Author Topic: Daosearch - HijackThis Help NEEDED, Please!  (Read 2897 times)

flora
Daosearch - HijackThis Help NEEDED, Please!
« on: March 26, 2005, 03:26:48 PM »
Please help.....I would be extremely grateful if someone could take the time to reply with advice.  I have been trying to get rid of this for 2 days straight now.  It is driving me crazy!!!  It has included:

1 - SmartSecurity virus-thing

2 - Taking over my desktop.  I can't change my Background (still) - When I go into Display Settings. - (I can't select any of the default pictures or select "Browse" or anything???)

3 - The Daosearch thing with PopUps and taking over webpages with certain words in them, and redirecting to www.daosearch.com/...

4 - Also, I can no longer Right-Click on a file in any Explorer browser window (to Open, or Open With..., or Cut, Copy, Paste, etc...) or even right click in the window itself (to "View", "Arrange Icons", or  create a "New" File, etc.).  I haven't seen anything on this anywhere.....which really makes me nervous.  ????

Since it started, I've updated Norton System Works to 2005, downloaded and installed Ad-Aware and SpyWareBlaster, and run everything several times, including HJT.

I still have all of the problems, even though Norton and all the others have made several corrections, deletions, quarantines, etc.  Now, Norton finds Backdoor.Haxdoor.D every time I restart the computer.

I know there's a lot wrong in the HJT log, I just don't know what to do.  I'm almost begging at this point for some help....

Thank you in advance for your advice!!!

Flora

Logfile of HijackThis v1.99.1
Scan saved at 3:05:40 PM, on 3/26/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\r?gsvr32.exe
C:\WINNT\System32\dcet.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A20D0D39-B5D1-C151-AD2F-C8C9DEB03FE0} - C:\WINNT\System32\icnvnjct.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINNT\System32\paytime.exe
O4 - HKCU\..\Run: [Sonp] C:\WINNT\System32\rror.exe
O4 - HKCU\..\Run: [Ptyygs] C:\WINNT\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [gwotRTNsh] mpg2fw95.exe
O4 - HKCU\..\Run: [Mta] C:\WINNT\System32\Uao.exe
O4 - HKCU\..\Run: [Sav] C:\WINNT\Bfo.exe
O4 - HKCU\..\Run: [Sbv] C:\WINNT\System32\Efg.exe
O4 - HKCU\..\Run: [Jjk] C:\WINNT\System32\Lvg.exe
O4 - HKCU\..\Run: [Suh] C:\WINNT\System32\Mov.exe
O4 - HKCU\..\Run: [Cmv] C:\WINNT\Gli.exe
O4 - HKCU\..\Run: [Ajp] C:\WINNT\Agr.exe
O4 - HKCU\..\Run: [Etl] C:\WINNT\Jve.exe
O4 - HKCU\..\Run: [Oau] C:\WINNT\System32\Tbr.exe
O4 - HKCU\..\Run: [Jfp] C:\WINNT\System32\Ubd.exe
O4 - HKCU\..\Run: [Jef] C:\WINNT\System32\Vqf.exe
O4 - HKCU\..\Run: [Lhb] C:\WINNT\System32\Bjp.exe
O4 - HKCU\..\Run: [Tnp] C:\WINNT\Qts.exe
O4 - HKCU\..\Run: [Vpt] C:\WINNT\System32\Tld.exe
O4 - HKCU\..\Run: [Tqr] C:\WINNT\System32\Lqm.exe
O4 - HKCU\..\Run: [Jvq] C:\WINNT\System32\Ojm.exe
O4 - HKCU\..\Run: [Tcst] C:\WINNT\System32\dcet.exe
O4 - HKCU\..\Run: [Hufsu] C:\WINNT\System32\??plorer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {AD5F3C4B-BD73-11D5-838B-0050042DF1E4} (HOOPS 3D Stream Control Class) - http://www.hoops3d.com/downloads/hoopsatlcontrol.cab
O16 - DPF: {D3D53657-4115-11D2-B73A-00805F85736F} (HOOPS 3D Stream Control) - http://www.hoops3d.com/downloads/hoops3daf.cab
O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)

guestolo
« Reply #1 on: March 26, 2005, 04:30:40 PM »
You're not being ignored, just don't have time to check your log right now

I'll be back later to take a look
Please be patient, thanks

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


guestolo
« Reply #2 on: March 27, 2005, 12:10:52 AM »
Sorry for the delay,

===Download and Install this small program
to help clean your temp folders, cookies, prefetch folder, recycle bin
Windows Cleanup
Install for now, don't run a scan yet

===Download and UNZIP to desktop
HSFIX.zip
HSFix directory will be created
We'll need this later

===Download and save to desktop
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Restart your computer into SAFE MODE

Find and delete these files or folders if found
C:\WINNT\SYSTEM32\drct16.dll <-file
C:\WINNT\System32\icnvnjct.dll
C:\WINNT\System32\paytime.exe
C:\WINNT\System32\rror.exe
C:\WINNT\System32\r?gsvr32.exe
mpg2fw95.exe
C:\WINNT\System32\Uao.exe
C:\WINNT\Bfo.exe
C:\WINNT\System32\Efg.exe
C:\WINNT\System32\Lvg.exe
C:\WINNT\System32\Mov.exe
C:\WINNT\Gli.exe
C:\WINNT\Agr.exe
C:\WINNT\Jve.exe
C:\WINNT\System32\Tbr.exe
C:\WINNT\System32\Ubd.exe
C:\WINNT\System32\Vqf.exe
C:\WINNT\System32\Bjp.exe
C:\WINNT\Qts.exe
C:\WINNT\System32\Tld.exe
C:\WINNT\System32\Lqm.exe
C:\WINNT\System32\Ojm.exe
C:\WINNT\System32\dcet.exe
C:\WINNT\zeta.exe

C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319} <-folder

Look for these next ones too, delete files in bold if found
Let me know if you find any of them
• C:\WINDOWS\desktop.html
• C:\WINDOWS\Web\desktop.html
• C:\WINDOWS\SSICO.ICO
• C:\Documents and Settings\<current user>\Desktop\! Protect Your Data.url
• C:\Documents and Settings\<current user>\Favorites\! Smart Security.url
• C:\Documents and Settings\<current user>\Recent\! Smart Security.url
• C:\Documents and Settings\<current user>\Start Menu\! Secure Yourself.url

Note* <current user>= user name having a problem with the desktop issue


Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {A20D0D39-B5D1-C151-AD2F-C8C9DEB03FE0} - C:\WINNT\System32\icnvnjct.dll

O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE

O4 - HKCU\..\Run: [PayTime] C:\WINNT\System32\paytime.exe
O4 - HKCU\..\Run: [Sonp] C:\WINNT\System32\rror.exe
O4 - HKCU\..\Run: [Ptyygs] C:\WINNT\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [gwotRTNsh] mpg2fw95.exe
O4 - HKCU\..\Run: [Mta] C:\WINNT\System32\Uao.exe
O4 - HKCU\..\Run: [Sav] C:\WINNT\Bfo.exe
O4 - HKCU\..\Run: [Sbv] C:\WINNT\System32\Efg.exe
O4 - HKCU\..\Run: [Jjk] C:\WINNT\System32\Lvg.exe
O4 - HKCU\..\Run: [Suh] C:\WINNT\System32\Mov.exe
O4 - HKCU\..\Run: [Cmv] C:\WINNT\Gli.exe
O4 - HKCU\..\Run: [Ajp] C:\WINNT\Agr.exe
O4 - HKCU\..\Run: [Etl] C:\WINNT\Jve.exe
O4 - HKCU\..\Run: [Oau] C:\WINNT\System32\Tbr.exe
O4 - HKCU\..\Run: [Jfp] C:\WINNT\System32\Ubd.exe

O4 - HKCU\..\Run: [Jef] C:\WINNT\System32\Vqf.exe
O4 - HKCU\..\Run: [Lhb] C:\WINNT\System32\Bjp.exe
O4 - HKCU\..\Run: [Tnp] C:\WINNT\Qts.exe
O4 - HKCU\..\Run: [Vpt] C:\WINNT\System32\Tld.exe
O4 - HKCU\..\Run: [Tqr] C:\WINNT\System32\Lqm.exe
O4 - HKCU\..\Run: [Jvq] C:\WINNT\System32\Ojm.exe
O4 - HKCU\..\Run: [Tcst] C:\WINNT\System32\dcet.exe
O4 - HKCU\..\Run: [Hufsu] C:\WINNT\System32\??plorer.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.202

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx

O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll

O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

===Open Hijackthis>>Open Misc Tools Section>>Open "Delete an NT Service"
Copy and Paste the next entry in bold to the blank box and hit OK

ZESOFT

===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DON'T log off or restart yet

Instead
===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
 and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later

Restart your computer back to Normal mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page,


Afterwards post back a fresh Hijackthis log,
Could you also post the log from HSFix.bat>>C:\hslog.txt <-this log
Could you also let me know what else you see in the following folder
C:\WINNT\System32\Services <-folder
« Last Edit: March 27, 2005, 03:10:48 AM by guestolo »

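An added example, not part of the original posts and not the helper's own method: a small Python triage pass over HijackThis log lines, run on an excerpt of the first log posted in this thread. The rules (a `?` placeholder in a file name, a system process name outside System32, a nameless BHO, Trusted Zone additions, Winlogon Notify DLLs, a service with unknown owner or missing file) are assumptions chosen for this illustration; a hit means the entry deserves review, not that it is malicious.

```python
import ntpath
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section code, or "PROC" for a running process
    reason: str
    line: str


# Excerpt of the first log posted in this thread (paths and GUIDs as posted).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
C:\WINNT\System32\r?gsvr32.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A20D0D39-B5D1-C151-AD2F-C8C9DEB03FE0} - C:\WINNT\System32\icnvnjct.dll
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
O4 - HKCU\..\Run: [Hufsu] C:\WINNT\System32\??plorer.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")   # e.g. "O4 - HKCU\..\Run: ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")              # bare path in "Running processes"
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx)", re.IGNORECASE)

# Assumption of this example: these names are only expected directly in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "smss.exe", "spoolsv.exe"}


def reasons_for(section: str, body: str) -> List[str]:
    """Return the review reasons (possibly none) for one log entry."""
    reasons = []
    for path in PATH_RE.findall(body):
        directory, name = ntpath.split(path)  # ntpath parses '\' on any OS
        if "?" in name:
            # The log shows '?' where it could not render a character,
            # so the real file name is not the one it resembles.
            reasons.append("unrenderable character in file name: " + name)
        if name.lower() in SYSTEM_NAMES and not directory.lower().endswith("\\system32"):
            reasons.append("system process name outside System32: " + path)
    if section == "O2" and "(no name)" in body:
        reasons.append("browser helper object without a name")
    if section == "O15":
        reasons.append("site or IP range added to the Trusted Zone")
    if section == "O20":
        reasons.append("DLL registered under Winlogon Notify")
    if section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        reasons.append("service with unknown owner or missing file")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect every entry that needs review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_RE.match(line):
            section, body = "PROC", line
        else:
            match = ENTRY_RE.match(line)
            if not match:
                continue  # header lines such as "Running processes:"
            section, body = match.group(1), match.group(2)
        for reason in reasons_for(section, body):
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}")
```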


flora
« Reply #3 on: March 27, 2005, 08:55:32 AM »
Not a problem about the delay.  Thanks for getting to me.

I deleted all of the files I found.  I wasn't able to delete the first one listed:
C:\WINNT\SYSTEM32\drct16.dll <-file

It was in-use.  Also, I didn't find any that were listed in the "Look for these next ones too, delete files in bold if found" section.

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:42:19 AM, on 3/27/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A20D0D39-B5D1-C151-AD2F-C8C9DEB03FE0} - C:\WINNT\System32\icnvnjct.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {AD5F3C4B-BD73-11D5-838B-0050042DF1E4} (HOOPS 3D Stream Control Class) - http://www.hoops3d.com/downloads/hoopsatlcontrol.cab
O16 - DPF: {D3D53657-4115-11D2-B73A-00805F85736F} (HOOPS 3D Stream Control) - http://www.hoops3d.com/downloads/hoops3daf.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


HSLOG.TXT
 
Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
WINLOW
[SC] DeleteService SUCCESS
vdmt16
[SC] DeleteService SUCCESS
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
vdmt16.sys
winlow.sys
drct16.dll
mszx23.exe
cz.dll
w32tm.exe
-
4. Deleting files that were found.
-
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
-
-
-


In the following (C:\WINNT\System32\Services) folder, I found the (4) files below.

These were all created at the time I downloaded all of this.....stuff.

{1CCF6605-BBCE-4103-9262-03B16E5A9030}
{10FF35E4-42EF-47EB-8A19-F148EC20E6B5}
{73BBEE32-B23C-431A-B12A-CC226D15BB67}
{87C05DD0-B0FA-4FE3-BA7E-62607262AE75}

I'm guessing these should all be deleted?  Also, I'm still not able to right-click on files or in folders - have you heard of this before?

Thanks again!

guestolo
« Reply #4 on: March 27, 2005, 01:36:44 PM »
Let's try the following,
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, we'll need this later, don't run it yet

 
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetTaskbar"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

Download the Pocket Killbox
UNZIP it to a folder of your choice

Save these instructions to a Notepad file on your desktop
Disconnect from the Internet (Close down all browser windows) and all unnecessary programs running in the background

Run Pocket KillBox>>Now you have Killbox and this notepad file open
click on Tools --> Select Delete Temp Files. Click OK.

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold

C:\WINNT\SYSTEM32\mszx23.exe

Select the radio button to
 Replace on Reboot
Additionally, select the "Use Dummy" option
Click The Red circle and a white X
When prompted to Replace on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for this file
C:\WINNT\SYSTEM32\drct16.dll

But this time allow the computer to Reboot
or reboot anyways
Try and restart into safe mode, you can do this by tapping the F8 key as the system is first booting up

In safe mode

Delete these subfolders inside the Services folder
{1CCF6605-BBCE-4103-9262-03B16E5A9030}
{10FF35E4-42EF-47EB-8A19-F148EC20E6B5}
{73BBEE32-B23C-431A-B12A-CC226D15BB67}
{87C05DD0-B0FA-4FE3-BA7E-62607262AE75}
Also ensure you removed this folder
C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319} <-folder

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {A20D0D39-B5D1-C151-AD2F-C8C9DEB03FE0} - C:\WINNT\System32\icnvnjct.dll (file missing)

O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on fix.reg
Allow it to merge to the Registry

Run HSFIX.bat again

Restart back to Normal mode

Post back a fresh Hijackthis log and the hsfix.bat log>>C:\hslog.txt

Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat
Code:
dir C:\WINNT\System32\r?gsvr32.exe /a h > files.txt
notepad files.txt
Save this file on the desktop
Double click on Export.bat, a text file will open, can you copy and paste that info back here too, thanks
« Last Edit: March 27, 2005, 02:23:33 PM by guestolo »



flora
« Reply #5 on: March 27, 2005, 08:52:58 PM »
I did everything, and here are the results......how's it looking?

......and thank you...again!


Logfile of HijackThis v1.99.1
Scan saved at 8:39:57 PM, on 3/27/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {AD5F3C4B-BD73-11D5-838B-0050042DF1E4} (HOOPS 3D Stream Control Class) - http://www.hoops3d.com/downloads/hoopsatlcontrol.cab
O16 - DPF: {D3D53657-4115-11D2-B73A-00805F85736F} (HOOPS 3D Stream Control) - http://www.hoops3d.com/downloads/hoops3daf.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


HSLOG

Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
drct16.dll
mszx23.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-


NOTEPAD FILE

 Volume in drive C is Local Disk
 Volume Serial Number is 801B-4ECE

 Directory of C:\WINNT\System32

08/23/2001  07:00 AM             9,728 regsvr32.exe
               1 File(s)          9,728 bytes

 Directory of C:\Desktop

guestolo
« Reply #6 on: March 27, 2005, 10:12:52 PM »
Looks good

If everything is running better

You should clear your System Restore points
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Why so far behind on Windows Updates?
This is important in keeping your system secure online too...

Can you also let me know if you can access your options in
Control Panel>>Display

Also let me know if duplicate Icons are being displayed on the Desktop
Create a new shortcut icon to the desktop and see if it duplicates

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest

  • Guest
Daosearch - HijackThis Help NEEDED, Please!
« Reply #7 on: March 29, 2005, 09:07:45 PM »
I was finally able to get around to the final changes that you suggested.

I'm far behind on Windows updates because I actually reinstalled Windows after this first started (after I updated Norton and ran several virus checks/spyware programs) - but before you started helping.  Not sure that was smart?

I'm not able to access the options in Control Panel - Display.  Is there any simple fix ?

But, it's not creating double Shortcuts on the Desktop.

Once again, thank you very much for your help!!  I'm amazed by the extensive knowledge in something this complicated.  

Out of curiosity, is there something I had to have clicked on/okayed to download that started all of this SmartSecurity stuff - or was it simply clicking on a website that allowed it to install everything?  

Thanks again!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Daosearch - HijackThis Help NEEDED, Please!
« Reply #8 on: March 29, 2005, 10:08:23 PM »
Could you also do the following
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Code box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat

Save this file to Desktop
Code:
regedit /e Export.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
Double click on Export.bat and a file should be placed on the Desktop
Export.reg
Right click on Export.reg and select EDIT
Copy and paste back the findings
« Last Edit: March 29, 2005, 10:39:51 PM by guestolo »



Guest

  • Guest
Daosearch - HijackThis Help NEEDED, Please!
« Reply #9 on: April 02, 2005, 07:27:56 AM »
Is there a specific section or sections I should be looking for and pasting in?  The file is a 60 MB text file that can't possibly all be posted.

Thanks

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Daosearch - HijackThis Help NEEDED, Please!
« Reply #10 on: April 02, 2005, 05:30:08 PM »
Flora, is that you???? Could you log in when responding, so I'm sure who I'm talking to, thanks

60 mb, woah, something went wrong :D

Can you do the following for me please

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat

Code:
@echo off
regedit /e C:\temp.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
more C:\temp.reg >> C:\Display.txt
notepad C:\Display.txt
del /q c:\temp.reg
del /q C:\Display.txt

Double click Export.bat and copy and paste back the findings
« Last Edit: April 02, 2005, 05:31:07 PM by guestolo »



Offline flora

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Daosearch - HijackThis Help NEEDED, Please!
« Reply #11 on: April 02, 2005, 05:54:29 PM »
Sorry, yeah that was me (and so was the previous post :) )  I thought it was logging me in automatically....

Anyways, here's what I got back this time:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINNT\\desktop.html"

(This "Wallpaper" file no longer exists....)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Daosearch - HijackThis Help NEEDED, Please!
« Reply #12 on: April 02, 2005, 06:12:12 PM »
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Custom Desktop"=-

Double click on fix.reg and allow to merge to your registry

Restart your computer and let me know if you can Access your display options and change your background on the desktop

Could you also

In Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything

Log off and back on again if you had to uncheck anything

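An added example, not written by anyone in this thread: a small Python audit of a `regedit /e` export of the Policies key, run on a constructed copy of the export from Reply #11, showing which values stand out before a fix is merged. The watchlist of value names and all function names are assumptions made for this illustration.

```python
import re

# Constructed sample: the export from Reply #11, trimmed to the lines that matter.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINNT\\desktop.html"
'''
# Assumption: watchlist built from value names that appear in this thread.
WATCHLIST = {"wallpaper", "forceactivedesktopon", "nochangingwallpaper",
             "noviewcontextmenu", "noactivedesktop"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode_export(raw):
    """Decode bytes from disk: version 5.00 exports are UTF-16 with a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def parse_reg(text):
    """Yield (key, name, value); dwords become int, strings are unescaped."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = VALUE_RE.match(line)
        if not (m and key):
            continue  # header, blank line, comment, or value before any key
        name, data = m.groups()
        if data.lower().startswith("dword:"):
            yield key, name, int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            yield key, name, re.sub(r"\\(.)", r"\1", data[1:-1])

def audit(text):
    """Return watched policy values that are non-zero or non-empty."""
    return [(key.rsplit("\\", 1)[-1], name, value)
            for key, name, value in parse_reg(text)
            if "\\policies\\" in key.lower() + "\\"
            and name.lower() in WATCHLIST and value]

if __name__ == "__main__": print(audit(SAMPLE_EXPORT))
```

`NoDriveTypeAutoRun` is non-zero in the export but is not on the watchlist, so it is parsed and not reported; a `"Name"=-` deletion line, as used in a fix file, is skipped by the parser.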


Offline flora

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Daosearch - HijackThis Help NEEDED, Please!
« Reply #13 on: April 02, 2005, 07:25:18 PM »
Success!!!!!!

I have a restored desktop!  No more  pop-ups!!  No more modified website links, or anything!!!!!

Thank you a ton!!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Daosearch - HijackThis Help NEEDED, Please!
« Reply #14 on: April 02, 2005, 10:53:02 PM »
Glad to hear everything is running well, thanks for posting back

I would make sure you get your Windows Updates and install SpywareBlaster and IE-Spyad

EDIT>>I'm locking this topic as your problems appear resolved. If you need it reopened,
please PM a Mod or the site Admin and supply a link to this thread

Stay safe :)
« Last Edit: April 03, 2005, 04:41:45 PM by guestolo »
