I need help. My browser has been hijacked by dr.webservicehosts.com

The browser also sometimes gets hijacked by blazefind.

I have read a number of posts on fixing these issues with hijack this, but my computer knowledge is limited and I want to make sure that I don't delete or do anything that's not correct. Can someone help? Thanks in advance.

jfkayler

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 5:47:35 PM, on 3/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James Kayler\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135815410&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135815410&id=5.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135815410&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135815410&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php?account_id=3004
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~1\WIACA5~1\WinSB1.DLL
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM32\z04g0.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\d65y.dll
O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WIACA5~1\WinSB1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\RunOnce: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe /k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\RunOnce: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe /k
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Hello James and welcome to the forum. Did you install this: C:\Program Files\AdwareAlert\AdwareAlert.Exe see this information: http://castlecops.com/startuplist-9265.html
If you did not install it or don't know if it is the latest version, please use Add Remove programs to uninstall it. You have a lot of nasty junk, please follow these directions and in the posted order.

1) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

2) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/) it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidese...5815410&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidese...5815410&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidese...5815410&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidese...5815410&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page...ccount_id=3004
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~1\WIACA5~1\WinSB1.DLL
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM32\z04g0.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\d65y.dll
O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WIACA5~1\WinSB1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
(leave the next if you bought it and know it is safe)
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\enhupdt.exe >>> file

C:\Program Files\AdwareAlert\ >>> folder (same as above)

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

If you don't have a good cleaner, use this free one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help. How is the computer running now?

Thanks...pskelley
Safer Networking Forums

pskelly:

I just completed your fix and my IE browser seems to be working great. All the sites where I would get redirected before now work. I can't thank you enough!

Do you have a recommendation for any firewalls or other software to prevent this stuff in the future? Thanks again. My ewido and new HJT logs are posted below.

James

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:59:27 PM, 3/31/2006
+ Report-Checksum: DCAC466A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{4A25D449-2BAA-4426-A992-D18CA70CF5A9} -> Trojan.Kolweb.b : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} -> Trojan.Kolweb.b : Cleaned with backup
HKLM\SOFTWARE\Classes\WindowsSB.Band -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WindowsSB.Band\CLSID -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WindowsSB.Band\CurVer -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WindowsSB.Band.1 -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WindowsSB.EventHandler -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WindowsSB.EventHandler\CLSID -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WindowsSB.EventHandler\CurVer -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WindowsSB.EventHandler.1 -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A25D449-2BAA-4426-A992-D18CA70CF5A9} -> Trojan.Kolweb.b : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} -> Trojan.Kolweb.b : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\unebmm350 -> Adware.MoneyMaker : Cleaned with backup
[3940] C:\WINDOWS\enhtb.dll -> Adware.NoName : Cleaned with backup
C:\command.exe -> Dropper.Delf.ev : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@abetterinternet[2].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@ads18.bpath[1].txt -> TrackingCookie.Bpath : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@e-2dj6wjkoegdpkko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@e-2dj6wjkysidzwfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@e-2dj6wjl4wncpwco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@e-2dj6wjloagdjabo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@eztracks.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@kohler.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@master.mx-targeting[2].txt -> TrackingCookie.Mx-targeting : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@paidmarketingpanel.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@primediabusiness.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@sento.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@stpetersburgtimes.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\James Kayler\Cookies\james kayler@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\James Kayler\Local Settings\Temp\ADa01860\enhupdt.exe -> Downloader.OneClickNetSearch.h : Cleaned with backup
C:\Documents and Settings\James Kayler\Local Settings\Temp\atiupdate.exe -> Downloader.Delf.go : Cleaned with backup
C:\Documents and Settings\James Kayler\Local Settings\Temp\M0a02760\enhupdt.exe -> Downloader.Intexp.c : Cleaned with backup
C:\Documents and Settings\James Kayler\Local Settings\Temp\mdc.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\Documents and Settings\James Kayler\Local Settings\Temp\mynut2.exe/enhupdt.exe -> Downloader.Intexp.c : Error during cleaning
C:\Documents and Settings\James Kayler\Local Settings\Temp\randreco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\James Kayler\Local Settings\Temp\temp.fr6D61 -> Trojan.Kolweb.a : Cleaned with backup
C:\Documents and Settings\James Kayler\Local Settings\Temp\temp.frC588 -> Trojan.Kolweb.a : Cleaned with backup
C:\Documents and Settings\James Kayler\Local Settings\Temp\THI2FB4.tmp\WSEbate1.exe -> Adware.HelpExpress : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\james kayler@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\james kayler@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\james kayler@cliks[1].txt -> TrackingCookie.Cliks : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\james kayler@master.mx-targeting[2].txt -> TrackingCookie.Mx-targeting : Cleaned with backup
C:\Program Files\MBKWBar\IEToolBar.dll -> Adware.MBKWBar : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP206\A0006273.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP206\A0006274.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\enhtb.dll -> Adware.NoName : Cleaned with backup
C:\WINDOWS\enhtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\enhuninstall.exe -> Adware.NoName : Cleaned with backup
C:\WINDOWS\enhupdt.exe -> Downloader.Intexp.c : Cleaned with backup
C:\WINDOWS\mdc.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\SYSTEM32\axuninstall.exe -> Adware.BlazeFind : Cleaned with backup
C:\WINDOWS\SYSTEM32\btf.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\SYSTEM32\e0d1g.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\SYSTEM32\mdc.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\WINDOWS\SYSTEM32\msshed32.exe -> Downloader.Delf.go : Cleaned with backup
C:\WINDOWS\SYSTEM32\o2y.dll -> Trojan.Kolweb.f : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__d65y.dll -> Trojan.Kolweb.f : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:48:12 PM, on 3/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James Kayler\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Hello James, sounds good, let's look at the logs and make sure we got it all, you had a nasty infection. I will post links to expert advice before we finish.

C:\Documents and Settings\James Kayler\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe <<< You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe as we will have no backups. That is why you received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder, I prefer C:\HJT\HijackThis.exe. If you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
I checked and the HJT log was fine where you had it, I do not know why you moved it, but chances are you lost your backups. I would follow these directions.

ewido anti-malware - Scan report Created on: 9:59:27 PM, 3/31/2006
Appears you were able to remove everything ewido located, and I see no surprises. I will post this information for you now: ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Logfile of HijackThis v1.99.1 Scan saved at 10:48:12 PM, on 3/31/2006
Your HJT log is clean and you are good to go, take this information with you: Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Once you review the above information, if any questions are not answered, please let me know.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing...Phil:bigthumb:

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.

Glad we could help. :bigthumb: Thanks Phil.