Author Topic: daosearch (Read 867 times)

GaretJax · « **on:** April 11, 2005, 12:20:05 PM »

Need help fixing this thing. It's more aggrivating than anything else, but it's got to go.

Logfile of HijackThis v1.99.1
Scan saved at 1:06:13 PM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\Services\{1CFE94E5-2E1C-41DA-A824-D086759385D0}\SVCHOST.EXE
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yfrtz.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_m
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yfrtz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yfrtz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yfrtz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yfrtz.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0ADD30AF-3ADB-2FB2-CD10-1A1456A683C7} - blank (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{1CFE94E5-2E1C-41DA-A824-D086759385D0}\SVCHOST.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {148C6A9B-DF27-4B05-9F6A-954D1630CD78} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {148C6A9B-DF27-4B05-9F6A-954D1630CD78} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D6D10EFA-9EEF-41BB-B4BB-B6219B223FEF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D6D10EFA-9EEF-41BB-B4BB-B6219B223FEF} - (no file) (HKCU)
O16 - DPF: {02242C1C-EF7C-69B1-2FA7-18D74595DFD5} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {2DD14AE0-E3CE-134F-2914-56A83F36117A} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {34A0760E-192D-0A0B-E71D-0CED7140BE0D} - http://69.50.182.94/1/rdgUS1882.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apptv.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

GaretJax · « **Reply #1 on:** April 11, 2005, 08:29:25 PM »

guestolo · « **Reply #2 on:** April 11, 2005, 09:31:27 PM »

You have a couple different problems on your computer

Let's try the following

First could you download and save to Desktop CWShredder.exe from my signature below
Don't run it yet

===Download to desktop About:Buster.zip
by RubbeR Ducky
Unzip the contents to desktop, a folder will be placed on your desktop
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later

===Download and UNZIP to desktop Cwsserviceremove.zip
So you have cwsserviceremove.reg on the desktop
Cwsserviceremove.zip

===Could you next
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Please save these instructions to a Notepad file and save it to your Desktop
for easy access
RESTART your Computer in SAFE MODE

Next: Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Network Security Service

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled

===Stay in safe mode and navigate to these files or folders and delete them if they exist
c:\windows\system\BHOmod.dll <-file
C:\WINDOWS\system32\apptv.exe <-file
C:\WINDOWS\system32\wldr.dll <-file

C:\WINDOWS\System32\Services\{1CFE94E5-2E1C-41DA-A824-D086759385D0} <-folder

In safe mode
Do another Scan with Hijackthis and put a check next to these entries
Not all may be found, but fix what you find

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yfrtz.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_m
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yfrtz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yfrtz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yfrtz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yfrtz.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0ADD30AF-3ADB-2FB2-CD10-1A1456A683C7} - blank (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{1CFE94E5-2E1C-41DA-A824-D086759385D0}\SVCHOST.EXE

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {148C6A9B-DF27-4B05-9F6A-954D1630CD78} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D6D10EFA-9EEF-41BB-B4BB-B6219B223FEF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D6D10EFA-9EEF-41BB-B4BB-B6219B223FEF} - (no file) (HKCU)
O16 - DPF: {02242C1C-EF7C-69B1-2FA7-18D74595DFD5} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {2DD14AE0-E3CE-134F-2914-56A83F36117A} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {34A0760E-192D-0A0B-E71D-0CED7140BE0D} - http://69.50.182.94/1/rdgUS1882.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apptv.exe (file missing)

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Navigate to About:buster you unzipped and updated earlier
===Start About:Buster and hit ok. Now for the scanning part. Hit Start and then Ok. The program should start scanning.Scan a Second time. Save the log... Then hit exit
You may have to scan more than twice, try 3 or 4 times until no files or Data Streams are found

===Double click on cwsserviceremove.reg and allow it to merge to the registry

===Run CWShredder.exe, click the FIX button and let it fix what it finds

===RESTART back in Normal mode

===Look for a file called shell.dll in your C:\Windows\system32 folder
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

===Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

=== Under the Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

===Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

==Post back a fresh Hijackthis log
Also the logs from About:Buster

===Open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the "Open in Notepad"
Copy and paste back the whole contents of this notepad file too

Could you also let me know if you have Spybot 1.3 installed
I'm just checking

GaretJax · « **Reply #3 on:** April 11, 2005, 10:05:29 PM »

do not have spybot installed

GaretJax · « **Reply #4 on:** April 12, 2005, 12:26:28 AM »

Hope this looks good now. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:21:26 AM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {148C6A9B-DF27-4B05-9F6A-954D1630CD78} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {148C6A9B-DF27-4B05-9F6A-954D1630CD78} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D6D10EFA-9EEF-41BB-B4BB-B6219B223FEF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D6D10EFA-9EEF-41BB-B4BB-B6219B223FEF} - (no file) (HKCU)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Scanned at: 1:06:28 AM on: 4/12/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\cdydq.dat
Removed! : C:\WINDOWS\dpcev.dat
Removed! : C:\WINDOWS\lryoo.dat
Removed! : C:\WINDOWS\oqzda.dat
Removed! : C:\WINDOWS\voggx.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

guestolo · « **Reply #5 on:** April 12, 2005, 12:32:05 AM »

Go back and Hide hidden files and folders

Do another scan with Hijackthis and put a check next to these entries:

R3 - Default URLSearchHook is missing

O9 - Extra button: Microsoft AntiSpyware helper - {148C6A9B-DF27-4B05-9F6A-954D1630CD78} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {148C6A9B-DF27-4B05-9F6A-954D1630CD78} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D6D10EFA-9EEF-41BB-B4BB-B6219B223FEF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D6D10EFA-9EEF-41BB-B4BB-B6219B223FEF} - (no file) (HKCU)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

I asked about Spybot because one hijacker you had deletes a file of Spybots'
It's another great spyware remover that's free also
I use Ad-Aware and Spybot
Hold onto both of them

If you would like to check it out I recommend it
Download and Install Spybot S&D 1.3
After installation--Click the Update button on the left
ThenSEARCH FOR UPDATES
Check and Download all updates
Afterwards, click the Search and Destroy button
Check for Problems---Let it complete it's scan
FIX everything in RED>>Should be checked by default

Restart the computer again to finish the cleaning process

Afterwards, post back a fresh hijackthis log

Could you also do the following I asked before
===Open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the "Open in Notepad"
Copy and paste back the whole contents of the hosts notepad file also

GaretJax · « **Reply #6 on:** April 12, 2005, 01:18:48 AM »

ok, here's the rest. also, I was running norton and it found something it's calling adware that I can't seem to find. Two files, mhdywody.exe and mhdywody.exe.js . I tried to find the files in the folder they were supposed to be in, but they weren't there.

Logfile of HijackThis v1.99.1
Scan saved at 2:13:24 AM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\HJT\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\imapi.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

guestolo · « **Reply #7 on:** April 12, 2005, 01:24:30 AM »

Hosts file looks ok, what is the Adware called
What folder is norton's finding these files in??

Try running Spybot through your system

EDIT>>Could you also let me know what other files or folders you find in this folder
C:\WINDOWS\System32\Services

GaretJax · « **Reply #8 on:** April 12, 2005, 01:39:22 AM »

I ran spybot and it didn't catch what norton had found. The files were found in c:\windows\downloaded_program_files . Norton says there are 8 files in that folder two of which are the ones I mentioned before. When I open the folder, there's nothing in there.

guestolo · « **Reply #9 on:** April 12, 2005, 01:42:23 AM »

Download and UNZIP to desktop
DPF.zip so you have DPF.bat on your desktop

Double click on DPF.bat
A text file will open, can you copy and paste that back here

GaretJax · « **Reply #10 on:** April 12, 2005, 01:47:50 AM »

here you go

Volume in drive C has no label.
Volume Serial Number is 6405-4313

Directory of C:\WINDOWS\Downloaded Program Files

04/06/2005 10:54 PM <DIR> BUILTIN\Administrators .
04/06/2005 10:54 PM <DIR> BUILTIN\Administrators ..
03/31/2005 06:53 PM 65 BUILTIN\Administrators desktop.ini
10/14/1997 07:52 PM 697 BUILTIN\Administrators DirectAnimation Java Classes.osd
04/06/2005 09:26 PM 9,800 SPORT\Corky mhdywody.exe
04/06/2005 09:26 PM 264 SPORT\Corky mhdywody.exe.js
01/20/2000 04:25 PM 1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
12/08/2003 02:58 PM 3,759 SPORT\Corky swflash.inf
04/06/2005 08:58 PM 9,216 SPORT\Corky update.exe
08/11/2004 03:22 AM 3,036 SPORT\Corky wmv9dmo.inf
8 File(s) 27,999 bytes
2 Dir(s) 37,591,851,008 bytes free

guestolo · « **Reply #11 on:** April 12, 2005, 01:56:30 AM »

Can you do the following for me
Go to START>>RUN>>type in
cmd
Hit OK

You'll be at a command prompt
At the prompt type in the below in bold>>(Enter) indicates hitting Enter on your keyboard
Notice the single space after cd and del

cd C:\WINDOWS\Downloaded Program Files (Enter)
del mhdywody.exe (Enter)
del mhdywody.exe.js (Enter)
del update.exe (Enter)
exit (Enter)

I won't see how things went until tomorrow, but in the mean time

Could you
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Let me know how everything's running

guestolo · « **Reply #12 on:** April 12, 2005, 02:01:07 AM »

By the way, I added this to my post, a couple before last
could you still let me know that

Quote

Could you also let me know what other files or folders you find in this folder
C:\WINDOWS\System32\Services

GaretJax · « **Reply #13 on:** April 12, 2005, 02:17:49 AM »

dl'ed those protect programs you put up. going through the command prompt worked. it seems I don't have a services folder in my system32 folder, though. I have my view set up to show everything, it's just not there.

guestolo · « **Reply #14 on:** April 12, 2005, 10:08:06 AM »

Looks and sounds good

If you find this file you can delete it now, just a leftover
C:\dpflist.txt

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

GaretJax · « **Reply #15 on:** April 12, 2005, 02:40:08 PM »

thanks a lot questolo. I really appreciate your help.

guestolo · « **Reply #16 on:** April 12, 2005, 03:05:39 PM »

Glad to help, I'll lock this topic as your problems appear resolved
If you need it reopened, please PM myself or another Mod or the site Admin and supply a link to this thread

Take care

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: daosearch (Read 867 times)

GaretJax

daosearch

GaretJax

daosearch

guestolo

daosearch

GaretJax

daosearch

GaretJax

daosearch

guestolo

daosearch

GaretJax

daosearch

guestolo

daosearch

GaretJax

daosearch

guestolo

daosearch

GaretJax

daosearch

guestolo

daosearch

guestolo

daosearch

GaretJax

daosearch

guestolo

daosearch

GaretJax

daosearch

guestolo

daosearch