IE Redirection. Please help and see my Hijack this log

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Can someone assist me? I am running Win98 and my IE has
been Hijacked. I have run Ad-Aware,Spy-bot,Zone-Alarm
and Aluria and I can not stop the browser from
redirecting itself. IE will launch all by itself if I
leave the machine running. Any ideas would be
appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 9:29:29 PM, on 2/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\N20050308.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALURIA SECURITY CENTER\SECURITYCENTER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK EXE\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL
= about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/s
p/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.yahoo.com/old
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/s
u/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Window Title = Microsoft Internet Explorer
provided by Comcast High-Speed Internet
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,AutoConfigURL = http://proxsrv.ext.ray.com/proxy
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = http=192.168.0.1
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-
00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-
70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-
70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2
\SSKBHO.DLL (file missing)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-
0050FC5441CB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-
0090271D4F88} - C:\PROGRAM FILES\YAHOO!
\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft
Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton
Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program
Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [StillImageMonitor]
C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Aluria Security Center] C:\PROGRAM
FILES\ALURIA SECURITY CENTER\SecurityCenter.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program
Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1
\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1
\defwatch.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco
Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program
Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [TrueVector]
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Office Startup.lnk = C:\Program
Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet
Explorer\Control Panel present
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1
\Plugins\NPDocBox.dll
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1
\PLUGINS\nppdf32.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX
ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
(InstallShield International Setup Player) -
http://www.installengine.com/engine/isetup.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95}
(Windows Media Player) -
http://activex.microsoft.com/activex/controls/mplayer/en/n
smp2inf.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C}
(ContentAuditX Control) -
http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch
..com/audit/includes/ContentAuditControl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yins
t20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE
Class) -
http://207.188.7.150/05b30587c5b6af3d2116/netzip/RdxIE601.
cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove
Control) -
http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782}
(Uploader Class) -
http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000}
(Surround Video V3.0 Control Object) -
http://secure.sunterra.com/europe/downloads/svideo3.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C}
(Loader2 Control) -
http://static.topconverting.com/activex/loader2.ocx
 
Download lspfix.exe first (read about it and run it).
Then try loading Microsoft Antispyware and take all the
defaults when installing.

-----Original Message-----
Can someone assist me? I am running Win98 and my IE has
been Hijacked. I have run Ad-Aware,Spy-bot,Zone-Alarm
and Aluria and I can not stop the browser from
redirecting itself. IE will launch all by itself if I
leave the machine running. Any ideas would be
appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 9:29:29 PM, on 2/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\N20050308.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALURIA SECURITY CENTER\SECURITYCENTER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK EXE\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL
= about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/s
p/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.yahoo.com/old
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/s
u/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Window Title = Microsoft Internet Explorer
provided by Comcast High-Speed Internet
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,AutoConfigURL = http://proxsrv.ext.ray.com/proxy
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = http=192.168.0.1
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-
00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-
70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-
70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2
\SSKBHO.DLL (file missing)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-
0050FC5441CB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-
0090271D4F88} - C:\PROGRAM FILES\YAHOO!
\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft
Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton
Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program
Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [StillImageMonitor]
C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Aluria Security Center] C:\PROGRAM
FILES\ALURIA SECURITY CENTER\SecurityCenter.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program
Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1
\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1
\defwatch.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco
Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program
Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [TrueVector]
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Office Startup.lnk = C:\Program
Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet
Explorer\Control Panel present
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1
\Plugins\NPDocBox.dll
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1
\PLUGINS\nppdf32.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX
ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
(InstallShield International Setup Player) -
http://www.installengine.com/engine/isetup.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95}
(Windows Media Player) -
http://activex.microsoft.com/activex/controls/mplayer/en/n
smp2inf.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C}
(ContentAuditX Control) -
http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch
..com/audit/includes/ContentAuditControl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yins
t20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE
Class) -
http://207.188.7.150/05b30587c5b6af3d2116/netzip/RdxIE601.
cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove
Control) -
http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782}
(Uploader Class) -
http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000}
(Surround Video V3.0 Control Object) -
http://secure.sunterra.com/europe/downloads/svideo3.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C}
(Loader2 Control) -
http://static.topconverting.com/activex/loader2.ocx


.
Click to expand...
 
Call Bill Gates on the phone. Or better yet, send him an
email. I think he still receives them.
-----Original Message-----
Can someone assist me? I am running Win98 and my IE has
been Hijacked. I have run Ad-Aware,Spy-bot,Zone-Alarm
and Aluria and I can not stop the browser from
redirecting itself. IE will launch all by itself if I
leave the machine running. Any ideas would be
appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 9:29:29 PM, on 2/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\N20050308.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALURIA SECURITY CENTER\SECURITYCENTER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK EXE\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL
= about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/s
p/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.yahoo.com/old
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/s
u/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Window Title = Microsoft Internet Explorer
provided by Comcast High-Speed Internet
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,AutoConfigURL = http://proxsrv.ext.ray.com/proxy
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = http=192.168.0.1
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-
00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-
70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-
70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2
\SSKBHO.DLL (file missing)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-
0050FC5441CB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-
0090271D4F88} - C:\PROGRAM FILES\YAHOO!
\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft
Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton
Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program
Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [StillImageMonitor]
C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Aluria Security Center] C:\PROGRAM
FILES\ALURIA SECURITY CENTER\SecurityCenter.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program
Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1
\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1
\defwatch.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco
Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program
Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [TrueVector]
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Office Startup.lnk = C:\Program
Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet
Explorer\Control Panel present
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1
\Plugins\NPDocBox.dll
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1
\PLUGINS\nppdf32.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX
ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
(InstallShield International Setup Player) -
http://www.installengine.com/engine/isetup.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95}
(Windows Media Player) -
http://activex.microsoft.com/activex/controls/mplayer/en/n
smp2inf.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C}
(ContentAuditX Control) -
http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch
..com/audit/includes/ContentAuditControl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yins
t20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE
Class) -
http://207.188.7.150/05b30587c5b6af3d2116/netzip/RdxIE601.
cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove
Control) -
http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782}
(Uploader Class) -
http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000}
(Surround Video V3.0 Control Object) -
http://secure.sunterra.com/europe/downloads/svideo3.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C}
(Loader2 Control) -
http://static.topconverting.com/activex/loader2.ocx


.
Click to expand...
 
Have you tried running those 3rd party utilities in Safe Mode? MS
AntiSpyware does not run Windows 98 anymore, unless you can acquire an older
version that was supported by GIANT.

--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Can someone assist me? I am running Win98 and my IE has
been Hijacked. I have run Ad-Aware,Spy-bot,Zone-Alarm
and Aluria and I can not stop the browser from
redirecting itself. IE will launch all by itself if I
leave the machine running. Any ideas would be
appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 9:29:29 PM, on 2/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\N20050308.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALURIA SECURITY CENTER\SECURITYCENTER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK EXE\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL
= about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/s
p/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.yahoo.com/old
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/s
u/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Window Title = Microsoft Internet Explorer
provided by Comcast High-Speed Internet
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,AutoConfigURL = http://proxsrv.ext.ray.com/proxy
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = http=192.168.0.1
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-
00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-
70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-
70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2
\SSKBHO.DLL (file missing)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-
0050FC5441CB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-
0090271D4F88} - C:\PROGRAM FILES\YAHOO!
\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft
Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton
Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program
Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [StillImageMonitor]
C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Aluria Security Center] C:\PROGRAM
FILES\ALURIA SECURITY CENTER\SecurityCenter.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program
Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1
\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1
\defwatch.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco
Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program
Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [TrueVector]
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Office Startup.lnk = C:\Program
Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet
Explorer\Control Panel present
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP:
c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1
\Plugins\NPDocBox.dll
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1
\PLUGINS\nppdf32.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX
ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
(InstallShield International Setup Player) -
http://www.installengine.com/engine/isetup.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95}
(Windows Media Player) -
http://activex.microsoft.com/activex/controls/mplayer/en/n
smp2inf.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C}
(ContentAuditX Control) -
http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch
.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yins
t20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE
Class) -
http://207.188.7.150/05b30587c5b6af3d2116/netzip/RdxIE601.
cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove
Control) -
http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782}
(Uploader Class) -
http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000}
(Surround Video V3.0 Control Object) -
http://secure.sunterra.com/europe/downloads/svideo3.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C}
(Loader2 Control) -
http://static.topconverting.com/activex/loader2.ocx
Click to expand...
 
Without going into your hijack this log to much i can see
your browser is being hijacked

About:this is a adware parasite also know as CWS Aboutthis

First step would be to run

http://cwshredder.net/bin/CWShredder.exe

and see what it finds then download,install update and
run

spybot search & destroy
http://www.download.com/Spybot-Search-Destroy/3000-8022-
10122137.html?part=dl-spybot&subj=dl&tag=but

Then Adaware se also with adaware get the VX Cleaner
plugin available from lavasofts site for peace of mind as
they are all free,

http://www.download.com/3000-2144-10045910.html?
part=69274&subj=dlpage&tag=button

Then get spyware blaster.
http://majorgeeks.com/downloadget.php?
id=2859&file=9&evp=61b0e8ad41924a03c37615f4682b4cef

Next disable your system restore as these Worms/Viruses
like to hide in the protected windows files which make
them hard to remove or be detected.

