
69sexsearch hijacker and other problems



#1
clatsop1

When I log on, multiple IE windows open to 69sexsearch url. If I try closing these it will launch multiples of 10+. I have installed and run Ad-aware 6.0 and Spybot S&D. My system will not launch Hijack This (opens window and then quickly closes). I am including some reports to help:

Operating System: Microsoft Windows XP Home Edition,Version 2002
Operating System Version: 5.1.2600
Service Pack: 0.0
Location: C:\WINDOWS
PID: 55277-OEM-9911903-00102
Hot Fix: Q326830

Local Disk (partitioned) IC25N020ATCS04-0
Installed Capacity - 31.35 MB
None Used: Unknown
Free: Unknown
(C:) Capacity - 15.67 GB
Used: 10.11 GB
Free: 5.55 GB

Display
Type: AIM 3.0 Part 01 Codec Driver VCH-A
Color: True Color (32 Bit)
Resolution: 1024 x 768
Screen Saver: Active

Display
Type: Default Monitor
Color: True Color (32 Bit)
Resolution: 1024 x 768
Screen Saver: Active

Modem
Manufacturer: Unknown
Model: Actiontec MD56ORD V92 MDC Modem
Driver: Unknown

USB Controller
Manufacturer: Intel
Model: Intel® 82801CA/CAM USB Universal Host Controller - 2482
Driver: usbuhci.sys
Saturday, October 26, 2002
Supported

USB Controller
Manufacturer: Intel
Model: Intel® 82801CA/CAM USB Universal Host Controller - 2484
Driver: usbuhci.sys
Saturday, October 26, 2002
Supported

CD-ROM Drive (D:)
Manufacturer: (Standard CD-ROM drives)
Model: HL-DT-ST RW/DVD GCC-4240N
Driver: cdrom.sys
Friday, August 17, 2001
Supported

Video Card
Model: Intel® 830M Graphics Controller-0
Driver: ialmnt5.sys
Monday, December 31, 1979
Supported

Video Card
Model: Intel® 830M Graphics Controller-1
Driver: ialmnt5.sys
Monday, December 31, 1979
Supported

Sound Card
Manufacturer: SigmaTel
Model: Intel® AC'97 Audio Controller - SigmaTel Codec
Driver: stac97.sys
Monday, December 31, 1979
Supported

Network Card
Model: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
Driver: el90xbc5.sys
Monday, December 31, 1979
Supported

Floppy Drive (A:)
Installed

Memory (RAM)
Capacity: 256 MB

Printers
Default Printer
Send with eFax Messenger Plus
Driver: efxsndkm.dll
Wednesday, March 05, 2003
Not Supported



