Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

IE [CLOSED]

Started by mspetite1 , May 26 2005 09:12 AM

  • This topic is locked This topic is locked

#1
mspetite1
Posted 26 May 2005 - 09:12 AM

mspetite1

    New Member

  • Member
  • Pip
  • 7 posts
My desktop has a blue screen and dipslys a message that reads:
"Fatal error in IE has occured at 0028:c0011e36 in VXD VMM (01)+00010e36
Error caused by Trojan-Spy.HTML.Smitfraud.c"
When I click on IE I get the hour glass to wait, but nothing happens. HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:56 PM, on 5/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Comcast\Security Manager\app\Prism.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\3x5ern3ih6thd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\systemdll.exe
C:\wp.exe
C:\Program Files\Weatherscope\Weatherscope.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\UltimateZip\uzqkst.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\ULTIMA~1\uzip.exe
C:\DOCUME~1\LIK~1.6RR\LOCALS~1\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com...=31130123321003
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com...=31130123321003
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com...=31130123321003
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com...=31130123321003
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com...=31130123321003
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.MyJoi.net/MyJoi.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com...=31130123321003
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINNT\System32\AUserInit.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\7UY5EU~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Tsshk] C:\Program Files\Rbdkmk\Qupuqlb.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\3x5ern3ih6thd.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [systemdll] C:\WINNT\systemdll.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip\uzqkst.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Weatherscope.lnk = C:\Program Files\Weatherscope\Weatherscope.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: (no name) - {C21AE3DD-2E97-406B-8C87-A9AD5BBD49D1} - http://www.downloadalot.com (file missing)
O9 - Extra 'Tools' menuitem: Free Software Downloads - {C21AE3DD-2E97-406B-8C87-A9AD5BBD49D1} - http://www.downloadalot.com (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {1FF5C246-BD5A-4F8D-8976-0F4DF6D6CBC1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1FF5C246-BD5A-4F8D-8976-0F4DF6D6CBC1} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {21347AFC-B91D-4E16-8D8B-D6661C783A14} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {21347AFC-B91D-4E16-8D8B-D6661C783A14} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {5A92371F-7841-414A-8E14-F7DF2919210B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5A92371F-7841-414A-8E14-F7DF2919210B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8D1703C2-2C9C-433D-B8F2-DE7D13D832BE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8D1703C2-2C9C-433D-B8F2-DE7D13D832BE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B6C17B4B-6D80-4B56-A660-3161B5EC9615} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B6C17B4B-6D80-4B56-A660-3161B5EC9615} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D2AC59A7-4851-47B0-98A3-0F9E6A00D0E2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D2AC59A7-4851-47B0-98A3-0F9E6A00D0E2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {ECDDA003-D37C-470A-AEBA-F883CBF72B46} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ECDDA003-D37C-470A-AEBA-F883CBF72B46} - (no file) (HKCU)
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://vparivalka.co...::/ieloader.exe
O16 - DPF: {11111111-2222-3333-4444-555555555555} - https://www.taxsimpl...rix/federal.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O20 - AppInit_DLLs: 8hhshm1oz6yuvull.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
  • 0

Advertisements

#2
greyknight17
Posted 26 May 2005 - 09:34 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Right click on this link -> http://www.bleepingc...g/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Go to Start->-Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found:

Security iGuard
Virtual Maid
Search Maid
GMT
PrecisionTime
WeatherScope

Exit Add/Remove Programs.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with red circle with a white X. Confirm to delete and when asked if you want to reboot now, say no:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\ole32vbs.exe
C:\WINNT\System32\3x5ern3ih6thd.exe
C:\WINNT\systemdll.exe

See if you can locate this file -> 8hhshm1oz6yuvull.dll and delete it. It might have a double .dll extension.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Delete these folders if they exist:

