iq454
Members. Content count: 25. Last visited: Never.
Everything posted by iq454
-
You have to unmount that image and mount the new image (game). If you had something like "Alcohol 120%", you could make many virtual drives without taking any resources from the system. Though, you don't want to do that now, do you?
-
Your browser isn't being hijacked, but you can bet you still have the stuff on your system sending out info... If a file won't delete, all you have to do is go to safe mode to delete it. And also make sure, if you have XP, to turn off System Restore, clean everything, make sure it's clean, then turn System Restore back on and create a new restore point. Then guard yourself like AlecStaar said, and even try those new browsers, they're safer. You might only need IE for special cases. iq
-
After you get HijackThis, scan, then save the log file to the desktop and post it here so we can fix it.
-
There is no option to save as JPEG, because the file you're downloading is a bitmap file... If the file is a JPEG, then it can be saved as either, but if it's a BMP then it can only be saved as that and edited later. IE doesn't handle uncompressed-to-compressed (BMP to JPEG), only JPEG to BMP. BMP is an uncompressed file, JPEG is compressed, meaning it can be both, and IE can handle that... that's why JPEGs can be saved as BMP also, because all it does is uncompress it.
-
A shot in the dark here... what's your system's date?
-
Get ExWatcher from HERE; once extracted, open the readme file and read what it's all about, and it will find the unknown file that's causing the raised exception. Then go HERE, and read up on how you can write your own exception handler if needed, so it doesn't get called up again if you can't find the troublesome file raising the exception.
-
Good job in resolving your own issue. If you can take the time to explain exactly how and what you did to resolve this, it would be much appreciated in case another case like yours ever turns up. You might want to check HERE for reasons how it could've happened, so as to be aware of the main thing(s) causing it, in case it happens again. It also explains procedures to use to narrow the problem down, and may even resolve future cases you may have.
-
Google is a good place to find out what error codes mean. In your case, "Error Code : 88780078". Give him your sound card's model; if this is too technical for you to find, then try and find what sound card brand it is at least; he would then be able to point you in the right direction. The more information you can give, the easier it would be for him (or anyone that knows) to fix your problem in a timely manner, and it will be less confusing for everybody who responds. PS: If you're totally new to computers, say that you're a total "newbie" in your posts so we can at least know what your knowledge is and how technical to be with you.
-
Edit: corrections.. "write protected"..
-
Yeah, could've been working for Microsoft and making millions, or creating his own programs that maybe save lives, pilots, controlled or anything. I guess he/she has nothing better to do, and gets a rush from it. Thanks for that acknowledgment though.
-
Ahh sorry, I missed your update. Okay, so then you fixed machine 4? Never mind about the log then. Although I'm sure it would be an ActiveX control that's the cause, and then maybe it created a hybrid for Notepad to send info off, which isn't really infected, because I found one file that was write protected, "jlkopi.log". It seems that the main ocx file created dll's and dats first off, and if any one of those files got deleted and we missed one, because all files are exactly the same thing even though the extensions were different (because I checked the JavaScripts), it was still the same file, just many variations of it. And Notepad might have been infected to enable it to plant a log file for feedback on everything that was happening on the system and to the files it created. Now that log file would've created a hybrid link which talks to Notepad every time it's open to record info for the log, and when you hit the net it sends the info back to the creator, and the hybrid change will happen every time you hit the net or change its routined files; it will enable it to tell the main dll to do the redirecting. And if all were deleted and the ocx was left, then that ocx would've created alternate files of different sizes with random names, sort of like a stage 2 infection.

So, stage 1: ocx creates dll and dats, dats get deleted. Stage 2: ocx creates dll. dll gets deleted, ocx creates new dll, and exe's to match. dll gets deleted, exe's can't find active dll, exe's tell ocx that dll can't be found, ocx then creates a new dll with another random name, and exe's to match, ocx finally gets found and deleted, dll can't find ocx and creates more exe's of itself in case it's found, exe's recreate ocx in case both are found, dll gets deleted, exe's create another dll, exe's get deleted, dll creates more exe's with another dll that deletes itself. Restarts stage 2 with new instructions.

ocx creates dll's and exe's with different file names and splits the files into smaller pieces, changing the file size also. And ends there. Then starts all over again if any are left behind. Either of the files left behind (which have all got the same instructions) will create what it needs again to start the process all over. The log file's link to the main ocx, dat, dll, exe's has been severed, Notepad's link to the log file has been severed, the log file goes ape shit and creates more dll's with random names but always the same size from now on, dll's get deleted, BHO turns the dll off, ocx can't find dll, ocx creates new dll, and so on and so forth...

stage 1: dat=56kB x 1, dll x 1, dll (deleted itself) = 19kB = 94kB
stage 2: exe=32kB x 3 = 96kB... exe's are write protected.
exe=32kB x 1, dll = 64kB = 96kB... exe and dll are write protected.
txt=96kB... txt is write protected.
dll=96kB... dll is write protected.
ocx=96kB... ocx is write protected.

Main point? ocx created 2 versions of itself in the beginning, then once that version was found and defeated, it would then create another 6 versions of itself. Even though they are different extensions and different file sizes, they're still the same exact file combined.
-
Tick this also:
O2 - BHO: (no name) - {50B880E0-130E-F77B-46BB-0062598D56CC} - C:\WINDOWS\system32\mfced.dll
Then boot into safe mode, and then delete these:
*C:\WINDOWS\yyali.txt:mdvpi
*C:\WINDOWS\netuy.exe
Then clean these DIRECTORY CONTENTS (don't delete the folder itself):
*C:\Windows\Temp\
*C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
*C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
*C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
*C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Empty your "Recycle Bin", restart, and post a fresh log.
*Note* Next time you post your log, move HijackThis to its own folder; don't place it in your documents or on your desktop.
C:\Documents and Settings\Christophe Lebreton\Desktop\HijackThis.exe <- Incorrect. Put it on your root C:. Example:
C:\HJT\HijackThis.exe <- Correct.
This is just to make sure we can restore the backups it creates if needed.
-
Can anyone help me with this Hijack This log??? PLEASE!
iq454 replied to jenbar3's topic in Security
Originally posted by AlecStaar: Bet they wouldn't think it was so funny if one of their "monsters" pulled a Frankenstein monster on them & wrecked their own work, or the work for say a crucial deadline @ school or on the job for a relative either!
ROF, that's classic HHH.... Hijacker got Hijacked from his own Hijack
-
No probs, I need you to run it so I can check the log to see if I can run you through it, so we don't have to format their machine. It's just easier for me to read the log rather than post back and forth on theories. IQ
-
Ahhhhh, so that's why when I used Notepad it would close down the pad I was reading or using ATT. Good call, Andy. How did you figure that one out? Can you post me a HijackThis log on the 4th machine?
-
Cool, funny that, that was the way I was doing it originally. But I found that I had more files than just one, "I had over 90 files to delete", so I thought to order them by date, but because I had forgotten when I got this and all those dll's that I deleted a few weeks ago, I would be looking for files I had no idea when they were created, so I couldn't order by date. But the new files I could keep track of were created at the same time, 'cause I saw them created on the fly, but what's funny is, their dates didn't match, so I wasn't sure if they were part of the hijack, as the programmer probably thought of this too. So I did it by file size, because this is what I knew for certain.
-
Or, you can go to the registry and delete the entries. Open Start\Run and type in regedit. Be careful here, it's not to be messed with; if you get confused, just use Tweak XP or something.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Scroll the list to find "Serach Extender", "ShoppingWizard", "Home Search Assistant", then right click that folder and delete. Hijack has been destroyed. Mission Accomplished. Game Over. end of line
-
Hey, I found the main programs, they're called "Serach Extender", "ShoppingWizard" and "Home Search Assistant"; go remove them in your Add/Remove Programs. If you've done the procedure I just explained, then it won't find them and it will leave the garbage there; you need something like Tweak XP to delete the entry. They are harmless now though, as the main threat is taken care of.
rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/SearchExtender.html
rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/ShoppingWizard.html
rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/HomeSearchAssistant.html
Maybe it was hooked into the url.dll? Maybe someone from BHO can examine how I defeated it, so we can know what exactly was the main program and how it replicated and why.
-
I have solved this HERE, read it carefully.
-
Yes, IT WORKED. I'll run you through the procedure exactly. I'll try to explain as best I can.

Open your Windows folder and your Windows\system32 folder at the same time and order them both by size. Now, because the file names might be different for all of us (or even the size, for that matter), we have to work off the file size... If yours is different, you can see what to do anyway. These are the sizes to look for (in my case anyway): 19, 56, 91 and 96 kB in your Windows folder AND 32, 64 and 96 kB in your system32 folder. The way to find these files is to check by hovering your mouse over each and every one. If it's part of this hijack, it will not display its type, description or who made it (Microsoft or whoever). So, start in your system32 folder and find all the files that are 96kB, hold the "ctrl" key and hover the mouse over it; if no type, description or maker is displayed, then highlight it; while still holding the "ctrl" key, go up to the next file and check it also; if it has a type, description and maker, then DON'T highlight it, and move on like this until you get all files 96kB in size. DON'T DELETE THEM YET. Keep going up until you find all files that are 64kB also, and do exactly the same thing, then do the same for the files that are 32kB. Once you have them all highlighted, go to your Windows folder that should already be open and find the file that BHODemon reported (it will take 30 seconds to create a new dll), so this is enough time, because all the files we need to delete are already highlighted. ;) The only one we have to take a few seconds to get to is the file in the Windows folder that BHO reported.

Now delete all those files you highlighted in your system32 folder; it will then say "this is a system file, if you delete it, blahblahblah"; just delete it, as this might be the main program that started it all. If it really is a system file we need, then it will say who made it (Microsoft or whoever) when we hover the mouse over it, but if it didn't, then it belongs to this hijack (because all legit files have a description and who made it). Then quickly go into your Windows folder and delete that file BHO reported. That's it. Hijack defeated.

You see the pattern this hijack made? The person who made it was so smart that if someone like me found the files to delete, then the main program (in the system32 folder) would make the same hijack, only in another type of file and maybe location too, but it only goes between the Windows folder and system32 folder (like exe's, dll or txt), and if we found those exe's or whatever and deleted them, it would then make a main dll of 64kB and an exe of 32kB equaling 96kB, or an "ocx" of 64kB and an "exe" of 32kB equaling 96kB, and if we found those dll's, ocx's, txt's, or exe's, it would then make another dll or exe or txt equaling 96kB. The program or hijack actually does have an end, thank god. All of this was to throw us off course, and anything that scanned it. But now we can see that the whole hijack was in a main file of 96kB; don't know which one, but we know what its size is. Again, if we leave the exe's and delete the 96kB dll file only, those 3 exe's would then make either another dll of 96kB, or make 3 exe's (because remember, each exe is 32kB, 3x32 is 96), then those 3 exe's "might" make more exe's of themselves in case we found the pattern, and found out that the way to look for it would be by the file size (like I did), because remember I found 11 once? This might be because I was deleting dll's before all this, and it just kept creating extra exe's. May be confusing, but that's the pattern and how I defeated it.

And no virus, spyware or even BHO program can detect this, because the main one(s) are turned off until the one that is active is deleted, which is the one BHO or spyware programs will detect, which is useless in this case. Have a nice day. PS: If you have problems, you can reach me @ neobot@the-pentagon.com
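The size-and-metadata triage iq454 describes above (order the Windows and system32 folders by size, then look for files of the quoted sizes that show no type, description or maker), written out as an added PowerShell example that is not code from the thread. It takes the kB sizes quoted in the post as its defaults (an assumption for any other machine), checks each size match for an empty CompanyName/FileDescription in its version resource and, for PE files, for a valid Authenticode signature, and prints a report. It deletes nothing; the list is input for a hash lookup or a submission to a scanner, not a deletion list.

```powershell
# Added example (not from the thread): triage files in %WINDIR% and %WINDIR%\System32
# by size and missing version metadata, as the post describes. Reports only.
# The size lists are the ones quoted in the post; they are assumptions elsewhere.
param(
    [int[]]$WindowsSizesKB  = @(19, 56, 91, 96),
    [int[]]$System32SizesKB = @(32, 64, 96)
)

function Get-SuspectFiles {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][int[]]$SizesKB
    )

    Get-ChildItem -LiteralPath $Folder -File -ErrorAction SilentlyContinue |
        Where-Object {
            # Explorer rounds a size up to the next whole kB; match on that rounded value.
            $kb = [int][math]::Ceiling($_.Length / 1KB)
            $SizesKB -contains $kb
        } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # The post's "type, description or who made it" check: version resource fields.
            $hasMeta = (-not [string]::IsNullOrWhiteSpace($vi.CompanyName)) -or
                       (-not [string]::IsNullOrWhiteSpace($vi.FileDescription))

            # Only PE files carry an Authenticode signature; others are left unchecked.
            $sigStatus = 'NotChecked'
            if ($_.Extension -in '.exe', '.dll', '.ocx', '.sys') {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }

            [pscustomobject]@{
                Suspect     = (-not $hasMeta) -and ($sigStatus -ne 'Valid')
                SizeKB      = [int][math]::Ceiling($_.Length / 1KB)
                Signature   = $sigStatus
                Company     = $vi.CompanyName
                Description = $vi.FileDescription
                Created     = $_.CreationTime
                Path        = $_.FullName
            }
        }
}

$report = @(
    Get-SuspectFiles -Folder $env:WINDIR -SizesKB $WindowsSizesKB
    Get-SuspectFiles -Folder (Join-Path $env:WINDIR 'System32') -SizesKB $System32SizesKB
)

# Suspects first, then every other size match, so nothing that matched is hidden.
$report |
    Sort-Object -Property @{ Expression = 'Suspect'; Descending = $true }, Path |
    Format-Table Suspect, SizeKB, Signature, Company, Description, Created, Path -AutoSize
```

Two caveats a practitioner would apply to the post's heuristic: plain data files (.dat, .txt, .log) never carry version metadata, so they will always show as Suspect on this check and need the content check the later posts describe; and a version resource is trivial to forge, so a file that passes the metadata check is not thereby clean. On a current Windows build most system binaries are catalog-signed and Get-AuthenticodeSignature reports Valid for them, which is why the signature status carries more weight here than the CompanyName string.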
-
OKAY guys, I think this is it... for real this time, okay. The new dll found by BHO was "javatm.dll", and the new exe files created were:
javacm.exe
javadp32.exe
javalb.exe
javaqp32.exe
javatn32.exe
javaug32.exe
javaut32.exe
javavd32.exe
javawe32.exe
javaww.exe
javayr.exe
All are 19 kB in size; even all the others with different names to the dll's previous to this new one I got are this size, so we have got the bastards. You see, it makes exes of the dll, or the previous dll deleted made these first, then the dll; either way, we gotta delete these. OH, and if you delete the exe's and not the dll, the dll will make a new set of exe's for itself, in case you delete the dll (sneaky), and if you delete the dll first without deleting the corresponding exe's, then those exe's will make a new dll (sneaky) with a random name, and then that dll will create another set of exe's to match. So you have to delete the dll and the exe's together, otherwise it will just go on and on. If you have been deleting the dll's and not these exe's, then you will either have to remember those dll's names you deleted so we can find them, or just use the 19kB file size to judge, then just see if there's 11 of them, and you need to get all of them together, dll's and exe's. Hope this helps. I'm in the process now of testing this, I'll post back soon on the results.
PS: This is why BHO doesn't work for some of you, because BHO only picks up one file at a time (the active one) and not the rest, because the rest are turned off and BHO thinks that they're harmless. So again, as soon as you delete the active one (whatever BHO picks up), it will then turn on the others, and they will start all over again. So again, we need to delete them all together.
[Edited by iq454 on 2004-09-08 08:07:12]
-
Hey, I think I narrowed it down now :) again.. lol. I just thought of something: these exe files I found, well, I found more of them, only under another name, but the same file size. I think that these exe files are replicating 11 exe files alphabetically: ajkl.exe, bstsl.exe, cfe32.exe and so on. Instead of creating them when we delete the dll as I said before, it's creating them as we speak from the previous exe's left behind, so if we delete them as well, then they will load the others. I think I have it: all the files are already on the system, recreating themselves all the way to "z". So I think we have to find all of them and delete them all at the same time. Maybe I'm wrong, but I'll check. Be Back
-
I think I got it. Remember those 11 exe's I said it creates? Well, it doesn't create them first if we delete the dll; it makes dat's, and if we delete the dat's it makes exe's. I believe this is to throw us off course. But 11x19=190kB; if you remember, I have left the other exe files that the other dll created on my PC also (because I wasn't sure whether to delete them). If we go back to the top, we'll see that the total file size of those 4 dat's and 1 dll = 455kB. The total for those 11 exe's = 11x19 = 190, but because I never deleted the other exe's that were made from the previous dll that was deleted, it will be two sets of exes to each dll now, making it total 380kB. I think we're looking for a file that is 75 kB/s in size; I think this is the main program that's the cause of all the re-creations. I think that if we delete these files, it makes the same files, but with different sizes, names and extensions. I'll be back to post more if I'm right.
-
Okay, I ran BHODemon, it found cfe32.exe, it fixed it. I reloaded BHODemon, it then changed that file to cfe32.dll, I then deleted it myself, ran it again, then it changed to ntxj32.dll. At this point, I went back into the Windows folder to find its file size; I found these files also: keoqrv.dat 91kB, ljxgrj.dat 91kB, psstrh.dat 91kB, xdyroe.dat 91kB. So that would make this new army as follows:
ntxj32.dll 91kB
keoqrv.dat 91kB
ljxgrj.dat 91kB
psstrh.dat 91kB
xdyroe.dat 91kB
I'm really not sure what's going on, but I do know that BHODemon is not picking up the main program that's recreating these files. But do you see the pattern? After the main exe was found and fixed, it then, on the fly, created 5 different files again, renamed, and this time the extension has changed also. I think I figured it out. Each time we delete what's picked up, it then creates 11 exe files; I'll explain here. Obviously, we can't keep deleting it this way. So do this. When BHO detects a change after it removes the dll, let's say ntxj32.dll, don't delete it or let it fix it; what we have to do is look for the exe files it created when we deleted the previous dll, so in this case it would be ntar32.exe (all these files are 19kB/s in size), ntan.exe, ntdg.exe, ntjb32.exe <AND SO ON, SHOULD BE 11 OF THEM>, or any files that have "nt" at the beginning, just like the dll, and that are the same file size; if it's a different file size, don't delete it. But I'm sure there won't be. Now this makes it easier, because not only can we find these files by their file size being the same, but now we also know that it creates exe files with the same 2 letters as the dll, and these exe files are also the same file size, just not the same as the previous post and previous files I deleted. (This guy is smart.) So either order the Windows folder by file size, or by name, and find them that way.

I think I'm getting closer to what it's actually doing, and how to catch it before it makes these files again under another name, size and extension. But now, at least, we can identify it easier as this is the pattern. Once you delete the dll BHO picks up, it will then make another dll with another name and another size from the previous dll we deleted, with 11 exe files with the first two letters of that dll it creates. It creates 11 exe files, and lets any spyware detector find the dll, because it doesn't matter if you delete it; the programmer that made this knows that these aren't the files we gotta delete. So if I have a theory on this: if I delete these 11 exe files before I delete the dll, then I think it won't occur; if it does, then it is another program that he's got as backup in case someone like me found the pattern, and if so, I think I'm (or we're) shit outta luck until some expert can figure this pattern out and find the main program to fix. Even though others have fixed this, there are others that haven't, even after using BHODemon and everything else possible. Be back if I see something new.
-
This fixed my home page problem, but I still get pop-ups; I'm working on this though. And the service in Admin Tools is disabled, so it's not the Messenger service. My system is XP, but maybe others with other OS's can get a picture of what to do. I can give in detail what files and how many are created for XP; maybe this will help one of you experts out in finding the actual execution file re-creating these dll's.

Firstly, open this location for testing and keep it open for this procedure. Keep an eye on the Search Bar or Search Page. It should have the location of our "dll" to delete first.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
In my case the file was "kvypu.dll" (this will be different for everybody, I think).
res\\Windows\"kvypu.dll"/sp.html#29126 is what's displayed in the registry.
The "dll" might or will differ, but the sp.html should be there, as all of you are talking about it. This should be easy to identify because of the "sp.html#?????", so just look for it and the "dll" will be before it.

What I did: I opened it in Notepad to see if I could change anything or find what it was pointing to, to see what was executing the re-creation of the "dll's", but couldn't find anything. Then I tried deleting info from that file, to no avail: "can't overwrite". I then just tried deleting the actual "dll" itself; it worked (as I knew it would, because I knew it would re-create into another file, or another file would re-create another random name) while keeping the registry open to see the changes. Sure enough, it was re-created as another random set of letters, "dsgat.dll", still the same size though, so all future creations will be easy to identify if it decides to change name again.
res\\Windows\"dsgat.dll"/sp.html#29126 is what's displayed in the registry after you refresh it.

Now, I opened it and tried to delete stuff from this file also; to my surprise, it let me make changes this time, so I deleted the path where it finds the server just to see if it would let me change something (I don't think modifying its contents is going to make a difference to the re-creation of it). This is just the link that displays when you open your IE homepage that got hijacked (this is also how I identified the rest of the "dll's" that you will see if you read on); whatever link it takes you to is what I deleted. I'm not sure if it would make a difference, I just did it out of curiosity; you don't have to do this though, just check to see if the link is in there, to identify it as a "dll" to be deleted. Now, after I deleted the link it was pointing to and then closed that "dsgat.dll", I had a look at the registry again to see if it changed again; it did get re-created under yet another name, "rnozl.dll", res\\"rnozl.dll/sp.html#29126", on the fly. Now, I also did the same for this "dll" (deleted the link it was pointing to), but then, no more on-the-fly changing in the reg string. I think deleting that first "dll" made these two extra files in one go, or they were always on the PC ready to hijack if that file was deleted, and it probably didn't have anything to do with me changing the files or deleting the link it was pointing to; it just probably had only this amount of files, or that's how many files the programmer told his spyware to create. Anyway, after that, I was to find another 2 that I found only by checking with Notepad, because these names weren't getting re-created in the registry like the others did. (Sneaky.) I also found a "log" file that had the exact same content as all the "dll's". This may be the file that's creating the random "dll's" if they get deleted, or it's the first file I deleted. Again, the name may differ. So, search for these files on your PC. In my case:
kvypu.dll 56kB was write protected, but let me delete it.
dsgat.dll 56kB wasn't write protected
rnozl.dll 56kB wasn't write protected
unqob.dll 56kB wasn't write protected
qoocf.dll 56kB wasn't write protected
wqkmpi.log 56kB wasn't write protected
Then go to the Search Bar and Search Page in the registry, right click and Modify, replace it with the page of your choice, and make sure you empty the Recycle Bin. Homepage linking defeated.

Because these files may be named differently on you guys' PCs (which I'm sure they will be), a way to check is by the file size (they may not be the same size as mine either), so check like this. Again, go to the Search Bar or Page in the registry; there should be the "dll" we're looking for.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main - Search Bar or Page
example: res windows\kvypu.dll/sp.html#29126
For me the first one was "kvypu.dll" (might or will differ). Simply go to that location, check its file size, and then order your Windows folder to show all files by file size to make them easier to find. There shouldn't be many legit dll's in there the same size as these, so it should be easy to find them. Then check all the "dll's" that are the same size (random letters and the same file size should give it away); check them by opening in Notepad just to be sure it's not a legit "dll", and see if the link has anything regarding your homepage's forwarding link (the hijacker's link). It should be something like http://www.looksearch.com.blahblah (this was mine); it's just the link that your hijacker takes you to when you visit your home page or make a search. This is what we're looking for: if it is in there, that's a "dll" to delete. Just keep doing that for the rest and delete them all, and stay in the Windows folder and keep refreshing to see if any more get created. And don't forget that log file; it should display the same content as the "dll's". You don't need to use "Open with" as it is already a text file, so just click it.

If it's the first time you've deleted the "dll" you found at the beginning, then it should make a few more on the fly; just keep this registry location open, and it should tell you what the new "dll's" that get created are. Do it one at a time: if it changes, search for it in the Windows folder and delete, then check back in the registry to see if it creates another. There should be a total of 6 files: 5 dll's and 1 log file. A couple of "dll's" might already be on the PC, as explained before, so you can either use the registry to identify them, or you can use the file size and opening-in-Notepad method. If you refresh the registry, it should change to whichever "dll" is currently in use. And this way we don't have to do guesswork or open them up to check in Notepad. (Maybe I should've said this earlier, or did I?) Oh heck, I'm tired, give me a break. I'll be back to post the popup data and the redirecting issue you still may have, if you ever did have that problem. Remember, this only fixes the homepage changing itself back to the redirected link the spyware has placed on the system. If you have Google as your homepage, or you just go to Google and you search for something, a few seconds later it will redirect you, so this is what I'm trying to solve; if I find anything I'll be back.
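The two registry checks from this thread, the HKEY_CURRENT_USER\...\Internet Explorer\Main inspection described above and the Uninstall-key lookup from the earlier "Or, you can go to the registry" post, as an added PowerShell example that is not code from the thread. It reads the IE start and search values, flags any that use a res:// URL into a DLL (the "res://...dll/sp.html#..." shape the post describes), reports the DLL's size on disk when it can locate it, and lists Add/Remove Programs entries whose display name matches one of the three quoted in the thread (spellings taken as posted). The value names and the WOW6432Node path are standard Windows locations; everything is reported, nothing is modified or deleted.

```powershell
# Added example (not from the thread): report IE start/search values that point
# into a local DLL via res://, and Uninstall entries with the display names the
# thread quotes. Reports only; changes nothing.

$IeMainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
)
$IeValueNames = 'Start Page', 'Search Bar', 'Search Page',
                'Default_Page_URL', 'Default_Search_URL', 'Local Page'

# Display names as quoted in the thread (spellings taken as posted).
$KnownUninstallNames = 'Serach Extender', 'ShoppingWizard', 'Home Search Assistant'

function Get-IeHomePageHijackIndicators {
    foreach ($key in $IeMainKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $IeValueNames) {
            $value = $props.$name
            if ([string]::IsNullOrEmpty($value)) { continue }

            # res:// serves HTML out of a DLL's resource section. A start or search page
            # that points at a DLL rather than a web site is the pattern from the post.
            $m = [regex]::Match($value, '(?i)res://(?<dll>[^/]+\.dll)/(?<page>[^#\s]+)')
            $dllPath = $null; $dllSizeKB = $null
            if ($m.Success) {
                $dllRef = $m.Groups['dll'].Value
                # The value may hold a full path or just a file name; try both, the
                # bare name relative to %WINDIR% as the post's examples show.
                $candidates = @($dllRef, (Join-Path $env:WINDIR (Split-Path -Leaf $dllRef)))
                $found = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
                if ($found) {
                    $dllPath = (Get-Item -LiteralPath $found).FullName
                    $dllSizeKB = [int][math]::Ceiling((Get-Item -LiteralPath $found).Length / 1KB)
                }
            }
            [pscustomobject]@{
                Key       = $key
                ValueName = $name
                Value     = $value
                IsResUrl  = $m.Success
                DllOnDisk = $dllPath
                DllSizeKB = $dllSizeKB
            }
        }
    }
}

function Get-KnownUninstallEntries {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root | ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            $display = if ($p.DisplayName) { $p.DisplayName } else { $_.PSChildName }
            if ($KnownUninstallNames -contains $display) {
                [pscustomobject]@{
                    Key             = $_.PSPath
                    DisplayName     = $display
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

Get-IeHomePageHijackIndicators | Format-List
Get-KnownUninstallEntries | Format-List
```

Run it before and after a cleanup: a res:// start page that comes back under a new DLL name after a reboot is the re-creation behaviour the post describes, and the reported DllSizeKB is the value to carry into the size-based search of the Windows folder. The WOW6432Node branch is included because on 64-bit Windows it holds the 32-bit Add/Remove entries, which is where a 32-bit installer's uninstall key would land.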