
help to review


#1
osu90
Logfile of HijackThis v1.99.0
Scan saved at 1:53:19 AM, on 1/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msupd4.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wpntract.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\bundles\adl_mteststub.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\utig6.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\geekstogo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {124E4719-E87A-FD4B-0EF6-D7A01BAA4C4B} - (no file)
O2 - BHO: SDWin32 Class - {1F158CBC-9390-4454-A1FB-043C0D1B5FED} - C:\WINDOWS\System32\ejvrg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {5A2055A0-13A0-4735-84FA-37C6FE397C78} - C:\WINDOWS\System32\rjxyq.dll
O2 - BHO: SDWin32 Class - {7D9C3F8D-8493-4256-9607-4A2AB678A5FE} - C:\WINDOWS\System32\ndksc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FC741B6B-D0F3-D476-D11D-891D8A1140E4} - C:\WINDOWS\System32\vwbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outer] C:\WINDOWS\System32\outer.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [ndkscc] C:\WINDOWS\System32\ndkscc.exe
O4 - HKLM\..\Run: [ejvrgc] C:\WINDOWS\System32\ejvrgc.exe
O4 - HKLM\..\Run: [53oV38O] wpntract.exe
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [rjxyqc] C:\WINDOWS\System32\rjxyqc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Comedy-Planet] C:\Program Files\Comedy-Planet\comedy-planet.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [K079RUi8j] utig6.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intu...bles/ie/IDA.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINDOWS\System32\msupd4.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#2
ilago
Hi osu90

You might like to print these instructions out or copy and paste them into Notepad so you have the details available when you aren't on the internet and working in safe mode.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Find these processes in the list, select each one and click on "Kill Process". You need to do each one separately. Read the names very carefully as there may be some names that are similar but that are genuine files.

msupd4.exe
wpntract.exe
adl_mteststub.exe
wsxsvc.exe
utig6.exe


Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and click on Fix checked.

R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: (no name) - {124E4719-E87A-FD4B-0EF6-D7A01BAA4C4B} - (no file)
O2 - BHO: SDWin32 Class - {1F158CBC-9390-4454-A1FB-043C0D1B5FED} - C:\WINDOWS\System32\ejvrg.dll
O2 - BHO: SDWin32 Class - {5A2055A0-13A0-4735-84FA-37C6FE397C78} - C:\WINDOWS\System32\rjxyq.dll
O2 - BHO: SDWin32 Class - {7D9C3F8D-8493-4256-9607-4A2AB678A5FE} - C:\WINDOWS\System32\ndksc.dll
O2 - BHO: (no name) - {FC741B6B-D0F3-D476-D11D-891D8A1140E4} - C:\WINDOWS\System32\vwbe.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [outer] C:\WINDOWS\System32\outer.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [ndkscc] C:\WINDOWS\System32\ndkscc.exe
O4 - HKLM\..\Run: [ejvrgc] C:\WINDOWS\System32\ejvrgc.exe
O4 - HKLM\..\Run: [53oV38O] wpntract.exe
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [rjxyqc] C:\WINDOWS\System32\rjxyqc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Comedy-Planet] C:\Program Files\Comedy-Planet\comedy-planet.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKCU\..\Run: [K079RUi8j] utig6.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINDOWS\System32\msupd4.exe



Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking. Choose Windows XP as the operating system.

Open Windows Explorer and go to Tools > Folder Options > View, and select:
* Show hidden files and folders
* Display the contents of system folders

Uncheck:
* Hide protected operating system files

Set search options

Next go to Search > All files and folders > More advanced options and click.

Be sure the first three boxes are selected:
* Search System folders
* Search Hidden Files and folders
* Search SubFolders

Delete all the files and folders noted in bold below. Some may not be there but use the search function in Windows Explorer to make sure.

Deletions


C:\Program Files\ MySearch\bar\1.bin\S4BAR.DLL - Delete entire folder
C:\WINDOWS\System32\ outer.exe
C:\Program Files\ CSBB\CSv10P070.exe - Delete entire folder
C:\WINDOWS\System32\ msupd4.exe - file only
C:\WINDOWS\System32\ wpntract.exe - file only
C:\windows\bundles\ adl_mteststub.exe - file only
C:\WINDOWS\System32\ wsxsvc\wsxsvc.exe - Delete entire folder
C:\WINDOWS\System32\ utig6.exe - file only
C:\WINDOWS\ Helper101.dll - file only
C:\WINDOWS\System32\ ejvrg.dll - file only
C:\WINDOWS\System32\ rjxyq.dll - file only
C:\WINDOWS\System32\ ndksc.dll - file only
C:\WINDOWS\System32\ vwbe.dll - file only
C:\windows\ bundles\adl_mteststub.exe - Delete entire folder
C:\WINDOWS\System32\ rjxyqc.exe - file only
C:\PROGRA~1\ VBouncer\VirtualBouncer.exe - Delete entire folder
C:\Program Files\ Comedy-Planet\comedy-planet.exe - Delete entire folder
C:\WINDOWS\web\ related.htm - file only
C:\Program Files\ Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm - Delete entire folder

Navigate to c:\documents and settings\<your user name>\local settings

Delete the files in your temp folder and the temporary internet folder. You will need to do this for any other users of your computer.

Reboot into normal mode and do a fresh HijackThis log and post it for further checking.

Edited by ilago, 16 January 2005 - 12:31 AM.

  • 0
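The reply above ends by asking for a fresh HijackThis log for further checking. As an added example (not part of either poster's message), this Python sketch compares the checked entries and killed processes against a follow-up scan and reports what is still there; the function names are hypothetical and `FRESH_LOG` is a constructed sample, not a log from the thread.

```python
import ntpath
import re

# HijackThis entry lines start with a section code such as R3, O2, O4 or O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def _norm(text):
    # Windows paths and value names are case-insensitive; collapse whitespace too.
    return " ".join(text.split()).casefold()
def parse_entries(log_text):
    """Normalised 'code - body' entries; header and process lines do not match."""
    hits = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return {_norm(m.group(1) + " - " + m.group(2)) for m in hits if m}

def running_processes(log_text):
    """Case-folded image names from the 'Running processes:' block."""
    names, in_block = set(), False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.lower() == "running processes:":
            in_block = True
        elif in_block and not line:
            break  # a blank line ends the process list
        elif in_block:
            names.add(ntpath.basename(line).casefold())
    return names

def still_present(fix_list, killed, fresh_log):
    """(entries, processes) from the cleanup list that the fresh scan still shows."""
    entries = sorted(parse_entries(fix_list) & parse_entries(fresh_log))
    procs = sorted({k.casefold() for k in killed} & running_processes(fresh_log))
    return entries, procs

# Subset of the checked entries and the killed processes from the reply above.
FIX_LIST = r"""R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [53oV38O] wpntract.exe
O4 - HKCU\..\Run: [K079RUi8j] utig6.exe
O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINDOWS\System32\msupd4.exe"""
KILLED = ["msupd4.exe", "wpntract.exe", "adl_mteststub.exe", "wsxsvc.exe", "utig6.exe"]
# Constructed follow-up scan for illustration; not a log posted in the thread.
FRESH_LOG = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\UTIG6.EXE

O4 - HKCU\..\Run: [K079RUi8j] utig6.exe
O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINDOWS\system32\msupd4.exe"""

if __name__ == "__main__":
    print(still_present(FIX_LIST, KILLED, FRESH_LOG))
```

An entry that reappears after "Fix checked" usually means something recreated it on reboot, so the matching file or service is the next thing to look at.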

#3
osu90
Ilago - thanks so much for your help. I posted with better description later and got the problems solved/improved. I REALLY appreciate you taking the time to help.
  • 0





