Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

About:Search spyware/adware [CLOSED]


  • This topic is locked This topic is locked

#1
count81

count81

    New Member

  • Member
  • Pip
  • 8 posts
Recently, I started getting a about:search website replacing my homepage. Since this occurred my computer has run sluggishly and windows mediaplayer has continuously crashed. I ran CWShredder.exe but that did not correct the problem. Then I tried Hijackthis. But nothing seems to be abnormal within the log.

I spent a better part of the last few months helping friends with similar problems using Hijackthis.

I am posting my log. Hopefully someone can help me out.

Logfile of HijackThis v1.97.7
Scan saved at 12:39:38 AM, on 6/26/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackhis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D3BD8A1-7DA3-4661-A4F3-77B9C2667197} - C:\WINDOWS\System32\ojogd.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downlo..._1014_EN_XP.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downlo...es/IA/ia_XP.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downlo...04a_pack_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab
  • 0

Advertisements


#2
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O2 - BHO: (no name) - {1D3BD8A1-7DA3-4661-A4F3-77B9C2667197} - C:\WINDOWS\System32\ojogd.dll

Download and install APM from: http://www.geekstogo...=download&id=27

In the upper window select explorer.exe
In the lower window find and rightclick C:\WINDOWS\System32\ojogd.dll
Select Unload DLL and click OK on the prompts that follow.

Reboot your PC.

Download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

After installing AAW, and before running the program, you must FIRST update the reference file following these instuctions. (and you must always do this before you run the program at any later date).

Now do the following:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives. It will find a number of spyware files and registry keys. Right-click in that pane and choose "select all"

Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

Run Hijack This again and post back a fresh log. <_<
  • 0

#3
count81

count81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Followed the instructions ... here is the new log ... is there anything else I need to do ?

Thank you so far

Logfile of HijackThis v1.97.7
Scan saved at 3:55:12 PM, on 6/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\hijackhis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downlo..._1014_EN_XP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downlo...04a_pack_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab
  • 0

#4
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
Looking much better <_<

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downlo..._1014_EN_XP.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downlo...04a_pack_XP.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab

Items in blue are optional, but will improve system performance.

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\Windows\System32\p2esocks_1014.dll

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. :D
  • 0

#5
count81

count81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Okay ... so I have done everything. Now after I log in and the windows starts up I get: Error Loading P2esocks-1014.dll Specific module could not be found.

and to couple with this ... I keep getting messages that I am low on virtual memory. :D

Is this because I am running to many programs or it is this an effect of a virus ?

Here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 1:02:16 PM, on 6/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackhis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downlo..._1014_EN_XP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downlo...04a_pack_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab


Thank You,
Jason <_<
  • 0

#6
Smokey

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downlo...04a_pack_XP.cab

The following are optional and not required. Fix the ones you don't use, they're taking up your RAM:
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe" (Winamp Tray Icon)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Quicktime Tray Icon)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (MSN Messenger)

If you haven't purposely set our hamepgae to blank. Fix these as well:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

About your virtual memory problem. Let's make sure it's set correctly:

1. Right-click on "My Computer", and choose "Properties"
2. Click the "Advanced" tab
3. Click on on the first "Settings" button (the one under "Performance")
4. Then choose that "Advanced" tab
5. Under "Virtual Memory", click "Change"
6. Choose "Custom Size" (if not chosen already)
7. Set the first number ("Initial Size") to 150% of your system's RAM
8. Set the second number, ("Maximum Size") to twice the previous number)
9. Click ""Set", then "OK"

For example, if your RAM is 128 MB, set the first number to 192 MB and the second number to 384 MB.

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log. <_<
  • 0

#7
count81

count81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I am having a reoccurrance with the about:blank problem ... It reappears few hours after I fix the problem ... here is my log ... I am highlighting the line I think is the problem ... where could this virus be planted that it keeps reactivating ?

Logfile of HijackThis v1.97.7
Scan saved at 11:47:18 AM, on 7/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackhis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {450A15E6-B2F8-4941-8C3C-97FCE8D154E7} - C:\WINDOWS\System32\jlda.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downlo..._1014_EN_XP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab

This is really frustrating <_<
  • 0

#8
count81

count81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I am having a reoccurrance with the about:blank problem ... It reappears few hours after I fix the problem ... here is my log ... I am highlighting the line I think is the problem ... where could this virus be planted that it keeps reactivating ?

Logfile of HijackThis v1.97.7
Scan saved at 11:47:18 AM, on 7/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackhis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {450A15E6-B2F8-4941-8C3C-97FCE8D154E7} - C:\WINDOWS\System32\jlda.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downlo..._1014_EN_XP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab

This is really frustrating <_<
  • 0

#9
Smokey

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
You will want to print this page to following these instructions offline. Let's be extra careful this timeto stay offline until the very end of these instructions:

1. Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu). Then, run APM again:

In the upper window select explorer.exe
In the lower window find and rightclick C:\WINDOWS\System32\jlda.dll
Select Unload DLL and click OK on the prompts that follow.

2. Next, let's delete that file. Be sure you're able to view hidden files and folders, and remove the following files in bold:

C:\WINDOWS\System32\jlda.dll

3. After that, don't go online yet, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {450A15E6-B2F8-4941-8C3C-97FCE8D154E7} - C:\WINDOWS\System32\jlda.dll
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downlo..._1014_EN_XP.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab

4. Reboot your PC.

5. If you would please, rescan with HijackThis and save your log (Do not go online yet).

6. Immediately download SpywareBlaster before you go anywhere online. Download, run, check for updates, download updates, then "Enable All Protection".

7. Then finally, go online to this thread and post you HJT log. <_<
  • 0

#10
count81

count81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the new log, however I now have a new problem entirely. Now I can't get spyblaster to open. I keep getting

Error: This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it.

Coupled with that VShield keeps shutting down ... <_<

Logfile of HijackThis v1.97.7
Scan saved at 1:16:36 AM, on 7/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackhis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Thank you for your time :D
  • 0

#11
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP