#1
New strain of your-searcher hijacker help please
The thing has been kicking my *** for a week. I tried some of the solutions posted here and other places but they don't work for me! This version seems to have changed names and variations to it. Please help! CWS Shredder, Spybot, Command Antivirus, SG, SpywareBlaster and AdAware all failed!! Thanks!
Logfile of HijackThis v1.97.7
Scan saved at 11:26:27 AM, on 20/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\windows\temp\zG.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\GetRight\getright.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jack\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = URL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = URL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = URL
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = URL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = URL
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = URL
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zG.exe] C:\windows\temp\zG.exe
O4 - HKLM\..\Run: [33THXMW2QQE9YT] C:\WINDOWS\System32\XdkC.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Shortcut to BIGPOND.lnk = C:\Program Files\Big Pond Advance\BIGPOND.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - URL
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - URL
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - URL
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - URL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - URL
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
#2
I have had the same since the 1st of July, also with same lack of results from Cleaners, and special procedures for re-naming the file in Control Console when explorer.exe is not running, along with re-naming procedures and regedit tricks to keep the thing from re-loading in Registry (AppInit_DLLs Key) and system32 as an ever-changing DLL file that is almost 4 Kb in size, and contains the same content, with the keyword mutex in it.

I don't know how to fix, but if you have the same as I do, it may be because there is a common CLSID number involved: {69432678-2906-2705-1128-068943397621}. This number is also found on Computer Cops, posted as: URL. Trend Micro Scan and other cleaners have error "closing xxx.exe" and Dump application compatibility Report Send/No Send message pops up, then application still runs. If you set all permissions for Registry Key associated with AppInit_DLLs to deny, then this does keep the registry entry from being written into after re-boot, but a dll still drops into the system32 folder. No process found that is running; and files are not dropped when booting into Safe Mode, but return after normal boot. Boot again with Dll reference in the registry and System32 folder, and you get more errors affecting a number of programs like SpyWareGuard, Trend Micro Scan/Damage repair Engine TSC.exe, TMO.exe, and Dell Support. I am going to try to run with registry Key blocked, and see if anything has problems. Let me know if anybody has any other ideas or needs a screenshot of Error Message or my HijackThis! Log. Regards, and Good Luck! Doc

P.S. Have not found the above CLSID on any lists yet; if someone does, then please post back!

Last edited by DocPepr : July 12th, 2004 at 01:21 AM. Reason: Paste Failed for URL http://www.computercops.biz/postt16338.html
#3
I finally fixed it!
It was three files and one process causing the re-load and dropping of error-inducing and Browser Pop-ups to X.CB.Kount "Adaware Removal" or similar. All processes and associated Modules had to be removed prior to Normal Boot, or the AppInit_DLLs Key would be reloaded. Here's the follow-up details on a solution that I finally worked up using a number of tools and special procedures. If you would like a copy of the offending "Mprocessor.exe" and its associated Dll and Dat files, let me know. Mprocessor.exe itself was not deleted; just the Start-Up reference, as I do not know if this is used elsewhere for valid programs. Do you have any idea where this comes from?

I have had the same since the 1st of July, also with same lack of results from Cleaners, and special procedures for re-naming the file in Control Console when explorer.exe is not running, along with re-naming procedures and regedit tricks to keep the thing from re-loading in Registry (AppInit_DLLs Key) and system32 as an ever-changing DLL file that is almost 4 Kb in size, and contains the same content, with the keyword mutex in it.

---------------------------------

***Update - Found it! Mprocessor.exe process found that was running; this one restored the AppInit_DLLs file in Registry Key and had two files (a 6 KB and a 96 KB size) associated with it that did not show up in registry! These always appeared when Registry key shown by using HijackThis1980 - as:

O20 - AppInit_DLLs: C:\WINDOWS\System32\DNSAPI597o.dll

Procedures for removal:

1) Turn Restore off, Disable any network connections, locate 3 last files that were dropped into System32 by showing hidden files.

2) With Networking and all IE windows closed, Ran HijackThis1980 and got in log:
Logfile of HijackThis v1.98.0 (HijackThisHF1980b.txt)
O20 - AppInit_DLLs: C:\WINDOWS\System32\DNSAPI597o.dll
This value ****.Dll (recurring Mutex Dll) was deleted using RegLite, and the processes using the dropped Dll were located using Process Explorer v8.41 (C.R. by Mark Russinovich) Find Dll and show processes using this module (Dll renames itself at startup - attaches to valid processes like Spyware Guard, TaskManager, SpyBot ResidentTeaTimer, TMO.exe etc.)

3) After the processes were killed, the system32 AppInit_DLL can be deleted after Booting in Safe Mode, and/or re-named to a Junk Folder and deleted by setting User Permissions to Full Control - Allow.

4) A similar approach was used to find the offending reload process "Mprocessor.exe" where two files in System 32 were dropped at the same time as the AppInit_DLLs Registry file. Once Mprocessor.exe was killed, the 6Kb Dll and 96 Kb Dat files. These files did not have a registry entry, but were deleted in Safe Mode prior to re-start in Regular Mode. Mprocessor.exe itself was not deleted; just the Start-Up reference, as I do not know if this is used elsewhere for valid programs. While in Safe Mode, additional "No-Name" BHO's and Memory-Hog startup references like O4 - HKLM\..\Run:... QuickTime\qttask.exe and O4 - Global Startup: Microsoft Office.lnk were fixed using HijackThis1980.

5) After Normal Boot, no errors were generated for the associated Host processes, and no popups referring to X.CB.Kount.com or jumps to "Adware Removal" occurred. System Restore and restore point made after second clean boot. (Re-checks with HijackThis1980 were made before and after enabling LAN and opening any Internet Explorer windows.)

If you want more details, post and I'll follow thread for awhile.

Doc
#4
I would like some more details
I am not having any luck with this. I have deleted the registry keys, I have deleted the last 3 files dropped in the system 32 folder, I have killed the processes using the Process Explorer and I still get the stupid mprocessor spyware on bootup. Please help.
Thanks
#5
I also got no results from Spysweeper, and had to use a different version of Hijack This! to find the real active file that contained the reloader for the registry and the Dlls that change their names every time you reboot. I got similar instructions to remove from Dev Shed, but it did not identify the real culprit, which was mprocessor.exe. You will need to run Hijack This! (download a copy of HijackThis v1.98.0) and follow the procedure below:

----------------------------------------------------------------------------------
You might want to print these instructions.

Logoff your internet connection. Close all browsers and other windows except HijackThis. For even more effectiveness, reboot in safe mode; if you think you might have other problems, this is also where you should run Adaware (freshly updated), but do so after running Hijack This to get a before and after Log file.

Run HijackThis, place a checkmark next to the following items. Click "fix checked".

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
----------------------------------------------------------------------------------

Before booting up, I also looked at the folder Mprocessor that was located in C:/ Program Files/ (yours may be elsewhere) and found the following related files:

data.dat 138 kb
first.awp 64 kb
initial.cfg 1 kb
main.cfg 5 kb
MProcessor.exe 102 kb
replacer.exe 3 kb
second.awp 45 kb

Quarantine or delete them, and then also delete the AppInit_DLLs files in the registry with the Mprocessor reference again. Reboot and check to see if the registry keys and other sys32 files show up again; if they do, make sure you have updated Hijack This! Reset permissions to Deny for Windows Key AppInit_DLLs (set as far as allowed to Deny - some special permissions cannot be set to Deny - Owner "AppInit_DLLs" located in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\") and repeat the above procedure.

This should do it; you can also run Trend Micro HouseCall; I think they have updated their scan data files to find this one (and the residual pieces and dll's left) now. Hope this helps - Good Luck!

Doc
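Triage of a HijackThis log like the one in post #1, and of the O4 and O20 entries that posts #3 and #5 ended up fixing, can be partly automated. The following is an added example, not code from this thread or from HijackThis: a small parser that flags the entry types that mattered here (an AppInit_DLLs value, Run entries launched from a temp directory or with random-looking names, the reloader name this thread identified, a nameless O16 DPF entry, and dangling "(no file)" entries). The sample lines are constructed from the logs quoted above and the known-bad name list is a hypothetical starting point.

```python
import re

# Constructed sample lines, modelled on the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zG.exe] C:\windows\temp\zG.exe
O4 - HKLM\..\Run: [33THXMW2QQE9YT] C:\WINDOWS\System32\XdkC.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\MProcessor\mprocessor.exe"
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
O20 - AppInit_DLLs: C:\WINDOWS\System32\DNSAPI597o.dll
"""

# Run-key names this thread identified as the reloader (hypothetical list; extend from your own findings).
KNOWN_BAD_RUN_NAMES = {"mprocessor"}
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")   # "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"\[([^\]]+)\]\s*(.*)")      # splits an O4 body into name and command

def triage(log_text):
    """Return (section, line, reason) for every entry that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every process that loads user32.dll also loads this DLL: classic reloader persistence.
            reason = "AppInit_DLLs is set; the listed DLL is injected into nearly every process"
        elif section == "O4":
            run = RUN_RE.search(body)
            name, command = run.groups() if run else ("", body)
            if name.lower() in KNOWN_BAD_RUN_NAMES:
                reason = "Run entry named in this thread as the reloader"
            elif re.search(r"\\temp\\", command, re.IGNORECASE):
                reason = "Run entry launches an executable from a temp directory"
            elif re.fullmatch(r"[A-Z0-9]{10,}", name) and re.search(r"\d", name):
                reason = "Run entry name looks randomly generated"
        elif section == "O16" and re.fullmatch(r"DPF: \{[0-9A-F-]+\} -", body):
            reason = "ActiveX download entry with no name and no source URL"
        if reason is None and ("(no file)" in body or "(file missing)" in body):
            reason = "dangling entry: the referenced file is gone (low risk, safe to fix)"
        if reason:
            findings.append((section, line, reason))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Entries that are not flagged (the QuickTime task, the Spybot SDHelper BHO) are ordinary software; the parser only narrows the list a human still has to judge.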
Dev Shed Forums > System Administration > Antivirus Protection > New strain of your-searcher hijacker help please