Please help........


Sillyoldman
05-30-2005, 11:47 AM
I posted a log a while back, but fear of info sharing made me delete it. Heck, someone's already in my computer, so there is nothing more to lose.

I have tried just about every spyware tool to no avail. I am not knowledgeable enough to safely delete programs on my own. I have a nasty browser hijack that sends anti-spyware ads and some inappropriate sites. I am close to destroying my PC and starting over.

Logfile of HijackThis v1.99.1
Scan saved at 8:39:58 AM, on 5/30/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\9AGISIOBE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\DIALER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\NSACCEL.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\CSS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\PBHELPER.DLL
O2 - BHO: (no name) - {78701C17-94F8-4CA1-B455-B0F420FD6AA9} - C:\WINDOWS\SYSTEM\HIHHCA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [A2CFA25E] C:\WINDOWS\SYSTEM\9AGISIOBE.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [A2CFA25E] C:\WINDOWS\SYSTEM\9AGISIOBE.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\NSACCEL.EXE/227
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\NSACCEL.EXE/250
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O15 - Trusted Zone: http://*.qck.cc
O15 - Trusted Zone: http://*.topresearch.info
O18 - Filter: text/html - {DE70605C-FD24-443B-AC89-2C9C555EAFC7} - C:\WINDOWS\SYSTEM\HIHHCA.DLL
O18 - Filter: text/plain - {DE70605C-FD24-443B-AC89-2C9C555EAFC7} - C:\WINDOWS\SYSTEM\HIHHCA.DLL


barn9
05-30-2005, 01:22 PM
Did you check out the "Sticky" posted by Shifty at the top of this page? That may be the direction to take since he is out of town. Good luck.

Josh
05-30-2005, 07:55 PM
Ok, from what I see you need to fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {78701C17-94F8-4CA1-B455-B0F420FD6AA9} - C:\WINDOWS\SYSTEM\HIHHCA.DLL
O15 - Trusted Zone: http://*.qck.cc
O15 - Trusted Zone: http://*.topresearch.info
O18 - Filter: text/html - {DE70605C-FD24-443B-AC89-2C9C555EAFC7} - C:\WINDOWS\SYSTEM\HIHHCA.DLL
O18 - Filter: text/plain - {DE70605C-FD24-443B-AC89-2C9C555EAFC7} - C:\WINDOWS\SYSTEM\HIHHCA.DLL

There may be a few others but I'm unfamiliar with Windows ME and not sure of what all runs on it usually... Also go to http://housecall.trendmicro.com/ and run the new Beta scanner, and fix everything. Once all that is done, repost your HiJack This! logfile.

Josh

Sillyoldman
05-31-2005, 03:04 PM
Not sure how (or if) I fixed it. The virus is either gone or dwelling the depths of my PC waiting to strike. Thanks for the help!!

Logfile of HijackThis v1.99.1
Scan saved at 12:00:27 PM, on 5/31/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\DIALER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\NSACCEL.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\CSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {CB691C62-7F95-4180-A816-5D3AB3B1E73E} - C:\WINDOWS\SYSTEM\HIHHCA.DLL
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\NSACCEL.EXE/227
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\NSACCEL.EXE/250
O18 - Filter: text/html - {B5338660-2125-49A6-95E2-36763A254572} - C:\WINDOWS\SYSTEM\HIHHCA.DLL
O18 - Filter: text/plain - {B5338660-2125-49A6-95E2-36763A254572} - C:\WINDOWS\SYSTEM\HIHHCA.DLL

shifty
05-31-2005, 05:30 PM
Oops...guess I was too late. :( I sent a PM to you telling you how to fix the old log, but I've been gone for almost two weeks in Vegas.

It's cool that you think it's clean, but ... you're still infected.

You need to go to C:\Windows\Temp\ and rename the file se.dll ( make it se.dll.old )
You need to go to C:\WINDOWS\SYSTEM and rename the file HIHHCA.DLL ( make it HIHHCA.DLL.old )

Next, close all of your open program windows, scan with HijackThis and fix these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html

O2 - BHO: (no name) - {CB691C62-7F95-4180-A816-5D3AB3B1E73E} - C:\WINDOWS\SYSTEM\HIHHCA.DLL

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O18 - Filter: text/html - {B5338660-2125-49A6-95E2-36763A254572} - C:\WINDOWS\SYSTEM\HIHHCA.DLL
O18 - Filter: text/plain - {B5338660-2125-49A6-95E2-36763A254572} - C:\WINDOWS\SYSTEM\HIHHCA.DLL


Reboot, scan again and make sure the "se.dll" lines did not come back. Also, look for the "Filter: text/html" line and find the random DLL name in that line - remove any lines containing that.

Liz
05-31-2005, 05:58 PM
shifty

What are these anyway? I read up a bit but everyone seems to have a different opinion on 'em, none good ;) but curious I be now.

O18 - Filter: text/html - {B5338660-2125-49A6-95E2-36763A254572} - C:\WINDOWS\SYSTEM\HIHHCA.DLL
O18 - Filter: text/plain - {B5338660-2125-49A6-95E2-36763A254572} - C:\WINDOWS\SYSTEM\HIHHCA.DLL

shifty
05-31-2005, 06:41 PM
They're malicious. Every time you try to remove them, they re-add themselves with a random six-letter filename.

Example: The first log S.O.M. gave me they were:

O18 - Filter: text/html - {BAD75D07-B12E-4E9C-A737-D97F5FAF7837} - C:\WINDOWS\SYSTEM\CGNCCA.DLL
O18 - Filter: text/plain - {BAD75D07-B12E-4E9C-A737-D97F5FAF7837} - C:\WINDOWS\SYSTEM\CGNCCA.DLL


With the one he just posted above, they are:

O18 - Filter: text/html - {B5338660-2125-49A6-95E2-36763A254572} - C:\WINDOWS\SYSTEM\HIHHCA.DLL
O18 - Filter: text/plain - {B5338660-2125-49A6-95E2-36763A254572} - C:\WINDOWS\SYSTEM\HIHHCA.DLL


I'm sorry, but there isn't a legitimate file on the planet that will re-integrate itself into Windows using random filenames. It's spyware. There is no way it couldn't be. If I had the DLL, I could probably crack it open and look at the hooks and other things to see what it does or allows.

shifty
05-31-2005, 06:43 PM
The worst part is I looked up the CLSID ({B5338660-2125-49A6-95E2-36763A254572}) and can't find jack on the web anywhere about it. Maybe it generates the CLSID randomly based on hardware? I can't figure that one out.

Liz
05-31-2005, 07:26 PM
/geek mode off TMI :lol: