
O15 - Trusted Zone: cdpdev1.merck.com
O15 - Trusted Zone: cdptrl1.merck.com
O15 - Trusted Zone: ecd.merck.com
O15 - Trusted Zone: finance.merck.com
O15 - Trusted Zone: finance2.merck.com
O15 - Trusted Zone: financedev.merck.com
O15 - Trusted Zone: home.merck.com
O15 - Trusted Zone: my.merck.com
O15 - Trusted Zone: mytest.merck.com
O15 - Trusted Zone: uxwspr03.merck.com
O15 - Trusted Zone: xmy.merck.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: brdocpr1.merck.com (HKLM)
O15 - Trusted Zone: cdpdev1.merck.com (HKLM)
O15 - Trusted Zone: cdptrl1.merck.com (HKLM)
O15 - Trusted Zone: ecd.merck.com (HKLM)
O15 - Trusted Zone: finance.merck.com (HKLM)
O15 - Trusted Zone: finance2.merck.com (HKLM)
O15 - Trusted Zone: financedev.merck.com (HKLM)
O15 - Trusted Zone: home.merck.com (HKLM)
O15 - Trusted Zone: my.merck.com (HKLM)
O15 - Trusted Zone: mytest.merck.com (HKLM)
O15 - Trusted Zone: uxwspr03.merck.com (HKLM)
O15 - Trusted Zone: xmy.merck.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O18 - Filter: text/html - {57581D42-DB6D-446C-ADE3-72E41BC7628D} - C:\WINDOWS\System32\copbmb.dll
O18 - Filter: text/plain - {57581D42-DB6D-446C-ADE3-72E41BC7628D} - C:\WINDOWS\System32\copbmb.dll

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\System32\copbmb.dll
C:\Program Files\Middadle\Clicks10017.dll
C:\windows\system32\YmZ.exe
C:\Documents and Settings\Nizinski\Application Data\lsne.exe
C:\WINDOWS\System32\wuauboot.exe
C:\WINDOWS\System32\copbmb.dll

Reboot your computer to go back to normal mode and post a new log.
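Added example, not part of the thread or of HijackThis itself: a small Python triage script that parses the R0/R1, O2, O4, O15 and O18 lines of a HijackThis 1.99 log and flags the patterns the helper told the poster to fix (search settings pointing at a res:// DLL in Temp or reset to about:blank, an unnamed BHO, autostart entries launched from the user's Application Data or Temp folders, Trusted Zone domains outside the corporate allowlist, and text/html or text/plain MIME filters). The sample log is a constructed excerpt built from lines in the log above, and the CORPORATE_DOMAINS allowlist is an assumption.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example, not part of the thread or of HijackThis: parses the
R0/R1/O2/O4/O15/O18 entries of a log and flags the patterns the helper
acted on in this thread. CORPORATE_DOMAINS is an assumption.
"""
import re

# Assumed: the organisation's own domains; these belong in the Trusted Zone.
CORPORATE_DOMAINS = ("merck.com",)

# User-writable profile directories a normal Run entry rarely points into.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

# Constructed excerpt, using entry lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nizinski\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
O2 - BHO: (no name) - {34AD0614-422D-4713-9F7D-3989F99B4023} - C:\WINDOWS\System32\copbmb.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [YmZ.exe] C:\windows\system32\YmZ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Uisi] C:\Documents and Settings\Nizinski\Application Data\lsne.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: my.merck.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O18 - Filter: text/html - {57581D42-DB6D-446C-ADE3-72E41BC7628D} - C:\WINDOWS\System32\copbmb.dll
O18 - Filter: text/plain - {57581D42-DB6D-446C-ADE3-72E41BC7628D} - C:\WINDOWS\System32\copbmb.dll
"""

# Every HJT entry line starts with a section code such as R1 or O15.
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def parse(log_text):
    """Yield (section, detail, raw_line) for each entry line; skips process lists."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()


def check_search(detail):
    # R0/R1: a Search Bar/Search Page pointing at res://...\Temp\sp.dll or
    # forced to about:blank is the Home Search Assistant signature.
    value = detail.split(" = ", 1)[1].strip() if " = " in detail else ""
    if value.lower().startswith("res://") or value.lower() == "about:blank":
        return "IE search setting hijacked"
    return None


def check_bho(detail):
    # O2: a Browser Helper Object with no name needs review.
    if detail.startswith("BHO: (no name)"):
        return "unnamed BHO"
    return None


def check_run(detail):
    # O4: autostart entries whose target lives in a user-writable profile dir.
    target = detail.split("] ", 1)[1] if "] " in detail else detail
    if any(d in target.lower() for d in PROFILE_DIRS):
        return "autostart from user profile directory"
    return None


def check_trusted_zone(detail):
    # O15: Trusted Zone hosts outside the corporate allowlist (wildcards too).
    domain = detail.replace("Trusted Zone:", "").replace("(HKLM)", "").strip()
    host = domain.lstrip("*.")
    if not any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS):
        return "non-corporate domain in Trusted Zone"
    return None


def check_filter(detail):
    # O18: a MIME filter on text/html or text/plain sees every page IE renders.
    if detail.startswith("Filter: text/"):
        return "MIME filter on text content"
    return None


CHECKS = {"R0": check_search, "R1": check_search, "O2": check_bho,
          "O4": check_run, "O15": check_trusted_zone, "O18": check_filter}


def triage(log_text):
    """Return a list of (section, reason, line) for entries worth fixing."""
    findings = []
    for section, detail, raw in parse(log_text):
        check = CHECKS.get(section)
        reason = check(detail) if check else None
        if reason:
            findings.append((section, reason, raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```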

#4 Guest_knoxvillejag_*

Posted 19 January 2005 - 06:18 PM

I hope the attachment is what you are looking for, please advise.

I am unable to open in SAFE mode as we discussed earlier. I am also UNABLE to delete the files/directories you listed:


Here is the updated HJT Log. (My antivirus keeps telling me I have a TROJAN virus, this just started, any ideas?)


Logfile of HijackThis v1.99.0
Scan saved at 7:25:30 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\Rtvscan.exe
C:\oracle\Ora_Client\bin\omtsreco.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\windows\system32\YmZ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\YmZ.exe
C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
c:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\Documents and Settings\Nizinski\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://fsnetprd.merck.com/proxy/uszo/fsconfig.ins
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [YmZ.exe] C:\windows\system32\YmZ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
O4 - Global Startup: Mobile Connection Manager-WatchDog.lnk = C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O16 - DPF: icXpertFORMS Client - file://C:\Program Files\lexign\lexign flow client\program\icXpertFORMS.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\Rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\Ora_Client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown - C:\oracle\Ora_Client\bin\ONRSD.EXE
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

Edited by Grinler, 19 January 2005 - 07:32 PM.


#5 Grinler

Posted 19 January 2005 - 07:33 PM

I removed the attachment so people won't get infected.

Fix this entry in hijackthis:

O4 - HKLM\..\Run: [YmZ.exe] C:\windows\system32\YmZ.exe


Reboot and post a new log

#6 Guest_knoxvillejag_*

Posted 19 January 2005 - 08:19 PM

Logfile of HijackThis v1.99.0
Scan saved at 8:17:29 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\Rtvscan.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\windows\system32\YmZ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
C:\WINDOWS\system32\YmZ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\oracle\Ora_Client\bin\omtsreco.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Documents and Settings\Nizinski\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nizinski\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nizinski\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://fsnetprd.merck.com/proxy/uszo/fsconfig.ins
O2 - BHO: (no name) - {E50B9D1A-7C45-4A11-A758-2520F403139B} - C:\WINDOWS\System32\copbmb.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [YmZ.exe] C:\windows\system32\YmZ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
O4 - Global Startup: Mobile Connection Manager-WatchDog.lnk = C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O16 - DPF: icXpertFORMS Client - file://C:\Program Files\lexign\lexign flow client\program\icXpertFORMS.cab
O18 - Filter: text/html - {53868F65-6254-49D6-9D1B-1A70B3899001} - C:\WINDOWS\System32\copbmb.dll
O18 - Filter: text/plain - {53868F65-6254-49D6-9D1B-1A70B3899001} - C:\WINDOWS\System32\copbmb.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\Rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\Ora_Client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown - C:\oracle\Ora_Client\bin\ONRSD.EXE
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

The virus appears to be in my TEMP folder (sp.dll) "Trojan.Start page", but I am unable to delete it.

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,392 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:11 PM

Posted 20 January 2005 - 12:49 AM

Hi. Please download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.

#8 Guest_knoxvillejag_*

Guest_knoxvillejag_*

  • Guests
  • OFFLINE
  •  

Posted 20 January 2005 - 08:21 AM

Thanks again for your assistance Grinler-

I installed and ran Registrar Lite as you suggested, but did not find the entry you are looking for. This is what appeared after entering the address you requested:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\(default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\DeviceNotSelectedTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\GDIProcessHandleQuota
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Spooler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\swapdisk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\TransmissionRetryTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\USERProcessHandleQuota

Please advise

#9 Grinler

Posted 20 January 2005 - 05:40 PM

Download cwshredder 2.12 from here:

http://cwshredder.net/bin/CWShredder.exe

Run the file after it is downloaded and click on the fix button. Let it do its thing until it's done, even if it crashes.

When it's done, run HijackThis again and post a new log.

#10 Guest_knoxvillejag_*

Posted 20 January 2005 - 06:25 PM

Logfile of HijackThis v1.99.0
Scan saved at 6:25:16 PM, on 1/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\oracle\Ora_Client\bin\omtsreco.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\windows\system32\YmZ.exe
C:\WINDOWS\system32\YmZ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
c:\windows\system32\taskmgn.exe
C:\Documents and Settings\Nizinski\Local Settings\Temp\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://fsnet.merck.com/menu/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.merck.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://fsnetprd.merck.com/proxy/uszo/fsconfig.ins
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [YmZ.exe] C:\windows\system32\YmZ.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
O4 - Global Startup: Mobile Connection Manager-WatchDog.lnk = C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O16 - DPF: icXpertFORMS Client - file://C:\Program Files\lexign\lexign flow client\program\icXpertFORMS.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\Rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\Ora_Client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown - C:\oracle\Ora_Client\bin\ONRSD.EXE
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe


Waiting on your instructions--thanks.

#11 Grinler

Posted 20 January 2005 - 07:30 PM

Fix these lines:

O4 - HKLM\..\Run: [YmZ.exe] C:\windows\system32\YmZ.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe

Reboot and delete:

C:\windows\system32\YmZ.exe
c:\windows\system32\taskmgn.exe

Reboot and post a last log

#12 Guest_knoxvillejag_*

Posted 21 January 2005 - 01:38 PM

Logfile of HijackThis v1.99.0
Scan saved at 5:52:32 PM, on 1/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\oracle\Ora_Client\bin\omtsreco.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\YmZ.exe
C:\WINDOWS\system32\YmZ.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
c:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\NavNT\Rtvscan.exe
C:\Program Files\NavNT\DefWatch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\Documents and Settings\Nizinski\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://fsnetprd.merck.com/proxy/uszo/fsconfig.ins
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {F75774D0-A6A1-3C78-5DFE-9E0AFFDE9675} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [YmZ.exe] C:\WINDOWS\system32\YmZ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\FRU\Remind32.exe
O4 - Global Startup: Mobile Connection Manager-WatchDog.lnk = C:\Program Files\Mobile Connection Manager\Wnex7DO.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O16 - DPF: icXpertFORMS Client - file://C:\Program Files\lexign\lexign flow client\program\icXpertFORMS.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\Rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\Ora_Client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown - C:\oracle\Ora_Client\bin\ONRSD.EXE
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

Edited by knoxvillejag, 21 January 2005 - 05:53 PM.

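The log in post #12 above shows the three hooks the rest of the thread removes one at a time: a hosts file that sends several search-engine names (and the bare name ieautosearch) to one outside IP (O1), a Winsock LSP DLL that HijackThis cannot identify (O10), and Run-key autoruns launching randomly named executables straight out of system32 (O4). The earlier logs add a nameless BHO and a text/html MIME filter backed by the same copbmb.dll (O2 and O18). The script below, an added example that is not from the thread, from HijackThis or from BleepingComputer, parses lines in this format and applies those rules, then orders the cleanup the way Grinler does. The sample lines are copied from the posted logs; the baseline of benign %SystemRoot% executables and the rule thresholds are assumptions made for the example.

```python
"""Triage a HijackThis log for the hijack mechanisms seen in this thread.

Added example, not code from the thread, from HijackThis or from
BleepingComputer. The sample lines are copied from the logs posted above;
the baseline of benign %SystemRoot% executables and the rules are assumptions.
"""
import re
from collections import defaultdict

# Constructed subset of the posted logs; a real log has many more benign lines.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {E50B9D1A-7C45-4A11-A758-2520F403139B} - C:\WINDOWS\System32\copbmb.dll
O2 - BHO: (no name) - {F75774D0-A6A1-3C78-5DFE-9E0AFFDE9675} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [YmZ.exe] C:\windows\system32\YmZ.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O18 - Filter: text/html - {53868F65-6254-49D6-9D1B-1A70B3899001} - C:\WINDOWS\System32\copbmb.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^(?P<hive>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")

# Executables that legitimately start from the Windows directory on this box
# (the benign O4 lines in the thread). Assumed baseline for the example only.
KNOWN_WINDIR_EXES = {"ctfmon.exe", "tp4serv.exe", "ati2mdxx.exe"}


def _norm(path):
    return path.strip().strip('"').lower()


def _in_windir(path):
    return _norm(path).startswith(("c:\\windows\\", "c:\\winnt\\"))


def triage(log_text):
    """Return a list of findings: {"kind", "line", "subject", "reason"}."""
    findings = []
    hosts_by_ip = defaultdict(set)   # ip -> names the hosts file sends there
    hooks_by_dll = defaultdict(set)  # dll path -> HJT sections it is hooked in

    def flag(kind, line, subject, reason):
        findings.append({"kind": kind, "line": line, "subject": subject, "reason": reason})

    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O1":                     # Hosts: <ip> <name>
            parts = body.split()
            if len(parts) >= 3:
                hosts_by_ip[parts[1]].add(parts[2])
        elif kind == "O2":                   # BHO: <name> - {CLSID} - <path>
            name, _, rest = body[len("BHO: "):].partition(" - ")
            _, _, path = rest.partition(" - ")
            if name == "(no name)" or path == "(no file)":
                flag(kind, raw, _norm(path), "BHO with no name or no backing file")
            if path != "(no file)":
                hooks_by_dll[_norm(path)].add("O2")
        elif kind == "O4":                   # <hive>: [<label>] <command>
            r = RUN_ENTRY.match(body)
            if r and _in_windir(r.group("cmd")):
                cmd = _norm(r.group("cmd"))
                if cmd.rsplit("\\", 1)[-1] not in KNOWN_WINDIR_EXES:
                    flag(kind, raw, cmd, "autorun from %SystemRoot% outside the baseline")
        elif kind == "O10":                  # Unknown file in Winsock LSP: <dll>
            dll = _norm(body.split(": ", 1)[1])
            hooks_by_dll[dll].add("O10")
            flag(kind, raw, dll, "unknown Winsock LSP: unhook it, do not just delete the DLL")
        elif kind == "O18":                  # Filter: <mime> - {CLSID} - <dll>
            dll = _norm(body.rsplit(" - ", 1)[-1])
            hooks_by_dll[dll].add("O18")
            flag(kind, raw, dll, "MIME filter sees every page IE renders")

    for ip, names in hosts_by_ip.items():       # several names -> one outside IP
        if ip != "127.0.0.1" and len(names) >= 2:
            flag("O1", "", ip, "hosts file redirects %s to %s" % (", ".join(sorted(names)), ip))
    for dll, sections in hooks_by_dll.items():  # one DLL in several hook points
        if len(sections) > 1:
            flag("XREF", "", dll, "same DLL hooked as " + "+".join(sorted(sections)))
    return findings


def cleanup_plan(findings):
    """Sequence the removal the way the thread does: fix the entries with
    HijackThis, reboot, then delete the files. The Winsock LSP is the one
    exception: take it out of the catalog first (LSP-Fix), because a missing
    LSP DLL breaks every socket call and the machine drops off the network."""
    plan = {"repair_lsp_first": [], "fix_with_hijackthis": [], "delete_after_reboot": []}
    for f in findings:
        if f["kind"] == "O10":
            plan["repair_lsp_first"].append(f["subject"])
        elif f["kind"] in ("O4", "O2", "O18") and f["line"]:
            plan["fix_with_hijackthis"].append(f["line"])
            if f["subject"] != "(no file)" and f["subject"] not in plan["delete_after_reboot"]:
                plan["delete_after_reboot"].append(f["subject"])
    return plan


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["subject"], "-", f["reason"])
    print(cleanup_plan(triage(SAMPLE_LOG)))
```

The cross-reference step is the part worth keeping: the same DLL showing up as a BHO and as a text/html filter is one component with two hooks, so both entries come out together or the survivor reinstalls the other. The LSP ordering in cleanup_plan is the caveat this thread goes on to illustrate: a machine whose LSP chain points at a DLL that is no longer loadable stops talking to the network, which is why the last reply above is to carry LSP-Fix over from another computer and run it before anything else.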

#13 Grinler

Posted 22 January 2005 - 05:00 PM

Now please Download LSPFix from:

LSP-Fix

Disconnect from the Internet and close all Internet Explorer windows. Run the program and check the "I know what I'm doing" button and place all listings of c:\windows\system32\inetadpt.dll into the remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section, press the finish button.

Then Reboot.

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\system32\YmZ.exe into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot and check to see if the file is gone.


Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [YmZ.exe] C:\WINDOWS\system32\YmZ.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [YmZ.exe] C:\WINDOWS\system32\YmZ.exe

Reboot your computer to go back to normal mode and post a new log.

#14 Guest_knoxvillejag_*

Posted 23 January 2005 - 06:21 PM

Grinler,

The laptop we were trying to repair will not connect to internet. I have tried rebooting several times, but it doesn't appear to be getting any data. Is there anything I can try to get this working? I can't download the fixes mentioned in your post until I can connect on that computer.

Thanks

Lance

#15 Grinler

Posted 23 January 2005 - 11:04 PM

You will need to transfer this file from another computer:

Now please Download LSPFix from:

LSP-Fix

Extract it and double-click on lspfix.exe. When it opens, click on the finish button.

Then Reboot. Tell me if it works then.