Then boot into safe mode (On the bios screen keep tapping
F8 untill you get the option screen) then choose safe
mode

Run cws shredder,spybot s&d and adaware(on adaware choose
the plugins and also run the vx cleaner) and remove
anything it finds.

Reboot your pc then go to any of these and run a online
scan (best to go for at least 2 different ones)

http://uk.trendmicro-
europe.com/consumer/products/housecall_pre.php
http://www.pandasoftware.com/activescan/com/activescan_pri
ncipal.htm
http://www.bitdefender.com/scan/licence.php
http://www.ravantivirus.com/scan/
www.symantec.com/cgi-bin/securitycheck.cgi

Then run spyware blaster and enable all protection

Then if the problems are not solved reply again and i
will look into your log abit deeper

Regards Andy
 
Should of put about:blank rather than about:this
apologies for that thats what i get for watching tv while
type :) I just noticed my mistake Anyway Mate follow them
tips and see how you go
 
Hi again Where do we start?? You have mutiple
spyware,Adware,Hijackers and probably a few
trojans/Viruses.

You may need to be in safe mode for some of this or even
decide its easier to format and start again,But if you
follow all this your system will be clean(I dont think MS
Antispy has the ability to sort all your problems or any
other one program to be honest so i'm going for over kill
to remove all the nasties)

I've been reviewing your log and you have some nasty
problems and can understand why your PC has a mind of its
own,The quick solution is to back up your important files
and reformat the partition but thats no fun and you lose
all your work so the other option is to find every nasty
and destroy it

So Lets begin and hope this provides some use to you and
other users.

First try all the stuff i advised in my other post Ad-
aware(with VX Cleaner),Spybot S&D & CWShredder

Download AboutBuster (New CWS Variation Removal tool)

http://www.malwarebytes.biz/AboutBuster.zip

Now double click AboutBuster.exe
Click Start then click OK. This will scan your computer
for the bad files and delete them. Save the report

Now from the add/remove screen delete (If shown)

Viewpoint
TIS
SurfSideKick 2

Reboot into Safe Mode (hit F8 key until menu shows up).
Make sure to close any open browsers. Go into HijackThis-
Config->Misc. Tools->Open process manager. Select the
Click to expand...
following and click Kill process for each one if they are
still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\yurukw.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\n20050308.exe


Then remove these if you find them (You can search for
them by going to start,search then choose tools on the
top bar and go to folder options,then go to the second
page which is view and make sure there is a tick next to
show hidden files and folders)Then back to the search bar
and choose to look in my computer and look for the
following

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\morgn32.exe
C:\WINDOWS\System32\mgmtok.exe
C:\Documents and Settings\me.D54P7051\Local
Settings\Temp\TIS\Setup\pcc.exe
C:\WINDOWS\System32\winupdt.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\SurfSideKick 2\SskBho.dll
C:\WINDOWS\bxxs5.dll
C:\WINDOWS\multimpp.dll
C:\WINDOWS\localNRD.dll
C:\WINDOWS\Helper100.dll
C:\WINDOWS\Zzhltycf.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
C:\WINDOWS\System32\ubbkp.dll
C:\WINDOWS\Zzhltycf.dll
C:\WINDOWS\System32\winupdtl.exe
C:\WINDOWS\System32\ubbkpc.exe
C:\WINDOWS\System32\urobkb.exe
C:\WINDOWS\wupdt.exe

Run a scan in HijackThis. Check each of the following and
hit 'Fix checked' (after checking them) if they still
exist (make sure not to miss any):

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ViewMgr] C:\Program
Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program
Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32
\n20050308.exe

Run AboutBuster Again and follow the prompts to scan
(choose Yes/OK for all). It will ask you if you want a
second scan, choose Yes.

Delete the following Files/Folders (delete folders if no
filename is specified) according to their directory (if
none, just do a search for them) and delete them if they
exist:

C:\WINDOWS\system32\yurukw.exe
C:\Program Files\Viewpoint\
C:\WINDOWS\system32\n20050308.exe
C:\WINDOWS\ozhpz.dll
C:\Program Files\DeskAd Service\

Round one to us :) Now for the look2me infection that you
have

For all having problems with the 69.20.16.183 ip address,
you'll want to run a virus scan with updated definitions
of your
javacache. I think the Look2Me somehow uses the a
java.byteverifier trojan to execute code in the .dlls.

if you have the following in your Hosts file x, you are
infected with
Look2Me, a particularly nasty malware.

Hosts: 69.20.16.183 ieautosearch
Hosts: 69.20.16.183 search.netscape.com
Hosts: 69.20.16.183 auto.search.msn.com

To check the Hosts file, either scan with Hijack This or
open the
Host file with Notepad. The Host file is typically at
C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS.

Also:

When Look2Me runs, it does the following:

1. Adds the registry keys:

HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-
B9FD0631E726}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\ShellExtensions\Approved\{DDFFA-E81D-4454-89FC-
B9FD0631E726}
HKEY_CURRENT_USER\Software\Look2Me

This doesnt work for everyone but theres 2 ways to deal
with it so heres the first

Look2me removal Tool

http://www.pchell.com/downloads/removel2me.vbs

Save it to c:\

This is a Visual Basic Scripting file, so you'll have to
have the Windows Scripting Host installed. If needed, you
can download the following file to disable/enable the
Windows Scripting Host.

Click here to download noscript.exe

http://www.symantec.com/avcenter/noscript.exe

Also save it to c:\

In Windows 95/98/ME, Press CTRL+ATL+DEL.
In Windows NT/2000/XP, Press CTRL+ALT+DEL, Select the
Task Manager if needed, and click on the Processes tab.

3. In the list of programs, click on EXPLORER.EXE and
select End Task or End Process. Repeat this procedure
until no explorer.exe process is running (The Start Menu,
Task Bar, and System Tray will disappear).

4. Click the green Start button, click the Run button,
and type the path to the script you saved.

c:\removel2me.vbs

(If it doesn't run, run the noscript.exe program you also
downloaded.)


5. Click Ok.

6. Click Shutdown on the Task Manager toolbar and scroll
down to Restart your computer.

Removing Look2Me From registry (Carefull!! & skip if you
do not feel confident using regedit)

1. Click Start, and then click Run. (The Run dialog box
appears.)
2. Type regedit

Then click OK. (The Registry Editor opens.)

3. In the right pane, delete the registry keys:

HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-
B9FD0631E726}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\ShellExtensions\Approved\{DDFFA-E81D-4454-89FC-
B9FD0631E726}

HKEY_CURRENT_USER\Software\Look2Me

4. Exit the Registry Editor.

As already suggested my one of this forums members
Download LSPFix and run it.

http://www.greyknight17.com/spy/LSPFix.exe

Click on cdlsp.dll on the left window and click on the
arrow pointing to the right. Click Finish and follow the
prompts.

Next Problem to deal with AutoUpdate.exe (AproposMedia)

Type: Adware

Related files: sysmonn.exe,
sysmono.exe, monpop.exe, AutoUpdate.exe,
popsrv184.exe, popsrv185.exe, popsrv205.exe, POP205.DLL

search for all and delete any found

Next Problem ak-networks.com (AKLSP.DLL)

Company
ak-networks.com

Description
AKLSP.DLL

Adware applications, toolbars and browser extensions may
serve advertisements even while you are not surfing the
Internet.

This application may serve various types of advertising,
not limited to pop-up ads.

Search for it again and delete if found

Download and run trojan hunter (30 day trial)

http://www.misec.net/products/TrojanHunter.exe

Next for VX

VX FINDER

http://www.greyknight17.com/spy/VX2Finder.exe

1: Shut off all open programs including printer and
anything in the System Tray (virus scan, popup blocker,
etc.).
2: Double click the VX2FinderNT.exe/VX2Finder.exe to
launch the utility.
3: Click on Find VX2.BetterInternet button. The utility
will display the bugs if they're there.
4. Click on make log

Run VX2FinderNT.exe/VX2Finder.exe again and click the
Click to Find VX2.BetterInternet button again. Place
checkmarks next to each file and click the Delete these
Files button. Click OK to each confirmation message.

Click the Open regedit button. Look for a Guardian...
line in the left column.

If it is there, then highlight the Guardian... line in
the left column, right click it and choose
Security/permissions. You'll get another window with
advanced. Uncheck the lower box with inheritable
permissions. Click Ok and then choose remove on the
following security prompt. Restart computer.