C:\Program Files\Search Maid\
C:\Program Files\Virtual Maid\
C:\Windows\System32\Log Files\
C:\Program Files\Security iGuard\
C:\WINNT\System32\7UY5EU~1.DLL
C:\Program Files\Common Files\CMEII\
C:\Program Files\Rbdkmk\
C:\freescan\
C:\Program Files\Common Files\GMT\
C:\Program Files\PrecisionTime\
C:\Program Files\Weatherscope\

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com...=31130123321003
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com...=31130123321003
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com...=31130123321003
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com...=31130123321003
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com...=31130123321003
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.MyJoi.net/MyJoi.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com...=31130123321003
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\7UY5EU~1.DLL
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Tsshk] C:\Program Files\Rbdkmk\Qupuqlb.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\3x5ern3ih6thd.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [systemdll] C:\WINNT\systemdll.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Weatherscope.lnk = C:\Program Files\Weatherscope\Weatherscope.exe
O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra button: (no name) - {C21AE3DD-2E97-406B-8C87-A9AD5BBD49D1} - http://www.downloadalot.com (file missing)
O9 - Extra 'Tools' menuitem: Free Software Downloads - {C21AE3DD-2E97-406B-8C87-A9AD5BBD49D1} - http://www.downloadalot.com (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {1FF5C246-BD5A-4F8D-8976-0F4DF6D6CBC1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1FF5C246-BD5A-4F8D-8976-0F4DF6D6CBC1} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {21347AFC-B91D-4E16-8D8B-D6661C783A14} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {21347AFC-B91D-4E16-8D8B-D6661C783A14} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {5A92371F-7841-414A-8E14-F7DF2919210B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5A92371F-7841-414A-8E14-F7DF2919210B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8D1703C2-2C9C-433D-B8F2-DE7D13D832BE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8D1703C2-2C9C-433D-B8F2-DE7D13D832BE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B6C17B4B-6D80-4B56-A660-3161B5EC9615} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B6C17B4B-6D80-4B56-A660-3161B5EC9615} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D2AC59A7-4851-47B0-98A3-0F9E6A00D0E2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D2AC59A7-4851-47B0-98A3-0F9E6A00D0E2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {ECDDA003-D37C-470A-AEBA-F883CBF72B46} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ECDDA003-D37C-470A-AEBA-F883CBF72B46} - (no file) (HKCU)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://vparivalka.co...::/ieloader.exe
O16 - DPF: {11111111-2222-3333-4444-555555555555} - https://www.taxsimpl...rix/federal.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O20 - AppInit_DLLs: 8hhshm1oz6yuvull.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Close HijackThis.

Restart your computer.

1. Download Hoster http://www.greyknigh.../spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK. Close the program.

2. Right click on this link -> http://mvps.org/winh.../DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Save the file to the Desktop. To run the inf file, right click on it and select Install. Note: This will remove all entries in the 'Trusted Zone' and 'Ranges' also.

3. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

4. Run an online scan at http://www.pandasoft...com/activescan/ and save the results from the scan!

Restart and post a new HijackThis log along with the results from ActiveScan.
  • 0

#3
mspetite1
Posted 27 May 2005 - 08:25 AM

mspetite1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
The smitfraud message that was on the desktop is gone, thanks.
When I went to Control Panel to remove Weatherscope, I got a message that said "Could not open install.log file".
Then, on killbox, I looked for c:\WINNT\systemdll.exe the message said "doesn't exist".
on cleanup.exe it said "application error failed to initialize properly".
But I still can't get on the internet. I click the internet explorer icon and I get the hour glass, but nothing happens. I have DSL with Comcast and I have to go to another computer to retrieve your messages. Is there another way to conect to the internet on my computer while trying to correct these issues?

Logfile of HijackThis v1.99.1
Scan saved at 9:57:16 PM, on 5/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Comcast\Security Manager\app\Prism.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\UltimateZip\uzqkst.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com...=31130123321003
F2 - REG:system.ini: UserInit=C:\WINNT\System32\AUserInit.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip\uzqkst.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O20 - AppInit_DLLs: 8hhshm1oz6yuvull.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
  • 0

#4
greyknight17
Posted 27 May 2005 - 08:36 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Where's the Panda report?

Were you able to locate that file with the double dll extension? I still see it here (O23 entry in HijackThis).

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com...=31130123321003
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O20 - AppInit_DLLs: 8hhshm1oz6yuvull.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dl
l.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

8hhshm1oz6yuvull.dll.dll
C:\WINNT\System32\W8C6S4~1.DLL
C:\Program Files\Weatherscope\ - delete this folder if you haven't done so already

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.
  • 0

#5
mspetite1
Posted 28 May 2005 - 06:55 AM

mspetite1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Since I can't get online at home, I have to download everything to a disk and then load when I get home. When I tried to load Panda, it does the same thing the internet does, attempts to load and nothing. As far as the items you told me to delete in Hi Jack This, they wouldn't delete, but I was able to click "ignore". The message that I got when I tried to delete was: Unexpected error has occurred at procedure:ModBackup_MakeBackup(sItem=O20-AppInit_DLLS:8hhshm1026yuvull.dll.dll
Error#5-Invalid procedure call or argument.

Logfile of HijackThis v1.99.1
Scan saved at 7:27:03 PM, on 5/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Comcast\Security Manager\app\Prism.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\UltimateZip\uzqkst.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\System32\AUserInit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip\uzqkst.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
  • 0

#6
greyknight17
Posted 28 May 2005 - 08:31 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You didn't hit that Add Checked to IgnoreList button, did you? Take it out it if you did, because you shouldn't add it there. That option should not be used unless you know what you are doing with it. In this case, your adding a bad entry in there.

So if you did that, go back to HijackThis and click on the Config button and go to IgnoreList tab on top. Delete that O23 entry so it takes it out. Restart and run a new HijackThis scan. Is that O23 entry back? Try fixing it again and look for that dll file to delete.

If you did that and it's gone, then:

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#7
mspetite1
Posted 31 May 2005 - 07:40 AM

mspetite1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
The O23 file wasn't there. I did everything that you advised me to do and it cleaned up the desktop and I don't get all those weird error boxes, but when I click the IE icon, nothing happens.

Logfile of HijackThis v1.99.1
Scan saved at 7:27:03 PM, on 5/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Comcast\Security Manager\app\Prism.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\UltimateZip\uzqkst.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\System32\AUserInit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip\uzqkst.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
  • 0

#8
greyknight17
Posted 31 May 2005 - 11:40 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
What do you mean nothing happened in IE? Does it open up at least?

Not sure if this did it, but go back to HijackThis->Config button->Backups or restore backups. Does it allow you to restore this entry:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

or only the whole backup file since you last did the fixes?
  • 0

#9
mspetite1
Posted 01 June 2005 - 06:28 AM

mspetite1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry, it takes a while to respond, I only have access to another computer at work. No, nothing happens when I click the IE icon. I'll try this tonight and see what happens. Thanks.
  • 0

#10
mspetite1
Posted 02 June 2005 - 07:24 AM

mspetite1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
This path isn't there. I called my DSL provider (Comcast) and he said that it sounds like something is wrong with my browser, and that I may need to reinstall my Windows disk. I don't have a Windows disk. Any suggestions?
  • 0

#11
greyknight17
Posted 02 June 2005 - 08:49 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Go to the WindowsUpdate site and get SP1a. See if that will repair IE.

Is that doesn't work: Search for ie.inf and then right click on that file and select Install. See if that will repair IE.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

@echo off
if exist %SYSTEMDRIVE%\baddlllist.txt del %SYSTEMDRIVE%\baddlllist.txt
dir %SYSTEMROOT%\System32\*.dll.dll > %SYSTEMDRIVE%\baddlllist.txt
notepad %SYSTEMDRIVE%\baddlllist.txt
cls
exit

Save the file as "bad.bat". Make sure to save it with the quotes. Double click on it and it should open up a notepad file. Copy and paste that here.
  • 0

#12
greyknight17
Posted 23 June 2005 - 03:58 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP