Author Topic: daosearch has completely taken over  (Read 817 times)

Offline seliseh

  • Newbie
  • Posts: 18
  • Karma: +0/-0
daosearch has completely taken over
« on: April 11, 2005, 03:28:31 PM »
Is there any way to get rid of the daosearch spyware without downloading anything? You see, I have to use a different computer because my laptop has become so infected with it.

I can't even get a browser open before my computer shuts down because of a "critical error". Therefore, I can't download anything for it, including the hijack thing. It's gotten worse and worse since last night when I got it.

Please help?  I have all my work on there, and I really need it.  Would it be safe to transfer files from the laptop to this computer (if I can)?

Thank you, and hopefully your day is better than mine.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
daosearch has completely taken over
« Reply #1 on: April 11, 2005, 03:55:06 PM »
I need to see the hijackthis log

It's a small download
Can you transfer anything to the other computer?

Specifically, I don't want you to connect both computers together
But can you download Hijackthis from one computer and transfer it to the other computer? Remember to make a permanent folder for Hijackthis
It's a small download, it will fit on a floppy

And/or

Also, can you download a different browser from one computer to the other
You can burn it to a CD and transfer the installer over
You can download the setup for Mozilla Firefox and transfer to the other computer
From this link
http://www.mozilla.org/
You will see the Free download at the top
« Last Edit: April 11, 2005, 03:55:44 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline seliseh

  • Newbie
  • Posts: 18
  • Karma: +0/-0
daosearch has completely taken over
« Reply #2 on: April 11, 2005, 06:45:59 PM »
I can put it on a floppy.  I'll do that as soon as I can.

I'll be sure to get a log as soon as I get HijackThis.

Offline seliseh

  • Newbie
  • Posts: 18
  • Karma: +0/-0
daosearch has completely taken over
« Reply #3 on: April 11, 2005, 08:10:20 PM »
Got it.

Logfile of HijackThis v1.99.1
Scan saved at 10:06:36 PM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\temp\salm.exe
C:\WINDOWS\kjqxuzep.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows AdStatus\WinStat.exe
C:\Program Files\Sony Ericsson\Wireless Manager\GC75Manager.exe
C:\WINDOWS\System32\winldra.exe
C:\WINDOWS\System32\Services\{57AD0A40-E56E-4A1A-849F-E606E3BCA044}\SVCHOST.EXE
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\System32\msgsvc.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\XAUpdate.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize311.exe"
O4 - HKLM\..\Run: [kjqxuzep] C:\WINDOWS\kjqxuzep.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=042505 serial=PE02CBX-0000003-NMD lang=EN
O4 - HKLM\..\Run: [GC75-Manager-Class] "C:\Program Files\Sony Ericsson\Wireless Manager\GC75Manager.exe" -startup
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{57AD0A40-E56E-4A1A-849F-E606E3BCA044}\SVCHOST.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{57AD0A40-E56E-4A1A-849F-E606E3BCA044}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [msgsvc] C:\WINDOWS\System32\msgsvc.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...11a0351cafa03db
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...76/mcinsctl.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
daosearch has completely taken over
« Reply #4 on: April 11, 2005, 09:14:01 PM »
Try the following

Access your Add/Remove Programs and Remove if found
n-Case <--look for names with this in it

Internet Optimizer
‘180Search Assistant’ or ‘Zango’
<--If found, allow Internet connection
Follow the uninstall procedure closely, you should just have to keep pressing uninstall

Restart your computer afterwards

Back in Windows
Go back to Add/Remove programs
Remove if found
Windupdates Look for the exact name
BullsEye Network
Windows AdStatus


Restart your computer again afterwards

Post back a fresh hijackthis log, let me know what you were able to find and remove
We'll go from there



Offline seliseh

  • Newbie
  • Posts: 18
  • Karma: +0/-0
daosearch has completely taken over
« Reply #5 on: April 11, 2005, 09:57:57 PM »
Didn't find n-case or internet optimizer.  I did uninstall "Uninstall 180searchAssistant".  Did not find the next two.

Found windows adstatus. Did not uninstall, because my computer keeps on shutting down before I get to it. I'll get it tomorrow, I have to get to bed now.

Thanks for your help so far!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
daosearch has completely taken over
« Reply #6 on: April 11, 2005, 10:05:48 PM »
Do a new scan and
Post back a fresh Hijackthis log before you go to bed,
hopefully I'll have more instructions for you later to try when you have time
« Last Edit: April 11, 2005, 10:06:13 PM by guestolo »



Offline seliseh

  • Newbie
  • Posts: 18
  • Karma: +0/-0
daosearch has completely taken over
« Reply #7 on: April 12, 2005, 04:11:16 PM »
Oops, a little late. I tried to get it this morning, but I couldn't get the computer on for enough time before it shut down. I found out I can uninstall stuff and get logs in safe mode though, so it's good now. :D Uninstalled Windows AdStatus. Here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 7:09:07 PM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize311.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=042505 serial=PE02CBX-0000003-NMD lang=EN
O4 - HKLM\..\Run: [GC75-Manager-Class] "C:\Program Files\Sony Ericsson\Wireless Manager\GC75Manager.exe" -startup
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{57AD0A40-E56E-4A1A-849F-E606E3BCA044}\SVCHOST.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{57AD0A40-E56E-4A1A-849F-E606E3BCA044}\SECURITY.EXE
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [msgsvc] C:\WINDOWS\System32\msgsvc.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...11a0351cafa03db
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...76/mcinsctl.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
daosearch has completely taken over
« Reply #8 on: April 12, 2005, 05:09:49 PM »
I need you to download a tool please

==Download and UNZIP to a folder
HSFIX.zip
HSFix directory will be created
We'll need this later

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.


Go back to Safe mode
Print this out or save to a notepad file and then disconnect from the Internet

Find and delete these files or folder if you can and if found
Only delete them if they have the exact name, not because they look similar

C:\WINDOWS\System32\msgsvc.exe <-file
C:\WINDOWS\System32\mszx23.exe <-file
C:\WINDOWS\System32\winldra.exe <-file
C:\WINDOWS\SYSTEM32\drct16.dll <-file
C:\WINDOWS\System32\spoolsrv32.exe <-file
C:\WINDOWS\kjqxuzep.exe <-file
C:\WINDOWS\wsem302.dll <-file
C:\WINDOWS\zeta.exe <-file

C:\Program Files\Windows AdStatus <-folder
C:\Program Files\BullsEye Network <-folder
C:\WINDOWS\System32\Services\{57AD0A40-E56E-4A1A-849F-E606E3BCA044} <-folder
C:\Program Files\SearchRelev~ <not the exact folder name, but should start with searchrele
C:\Program Files\Internet Optimizer <-folder
c:\program files\180Solutions folder or similar

Navigate to your temp folders and delete the Whole contents, including subfolders, don't delete the Temp folders themselves
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/

O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize311.exe"

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{57AD0A40-E56E-4A1A-849F-E606E3BCA044}\SVCHOST.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{57AD0A40-E56E-4A1A-849F-E606E3BCA044}\SECURITY.EXE
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKCU\..\Run: [msgsvc] C:\WINDOWS\System32\msgsvc.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: PowerReg SchedulerV2.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...11a0351cafa03db

O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this, and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt <--we'll need this later

RESTART back to Normal mode

Do another scan with Hijackthis and post the log
Also post the log produced by hsfix.bat>>C:\hslog.txt

I would like to see a log from normal mode with hijackthis so I can see the running processes, please supply one if you can

Can you also let me know what other files and folder you find in this folder
C:\WINDOWS\System32\Services

NOTE: If you're still shutting down in Normal mode after we have tried the above
Right click "MyComputer"
Left click properties
Advanced tab
Under Startup and Recovery click SETTINGS
Uncheck Automatically Restart under System Failure
OK out of there
« Last Edit: April 12, 2005, 05:32:26 PM by guestolo »



Offline seliseh

  • Newbie
  • Posts: 18
  • Karma: +0/-0
daosearch has completely taken over
« Reply #9 on: April 14, 2005, 07:05:08 PM »
Sorry about the delay!  I've been busy.  But I need to get rid of all the spyware now, because I need the laptop when I go out of town this weekend.

~~~

Deleted msgsvc.exe.

Couldn't delete mszx23.exe because the computer said it was being used by another person or program.

Deleted winldra.exe.  

Couldn't delete drct16.dll because it says access is denied.

Deleted spoolsrv32.exe.

Couldn't find kjqxuzep.exe.

Deleted wsem302.dll and zeta.exe.

Couldn't find Windows AdStatus or BullsEye Network.

Deleted SearchRelevancy, SearchRelevant, {57AD0A40-E56E-4A1A-849F-E606E3BCA044}, and Internet Optimizer.

Couldn't find 180Solutions.

Deleted all the stuff in the C:\Windows\Temp\ folders.  Deleted all Temporary Internet Files except a few that didn't want to go.  I recognize them from sites I know though, so I don't think they're bad.

Couldn't delete the temporary directories.

"O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!" wasn't there.

~hijackthis log~

Logfile of HijackThis v1.99.1
Scan saved at 9:54:08 PM, on 4/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Ericsson\Wireless Manager\GC75Manager.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=042505 serial=PE02CBX-0000003-NMD lang=EN
O4 - HKLM\..\Run: [GC75-Manager-Class] "C:\Program Files\Sony Ericsson\Wireless Manager\GC75Manager.exe" -startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...76/mcinsctl.cab
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

~hslog~


Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
WINLOW
[SC] DeleteService SUCCESS
vdmt16
[SC] DeleteService SUCCESS
vdnt32
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
vdnt32.sys
vdmt16.sys
winlow.sys
drct16.dll
mszx23.exe
cz.dll
w32tm.exe
-
4. Deleting files that were found.
-
unable to remove vdmt16.sys
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
-
-
-


~~~

Found two folders in services.  {57AD0A40-E56E-4A1A-849F-E606E3BCA044} and {F75FD4E8-9D6A-4F9E-9909-A3B7E7D06D78}.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
daosearch has completely taken over
« Reply #10 on: April 14, 2005, 08:01:49 PM »
Not quite there yet
Go ahead right now and delete this log
C:\hslog.txt

Can you please do the following if you want to ensure we get you clean

==Download the Pocket Killbox
UNZIP it to a folder of your choice

==Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
When installing, Ad-Aware may check for updates, allow it, but don't run a scan yet
Double check to ensure Ad-Aware is fully updated
Afterwards

==Please open an empty notepad file and copy and paste these instructions to it and save it to desktop

==Close down all browser windows, including this one and just have the notepad file open for reference

==Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Pocket KillBox>>Now killbox and this notepad file is open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\SYSTEM32\drct16.dll

Select the radio button to
 Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for these paths to the file names

C:\WINDOWS\System32\mszx23.exe
C:\WINDOWS\System32\vdmt16.sys


Allow the computer to Reboot
or Restart anyways when you've entered the last full path to the file name
Please Restart your computer into safe mode
You can do this by tapping the F8 key as the system is booting up on restart

In safe mode do the following

Find and delete this folder
C:\WINDOWS\System32\Services <-this folder

Run HSFix.bat in safe mode again, here the instructions again
===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt <--we'll need this later

Stay in safe mode
Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode

Back in Normal mode
I don't see any Anti-Virus software running on your computer
This is not safe
If I'm mistaken and you have yours disabled, enable it now and update it and run a full system scan
If you don't have your own AV and need a free solution
I highly recommend that you Download and install the free version of AVG 7
from the link below, includes free updates for the life of the product

http://free.grisoft.com/doc/2/lng/us/tpl/v5

Scroll down and click on
AVG Free Edition installation files
File   Version
avg70free_308a468.exe <-this link, or similar

Save the installer to desktop
Double click on the Installer and follow the prompts to install
After installation restart the computer if prompted
And then Check for updates and download all updates

Run a Full System scan afterwards, let AVG fix whatever it finds
Restart the computer again after the scan is finished

Come back here and post a fresh Hijackthis log and again the log from hsfix.bat
C:\hslog.txt <-this log

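Reviewing a HijackThis log the way guestolo does in Reply #8 and Reply #10 comes down to three checks: entries whose executable sits somewhere a normal installer would not put it, entries left pointing at a file that has already been deleted, and what changed between one scan and the next. The Python below is an added example, not code from this thread or from HijackThis itself; it encodes those checks as assumed heuristics and diffs two trimmed excerpts of the logs posted above.

```python
"""Triage and diff HijackThis-style logs (added example; not HijackThis' own
logic and not code from this thread). It flags the entry patterns the helper
acted on above and diffs two scans so a cleanup round's effect is visible."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples: trimmed excerpts of the logs posted in this thread.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{57AD0A40-E56E-4A1A-849F-E606E3BCA044}\SVCHOST.EXE
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
"""
LOG_AFTER = r"""
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys))", re.IGNORECASE)
MISSING_TAGS = ("(no file)", "(file missing)")
# Assumed heuristics: locations a legitimate installer of that era rarely used.
UNUSUAL_DIR = re.compile(
    r"^[A-Za-z]:\\(?:windows|winnt)\\[^\\]+$"  # dropped straight into C:\WINDOWS
    r"|\\temp\\"                               # runs out of a temp folder
    r"|\\system32\\services\\\{",              # the Services\{GUID} folder seen above
    re.IGNORECASE,
)


@dataclass
class Entry:
    code: str                  # "R0", "O4", "O23", ...
    body: str                  # text after "O4 - "
    target: Optional[str]      # first file path found in the body, if any
    reasons: List[str] = field(default_factory=list)

    def key(self) -> str:
        """Whitespace- and case-normalised line, used to match entries across scans."""
        return " ".join(f"{self.code} - {self.body}".split()).lower()


def parse_log(text: str) -> List[Entry]:
    """Keep only the 'Oxx - ...' lines; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            code, body = m.groups()
            pm = PATH_RE.search(body)
            entries.append(Entry(code, body, pm.group(1) if pm else None))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to each entry a reviewer should look at; return only those.
    A bad file under a plausible name in System32 (winldra.exe above) is not
    caught by these rules; that call came from the helper's knowledge."""
    for e in entries:
        if e.code in ("R0", "R1"):
            e.reasons.append("start/search page setting; confirm you chose it")
        if any(tag in e.body for tag in MISSING_TAGS):
            e.reasons.append("orphaned entry: the file it points to is gone")
        if e.target and UNUSUAL_DIR.search(e.target):
            e.reasons.append(f"executable in an unusual location: {e.target}")
        if e.code == "O20":
            e.reasons.append("Winlogon Notify DLL loads at logon, before any desktop tool")
        if e.code == "O23" and "Unknown owner" in e.body and e.reasons:
            e.reasons.append("service with no vendor string")
    return [e for e in entries if e.reasons]


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries that vanished and entries that appeared between two scans. A line
    whose only change is a '(file missing)' suffix lands in both lists: the file
    was deleted but its registry entry still has to be fixed."""
    old = {e.key(): e for e in parse_log(before)}
    new = {e.key(): e for e in parse_log(after)}
    removed = [e for k, e in old.items() if k not in new]
    added = [e for k, e in new.items() if k not in old]
    return removed, added


if __name__ == "__main__":
    for e in triage(parse_log(LOG_AFTER)):
        print(f"{e.code} - {e.body}\n    -> " + "\n    -> ".join(e.reasons))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"gone since previous scan: {len(removed)}, new: {len(added)}")
```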