Services

(Service Executable Status Startup)
WZCSVC svchost.exe -k netsvcs Running Auto
wuauserv svchost.exe -k netsvcs Stopped Disabled
WmiApSrv wmiapsrv.exe Running Auto
WmdmPmSp svchost.exe -k netsvcs Running Auto
winmgmt svchost.exe -k netsvcs Running Auto
WebClient svchost.exe -k LocalService Running Auto
w32time svchost.exe -k netsvcs Running Auto
VSS vssvc.exe Running Auto
UPS ups.exe Stopped Auto
upnphost svchost.exe -k LocalService Stopped Auto
uploadmgr svchost.exe -k netsvcs Running Auto
TrkWks svchost.exe -k netsvcs Running Auto
Themes svchost.exe -k netsvcs Running Auto
TermService svchost.exe -k netsvcs Running Auto
TapiSrv svchost.exe -k netsvcs Running Auto
SysmonLog smlogsvc.exe Stopped Auto
Symantec Core LC symlcsvc.exe Running Auto
SwPrv dllhost.exe /Processid:{422750EB-86AA-4173-8A7E-FEBADE226929} Running Auto
stisvc svchost.exe -k imgsvc Running Auto
SSDPSRV svchost.exe -k LocalService Running Auto
srservice svchost.exe -k netsvcs Running Auto
Spooler spoolsv.exe Running Auto
ShellHWDetection svchost.exe -k netsvcs Running Auto
SharedAccess svchost.exe -k netsvcs Running Auto
SENS svchost.exe -k netsvcs Running Auto
seclogon svchost.exe -k netsvcs Running Auto
Schedule svchost.exe -k netsvcs Running Auto
SCardSvr SCardSvr.exe Running Auto
SCardDrv SCardSvr.exe Stopped Auto
SamSs lsass.exe Running Auto
RSVP rsvp.exe Stopped Auto
RpcSs svchost -k rpcss Running Auto
RpcLocator locator.exe Running Auto
RemoteAccess svchost.exe -k netsvcs Running Auto
RDSessMgr sessmgr.exe Stopped Auto
RasMan svchost.exe -k netsvcs Running Auto
RasAuto svchost.exe -k netsvcs Running Auto
ProtectedStorage lsass.exe Running Auto
PolicyAgent lsass.exe Running Auto
PlugPlay services.exe Running Auto
NwSapAgent svchost.exe -k netsvcs Running Auto
NtmsSvc svchost.exe -k netsvcs Running Auto
ntlogin32 libsysmgr.exe Running Auto
NtLmSsp lsass.exe Running Auto
Nla svchost.exe -k netsvcs Running Auto
Netman svchost.exe -k netsvcs Running Auto
Netlogon lsass.exe Stopped Auto
NetDDEdsdm netdde.exe Running Auto
NetDDE netdde.exe Running Auto
MSIServer msiexec.exe /V Stopped Auto
MSDTC msdtc.exe Running Auto
mnmsrvc mnmsrvc.exe Stopped Auto
Messenger svchost.exe -k netsvcs Stopped Disabled
LmHosts svchost.exe -k LocalService Running Auto
lanmanworkstation svchost.exe -k netsvcs Running Auto
lanmanserver svchost.exe -k netsvcs Running Auto
ISEXEng angelex.exe Stopped Auto
Iomega Activity Disk2 ActivityDisk.exe" Running Auto
ImapiService imapi.exe Stopped Auto
HidServ svchost.exe -k netsvcs Stopped Auto
helpsvc svchost.exe -k netsvcs Running Auto
FastUserSwitchingCompatibility svchost.exe -k netsvcs Running Auto
EventSystem svchost.exe -k netsvcs Running Auto
Eventlog services.exe Running Auto
ERSvc svchost.exe -k netsvcs Running Auto
Dnscache svchost.exe -k NetworkService Running Auto
dmserver svchost.exe -k netsvcs Running Auto
dmadmin dmadmin.exe /com Running Auto
Dhcp svchost.exe -k netsvcs Running Auto
CryptSvc svchost.exe -k netsvcs Running Auto
CPUCooLServer CooLSrv.exe" Stopped Auto
COMSysApp dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} Running Auto
ClipSrv clipsrv.exe Running Auto
cisvc cisvc.exe Running Auto
cfgldr scvhost.exe" -service Stopped Auto
Browser svchost.exe -k netsvcs Running Auto
BITS svchost.exe -k netsvcs Stopped Manual
AVWUpSrv AVWUPSRV.EXE" Stopped Auto
AudioSrv svchost.exe -k netsvcs Running Auto
AppMgmt svchost.exe -k netsvcs Stopped Disabled
AntiVirService AVGUARD.EXE" Stopped Auto
ALG alg.exe Running Auto
Alerter svchost.exe -k LocalService Running Auto


Spybot S&D log 12/21/04 1:37:19 PM:

--- Search result list ---
Congratulations!: No immediate threats were found. ()

Windows Registry: NT Logging Service (Startup file does not exist, nothing done)

Common Dialogs: History ( (4 files)) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Internet Explorer: Cookies ( (2 cookies)) (Directory, nothing done)
C:\Documents and Settings\Daddio\cookies

Internet Explorer: Temporary internet files ( (1 entries)) (Empty cache, nothing done)

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\wbemsnmp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemsnmp.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Windows Explorer: Recently opened files ( (14 links)) (Directory, nothing done)
C:\Documents and Settings\Daddio\Recent


--- Spybot-S&D version: 1.2 ---
2003-03-16 Includes\Cookies.sbi
2003-03-16 Includes\Dialer.sbi
2003-03-16 Includes\Hijackers.sbi
2003-03-16 Includes\Keyloggers.sbi
2003-03-16 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-03-16 Includes\Security.sbi
2003-03-16 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-03-16 Includes\Tracks.uti
2003-03-16 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600)
/ .NETFramework / 1.0: Microsoft .NET Framework Service Pack 2
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ Windows Media Player: Windows Media Update 320920
/ Windows Media Player: Windows Media Update 817787
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q306676 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q308677 for more information]
/ Windows XP / SP1 / Q308678: Windows XP Hotfix (SP1) [See Q308678 for more information]
/ Windows XP / SP1 / Q308928: Windows XP Hotfix (SP1) [See Q308928 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q309056 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q310051 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q310601 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311542 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311822 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311889 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311967 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q313596 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q314147 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q314862 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315000 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315403 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q316134 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q316253 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q317277 for more information]
/ Windows XP / SP1: Windows XP Application Compatibility Update[Q319580]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q323172 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q324380 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q326830 for more information]


