Hijacked for over a month... can't stand it any longer!!!

  1. 09-09-2004  #1
    AutoXer
    AutoXer is offline Newbie

    Hijacked for over a month... can't stand it any longer!!!

    HELP


    Logfile of HijackThis v1.98.1
    Scan saved at 10:19:43 PM, on 9/8/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wins.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\BHODemon 2\BHODemon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\All Users\Application Data\Lite default sign bleh\Refidle.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\All Users\Application Data\Lite default sign bleh\Refidle.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\HijackThis. exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hlumdwolzkzm.com/q4pDvGTo...hFJ8Q6AUiE.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {AB4B5FD6-2E7F-4599-BCE9-9CFE35C48E78} - C:\WINNT\system32\mlddp.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {B64EC686-AD97-F562-B265-5614338402ED} - C:\Program Files\Info Way Style\idlecool.exe (disabled by BHODemon)
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [CornBurn] C:\PROGRA~1\CASTDV~1\SiteLocks.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~2\CreateCD\CreateCD.exe -r
    O4 - HKLM\..\Run: [SignBlehProgramHeart] C:\Documents and Settings\All Users\Application Data\Lite default sign bleh\Third Anti.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/u...lorer1_8us.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS....viewpoint.com
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.yorkphoto.com/YorkUpload.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/ph...ad/XUpload.ocx
    O18 - Filter: text/html - {B010D97E-05F7-4C94-9FAF-22AB550D7CAD} - C:\WINNT\system32\mlddp.dll
    O18 - Filter: text/plain - {B010D97E-05F7-4C94-9FAF-22AB550D7CAD} - C:\WINNT\system32\mlddp.dll

  3. 09-09-2004  #2
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    Hello,
    Download and install APM from http://www.diamondcs.com.au/index.php?page=apm
    Download Ad-aware SE from: http://www.lavasoft.de/support/download/

    Install the program. We will use it later. After you have done the above, keep Internet Explorer closed throughout this process. This means you may want to print these instructions.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROBBIE~1.TON\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hlumdwolzkzm.com/q4pDvGT...jhFJ8Q6AUiE.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {AB4B5FD6-2E7F-4599-BCE9-9CFE35C48E78} - C:\WINNT\system32\mlddp.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {B64EC686-AD97-F562-B265-5614338402ED} - C:\Program Files\Info Way Style\idlecool.exe (disabled by BHODemon)
    O4 - HKLM\..\Run: [CornBurn] C:\PROGRA~1\CASTDV~1\SiteLocks.exe
    O4 - HKLM\..\Run: [SignBlehProgramHeart] C:\Documents and Settings\All Users\Application Data\Lite default sign bleh\Third Anti.exe
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...r.viewpoint.com
    O18 - Filter: text/html - {B010D97E-05F7-4C94-9FAF-22AB550D7CAD} - C:\WINNT\system32\mlddp.dll
    O18 - Filter: text/plain - {B010D97E-05F7-4C94-9FAF-22AB550D7CAD} - C:\WINNT\system32\mlddp.dll

    Now start APM
    In the top window select explorer.exe
    In the bottom window select mlddp.dll
    Right click mlddp.dll and choose Unload
    Click OK

    Now start Ad-aware
    First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

    Next, we need to configure Ad-aware for a full scan.

    Click on the Gear icon (second from the left) to access the preferences/settings window

    1. In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    2. Click on the Scanning button on the left and select :
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
    • All of your hard drives
    Click on the Advanced button on the left and select:
    • Include additional process information
    • Include additional file information
    • Include environment information
    Click the Tweak button and select:
    • Under the Scanning Engine:
      • Unload recognized processes & modules during scan
      • Include additional Ad-aware settings in logfile
    • Under the Cleaning Engine:
      • Let Windows remove files in use at next reboot
    Click on Proceed to save the settings.

    Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
    • Use Custom Scanning Options
    Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

    Save the log file when it asks and then click Finish

    When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Delete the following folders:
    C:\Program Files\Info Way Style
    C:\Documents and Settings\All Users\Application Data\Lite default sign bleh
    C:\Program Files\CASTDV.......begins with these letters

    Reboot your computer and post a fresh log
+ Reply to Thread
« got hijacking & start-up problems, need help! | take a look at my hijack this log, please »