Here4search


Wierman
01-22-2005, 06:46 PM
My HijackThis log doesn't have nearly as many items as a lot of these (including the ones you've told to delete in previous cases) so I've started a new thread...hope it's ok. Right, so I've tried the killbox method for this one and it didn't help either, so here's my log file....I set it as an attachment so it won't clutter things up. THANKS!

ES

nightowl
01-22-2005, 07:47 PM
Please Copy and Paste log to the message board thanks..........Jim

Wierman
01-22-2005, 07:50 PM
here ya go..sorry.

Logfile of HijackThis v1.99.0
Scan saved at 9:29:46 PM, on 1/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eric\Desktop\Eric's Stuff\AntiSpyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=11225
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=11225
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11225
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11225
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11225
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\5626K1~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs: 1lywlsx8zc3ryrll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

nightowl
01-22-2005, 08:36 PM
I was expecting a huge log. LOL

Reboot To Safe Mode (tap F8 on Startup)

Place a check next to each of these and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=11225
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=11225
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11225
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11225
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11225
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\5626K1~1.DLL
O20 - AppInit_DLLs: 1lywlsx8zc3ryrll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


Still In Safe Mode Delete all Temporary Internet Files, Cookies, Do a Defrag on your C Drive, Empty recycle bin.

Start/All Programs/Accessories/System Tools/Disc Defragment

Then Reboot and post a new log..........Jim

Wierman
01-23-2005, 12:18 AM
Not all of those items that you said to fix were there upon the scan in diagnostic mode, but I fixed the ones that WERE there, then did the rest. Here's the next log.

Logfile of HijackThis v1.99.0
Scan saved at 3:04:39 AM, on 1/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eric\Desktop\Eric's Stuff\AntiSpyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=11225
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=11225
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11225
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11225
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~2.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs: zw8jks8w5hfv5rll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

thanks,
ES

nightowl
01-23-2005, 10:35 AM
Reboot To Safe Mode (tap F8 on Startup)
Place a check next to each of these and click Fix Checked.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=11225
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=11225
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11225
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11225
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~2.DLL
O20 - AppInit_DLLs: zw8jks8w5hfv5rll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Should be able to fix these in Safe Mode, If you can't fix them in normal mode...........Jim

Wierman
01-23-2005, 10:55 AM
Well again they weren't all there in safe mode, so I did the scan in regular mode and fixed them, rebooted, and here's the next log...

Logfile of HijackThis v1.99.0
Scan saved at 1:41:27 PM, on 1/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric\Desktop\Eric's Stuff\AntiSpyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11225
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~2.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs: xkg7zxfb72e4p7ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


it's gettin smaller!!!
lol thanks as always,
ES

nightowl
01-23-2005, 11:07 AM
I don't understand why you can't kill these in safe mode, never heard of that problem before.

The main problem is still there.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11225
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~2.DLL
O20 - AppInit_DLLs: xkg7zxfb72e4p7ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Give it another try in Safe mode, Delete all Temporary Internet Files, Cookies, Empty recycle bin.

Wierman
01-23-2005, 11:51 AM
Ok good news and bad news......

good news is I figured out the safe mode issue.....like the dummy I am I was using the admin account instead of my own when running in safe mode.....so I remedied this last time and all of the right files showed up in HijackThis, so I fixed them...well "fixed" them.

bad news.... in safe mode it was able to get rid of all the files except the O2 and the O20 files, they kept returning. I deleted the cookies and temp files before hijack....after hijack....in every conceivable order....didn't work though. And once back in regular mode the R1's and R0 returned. ok I'll post both logs from safe mode and regular mode....

here's safe mode log:

Logfile of HijackThis v1.99.0
Scan saved at 2:28:24 PM, on 1/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Eric\Desktop\Eric's Stuff\AntiSpyware\HijackThis.exe

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~2.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs: emtjboroc9y4b9ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

here's reg. mode log:

Logfile of HijackThis v1.99.0
Scan saved at 2:37:17 PM, on 1/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric\Desktop\Eric's Stuff\AntiSpyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11225
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11225
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11225
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~2.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs: emtjboroc9y4b9ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

nightowl
01-23-2005, 01:04 PM
This is the bad guy


O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~2.DLL

something is making it reload, I'll show this to ECA, Maybe he can spot something.........Jim

ECA
01-23-2005, 03:39 PM
http://www.windowsstartup.com/wso/search.php

I think that's it..
Ya keep forgetting about the top section.. It's supposed to be in another dir...NOT there.
try it..

ECA
01-23-2005, 03:43 PM
http://www.liutilities.com/products/wintaskspro/processlibrary/smss/

FORGET that...it's not correct..

ECA
01-23-2005, 03:49 PM
Added as a result of the FLOOD.F VIRUS! Note - this is not the legitimate Smss.exe system file should normally NOT figure in Msconfig/Startup!

USE spybot, and tools...Startup...IF it's LISTED there...It's NOT the CORRECT SMSS.exe..
It's not PART of startup..

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
AND I would kill these, HERE...they don't need to be run at startup..and without them, we can see if something ELSE is running.. It won't hurt nothing as the FILES are still there.

ECA
01-23-2005, 03:59 PM
Ummm,
did you get,
Spybot
Adaware
Spywareblaster, and RUN them yet...
I see that Adaware is supposed to kill this...now..

ECA
01-23-2005, 04:12 PM
http://castlecops.com/postlite99884-here4search.html

Found a solution...
check it out Nightowl...ITS MEAN...
This is BAD...

Use above listed programs in SAFE MODE, tap f8 when starting...

Wierman
01-23-2005, 04:15 PM
so am I doing that stuff said on the castlecops site?

ECA
01-23-2005, 06:50 PM
it comes down to:
do it in safe mode..REMOVE them with Hijack..
THEN search for them and delete the files.

Search ALL files, and sub directories..
W8C6S4~2.DLL
AND
*.dll.dll.* Any file that has A LOT of dll.dll.dll stuff at the end... Files are NAME.EXT (a file name and extension), that's ALL...

Then reset back to Normal mode..And pray..

nightowl
01-23-2005, 09:17 PM
Yes this looks like a mean one. Give ECA's fix a try. It keeps reloading.

Whoever developed this Spyware should be thrown in Jail.........Jim

Wierman
01-25-2005, 11:05 AM
ok I did HijackThis in safe mode and it kept reappearing (the multi .dll one and w8c6s4 one) so I searched them with a regular search and found nothing so I went into regedit and searched and deleted anything with multiple .dll's and w8c8s4 in it....and even with the registry cleared of it (the search wouldn't turn up anything else) it kept appearing in HijackThis, and it's still on the system....yeah this one looks bad. just for kicks here's the log file....but you already know what's in it lol

Logfile of HijackThis v1.99.0
Scan saved at 1:52:54 PM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eric\Desktop\Eric's Stuff\AntiSpyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11225
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11225
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11225
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: j62rv66i55ukccll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


ES
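
Added example, not written by any poster in this thread: Python that compares two HijackThis scans by a stable identity per entry, which makes visible what the 1/23 and 1/25 logs above show by eye: the BHO CLSID and the AppInit_DLLs value survive every fix while the file names behind them change. The sample entries are copied from those logs with the `.dll` runs shortened; the function names and status labels are this example's own.

```python
import re
# Constructed input: entries taken from the 1/23 and 1/25 logs in this thread,
# with the forum's inserted spaces removed and the ".dll" runs shortened.
SCAN_1 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11225
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~2.DLL
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O20 - AppInit_DLLs: emtjboroc9y4b9ll.dll.dll.dll.dll.dll
"""
SCAN_2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11225
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: j62rv66i55ukccll.dll.dll.dll.dll.dll.dll.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$", re.M)   # "O2 - ...", "R0 - ..."
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse(log):
    """Map a stable identity for each entry to its full text."""
    entries = {}
    for section, body in ENTRY.findall(log):   # header/process lines don't match
        clsid = CLSID.search(body)
        if clsid:
            ident = clsid.group(0).upper()     # BHOs, search hooks, buttons
        elif section.startswith("R"):
            ident = body.split(" = ")[0]       # IE setting: the registry value
        elif section == "O20":
            ident = "AppInit_DLLs"             # a single value per machine
        else:
            ident = body
        entries[(section, ident)] = body
    return entries

def odd_name(section, body):
    """Filename traits the thread singles out: stacked .dll, unnamed 8.3 BHO."""
    if section == "O20" and re.search(r"(\.dll){2,}", body, re.I):
        return "stacked .dll extensions"
    if section == "O2" and "(no name)" in body and re.search(r"~\d\.DLL$", body, re.I):
        return "unnamed BHO, 8.3 short file name"
    return None

def compare(before, after):
    """Classify each entry of the later scan against the earlier one."""
    old, report = parse(before), {}
    for key, body in parse(after).items():
        status = "new" if key not in old else "unchanged" if old[key] == body else "renamed"
        report[key] = (status, odd_name(key[0], body))
    return report

if __name__ == "__main__":
    print(*compare(SCAN_1, SCAN_2).items(), sep="\n")
```

A "renamed" entry means the registry slot persisted while the file behind it was replaced, so cleanup has to target the component that rewrites the slot and not only the file named in the latest scan.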

Wierman
01-25-2005, 11:07 AM
p.s. praying didn't seem to help either :cool:

ECA
01-25-2005, 11:44 AM
This is fun,
OK,
Bring up search window..
at the top..
tools
folder options
VIEW
CLICK...SHOW hidden files and folders.
UNCLICK Hide extensions known..
UNCLICK HIDE protected op sys files

I HATE this, its an automatic settings, THING...

NOW try your search..

Wierman
01-25-2005, 12:14 PM
ok I searched .dll.dll first and 5 came up...I was able to delete all but the j62rv66... one that's been coming up in the HijackThis log. It gives the "cannot delete cuz in use or write protected blah blah" message (and this was in safe mode also as always). So then I searched w8c6s4 and a file came up called w8c6s4xcm66.dll but I couldn't delete it with the same error message. Is there any way I can get around this error and delete them? either way....I feel like I'm starting to see a light at the end of the tunnel! :)

ES

ECA
01-25-2005, 12:45 PM
that's the FUN PART...
Do you know HOW to use REGEDIT...
CAN you HIT, CTRL, ALT, DEL, and Use task manager and SEE the problem??

Wierman
01-25-2005, 01:18 PM
well I know how to open regedit and search for files but as I delete them they keep reappearing, as for task manager I don't know how to find the problem within there, no.

ECA
01-25-2005, 02:22 PM
WELL, we could use a boot disk about NOW...Do you have one??