--- Startup entries list ---
Spybot-S&D Startup list report, 12/21/2004 1:37:19 PM

Located: HK_CU:Run, SpywareGuard
file: C:\WINDOWS\system32\winmm64.exe
MD5: 185A627B316DE59687FD15E312DB8C5D

Located: HK_CU:Run, Windows Update Client
file: C:\WINDOWS\system32\wuclient.exe
MD5: A1F9866EAD3A3B2DDE0DEDDAA06C6572

Located: HK_CU:Run, FFA0D7CB
file: C:\WINDOWS\system32\ATKCNFG.exe
MD5: A496C47375FD962DB52CAA91CB98E26C

Located: HK_CU:Run, MsnMsgr
file: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

Located: HK_LM:Run, Iomega Startup Options
file: c:\documents and settings\daddio\Common\ImgStart.exe
MD5: 1808F91FA578E8572BD1A9649FABB518

Located: HK_LM:Run, Iomega Drive Icons
file: c:\documents and settings\daddio\DriveIcons\ImgIcon.exe
MD5: DFDFD202F0C0A29088E043BBCD71002D

Located: HK_LM:Run, IgfxTray
file: C:\WINDOWS\System32\igfxtray.exe
MD5: 442F59FE670837B8F55F658485ABE3EF

Located: HK_LM:Run, HorngTech4D
file: C:\PROGRA~1\MOUSES~1\bally4d.exe
MD5: 6769B9C18B3717B24C25761783DC9977

Located: HK_LM:Run, DadApp
file: C:\Program Files\Dell\AccessDirect\dadapp.exe
MD5: 4D6937B5EA5DD1DF5C18286DD4BA209C

Located: HK_LM:Run, XPSP2 Firewall
file: C:\WINDOWS\system32\xpsp2fw.exe
MD5: C770B0F39D2B427CB7E38FF8ED2C4A68

Located: HK_LM:Run, FFA0D7CB
file: C:\WINDOWS\system32\ATKCNFG.exe
MD5: A496C47375FD962DB52CAA91CB98E26C

Located: HK_LM:Run, Microsoft System Checkup
file: libsysmgr.exe

Located: HK_LM:Run, Ad-aware
file: "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

Located: HK_LM:Run, NT Logging Service
file: syslog32.exe

Located: HK_LM:Run,
file: C:\Program Files\Browser Hijack Blaster\bhblaster.exe
MD5: F47FC35E3E0BBEFF4BD4938559D39AE4

Located: HK_LM:Run, RealTray (DISABLED)
file: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

Located: HK_LM:Run, AVSCHED32 (DISABLED)
file: C:\Program Files\AVPersonal\AVSched32.EXE /min

Located: HK_LM:Run, AVGCtrl (DISABLED)
file: "C:\Program Files\AVPersonal\AVGNT.EXE" /min

Located: HK_LM:Run, MBM 5 (DISABLED)
file: "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

Located: HK_LM:Run, DwlClient (DISABLED)
file: C:\Program Files\Common Files\Dell\EUSW\Support.exe
MD5: 58CD30203DDB67FAD6A34AA624FA0141

Located: HK_LM:Run, sr1exe (DISABLED)
file: "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

Located: HK_LM:Run, HotKeysCmds (DISABLED)
file: C:\WINDOWS\System32\hkcmd.exe
MD5: 36676939E4A77862652060F9140C1800

Located: HK_LM:Run, RunDLL (DISABLED)
file: rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

Located: HK_LM:RunServices, Microsoft System Checkup
file: libsysmgr.exe

Located: Startup (common), Digital Line Detect.lnk
file: C:\Program Files\Digital Line Detect\DLG.exe
MD5: B8D929134CA364D6DBB6B4DFB48F4892



--- Browser helper object list ---
Spybot-S&D Browser helper object report, 12/21/2004 1:37:19 PM

