Jump to content


Photo

Hijack Log Review


  • Please log in to reply
4 replies to this topic

#1 dan76

dan76

    Member

  • New Member
  • Pip
  • 3 posts

Posted 26 June 2004 - 11:14 AM

Hi,

May someone please take a few minutes to review this Hijackthis Log file. I have run Spybot and still having trouble with these Search toolbars and pop ups, and browser changing my start page. Any help would be greatly appreciated.

Thanks, Dan

Logfile of HijackThis v1.97.7
Scan saved at 12:05:54 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\nttn32.exe
C:\WINDOWS\system32\mfcch32.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\sfpsvr.exe
C:\WINDOWS\System32\ttjacfr.exe
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dan Whetstine\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hlktt.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hlktt.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hlktt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hlktt.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hlktt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hlktt.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://store.presari...&c=1c02&lc=0409
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {ADF54594-1676-88BD-8C13-3AC13F52D75B} - C:\WINDOWS\system32\msyn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [jqxbshovisbm] C:\WINDOWS\System32\ttjacfr.exe
O4 - HKLM\..\Run: [addzi.exe] C:\WINDOWS\system32\addzi.exe
O4 - HKLM\..\Run: [mfcch32.exe] C:\WINDOWS\system32\mfcch32.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [iepz.exe] C:\WINDOWS\system32\iepz.exe
O4 - HKLM\..\RunOnce: [criy32.exe] C:\WINDOWS\system32\criy32.exe
O4 - HKLM\..\RunOnce: [javagk32.exe] C:\WINDOWS\system32\javagk32.exe
O4 - HKLM\..\RunOnce: [crsu.exe] C:\WINDOWS\system32\crsu.exe
O4 - HKLM\..\RunOnce: [appsd32.exe] C:\WINDOWS\appsd32.exe
O4 - HKLM\..\RunOnce: [ipqt.exe] C:\WINDOWS\ipqt.exe
O4 - HKLM\..\RunOnce: [netve32.exe] C:\WINDOWS\system32\netve32.exe
O4 - HKLM\..\RunOnce: [addvz.exe] C:\WINDOWS\addvz.exe
O4 - HKLM\..\RunOnce: [sdkwn.exe] C:\WINDOWS\system32\sdkwn.exe
O4 - HKLM\..\RunOnce: [javakh.exe] C:\WINDOWS\javakh.exe
O4 - HKLM\..\RunOnce: [netpl32.exe] C:\WINDOWS\system32\netpl32.exe
O4 - HKLM\..\RunOnce: [netui32.exe] C:\WINDOWS\system32\netui32.exe
O4 - HKLM\..\RunOnce: [iplk32.exe] C:\WINDOWS\system32\iplk32.exe
O4 - HKLM\..\RunOnce: [netdu32.exe] C:\WINDOWS\system32\netdu32.exe
O4 - HKLM\..\RunOnce: [ieco.exe] C:\WINDOWS\system32\ieco.exe
O4 - HKLM\..\RunOnce: [ntgj32.exe] C:\WINDOWS\system32\ntgj32.exe
O4 - HKLM\..\RunOnce: [d3wy.exe] C:\WINDOWS\d3wy.exe
O4 - HKLM\..\RunOnce: [sdkft32.exe] C:\WINDOWS\sdkft32.exe
O4 - HKLM\..\RunOnce: [atlim.exe] C:\WINDOWS\atlim.exe
O4 - HKLM\..\RunOnce: [addji.exe] C:\WINDOWS\addji.exe
O4 - HKLM\..\RunOnce: [javaoz32.exe] C:\WINDOWS\system32\javaoz32.exe
O4 - HKLM\..\RunOnce: [mfcrs.exe] C:\WINDOWS\mfcrs.exe
O4 - HKLM\..\RunOnce: [syseb.exe] C:\WINDOWS\system32\syseb.exe
O4 - HKLM\..\RunOnce: [crdp.exe] C:\WINDOWS\crdp.exe
O4 - HKLM\..\RunOnce: [netwh32.exe] C:\WINDOWS\netwh32.exe
O4 - HKLM\..\RunOnce: [mfcba.exe] C:\WINDOWS\system32\mfcba.exe
O4 - HKLM\..\RunOnce: [sdkaa.exe] C:\WINDOWS\sdkaa.exe
O4 - HKLM\..\RunOnce: [iejb32.exe] C:\WINDOWS\system32\iejb32.exe
O4 - HKLM\..\RunOnce: [apixa32.exe] C:\WINDOWS\system32\apixa32.exe
O4 - HKLM\..\RunOnce: [ipvu32.exe] C:\WINDOWS\ipvu32.exe
O4 - HKLM\..\RunOnce: [winju.exe] C:\WINDOWS\system32\winju.exe
O4 - HKLM\..\RunOnce: [mfclo.exe] C:\WINDOWS\system32\mfclo.exe
O4 - HKLM\..\RunOnce: [sdksa.exe] C:\WINDOWS\sdksa.exe
O4 - HKLM\..\RunOnce: [iedc32.exe] C:\WINDOWS\system32\iedc32.exe
O4 - HKLM\..\RunOnce: [mfcnk32.exe] C:\WINDOWS\mfcnk32.exe
O4 - HKLM\..\RunOnce: [d3sl.exe] C:\WINDOWS\d3sl.exe
O4 - HKLM\..\RunOnce: [apiic32.exe] C:\WINDOWS\system32\apiic32.exe
O4 - HKLM\..\RunOnce: [iexc.exe] C:\WINDOWS\iexc.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Advisor (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo....r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {11111111-1111-1111-1111-111555555555} - ms-its:mhtml:file://C:\document.mhtml!http://www.ultra-gal....chm::/init.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter...00/SYSsfitb.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk....ViewerSetup.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp...er/SysQuery.cab

