about blank

  1. #1
    Jeff B is offline Newbie

    about blank

    Jephree,

    This is in response to your earlier request regarding about:blank. The following log is posted per your instructions.

    Thank you for your assistance

    Logfile of HijackThis v1.99.0
    Scan saved at 2:01:15 PM, on 1/1/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPDCLNT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\SKW2\REMIND.EXE
    C:\SCANNER\EXE16\AM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\EXTENDED KEYBOARD\HPMMKBD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\SMARTDSK\FLASH\FLSHSTAT.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0PQF0PUB\HIJACKTHIS[1].EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coslink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cherryland Online Service
    F1 - win.ini: load=C:\SKW2\remind.exe
    F1 - win.ini: run=C:\SCANNER\EXE16\AM.EXE hpfsched
    O2 - BHO: (no name) - {DF09C684-1161-11D9-B74A-00609B00390E} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: msidntud - {6C614AB5-8F9E-ADB5-3619-7B9A836A0194} - C:\WINDOWS\SYSTEM\MSIDNTUD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Welcome] c:\windows\welcome.exe
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
    O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [XupiterToolbarLoader] C:\Program Files\Xupiter\\XupiterToolbarLoader.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKCU\..\Run: [Csmd] C:\WINDOWS\Application Data\saaw.exe
    O4 - Startup: Flashpath Status.lnk = C:\SMARTDSK\FLASH\FLSHSTAT.EXE
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\PROGRA~1\PLUS!\MICROS~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.68.234.141/activex/AxisCamControl.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.187.110/winsearchie32.c...searchie32.exe
    O16 - DPF: {1A24796D-A600-5D41-C6E0-283A166B275B} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {30A02CC1-7B52-5F08-B4B1-406866DF18DC} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {1914127E-285D-2139-6004-13123103D43F} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {5067DA0C-8485-1DAF-C2C2-0C536A39B270} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {4BD773D7-1738-5743-7C38-10F7144D9A5D} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {2F5D1E8B-2368-36CE-0C16-71EF647FFAB0} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {11117711-1111-1711-7121-111177111157} - ms-its:mhtml:file://c:\bebe.mht!http://www.alarm-works.com/tx.chm::/ai.exe
    O16 - DPF: {56A8D01A-2AB7-5145-671A-6ADF4AB44A8D} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {1063F118-FF92-5E7F-414F-315D7F3028EE} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {03E3F1DC-7650-48F4-94EB-3630530014C7} - http://69.50.177.100/1/rdgUS780.exe
    O18 - Filter: text/html - {1CCD92E3-5BD0-11D9-B74A-0060E246AD90} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O18 - Filter: text/plain - {1CCD92E3-5BD0-11D9-B74A-0060E246AD90} - C:\WINDOWS\SYSTEM\DGEELI.DLL


  2. #2
    owen is offline D-A-L Team Member (UK)
    Hello,
    Please download and install APM from here. Also download and install Ad-aware from here.

    Once you have installed Ad-aware, run the program and in the bottom right hand corner click Check For Updates. Update Ad-aware following the prompts and then close the program, we will use it later.

    Now disconnect from the internet, restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coslink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cherryland Online Service
    O2 - BHO: (no name) - {DF09C684-1161-11D9-B74A-00609B00390E} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O13 - WWW. Prefix: http://
    O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.187.110/winsearchie32....nsearchie32.exe
    O16 - DPF: {1A24796D-A600-5D41-C6E0-283A166B275B} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {30A02CC1-7B52-5F08-B4B1-406866DF18DC} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {1914127E-285D-2139-6004-13123103D43F} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {5067DA0C-8485-1DAF-C2C2-0C536A39B270} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {4BD773D7-1738-5743-7C38-10F7144D9A5D} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {2F5D1E8B-2368-36CE-0C16-71EF647FFAB0} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {11117711-1111-1711-7121-111177111157} - ms-its:mhtml:file://c:\bebe.mht!http://www.alarm-works.com/tx.chm::/ai.exe
    O16 - DPF: {56A8D01A-2AB7-5145-671A-6ADF4AB44A8D} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {1063F118-FF92-5E7F-414F-315D7F3028EE} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {03E3F1DC-7650-48F4-94EB-3630530014C7} - http://69.50.177.100/1/rdgUS780.exe
    O18 - Filter: text/html - {1CCD92E3-5BD0-11D9-B74A-0060E246AD90} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O18 - Filter: text/plain - {1CCD92E3-5BD0-11D9-B74A-0060E246AD90} - C:\WINDOWS\SYSTEM\DGEELI.DLL

    Now click Fix Checked

    After you have done that, start APM.

    In the top Window select explorer.exe
    After this, in the bottom window find DGEELI.DLL
    Right click DGEELI.DLL and choose Unload.
    Click OK

    Now Start Ad-aware

    We need to configure Ad-aware for a full scan.

    Click on the Gear icon (second from the left) to access the preferences/settings window

    1. In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    2. Click on the Scanning button on the left and select :
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
    • All of your hard drives
    Click on the Advanced button on the left and select:
    • Include additional process information
    • Include additional file information
    • Include environment information
    Click the Tweak button and select:
    • Under the Scanning Engine:
      • Unload recognized processes & modules during scan
      • Include additional Ad-aware settings in logfile
    • Under the Cleaning Engine:
      • Let Windows remove files in use at next reboot
    Click on Proceed to save the settings.

    Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
    • Use Custom Scanning Options
    Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

    Save the log file when it asks and then click Finish

    When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

    Reboot your computer and post a fresh Hijack This log

  3. #3
    Jeff B is offline Newbie
    owen,

    After running Ad-aware and then running HijackThis as per your instructions, the items to check off in HijackThis are not the same as the ones you listed.

    The following is the new HijackThis info:

    Logfile of HijackThis v1.99.0
    Scan saved at 4:59:41 PM, on 1/1/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPDCLNT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\SKW2\REMIND.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\EXTENDED KEYBOARD\HPMMKBD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\SMARTDSK\FLASH\FLSHSTAT.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\HIJACK THIS\HIJACKTHIS[1].EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coslink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cherryland Online Service
    F1 - win.ini: load=C:\SKW2\remind.exe
    F1 - win.ini: run=C:\SCANNER\EXE16\AM.EXE hpfsched
    O2 - BHO: (no name) - {DF09C684-1161-11D9-B74A-00609B00390E} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: msidntud - {6C614AB5-8F9E-ADB5-3619-7B9A836A0194} - C:\WINDOWS\SYSTEM\MSIDNTUD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Welcome] c:\windows\welcome.exe
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
    O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [XupiterToolbarLoader] C:\Program Files\Xupiter\\XupiterToolbarLoader.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKCU\..\Run: [Csmd] C:\WINDOWS\Application Data\saaw.exe
    O4 - Startup: Flashpath Status.lnk = C:\SMARTDSK\FLASH\FLSHSTAT.EXE
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\PROGRA~1\PLUS!\MICROS~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.68.234.141/activex/AxisCamControl.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.187.110/winsearchie32.c...searchie32.exe
    O16 - DPF: {1A24796D-A600-5D41-C6E0-283A166B275B} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {30A02CC1-7B52-5F08-B4B1-406866DF18DC} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {1914127E-285D-2139-6004-13123103D43F} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {5067DA0C-8485-1DAF-C2C2-0C536A39B270} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {4BD773D7-1738-5743-7C38-10F7144D9A5D} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {2F5D1E8B-2368-36CE-0C16-71EF647FFAB0} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {11117711-1111-1711-7121-111177111157} - ms-its:mhtml:file://c:\bebe.mht!http://www.alarm-works.com/tx.chm::/ai.exe
    O16 - DPF: {56A8D01A-2AB7-5145-671A-6ADF4AB44A8D} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {1063F118-FF92-5E7F-414F-315D7F3028EE} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {03E3F1DC-7650-48F4-94EB-3630530014C7} - http://69.50.177.100/1/rdgUS780.exe

  4. #4
    owen is offline D-A-L Team Member (UK)
    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cherryland Online Service
    O2 - BHO: (no name) - {DF09C684-1161-11D9-B74A-00609B00390E} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O2 - BHO: msidntud - {6C614AB5-8F9E-ADB5-3619-7B9A836A0194} - C:\WINDOWS\SYSTEM\MSIDNTUD.DLL
    O4 - HKCU\..\Run: [Csmd] C:\WINDOWS\Application Data\saaw.exe
    O13 - WWW. Prefix: http://
    O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.187.110/winsearchie32....nsearchie32.exe
    O16 - DPF: {1A24796D-A600-5D41-C6E0-283A166B275B} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {30A02CC1-7B52-5F08-B4B1-406866DF18DC} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {1914127E-285D-2139-6004-13123103D43F} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {5067DA0C-8485-1DAF-C2C2-0C536A39B270} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {4BD773D7-1738-5743-7C38-10F7144D9A5D} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {2F5D1E8B-2368-36CE-0C16-71EF647FFAB0} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {11117711-1111-1711-7121-111177111157} - ms-its:mhtml:file://c:\bebe.mht!http://www.alarm-works.com/tx.chm::/ai.exe
    O16 - DPF: {56A8D01A-2AB7-5145-671A-6ADF4AB44A8D} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {1063F118-FF92-5E7F-414F-315D7F3028EE} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {03E3F1DC-7650-48F4-94EB-3630530014C7} - http://69.50.177.100/1/rdgUS780.exe

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Delete the following files and folders:
    C:\WINDOWS\Application Data\saaw.exe

    Reboot and post a fresh log

  5. #5
    Jeff B is offline Newbie
    owen,

    Just re-ran hijack this and it is all different again from your list. I have listed it below. I will not close it this time and wait for your reply.

    Jeff B

    Logfile of HijackThis v1.99.0
    Scan saved at 1:00:08 PM, on 1/3/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPDCLNT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\SKW2\REMIND.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\EXTENDED KEYBOARD\HPMMKBD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\SMARTDSK\FLASH\FLSHSTAT.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\HIJACK THIS\HIJACKTHIS[1].EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coslink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cherryland Online Service
    F1 - win.ini: load=C:\SKW2\remind.exe
    F1 - win.ini: run=C:\SCANNER\EXE16\AM.EXE hpfsched
    O2 - BHO: (no name) - {DF09C684-1161-11D9-B74A-00609B00390E} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: msidntud - {6C614AB5-8F9E-ADB5-3619-7B9A836A0194} - C:\WINDOWS\SYSTEM\MSIDNTUD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Welcome] c:\windows\welcome.exe
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
    O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [XupiterToolbarLoader] C:\Program Files\Xupiter\\XupiterToolbarLoader.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKCU\..\Run: [Csmd] C:\WINDOWS\Application Data\saaw.exe
    O4 - Startup: Flashpath Status.lnk = C:\SMARTDSK\FLASH\FLSHSTAT.EXE
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\PROGRA~1\PLUS!\MICROS~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.68.234.141/activex/AxisCamControl.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.187.110/winsearchie32.c...searchie32.exe
    O16 - DPF: {1A24796D-A600-5D41-C6E0-283A166B275B} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {30A02CC1-7B52-5F08-B4B1-406866DF18DC} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {1914127E-285D-2139-6004-13123103D43F} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {5067DA0C-8485-1DAF-C2C2-0C536A39B270} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {4BD773D7-1738-5743-7C38-10F7144D9A5D} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {2F5D1E8B-2368-36CE-0C16-71EF647FFAB0} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {11117711-1111-1711-7121-111177111157} - ms-its:mhtml:file://c:\bebe.mht!http://www.alarm-works.com/tx.chm::/ai.exe
    O16 - DPF: {56A8D01A-2AB7-5145-671A-6ADF4AB44A8D} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {1063F118-FF92-5E7F-414F-315D7F3028EE} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {03E3F1DC-7650-48F4-94EB-3630530014C7} - http://69.50.177.100/1/rdgUS780.exe
    O18 - Filter: text/html - {39AB8763-5C97-11D9-B74A-00602A07ABDD} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O18 - Filter: text/plain - {39AB8763-5C97-11D9-B74A-00602A07ABDD} - C:\WINDOWS\SYSTEM\DGEELI.DLL

  6. #6
    Jeff B is offline Newbie
    Owen,

    Will the HijackThis log be different every time, in which case I should just check the items off, or should we see the same thing before I start checking these items off for repair?

  7. #7
    owen is offline D-A-L Team Member (UK)
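    It depends on the malware: sometimes it morphs, other times it doesn't. It has morphed again (your latest log has new Search Bar / Search Page / SearchAssistant entries pointing at file://c:\windows\TEMP\sp.html, and the O18 filter entries for DGEELI.DLL now carry a different CLSID than in your first log), so we need to start here: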

    Please download and install APM from here. Also download and install Ad-aware from here.

    Once you have installed Ad-aware, run the program and in the bottom right hand corner click Check For Updates. Update Ad-aware following the prompts and then close the program, we will use it later.

    Now disconnect from the internet, restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://rootsearch.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://rootsearch.biz/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coslink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cherryland Online Service
    O2 - BHO: (no name) - {DF09C684-1161-11D9-B74A-00609B00390E} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O2 - BHO: msidntud - {6C614AB5-8F9E-ADB5-3619-7B9A836A0194} - C:\WINDOWS\SYSTEM\MSIDNTUD.DLL
    O4 - HKLM\..\Run: [XupiterToolbarLoader] C:\Program Files\Xupiter\\XupiterToolbarLoader.exe
    O4 - HKCU\..\Run: [Csmd] C:\WINDOWS\Application Data\saaw.exe
    O13 - WWW. Prefix: http://
    O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.187.110/winsearchie32....nsearchie32.exe
    O16 - DPF: {1A24796D-A600-5D41-C6E0-283A166B275B} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {30A02CC1-7B52-5F08-B4B1-406866DF18DC} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {1914127E-285D-2139-6004-13123103D43F} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {5067DA0C-8485-1DAF-C2C2-0C536A39B270} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {4BD773D7-1738-5743-7C38-10F7144D9A5D} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {2F5D1E8B-2368-36CE-0C16-71EF647FFAB0} - http://64.237.41.215/1/rdgUS780.exe
    O16 - DPF: {11117711-1111-1711-7121-111177111157} - ms-its:mhtml:file://c:\bebe.mht!http://www.alarm-works.com/tx.chm::/ai.exe
    O16 - DPF: {56A8D01A-2AB7-5145-671A-6ADF4AB44A8D} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {1063F118-FF92-5E7F-414F-315D7F3028EE} - http://69.50.177.100/1/rdgUS780.exe
    O16 - DPF: {03E3F1DC-7650-48F4-94EB-3630530014C7} - http://69.50.177.100/1/rdgUS780.exe
    O18 - Filter: text/html - {39AB8763-5C97-11D9-B74A-00602A07ABDD} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O18 - Filter: text/plain - {39AB8763-5C97-11D9-B74A-00602A07ABDD} - C:\WINDOWS\SYSTEM\DGEELI.DLL

    Now click Fix Checked

    After you have done that, start APM.

    In the top Window select explorer.exe
    After this, in the bottom window find DGEELI.DLL
    Right click DGEELI.DLL and choose Unload.
    Click OK

    Now Start Ad-aware

    We need to configure Ad-aware for a full scan.

    Click on the Gear icon (second from the left) to access the preferences/settings window

    1. In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    2. Click on the Scanning button on the left and select :
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
    • All of your hard drives
    Click on the Advanced button on the left and select:
    • Include additional process information
    • Include additional file information
    • Include environment information
    Click the Tweak button and select:
    • Under the Scanning Engine:
      • Unload recognized processes & modules during scan
      • Include additional Ad-aware settings in logfile
    • Under the Cleaning Engine:
      • Let Windows remove files in use at next reboot
    Click on Proceed to save the settings.

    Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
    • Use Custom Scanning Options
    Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

    Save the log file when it asks and then click Finish

    When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

    Boot into Safe Mode and delete the following files and folders:

    C:\Program Files\Xupiter
    C:\WINDOWS\Application Data\saaw.exe
    C:\WINDOWS\SYSTEM\DGEELI.DLL
    C:\WINDOWS\SYSTEM\MSIDNTUD.DLL

    Reboot your computer and post a fresh Hijack This log

  8. #8
    Jeff B is offline Newbie
    owen,

    After clicking Fix Checked, starting APM says that this program has performed an illegal operation and will be shut down.

    following details:
    APM executed an invalid instruction in module <unknown> at 0000:00000000.
    Registers:
    EAX=004226dc CS=015f EIP=00000000 EFLGS=00010202
    EBX=004226dc SS=0167 ESP=0064f368 EBP=0064f8f4
    ECX=00000000 DS=0167 ESI=00000000 FS=60cf
    EDX=00000000 ES=0167 EDI=00000000 GS=3916
    Bytes at CS:EIP:
    ff ff ff ff 65 04 70 00 16 00 b5 d0 65 04 70 00
    Stack dump:
    00402cfe 004226dc 00000064 0064f4a4 00000000
    00000000 00000000 00000000 00000000 00000000
    00000000 00000000 00000000 00000000 00000000
    00000000

  9. #9
    owen is offline D-A-L Team Member (UK)
    Sorry, my MASSIVE mistake. APM only works on Windows 2000 and XP. Instead of killing the file using APM, do the rest of the steps but replace that section with these instructions:

    Download the Pocket Killbox from here.

    Unzip it and run the program.

    Put a check in the Delete on Reboot box.

    Enter each of these lines into the white box one by one and then press the red X button. It first asks you to confirm the deletion after each entry is added and the red X is pressed; click Yes. It then asks whether you want to reboot; click No each time until the last entry has been entered.

    C:\WINDOWS\SYSTEM\DGEELI.DLL

  10. #10
    Jeff B is offline Newbie
    owen,

    let's see

    Logfile of HijackThis v1.99.0
    Scan saved at 6:20:34 PM, on 1/3/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPDCLNT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\SKW2\REMIND.EXE
    C:\SCANNER\EXE16\AM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\EXTENDED KEYBOARD\HPMMKBD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\SMARTDSK\FLASH\FLSHSTAT.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACK THIS\HIJACKTHIS[1].EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: load=C:\SKW2\remind.exe
    F1 - win.ini: run=C:\SCANNER\EXE16\AM.EXE hpfsched
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {CC0417D5-5D5A-11D9-B74A-0060A184895C} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O2 - BHO: msidntud - {6C614AB5-8F9E-ADB5-3619-7B9A836A0194} - C:\WINDOWS\SYSTEM\MSIDNTUD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Welcome] c:\windows\welcome.exe
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
    O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - Startup: Flashpath Status.lnk = C:\SMARTDSK\FLASH\FLSHSTAT.EXE
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\PROGRA~1\PLUS!\MICROS~1\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.68.234.141/activex/AxisCamControl.cab
    O18 - Filter: text/html - {CC0417D4-5D5A-11D9-B74A-0060CEC82CC7} - C:\WINDOWS\SYSTEM\DGEELI.DLL
    O18 - Filter: text/plain - {CC0417D4-5D5A-11D9-B74A-0060CEC82CC7} - C:\WINDOWS\SYSTEM\DGEELI.DLL