{02478D38-C3F9-4efb-9B51-7695ECA05670}
Class file: ycomp5_1_5_0.dll
Attributes: archive
Date: 7/23/2003 9:14:34 AM
MD5: ABAF1AB69D46C80FDFEE6E269D33F359
Path: C:\Program Files\Yahoo!\Common\
Short name: YCOMP5~1.DLL
Size: 214216 bytes
Version: 7.211.0.5
Class name: Yahoo! Companion BHO

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

{4B5F2E08-6F39-479a-B547-B2026E4C7EDF}
Class file: PnEL.dll
Attributes: archive
Date: 8/15/2003 5:21:42 AM
MD5: 9358FA4519C566A5826776CF0D1A4690
Path: C:\Program Files\EarthLink TotalAccess\
Short name:
Size: 389120 bytes
Version: 7.212.0.0
Class name: PnIEBrowserHelperObj Class
CLSID database: legitimate software
Description: Earthlink Pop-Up blocker
Filename: Pnel.Dll
Name: EarthLink Popup Blocker

{53707962-6F74-2D53-2644-206D7942484F}
Class file: SDHelper.dll
Attributes: archive
Date: 3/16/2003 1:02:00 AM
MD5: 423CBD3CFAEEB62C5C97A9449567B474
Path: C:\PROGRA~1\SPYBOT~1\
Short name:
Size: 711168 bytes
Version: 255.255.255.255
CLSID database: legitimate software
Description: Spybot-S&D IE Browser plugin
Filename: SDHelper.dll

{7B55BB05-0B4D-44fd-81A6-B136188F5DEB}

{9EAC0102-5E61-2312-BC2D-4D54434D5443}
Name: Tubby

{A8FB8EB3-183B-4598-924D-86F0E5E37085}


--- ActiveX list ---
Spybot-S&D ActiveX report, 12/21/2004 1:37:19 PM

{556DDE35-E955-11D0-A707-000000521957}
Download location: http://www.xblock.co...clean_micro.exe
Last modified: Mon, 18 Oct 2004 19:42:39 GMT
Version: 0,0,0,1


--- Process list ---
Spybot-S&D process list report, 12/21/2004 1:37:20 PM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 504 ( 4) \SystemRoot\System32\smss.exe
PID: 544 ( 620) C:\WINDOWS\System32\libsysmgr.exe
PID: 552 ( 504) CSRSS.EXE
PID: 576 ( 504) \??\C:\WINDOWS\SYSTEM32\winlogon.exe
PID: 620 ( 576) C:\WINDOWS\system32\services.exe
PID: 632 ( 576) C:\WINDOWS\system32\lsass.exe
PID: 672 ( 620) C:\WINDOWS\System32\dllhost.exe
PID: 740 ( 620) C:\WINDOWS\System32\svchost.exe
PID: 804 ( 620) C:\WINDOWS\system32\svchost.exe
PID: 828 ( 620) C:\WINDOWS\System32\svchost.exe
PID: 972 ( 620) LOCATOR.EXE
PID: 1004 ( 620) SVCHOST.EXE
PID: 1028 ( 620) SVCHOST.EXE
PID: 1120 ( 620) C:\WINDOWS\system32\spoolsv.exe
PID: 1200 ( 620) SCARDSVR.EXE
PID: 1272 ( 620) C:\WINDOWS\system32\netdde.exe
PID: 1332 ( 620) C:\WINDOWS\System32\msdtc.exe
PID: 1376 ( 620) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PID: 1484 (1424) C:\WINDOWS\Explorer.EXE
PID: 1616 ( 620) ALG.EXE
PID: 1656 ( 620) C:\WINDOWS\System32\cisvc.exe
PID: 1672 ( 620) C:\WINDOWS\system32\clipsrv.exe
PID: 1688 ( 620) C:\WINDOWS\System32\dllhost.exe
PID: 1760 ( 620) C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
PID: 1904 (1484) C:\documents and settings\daddio\DriveIcons\ImgIcon.exe
PID: 1928 (1484) C:\Program Files\Dell\AccessDirect\dadapp.exe
PID: 1936 (1484) C:\WINDOWS\system32\xpsp2fw.exe
PID: 1944 (1484) C:\WINDOWS\system32\ATKCNFG.exe
PID: 1952 (1484) C:\WINDOWS\System32\libsysmgr.exe
PID: 1968 (1484) C:\Program Files\Browser Hijack Blaster\bhblaster.exe
PID: 1980 (1484) C:\WINDOWS\system32\winmm64.exe
PID: 2012 (1484) C:\Program Files\MSN Messenger\MsnMsgr.Exe
PID: 2028 ( 620) C:\WINDOWS\System32\vssvc.exe
PID: 2120 ( 620) C:\WINDOWS\System32\wbem\wmiapsrv.exe
PID: 2144 ( 620) C:\WINDOWS\System32\dmadmin.exe
PID: 2872 (1656) C:\WINDOWS\System32\cidaemon.exe
PID: 3188 (1484) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 3380 (1484) C:\WINDOWS\Explorer.EXE
PID: 3472 (1484) C:\WINDOWS\system32\NOTEPAD.EXE
PID: 3732 (1484) C:\Program Files\Browser Hijack Blaster\bhblaster.exe