#2 dan76

dan76

    Member

  • New Member
  • Pip
  • 3 posts

Posted 02 July 2004 - 06:02 PM

Bump,

Thanks, Dan

#3 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 05 July 2004 - 03:52 AM

Hello dan76,

Sorry for the long wait. If you still have your concern, please try this:

Please download About:Buster and unzip it to your desktop.
Start it, hit Ok, Start, And Ok to start the scan. It will generate a log. Post that log along with a new Hijack this log here.


There is a newer version of HJT. You can get it here

You also don't have Hijackthis in a permanent folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
This will allow backups to be made and saved By hijackthis in case something goes wrong.
Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.


Let's also see if you have a Look2Me infection.
A tool has been made by Option^Explicit and freeatlast to find and remove it.
Please download VX2Finder from this link, and save it to your Desktop.

http://www.downloads...g/VX2Finder.exe

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Copy and paste the contents of the log into your next reply here, along with the new HJT, and About:Buster log.

#4 dan76

dan76

    Member

  • New Member
  • Pip
  • 3 posts

Posted 05 July 2004 - 09:28 AM

Hi,

Thanks for the response, here are the new log files:

About:Buster Version 1.24
Removed! : C:\WINDOWS\hyahc.dll
Removed! : C:\WINDOWS\ietu32.exe
Removed! : C:\WINDOWS\neypaq.dat
Removed! : C:\WINDOWS\n_afjpfs.dat
Removed! : C:\WINDOWS\System32\gfvnz.dat
Removed! : C:\WINDOWS\System32\gprln.dat
Removed! : C:\WINDOWS\System32\hsjhi.dat
Error Removing! : C:\WINDOWS\System32\sysvw32.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


