
Help me please



#1 texaslawyer


Posted 26 June 2004 - 04:38 PM

any help is greatly appreciated

thank you


Logfile of HijackThis v1.97.7
Scan saved at 4:39:11 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\WINDOWS\system32\applx32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\adam.JWTCC\Local Settings\Temp\Temporary Directory 9 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ujcfr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ujcfr.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ujcfr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ujcfr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ujcfr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ujcfr.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://FS1:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7FFCC75E-5674-7B6F-24F8-13B92DA42ADF} - C:\WINDOWS\mssb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [javajq32.exe] C:\WINDOWS\system32\javajq32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [a] "C:\Program Files\a2\a2guard.exe"
O4 - HKLM\..\RunOnce: [applx32.exe] C:\WINDOWS\system32\applx32.exe
O4 - HKLM\..\RunOnce: [mfcgq32.exe] C:\WINDOWS\system32\mfcgq32.exe
O4 - HKLM\..\RunOnce: [javawx.exe] C:\WINDOWS\system32\javawx.exe
O4 - HKLM\..\RunOnce: [atlgk.exe] C:\WINDOWS\atlgk.exe
O4 - HKLM\..\RunOnce: [d3rq.exe] C:\WINDOWS\d3rq.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.3166782407
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com
O17 - HKLM\Software\..\Telephony: DomainName = jwtcc.jwtinder.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com

#2 Subratam


Posted 26 June 2004 - 04:43 PM

Please download this tool called About:Buster from:

http://www.downloads...AboutBuster.zip

Unzip it to your desktop but don't run it yet.

Now start Hijackthis and tick the boxes next to these items:

O2 - BHO: (no name) - {7FFCC75E-5674-7B6F-24F8-13B92DA42ADF} - C:\WINDOWS\mssb.dll
O4 - HKLM\..\Run: [javajq32.exe] C:\WINDOWS\system32\javajq32.exe
O4 - HKLM\..\RunOnce: [applx32.exe] C:\WINDOWS\system32\applx32.exe
O4 - HKLM\..\RunOnce: [mfcgq32.exe] C:\WINDOWS\system32\mfcgq32.exe
O4 - HKLM\..\RunOnce: [javawx.exe] C:\WINDOWS\system32\javawx.exe
O4 - HKLM\..\RunOnce: [atlgk.exe] C:\WINDOWS\atlgk.exe
O4 - HKLM\..\RunOnce: [d3rq.exe] C:\WINDOWS\d3rq.exe

Now close ALL windows and hit fix checked.
Do not open internet explorer to come back here until after running the tool.

Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

Once the tool is done scanning, copy the log and paste it into your thread.

Restart your computer and post the report and a new Hijack this log.
http://blog.emsisoft.com
www.Emsisoft.com

#3 texaslawyer


Posted 26 June 2004 - 05:08 PM

Error Removing! : C:\WINDOWS\wovucr.dat
Error Removing! : C:\WINDOWS\wsyjt.dat
Error Removing! : C:\WINDOWS\wsyjtk.dat
Error Removing! : C:\WINDOWS\wvopcf.dat
Error Removing! : C:\WINDOWS\xdddd.dat
Error Removing! : C:\WINDOWS\xghlxm.dat
Error Removing! : C:\WINDOWS\xsoqx.dat
Error Removing! : C:\WINDOWS\zbuzxc.dat
Error Removing! : C:\WINDOWS\mssb.dll
Error Removing! : C:\WINDOWS\System32\applx32.exe
Error Removing! : C:\WINDOWS\System32\javawx.exe
Error Removing! : C:\WINDOWS\System32\mfcgq32.exe
Error Removing! : C:\WINDOWS\System32\ujcfr.dll
Error Removing! : C:\WINDOWS\System32\hudgr.dat
Error Removing! : C:\WINDOWS\System32\issbv.dat
Error Removing! : C:\WINDOWS\System32\rpsle.dat
Error Removing! : C:\WINDOWS\System32\uxwwj.dat
Error Removing! : C:\WINDOWS\System32\wovuc.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Logfile of HijackThis v1.97.7
Scan saved at 5:08:15 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\adam.JWTCC\Local Settings\Temp\Temporary Directory 12 for hijackthis1977.zip\HijackThis.exe
C:\Documents and Settings\adam.JWTCC\Local Settings\Temp\Temporary Directory 2 for AboutBuster.zip\AboutBuster.exe
C:\Documents and Settings\adam.JWTCC\Local Settings\Temp\Temporary Directory 11 for hijackthis1977.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ujcfr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ujcfr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ujcfr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ujcfr.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://FS1:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7FFCC75E-5674-7B6F-24F8-13B92DA42ADF} - C:\WINDOWS\mssb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [javajq32.exe] C:\WINDOWS\system32\javajq32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [a] "C:\Program Files\a2\a2guard.exe"
O4 - HKLM\..\RunOnce: [applx32.exe] C:\WINDOWS\system32\applx32.exe
O4 - HKLM\..\RunOnce: [mfcgq32.exe] C:\WINDOWS\system32\mfcgq32.exe
O4 - HKLM\..\RunOnce: [javawx.exe] C:\WINDOWS\system32\javawx.exe
O4 - HKLM\..\RunOnce: [atlgk.exe] C:\WINDOWS\atlgk.exe
O4 - HKLM\..\RunOnce: [d3rq.exe] C:\WINDOWS\d3rq.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.3166782407
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com
O17 - HKLM\Software\..\Telephony: DomainName = jwtcc.jwtinder.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com

#4 texaslawyer


Posted 26 June 2004 - 05:11 PM

new log after restarting:

Logfile of HijackThis v1.97.7
Scan saved at 5:12:12 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\applx32.exe
C:\Documents and Settings\adam.JWTCC\Local Settings\Temp\Temporary Directory 11 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ujcfr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ujcfr.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ujcfr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ujcfr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ujcfr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ujcfr.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://FS1:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7FFCC75E-5674-7B6F-24F8-13B92DA42ADF} - C:\WINDOWS\mssb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [javajq32.exe] C:\WINDOWS\system32\javajq32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [a] "C:\Program Files\a2\a2guard.exe"
O4 - HKLM\..\RunOnce: [applx32.exe] C:\WINDOWS\system32\applx32.exe
O4 - HKLM\..\RunOnce: [mfcgq32.exe] C:\WINDOWS\system32\mfcgq32.exe
O4 - HKLM\..\RunOnce: [javawx.exe] C:\WINDOWS\system32\javawx.exe
O4 - HKLM\..\RunOnce: [atlgk.exe] C:\WINDOWS\atlgk.exe
O4 - HKLM\..\RunOnce: [d3rq.exe] C:\WINDOWS\d3rq.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.3166782407
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com
O17 - HKLM\Software\..\Telephony: DomainName = jwtcc.jwtinder.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com

#5 Subratam


Posted 26 June 2004 - 05:31 PM

Start HijackThis and tick the boxes next to these items:

O2 - BHO: (no name) - {7FFCC75E-5674-7B6F-24F8-13B92DA42ADF} - C:\WINDOWS\mssb.dll
O4 - HKLM\..\Run: [javajq32.exe] C:\WINDOWS\system32\javajq32.exe
O4 - HKLM\..\RunOnce: [applx32.exe] C:\WINDOWS\system32\applx32.exe
O4 - HKLM\..\RunOnce: [mfcgq32.exe] C:\WINDOWS\system32\mfcgq32.exe
O4 - HKLM\..\RunOnce: [javawx.exe] C:\WINDOWS\system32\javawx.exe
O4 - HKLM\..\RunOnce: [atlgk.exe] C:\WINDOWS\atlgk.exe
O4 - HKLM\..\RunOnce: [d3rq.exe] C:\WINDOWS\d3rq.exe

Now close ALL windows except HijackThis and hit fix checked.

Do not open Internet Explorer to come back here until after running the AboutBuster tool.

Double click aboutbuster.exe, click OK, click Start, then click OK. If there are any "Error Removing" entries, find the file yourself and delete it.

Then start up HijackThis and tick the box next to the random O2 (dll) if still present.

Restart your computer and post the report and a new Hijack this log.
http://blog.emsisoft.com
www.Emsisoft.com

#6 texaslawyer


Posted 26 June 2004 - 06:13 PM

About:Buster Version 1.21
Removed! : C:\WINDOWS\atlgk.exe
Removed! : C:\WINDOWS\d3rq.exe
Removed! : C:\WINDOWS\adrqws.dat
Removed! : C:\WINDOWS\bbcfk.dat
Removed! : C:\WINDOWS\fafbfl.dat
Removed! : C:\WINDOWS\fyfhux.dat
Removed! : C:\WINDOWS\fykdkv.dat
Removed! : C:\WINDOWS\gbyep.dat
Removed! : C:\WINDOWS\gbyepe.dat
Removed! : C:\WINDOWS\hdncg.dat
Removed! : C:\WINDOWS\hlqxss.dat
Removed! : C:\WINDOWS\jlxeg.dat
Removed! : C:\WINDOWS\kleosp.dat
Removed! : C:\WINDOWS\lphati.dat
Removed! : C:\WINDOWS\nasxg.dat
Removed! : C:\WINDOWS\nasxgo.dat
Removed! : C:\WINDOWS\nqcyu.dat
Removed! : C:\WINDOWS\ofczgk.dat
Removed! : C:\WINDOWS\oijpzn.dat
Removed! : C:\WINDOWS\qltmuu.dat
Removed! : C:\WINDOWS\qqvwtq.dat
Removed! : C:\WINDOWS\rimsfi.dat
Removed! : C:\WINDOWS\tkuyn.dat
Removed! : C:\WINDOWS\tuezwk.dat
Removed! : C:\WINDOWS\uxlcep.dat
Removed! : C:\WINDOWS\uxwwjr.dat
Removed! : C:\WINDOWS\uyhotc.dat
Removed! : C:\WINDOWS\vavzyw.dat
Removed! : C:\WINDOWS\vdlxpl.dat
Removed! : C:\WINDOWS\vhnnge.dat
Removed! : C:\WINDOWS\wsyjt.dat
Removed! : C:\WINDOWS\wsyjtk.dat
Removed! : C:\WINDOWS\wvopcf.dat
Removed! : C:\WINDOWS\xdddd.dat
Removed! : C:\WINDOWS\xghlxm.dat
Removed! : C:\WINDOWS\xsoqx.dat
Removed! : C:\WINDOWS\zbuzxc.dat
Removed! : C:\WINDOWS\System32\appgl.exe
Removed! : C:\WINDOWS\System32\applx32.exe
Removed! : C:\WINDOWS\System32\atldp.exe
Removed! : C:\WINDOWS\System32\javawx.exe
Removed! : C:\WINDOWS\System32\mfcgq32.exe
Removed! : C:\WINDOWS\System32\ntjg32.exe
Removed! : C:\WINDOWS\System32\sdkpz32.exe
Removed! : C:\WINDOWS\System32\sysxx.exe
Removed! : C:\WINDOWS\System32\ujcfr.dll
Removed! : C:\WINDOWS\System32\frhvh.dat
Removed! : C:\WINDOWS\System32\hudgr.dat
Removed! : C:\WINDOWS\System32\issbv.dat
Removed! : C:\WINDOWS\System32\rpsle.dat
Removed! : C:\WINDOWS\System32\uxwwj.dat
Removed! : C:\WINDOWS\System32\wovuc.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Logfile of HijackThis v1.97.7
Scan saved at 6:14:17 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\d3gm32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\winwj.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnftf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hnftf.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hnftf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnftf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hnftf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hnftf.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://fs1:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3E9069D4-143B-69CE-D321-D9147D14D774} - C:\WINDOWS\system32\msug32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [winwj.exe] C:\WINDOWS\winwj.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.3166782407
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com
O17 - HKLM\Software\..\Telephony: DomainName = jwtcc.jwtinder.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jwtcc.jwtinder.com

#7 Subratam


Posted 26 June 2004 - 06:39 PM

Now start HijackThis and tick the boxes next to these items:

O2 - BHO: (no name) - {3E9069D4-143B-69CE-D321-D9147D14D774} - C:\WINDOWS\system32\msug32.dll
O4 - HKLM\..\Run: [winwj.exe] C:\WINDOWS\winwj.exe

Now close ALL windows and hit fix checked.
Do not open internet explorer to come back here until after running my tool.

Start about:buster and hit start. In the first white box input this - starting with
res://

Now hit OK. If there are any "Error Removing" entries, find the file yourself and delete it.

Then start up HijackThis and tick the box next to the random O2 (dll)

Restart your computer and post the report and a new Hijack this log.

Edited by Subratam, 26 June 2004 - 06:40 PM.

http://blog.emsisoft.com
www.Emsisoft.com
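
The logs in this thread show the hijacker coming back under new random names after the first cleanup (ujcfr.dll in post #1, hnftf.dll in post #6). The Python script below is an added example, not part of the original thread and not code from HijackThis or About:Buster; it diffs two log excerpts copied from the posts above to report which DLL the res:// start and search pages load and which O2/O4 entries are new. The function names are illustrative.

```python
import re

# Excerpts copied from the HijackThis logs in post #1 (before) and post #6 (after).
LOG_BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ujcfr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ujcfr.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://FS1:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7FFCC75E-5674-7B6F-24F8-13B92DA42ADF} - C:\WINDOWS\mssb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [javajq32.exe] C:\WINDOWS\system32\javajq32.exe
O4 - HKLM\..\RunOnce: [applx32.exe] C:\WINDOWS\system32\applx32.exe
"""

LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hnftf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnftf.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://fs1:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3E9069D4-143B-69CE-D321-D9147D14D774} - C:\WINDOWS\system32\msug32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [winwj.exe] C:\WINDOWS\winwj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# "R0 - ...", "O4 - ...", "O16 - ...": section code, then the entry body.
ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# Value of the form res://[optional path\]name.dll/page
RES_DLL = re.compile(r"= res://(?:.*\\)?([^\\/]+\.dll)/", re.I)


def parse(log):
    """Return (section, body) for every R*/O* line; other lines are skipped."""
    return [m.groups() for line in log.splitlines()
            if (m := ENTRY.match(line.strip()))]


def res_hijack_dlls(entries):
    """DLL names that the IE start/search page values load via res://."""
    return {m.group(1).lower() for sec, body in entries
            if sec in ("R0", "R1") and (m := RES_DLL.search(body))}


def compare(before, after):
    """Diff two logs: res:// DLLs in each, plus O2/O4 entries new in 'after'."""
    b, a = parse(before), parse(after)
    seen = {(sec, body.lower()) for sec, body in b}
    return {
        "dll_before": res_hijack_dlls(b),
        "dll_after": res_hijack_dlls(a),
        # New BHOs and autoruns only. The diff narrows what to review; it does
        # not classify: the ctfmon.exe line is new here too and is a Windows
        # component, so each new entry still needs a look.
        "new_autoruns": [f"{sec} - {body}" for sec, body in a
                         if sec in ("O2", "O4") and (sec, body.lower()) not in seen],
    }


if __name__ == "__main__":
    report = compare(LOG_BEFORE, LOG_AFTER)
    print("res:// DLL before:", sorted(report["dll_before"]))
    print("res:// DLL after: ", sorted(report["dll_after"]))
    for line in report["new_autoruns"]:
        print("new:", line)
```
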