After a restart, double click
VX2FinderNT.exe/VX2Finder.exe again, click the Click to
Find Vx2.BetterInternet button again. Place a checkmark
next to the remaining file(s) and click the Delete these
Files button. Then click the User Agent$ button to remove
the registry entry.

Click the Open regedit button again. Highlight the
Guardian... line in the left column, right click it and
choose Security/permissions. You'll get another window
with advanced. Place a checkmark in the lower box with
inheritable permissions. Close the registry editor Click
the Guardian.reg key and Yes to the confirmation. This
deletes that Guardian Key in the registry.

Click the 'Click to Find Vx2.BetterInternet' button again
and you should get a clean log of blank values. If it
looks different than this, then click the Make Log

A clean log looks like this:

Files Found---

Guardian Key--- is called:

User Agent String---

Then click the Restore Policy button to restore the Debug
policy altered in the look2Me installation. Reboot your
computer when prompted to.

If your still with me and havent just gone and bought a
new pc in the time this takes to write then we are nearly
there and your system should be looking better

RdxIE601.cab is also spyware have hijack this delete it

Loader2 (Another problem and probably where Look2me came
from)

TopConverting is an ActiveX downloader control
distributed by topconverting.com/crazywinnings.com, with
the filename loader2.ocx or mp3.ocx.

It is not a threat in itself, as once it has been
installed it cannot be re-used, but having it is a sign
that is was used to install other parasites.

TopConverting has been seen to install at least the
following parasites:

nCase/180ax
Huntbar/WinTools
BargainBuddy
InternetOptimizer
TVMedia/SSK
Look2Me/v3
It may also install some a desktop game from
CrazyWinnings.

Also known as
CrazyWinnings. Loader2, after the ActiveX control name.

Distribution
Installed by an 'aggressive' ActiveX drive-by-downloader
(reloading until the download is accepted) on unrelated
web pages.

Also installed by using IE security holes, lowering
security settings so that the software installs
automatically, from CoolWebSearch exploits.

Removal
Open the Downloaded Program Files folder
(which you can find inside the Windows
folder.C/drive,windows then downloaded program files).
Right-click and Remove the entry 'Loader2 Control'.


If you are still having problems then download TDS-3

http://www.diamondcs.com.au/tds/downloads/tds3setup.exe

Instructions can be found here:

http://tds.diamondcs.com.au/index.php?page=easytouse


After downloading TDS, don't forget
to update to the latest database

After update ,when you launch the program ,it will scan
your memory running programs ,and after 20 to 30 seconds
(u ll see this message :trace scan finished) ,it s not
finished yet ,you MUST click on SYSTEM TESTING ,a tab
opens then CLICK SCAN FULL SYSTEM .

If it finds trojans right click on each in the lower
half ,and delete each one of them ?

Then finally

Del Domains

http://www.mvps.org/winhelp2002/DelDomains.inf

Download this file to your desktop.

Right-click on the deldomains.inf file and
select 'Install'

Once it is finished your Zones will be reset.


Now its clean up Time ;o)

You might need to reset registry keys so if you have your
xp disk place it in the drive then go to
start then to run and type SFC /SCANNOW (Remember the
space after SFC)

Then to Start,Run and type %temp%
Delete everything you can from here as temporary files
are not needed,dont worry if you cant remove them all
just take as much as you can

And if that doesnt sort all your problems then before
posting another hijack this log go to:

Microworlds Escan (Virus scanner will not remove them
though only say where they are)

http://www.mwti.net/antivirus/free_utilities.asp


A nice little program for checking suspicious files is:
http://virusscan.jotti.org/
Which uses 12 virus search engines to check any files you
upload and only takes a couple of seconds to display the
results


And to prevent similar attacks get the spyware blaster
from the other post i made and spyware guard below

Spyware Guard

http://www.javacoolsoftware.net/downloads/spywareguardsetu
p.exe

Fast Real-Time Scanning engine - catch and block spyware
before it is executed (EXE and CAB files supported) with
signature-based scanning for known spyware and
heuristic/generic detection capabilities to catch
new/mutated spyware

Then finally go to start,Run again and then type in
cleanmgr to perform disk cleanup

I think i have gone abit over kill here but you have that
many problems i dont think any one program will sort them
for you.Like i say it might be easier to do a fresh
install and start again with protection to prevent
similar attacks.But whichever sites you used to get them
if you visit them again the problems will come
back.Enable the spybot immunize and spyware blasters
protection and that will help you alot in the future

Good luck Andy
 
Back
Top