HIJACKTHIS

Logfile of HijackThis v1.98.0
Scan saved at 10:15:43 AM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\inetdata\services.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\sfpsvr.exe
C:\WINDOWS\System32\ttjacfr.exe
C:\WINDOWS\system32\addzi.exe
C:\documents and settings\mary whetstine\local settings\temp\2d40kHK1.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Save\Save.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\System32\Pelur4.exe
C:\WINDOWS\System32\Ufmmw.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\xenastore.exe
C:\WINDOWS\System32\xpgsccp.exe
C:\Program Files\SysAI\SysAI.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\system32\netdu32.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\owxeu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://owxeu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://owxeu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\owxeu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\owxeu.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://owxeu.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...count_id=123938
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://klkay.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - Default URLSearchHook is missing
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {9E8E0A99-F676-A5C0-282E-F3D8F486BFA4} - C:\WINDOWS\apizh32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [jqxbshovisbm] C:\WINDOWS\System32\ttjacfr.exe
O4 - HKLM\..\Run: [addzi.exe] C:\WINDOWS\system32\addzi.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [2d40kHK1] C:\documents and settings\mary whetstine\local settings\temp\2d40kHK1.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Eqtz6w9.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\Program Files\WhenUSearch\Search.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [AutoLoaderpApy1RdfXJXN] "C:\WINDOWS\System32\upsmr.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [pp6O3Fg] xenastore.exe
O4 - HKLM\..\RunOnce: [1] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\DANWHE~1\LOCALS~1\Temp\AcsInstall.dll"
O4 - HKLM\..\RunOnce: [2] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\DANWHE~1\LOCALS~1\Temp\insmac2k.dll"
O4 - HKLM\..\RunOnce: [winur32.exe] C:\WINDOWS\system32\winur32.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKCU\..\Run: [YEpERPMtg] xpgsccp.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Advisor - {5894DB8C-67C1-416F-95C0-AFAF266A4D16} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.po...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo....r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {11111111-1111-1111-1111-111555555555} - ms-its:mhtml:file://C:\document.mhtml!http://www.ultra-gal....chm::/init.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter...00/SYSsfitb.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk....ViewerSetup.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp...er/SysQuery.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll



Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

Thanks,
Dan

#5 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 05 July 2004 - 12:15 PM

Hi dan76,

Looks like your log grew a few infections. :gasp:

There appears to be some CoolWeb infection. Please download the latest version of CWShredder here:
http://www.downloads.../CWShredder.exe
Run it, then click "Fix" (not Scan only) and let it fix all the variants it finds.
Then Reboot.
________

Then, download the PeperFix.exe, a tool made by Option^Explicit, from here:
http://downloads.sub...rg/PeperFix.exe
Click on the PeperFix.exe to launch it.
Click the Find and Fix button.
You will be prompted to reboot.

Reboot and it will delete the files.
________

Download a Free Trial of Trojan Hunter at http://www.misec.net...rojanHunter.exe first.
Next, take a free Online Virus scan at http://housecall.trendmicro.com or http://www3.ca.com/v.../virusscan.aspx.
________

Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"
and Remove 'TwainTech' if it's there.
While you're in there, follow this link to remove POP
________

Open Hijackthis, click Scan, then put a check next to the following entries:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html

R3 - Default URLSearchHook is missing

O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [2d40kHK1] C:\documents and settings\mary whetstine\local settings\temp\2d40kHK1.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Eqtz6w9.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\Program Files\WhenUSearch\Search.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [AutoLoaderpApy1RdfXJXN] "C:\WINDOWS\System32\upsmr.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\RunOnce: [1] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\DANWHE~1\LOCALS~1\Temp\AcsInstall.dll"
O4 - HKLM\..\RunOnce: [2] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\DANWHE~1\LOCALS~1\Temp\insmac2k.dll"
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe

O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter...00/SYSsfitb.cab
O16 - DPF: {11111111-1111-1111-1111-111555555555} - ms-its:mhtml:file://C:\document.mhtml!http://www.ultra-gal....chm::/init.exe

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll



Then, Close all open Windows and Browsers (have only HJT open) and click "Fix Checked".

Now, reboot to Safe Mode (tap f8 while restarting) and Delete these Folders:

C:\Program Files\ClearSearch\
C:\Program Files\Save\
C:\Program Files\WhenUSearch\
C:\Program Files\AutoUpdate\
C:\Program Files\Common Files\Dpi\
C:\Program Files\Lycos\Sidesearch\

And these Files:

C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\inetp60.dll,DllRunServer
C:\WINDOWS\System32\upsmr.exe" /PC="AM.WILD" /HideUninstall
C:\WINDOWS\System32\ms.exe

You may have to show hidden files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then browse to the C:\documents and settings\<mary whetstine> (repeat for all users)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
This will delete all your cached internet content including cookies

Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

After you do the above, reboot normally, and rerun About:Buster.
Start it, hit Ok, Start, And Ok to start the scan. It will generate a log. Post that log along with a new Hijack this log here.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button