[norman101]

This seems to be a popular virus around here. My home page has been hijacked to http://www.all-websearch.com/10039/

I have followed similar threads and implemented suggested solutions but still have the virus . Please help.

Here is my hijack log:

Logfile of HijackThis v1.99.0
Scan saved at 12:10:25 AM, on 1/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\inetdata\winlogon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VirusKillers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.all-websearch.com/10039/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetdata\1.02.08.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 213.159.118.226
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\3674.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[Advertisements]

Please Download CoolWebShredder, from http://www.geekstogo...=download&id=17 , Extract it & run the program. Click the Next Button & let it scan. Make sure you let it fix all CWS Remnants.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Open Task Manager Ctrl>>Alt>>Del and stop inetdata

Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\inetdata\

Is this your ISP? 213.159.118.226

Look it up here:

Arins


If it isn't, get rid of it (the 015) when you run Hijack this:

Reboot.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.all-websearch.com/10039/

F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe

O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetdata\1.02.08.dll

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\3674.exe

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

REboot

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:

• Automatically save log-file
• Automatically quarantine objects prior to removal
• Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

• Scan Within Archives
• Scan Active Processes
• Scan Registry
• Deep Scan Registry
• Scan my IE favorites for banned URL’s
• Scan my Hosts file
• Under Click here to select drives + folders, choose:
• All of your hard drives

-> Click on the Advanced button on the left and select:

• Include additional process information
• Include additional file information
• Include environment information
• Include additional object details

-> Click the Tweak button and select:

• Under the Scanning Engine:
  • Unload recognized processes during scanning
  • Include basic Ad-aware settings in logfile
  • Include additional Ad-aware settings in logfile
• Under the Cleaning Engine:
  • Let Windows remove files in use at next reboot

-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

• Use Custom Scanning Options

-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

-> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

[coachwife6]

Please Download CoolWebShredder, from http://www.geekstogo...=download&id=17 , Extract it & run the program. Click the Next Button & let it scan. Make sure you let it fix all CWS Remnants.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Open Task Manager Ctrl>>Alt>>Del and stop inetdata

Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\inetdata\

Is this your ISP? 213.159.118.226

Look it up here:

Arins


If it isn't, get rid of it (the 015) when you run Hijack this:

Reboot.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.all-websearch.com/10039/

F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe

O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetdata\1.02.08.dll

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\3674.exe

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

REboot

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:

• Automatically save log-file
• Automatically quarantine objects prior to removal
• Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

• Scan Within Archives
• Scan Active Processes
• Scan Registry
• Deep Scan Registry
• Scan my IE favorites for banned URL’s
• Scan my Hosts file
• Under Click here to select drives + folders, choose:
• All of your hard drives

-> Click on the Advanced button on the left and select:

• Include additional process information
• Include additional file information
• Include environment information
• Include additional object details

-> Click the Tweak button and select:

• Under the Scanning Engine:
  • Unload recognized processes during scanning
  • Include basic Ad-aware settings in logfile
  • Include additional Ad-aware settings in logfile
• Under the Cleaning Engine:
  • Let Windows remove files in use at next reboot

-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

• Use Custom Scanning Options

-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

-> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

[norman101]

Coachwife6, thanks very much for your reply.

Yesterday I found someone with a problem very similar to mine on another forum.
http://forums.thetec...ead.php?t=13090

I followed the steps outlined therein and it seems to have fixed everything. I did go through your reply below however and removed a few more items using hijack this (items beginning with O6).

Here is an updated version of my log if you feel like looking it over one more time.

I think it's great that there are people in this world who still go out of their way to help others...

Logfile of HijackThis v1.99.0
Scan saved at 11:06:55 PM, on 1/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\VirusKillers\HijackThis.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Internet Explorer Updater] C:\WINDOWS\system32\lexbac.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

[coachwife6]

You have some trojans.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Clean out your temp. files.

Reboot your PC.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O4 - HKLM\..\Run: [Internet Explorer Updater] C:\WINDOWS\system32\lexbac.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\PROGRA~1\COMETS~1
C:\WINDOWS\system32\lexbac.exe

Reboot your PC.

Run Adaware again according to the directions I gave you earlier. Reboot.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.