--- Browser start & search pages list ---
Spybot-S&D browser pages report, 12/21/2004 1:37:20 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL
http://s-redirect.com/?a=2
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://s-redirect.com/?a=2
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://s-redirect.com/?a=2
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL
http://s-redirect.com/?a=2
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://s-redirect.com/?a=2
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://s-redirect.com/?a=2
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://s-redirect.com/?a=2
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/


--- Winsock Layered Service Provider list ---
Spybot-S&D winsock LSP report, 12/21/2004 1:37:20 PM



#2
Yarnouth

Hi clatsop1. Please go here and check this out:
http://www.geekstogo...?showtopic=2852

#3
clatsop1

I went to the forum and did these things as directed before posting. Sorry I did not say so. I have done a couple of things since my posting. After running the Adaware, Spybot S&D, and Shredder, I went to my System Configuration Utility (msconfig) and put it in Selective Startup mode. I have Process SYSTEM.INI File, Process WIN.INI File, and Original BOOT.INI running with no problems. I have selectively loaded some of my System Services and Startup Items. These are also not causing any problems right now.

Some of the problem files and operations I have been having are:
http://69sexsearch.com/search.php (launches multiple IE windows)
htt://s-redirect.com/?a=2 (resets a number of my IE addresses to this)
htt://s-redirect.com (resets a number of my IE addresses to this)
BargainBuddy (appears continually in Ad Aware scans despite removal)


This is the HIJACK this log:

Logfile of HijackThis v1.98.2
Scan saved at 5:08:49 PM, on 12/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://s-redirect.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://s-redirect.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://s-redirect.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R3 - URLSearchHook: (no name) - {7F0A023E-64A0-373A-26C1-A6766C65DB5C} - C:\WINDOWS\system32\ATKCNFG.exe
O1 - Hosts: 64.246.33.179 yahoo.com
O1 - Hosts: 64.246.33.179 www.yahoo.com
O1 - Hosts: 64.246.33.179 google.com
O1 - Hosts: 64.246.33.179 www.google.com
O1 - Hosts: 64.246.33.179 thenun.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
O4 - HKLM\..\Run: [Iomega Startup Options] c:\documents and settings\daddio\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] c:\documents and settings\daddio\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\bally4d.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [FFA0D7CB] C:\WINDOWS\system32\ATKCNFG.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [] C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\1 SCAN FIRST\Cleaner41\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\1 SCAN FIRST\Cleaner41\The Cleaner\tcm.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\system32\winmm64.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [FFA0D7CB] C:\WINDOWS\system32\ATKCNFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\MYIE2\config/blacklist.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab


Thanks for the help, all

#4
admin


I went to my System Configuration Utility (msconfig) and put it in Selective Startup mode. I have Process SYSTEM.INI File, Process WIN.INI File, and Original BOOT.INI running with no problems. I have selectively loaded some of my System Services and Startup Items.

Can you undo these changes so that we're completely able to completely remove everything from your system? At least the msconfig changes, post a new Hijack This log when finished.

#5
clatsop1


Can you undo these changes so that we're completely able to completely remove everything from your system? At least the msconfig changes, post a new Hijack This log when finished.


If I undo the changes to msconfig, I cannot run Hijack This. Hijack This will launch and briefly open, then shuts down before I have time to hit any buttons or scan, etc. Same thing happens with other programs also. What next?

#6
Metallica

Download CWShredder from http://www.intermute...r_download.html
Use the Fix button.

Then try again.

Regards,

Pieter