Kato

hijacked!

18 posts in this topic

Hello, my computer knowledge is way limited, so please bear with me. I read your rules and followed your directions, although I don't know if I did them all correctly; I know I was close, though. My homepage gets hijacked with this: res://bhspq.dll/index.html#96676. Some pop-ups. So, here is the next step as I understand it. Thanks for the help!

 

Logfile of HijackThis v1.97.7

Scan saved at 10:25:17 PM, on 6/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\winon32.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\netku.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\SpyKiller\spykiller.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\K3NVUGXP\HijackThis[1].exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bhspq.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bhspq.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bhspq.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.mchsi.com/

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

O2 - BHO: (no name) - {9E2E4271-626F-736B-1803-3519CCFD1DBE} - C:\WINDOWS\system32\crvq.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe

O4 - HKLM\..\Run: [spyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe

O4 - HKLM\..\RunOnce: [ierq.exe] C:\WINDOWS\ierq.exe

O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe

O4 - HKLM\..\RunOnce: [d3kq.exe] C:\WINDOWS\d3kq.exe

O4 - HKLM\..\RunOnce: [winmj.exe] C:\WINDOWS\system32\winmj.exe

O4 - HKLM\..\RunOnce: [appga.exe] C:\WINDOWS\appga.exe

O4 - HKLM\..\RunOnce: [ipro.exe] C:\WINDOWS\system32\ipro.exe

O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\ipvj.exe

O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\apirg32.exe

O4 - HKLM\..\RunOnce: [mshs.exe] C:\WINDOWS\mshs.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab


Hello Kato,

 

You have a few infections, and we'll have to clean it in a couple of steps.

 

 

Let's start out by putting HijackThis in a permanent folder.

Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

This will allow backups to be made and saved by HijackThis in case something goes wrong!

Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

 

____

 

Now, please download About:Buster by RubbeR DuckY from:

 

http://www.atribune.org/downloads/AboutBuster.zip

 

Then Unzip it to your desktop. Do not run it yet.

 

Print these directions or paste them into a text document, as you will be running with your Internet Explorer closed.

 

Restarting Internet Explorer may cause a reinfection.

 

 

Please open HijackThis, click Scan, then put a check next to the following entries:

(Only check the entries posted here, for now)

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

 

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

 

 

O2 - BHO: (no name) - {9E2E4271-626F-736B-1803-3519CCFD1DBE} - C:\WINDOWS\system32\crvq.dll

 

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe

 

O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe

O4 - HKLM\..\RunOnce: [ierq.exe] C:\WINDOWS\ierq.exe

O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe

O4 - HKLM\..\RunOnce: [d3kq.exe] C:\WINDOWS\d3kq.exe

O4 - HKLM\..\RunOnce: [winmj.exe] C:\WINDOWS\system32\winmj.exe

O4 - HKLM\..\RunOnce: [appga.exe] C:\WINDOWS\appga.exe

O4 - HKLM\..\RunOnce: [ipro.exe] C:\WINDOWS\system32\ipro.exe

O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\ipvj.exe

O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\apirg32.exe

O4 - HKLM\..\RunOnce: [mshs.exe] C:\WINDOWS\mshs.exe

 

 

 

Next, close all open windows and browsers (have only HJT open) and click "Fix Checked".

 

 

Now startup About:Buster.

 

Hit ok on the first prompt.

Then hit start.

Next hit ok.

 

Wait till the scan completes and copy the report and save it somewhere.

 

Rerun About:Buster to make sure everything was deleted.

 

Then restart your computer.

 

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with a report log.

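As an added example (not code from the thread, from Autodad, or from the HijackThis tool), here is a small Python checker that applies the pattern used above to pick the entries to fix: IE start/search pages set to a res:// URL served out of a local DLL, an unnamed BHO, and Run/RunOnce entries named after executables dropped straight into C:\WINDOWS. The sample log lines are constructed in the format shown in this thread, and the heuristics are my own, tuned to this family rather than a general malware test; comparing two logs shows why the hijack comes back under a new random name when the fix is incomplete.

```python
"""Flag the browser-hijack persistence pattern in a HijackThis v1.9x log.

Added example (not the forum's or the HijackThis tool's own code). The rules
mirror the entries Autodad asked to have fixed: IE start/search pages set to
a res:// URL (HTML served out of a local DLL), a BHO with no name, and Run /
RunOnce entries named after a random-looking executable dropped straight into
C:\\WINDOWS or C:\\WINDOWS\\system32. They are heuristics for this family, not
a general malware test.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample lines in the HijackThis format used in the thread above.
SAMPLE_BEFORE = r"""Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bhspq.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
O2 - BHO: (no name) - {9E2E4271-626F-736B-1803-3519CCFD1DBE} - C:\WINDOWS\system32\crvq.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe
O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Constructed "after a partial clean-up" sample: the same hijack is back under a new DLL name.
SAMPLE_AFTER = r"""Logfile of HijackThis v1.98.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xuimk.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xuimk.dll/sp.html#96676
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
"""

LINE_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<rest>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class Finding:
    kind: str        # HijackThis section code, e.g. R0 or O4
    component: str   # basename of the dropped file the entry points at
    reason: str
    line: str


def entries(log: str):
    """Yield (kind, rest, line) for each R*/O* entry; headers and the process list are skipped."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("rest"), raw.strip()


def exe_path(cmd: str) -> str | None:
    """Executable part of an O4 command line, with optional quotes and arguments removed."""
    m = re.match(r'"?(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else None


def analyze(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for kind, rest, line in entries(log):
        if kind in ("R0", "R1"):
            key, _, value = rest.partition(" = ")
            if value.lower().startswith("res://"):
                # res://<dll>/<page> renders HTML embedded in a DLL, so IE never leaves the box.
                dll = ntpath.basename(value[len("res://"):].split("/")[0])
                findings.append(Finding(kind, dll.lower(), f"IE '{key.rsplit(',', 1)[-1]}' served from local DLL {dll}", line))
        elif kind == "O2" and rest.startswith("BHO: (no name)"):
            dll = ntpath.basename(rest.rsplit(" - ", 1)[-1])
            findings.append(Finding(kind, dll.lower(), f"unnamed Browser Helper Object {dll}", line))
        elif kind == "O4":
            m = O4_RE.match(rest)
            path = exe_path(m.group("cmd")) if m else None
            if path is None:
                continue
            base, parent = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
            # This family registers each dropped file under its own filename; legitimate
            # vendors use a descriptive value name (e.g. [igfxTray]) and their own folder.
            if m.group("name").lower() == base and parent in WINDOWS_DIRS:
                findings.append(Finding(kind, base, f"{m.group('hive')} {m.group('key')} entry named after {base} in {parent}", line))
    return findings


def components(log: str) -> set[str]:
    """Set of dropped-file names a log's findings point at."""
    return {f.component for f in analyze(log)}


def compare(before: str, after: str) -> tuple[set[str], set[str]]:
    """(removed, new) components between two logs: a non-empty 'new' set after a clean-up
    means the hijack re-created itself under fresh random names and the fix is incomplete."""
    old, new = components(before), components(after)
    return old - new, new - old


if __name__ == "__main__":
    for f in analyze(SAMPLE_BEFORE):
        print(f"{f.kind}: {f.reason}")
    removed, fresh = compare(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("removed:", sorted(removed), "reappeared as:", sorted(fresh))
```

Running it on the two constructed samples reports the five hijack entries in the first log and shows bhspq.dll, crvq.dll, winon32.exe and ntsz32.exe gone while netku.exe survives and xuimk.dll appears, which is the same reinfection the later logs in this thread show.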

Autodad, thanks a lot for your help; it is very much appreciated, as well as what this board offers. Anyway, here is what you requested.

 

 

About:Buster Version 1.22

Removed! : C:\WINDOWS\apirg32.exe

Removed! : C:\WINDOWS\appga.exe

Removed! : C:\WINDOWS\d3kq.exe

Removed! : C:\WINDOWS\ierq.exe

Removed! : C:\WINDOWS\iplz.exe

Removed! : C:\WINDOWS\ipvj.exe

Removed! : C:\WINDOWS\mfcre32.exe

Removed! : C:\WINDOWS\mshs.exe

Removed! : C:\WINDOWS\msig32.exe

Removed! : C:\WINDOWS\sysgi32.exe

Removed! : C:\WINDOWS\sysog32.exe

Removed! : C:\WINDOWS\winon32.exe

Removed! : C:\WINDOWS\wfrft.dat

Removed! : C:\WINDOWS\System32\ipro.exe

Removed! : C:\WINDOWS\System32\ntsz32.exe

Removed! : C:\WINDOWS\System32\winmj.exe

Removed! : C:\WINDOWS\System32\bhspq.dll

Removed! : C:\WINDOWS\System32\dugjy.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

About:Buster Version 1.22

Error Removing! : C:\WINDOWS\javamw32.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:06:13 PM, on 6/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\winon32.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\netku.exe

C:\Program Files\SpyKiller\spykiller.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Nick\Local Settings\Temp\Temporary Directory 8 for hijackthis1977.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bhspq.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bhspq.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bhspq.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.mchsi.com/

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

O2 - BHO: (no name) - {9E2E4271-626F-736B-1803-3519CCFD1DBE} - C:\WINDOWS\system32\crvq.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe

O4 - HKLM\..\Run: [spyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe

O4 - HKLM\..\RunOnce: [ierq.exe] C:\WINDOWS\ierq.exe

O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe

O4 - HKLM\..\RunOnce: [d3kq.exe] C:\WINDOWS\d3kq.exe

O4 - HKLM\..\RunOnce: [winmj.exe] C:\WINDOWS\system32\winmj.exe

O4 - HKLM\..\RunOnce: [appga.exe] C:\WINDOWS\appga.exe

O4 - HKLM\..\RunOnce: [ipro.exe] C:\WINDOWS\system32\ipro.exe

O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\ipvj.exe

O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\apirg32.exe

O4 - HKLM\..\RunOnce: [mshs.exe] C:\WINDOWS\mshs.exe

O4 - HKLM\..\RunOnce: [mfcre32.exe] C:\WINDOWS\mfcre32.exe

O4 - HKLM\..\RunOnce: [sysog32.exe] C:\WINDOWS\sysog32.exe

O4 - HKLM\..\RunOnce: [msig32.exe] C:\WINDOWS\msig32.exe

O4 - HKLM\..\RunOnce: [iplz.exe] C:\WINDOWS\iplz.exe

O4 - HKLM\..\RunOnce: [sysgi32.exe] C:\WINDOWS\sysgi32.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

 

 

 

Now, after I ran HijackThis a window popped up that asked "Fix selected items? This will permanently delete and/or repair what you selected, unless you make a backup." I did not click either one. I did not click because you said nothing about clicking yes/no. I then ran About:Buster twice. Then I restarted the computer and opened Internet Explorer, and Google was my homepage. Then I shut it down and reopened it, and I was back to my same problem. Should I have clicked Yes to fix the selected problems, then run Buster?

 

Thanks again for your help. Kato


Hello Kato,

 

The "Fix selected items? This will permanently delete and/or repair what you selected, unless you make a backup." is just an extra warning, letting you know that you are about to delete the items you checked permanently, which is what we want to do.

That being said, it is very important to put HijackThis in a permanent folder, a folder that only contains HJT.exe, which you haven't done yet.

 

Click My Computer, then C:\

In the menu bar, go to File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

This will allow backups to be made and saved by HijackThis in case something goes wrong.

Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

 

Some of the files have changed, so please follow this:

 

 

Print these directions or paste them into a text document, as you will be running with your Internet Explorer closed.

 

Restarting Internet Explorer may cause a reinfection.

 

After you put HijackThis in a permanent folder, open HJT, click Scan, then put a check next to the following entries:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

 

(if you don't need these proxies, then fix these 2 entries:)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com

 

O2 - BHO: (no name) - {9E2E4271-626F-736B-1803-3519CCFD1DBE} - C:\WINDOWS\system32\crvq.dll

 

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe

 

O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe

O4 - HKLM\..\RunOnce: [ierq.exe] C:\WINDOWS\ierq.exe

O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe

O4 - HKLM\..\RunOnce: [d3kq.exe] C:\WINDOWS\d3kq.exe

O4 - HKLM\..\RunOnce: [winmj.exe] C:\WINDOWS\system32\winmj.exe

O4 - HKLM\..\RunOnce: [appga.exe] C:\WINDOWS\appga.exe

O4 - HKLM\..\RunOnce: [ipro.exe] C:\WINDOWS\system32\ipro.exe

O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\ipvj.exe

O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\apirg32.exe

O4 - HKLM\..\RunOnce: [mshs.exe] C:\WINDOWS\mshs.exe

O4 - HKLM\..\RunOnce: [mfcre32.exe] C:\WINDOWS\mfcre32.exe

O4 - HKLM\..\RunOnce: [sysog32.exe] C:\WINDOWS\sysog32.exe

O4 - HKLM\..\RunOnce: [msig32.exe] C:\WINDOWS\msig32.exe

O4 - HKLM\..\RunOnce: [iplz.exe] C:\WINDOWS\iplz.exe

 

O4 - HKLM\..\RunOnce: [sysgi32.exe] C:\WINDOWS\sysgi32.exe

 

 

Now, close all open windows and browsers (have only HJT open) and click "Fix Checked".

(When the pop-up appears saying "Fix selected items? This will permanently delete and/or repair what you selected, unless you make a backup.", click Yes.)

 

Next, startup About:Buster.

 

Hit ok on the first prompt.

Then hit start.

Next hit ok.

 

Wait till the scan completes and copy the report and save it somewhere.

 

Rerun About:Buster to make sure everything was deleted.

 

Then restart your computer.

 

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with a report log.

 

Also, feel free to post back if you have any questions. It's better to ask before doing something if you're not sure.

Edited by Autodad


Autodad, my bad, I should have asked first. Again, thanks for the help.

 

A couple of things:

1. On my desktop I have a folder with a zipper through it, and it's titled hijack this 1977. When I click it, a window comes up with an icon that says HijackThis. When I open that, HJT is open to run a scan.

 

2. Now in my Local Disk (C:) I created a new folder called HJT2 (the 2 represents my second attempt). When I open this I get a blank page.

 

3. I can also click My Computer, then click Files Stored on This Computer, then click Kato's Documents, then I click on the folder HijackThis2 (which is now my 3rd HijackThis file, correct?). When I click that I get the icon with the dynamite.

 

 

Now here is the first part of your directions:

Let's start out by putting HijackThis in a permanent folder.

Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

This will allow backups to be made and saved by HijackThis in case something goes wrong!

Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

 

OK, now I think I have 3 HijackThis folders; I have no idea in hell as to where to run it, or where to put the backup.

 

I have no idea what a HijackThis.exe is.

 

Now, most importantly, I have no idea how to save my HJT log, and where and how to put it.

 

Yes, I followed the directions at netstar! Still unsure.

 

Also, this thing here:

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

came with the hijack. It's a pop-up that opens when I open IE, so I ran it. I think it's not good and I would like to get rid of it, I THINK. Please let me know.

 

I have no idea what a proxy is, but these 2 items

(if you don't need these proxies, then fix these 2 entries:)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com

are part of my email that came with my high-speed cable internet, so I assume I should keep them. But if I don't need them, please let me know.

 

God, I hope this post makes sense to you! Thank you.

Edited by Kato


Hey Kato,

No problem, let's take this one step at a time.

 

Here is a different link that shows how to make a New (Permanent) Folder. It has some pictures that may make it easier to follow.

 

http://russelltexas.com/malware/createhjtfolder.htm

 

Once you have the New Folder called HJT, you then have to put the HijackThis.exe into it.

This is where you are running HijackThis.exe from now:

C:\Documents and Settings\Nick\Local Settings\Temp\Temporary Directory 8 for hijackthis1977.zip\HijackThis.exe.

This is not a good folder to have it in when running it.

 

Do this, first make the new folder and call it something you haven't called it yet, maybe HJT 4.

Then go here: http://www.spywareinfo.com/~merijn/files/HijackThis.exe and download it again.

When the box pops up that says "Would you like to open the file or save it to your computer?", click on Save.

When the next box pops up (Save As) find the Folder you just made called HJT 4. You will have to look for it in C:\ by clicking the "down triangle" in the top box next to Save in:

Once you find it, double click on HJT 4 until the folder HJT 4 is in the top box next to Save in: The area under the folder will be blank.

After you do that, the File name: will say Hijack This and the Save as type: will say Application.

Now click Save. After it downloads, the next pop up box will say Download Complete, Now click on Open Folder.

The HijackThis.exe will be there (the icon with the dynamite). Right click on the icon and Send to / Desktop (create shortcut)

 

Now close all the open windows, and you will see your Desktop. Double click on the HijackThis icon. That will run HJT.

(If you had sent any other HijackThis shortcuts to your desktop before, please delete them and only have this new one there.)

 

Next click Scan, then follow the above steps to start fixing.

 

 

As for O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

Yes, please remove it.

Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"

Then Remove/Delete SpyKiller.

 

Also don't fix those R1 proxies.

 

After you do the above, please post a new HJT log. I hope this helps you a bit.


Nope???????? When I opened IE the first time there was Google. Closed, went back, same ol' sh1t happening. Man, this is crazy.

 

 

About:Buster Version 1.22

Removed! : C:\WINDOWS\addrz.exe

Removed! : C:\WINDOWS\atlte.exe

Removed! : C:\WINDOWS\javamw32.exe

Removed! : C:\WINDOWS\wfrft.dat

Removed! : C:\WINDOWS\System32\bhspq.dll

Removed! : C:\WINDOWS\System32\dykvn.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

About:Buster Version 1.22

Removed! : C:\WINDOWS\System32\apitb32.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

Logfile of HijackThis v1.98.0

Scan saved at 10:13:25 PM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\wanmpsvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\atlqs.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\netku.exe

C:\Program Files\SpyKiller\spykiller.exe

C:\Program Files\America Online 9.0\aoltray.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\HJT4\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xuimk.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xuimk.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xuimk.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xuimk.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xuimk.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xuimk.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mchsi.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O2 - BHO: (no name) - {629030A7-44B3-27E0-3C20-D6E0DCF53BDA} - C:\WINDOWS\apigu32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [spyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

 

Could not find this w/ ur directions. It was not in there:

As for O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

Yes, please remove it.

Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"

Then Remove/Delete SpyKiller.

 

 

Could not find any of these on the scan:

O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe

O4 - HKLM\..\RunOnce: [ierq.exe] C:\WINDOWS\ierq.exe

O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe

O4 - HKLM\..\RunOnce: [d3kq.exe] C:\WINDOWS\d3kq.exe

O4 - HKLM\..\RunOnce: [winmj.exe] C:\WINDOWS\system32\winmj.exe

O4 - HKLM\..\RunOnce: [appga.exe] C:\WINDOWS\appga.exe

O4 - HKLM\..\RunOnce: [ipro.exe] C:\WINDOWS\system32\ipro.exe

O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\ipvj.exe

O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\apirg32.exe

O4 - HKLM\..\RunOnce: [mshs.exe] C:\WINDOWS\mshs.exe

O4 - HKLM\..\RunOnce: [mfcre32.exe] C:\WINDOWS\mfcre32.exe

O4 - HKLM\..\RunOnce: [sysog32.exe] C:\WINDOWS\sysog32.exe

O4 - HKLM\..\RunOnce: [msig32.exe] C:\WINDOWS\msig32.exe

O4 - HKLM\..\RunOnce: [iplz.exe] C:\WINDOWS\iplz.exe

 

O4 - HKLM\..\RunOnce: [sysgi32.exe] C:\WINDOWS\sysgi32.exe

 

Maybe I screwed up. Thanks, Kato

Edited by Kato


Try doing this in Safe Mode (tap F8 while restarting to get to safe mode)

 

Open Hijackthis, click Scan, then put a check next to the following entries:

 

O2 - BHO: (no name) - {629030A7-44B3-27E0-3C20-D6E0DCF53BDA} - C:\WINDOWS\apigu32.dll

 

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe

 

Then, close all windows, have only HJT open, and click "Fix Checked".

 

 

Next, start up About:Buster.

 

Hit ok on the first prompt.

Then hit start.

Next hit ok.

 

Wait till the scan completes and copy the report and save it somewhere.

 

Rerun About:Buster to make sure everything was deleted.

 

Then restart your computer.

 

Then, please post a new HJT and Buster log.

 

 

**BTW, good job getting HJT into a permanent folder :thumbsup:

Edited by Autodad


nope

 

About:Buster Version 1.22

Removed! : C:\WINDOWS\atlqs.exe

Removed! : C:\WINDOWS\ntrh32.exe

Removed! : C:\WINDOWS\System32\dykvn.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

About:Buster Version 1.22

Removed! : C:\WINDOWS\kvdof.dat

Error Removing! : C:\WINDOWS\System32\sysuc.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

Logfile of HijackThis v1.98.0

Scan saved at 8:32:12 PM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\wanmpsvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\ipht32.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\netku.exe

C:\Program Files\SpyKiller\spykiller.exe

C:\Program Files\America Online 9.0\aoltray.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\HJT4\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mchsi.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O2 - BHO: (no name) - {35F1EB9B-2875-FC5F-C210-4FA3B45FC995} - C:\WINDOWS\system32\javaeh32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [spyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe

O4 - HKLM\..\RunOnce: [sysuc.exe] C:\WINDOWS\system32\sysuc.exe

O4 - HKLM\..\RunOnce: [criq.exe] C:\WINDOWS\system32\criq.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

 

Could not find this w/ ur directions. It was not in there:

As for O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

Yes, please remove it.

Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"

Then Remove/Delete SpyKiller.

 

 

**BTW, good job getting HJT into a permanent folder

Thanks Auto, could not do any of this w/out ur help! This crap is like Chinese to me! lol

Edited by Kato


Hi Kato,

 

"Nope"? I don't see any signs of your hijack. Are you still getting hijacked?

 

Let's fix a few things in HJT.

 

Open Hijackthis, click Scan, then put a check next to the following entries:

 

O2 - BHO: (no name) - {35F1EB9B-2875-FC5F-C210-4FA3B45FC995} - C:\WINDOWS\system32\javaeh32.dll

 

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe

O4 - HKLM\..\RunOnce: [sysuc.exe] C:\WINDOWS\system32\sysuc.exe

O4 - HKLM\..\RunOnce: [criq.exe] C:\WINDOWS\system32\criq.exe

 

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

 

 

Then, close all open windows and browsers (have only HJT open) and click "Fix Checked".

 

Now reboot to safe mode (tap F8 while restarting) and look again for Spykiller in:

 

C:\Program Files\SpyKiller\

 

Then, reboot and please post a new log, and let us know what problems you are still having.

 

You're doing good so far. Hang in there ;)


Homepage still getting hijacked w/ this... res://gjnxe.dll/index.html#96676 and stupid pop ups. And when I type in www.whatever.com it does not go to the site; instead it goes to a Windows help center... res://gjnxe.dll/url_error.html#hotmail.com and says error: you have entered the wrong URL into the address bar. Probably you were trying to enter the following addy: http://hotmail.com. Then I have to click on this to get into the site I want.

 

Got rid of SpyKiller! Thanks.

 

:gah::gah::gah::gah:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 9:47:30 PM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\ipht32.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\HJT4\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezbfc.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ezbfc.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ezbfc.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ezbfc.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezbfc.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ezbfc.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mchsi.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [spyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

Edited by Kato


Hi Kato,

 

This one is being a little stubborn. The startup entries are clean now, so let's try this.

 

1) Open My Computer and choose "Tools" in the menu, then choose "Folder Options".

 

2) Click the "View" tab and under Advanced Settings set it to show "Hidden files and folders"

 

3) Next press "Alt Ctrl Del" and choose the "Processes tab" to bring up a list of running processes.

 

4) Click the "Image Name" button to get the processes in alphabetical order. Scroll through the list of processes and end task on this:

 

ipht32.exe

 

5) Next, go to Start --> Run and type "Services.msc" (without quotes) then hit OK.

 

6) Scroll down in the right pane of the screen and find the service called "Network Security Service". Double click it.

 

7) In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

 

8) Open HijackThis, click Scan, then put a check next to the following entries:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezbfc.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ezbfc.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ezbfc.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ezbfc.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezbfc.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ezbfc.dll/index.html#96676

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll

 

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

Then, close all open windows and browsers (have only HJT open) and click "Fix Checked".

 

 

9) Reboot to Safe Mode (tap F8 while restarting) and delete these files:

 

C:\WINDOWS\ezbfc.dll

C:\WINDOWS\msopt.dll

C:\WINDOWS\ipht32.exe

C:\WINDOWS\system32\addzz32.dll

 

10) Go to Start, --> Run and type in "regedit" (without quotes) and press "Enter".

 

11) In the registry, navigate to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

In the left pane if you see something called "__NS_Service_3" right click on it and choose delete.

 

12) Next navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\

In the left pane if you see something called "LEGACY___NS_Service_3" right click on it and choose delete.

 

13) Exit regedit and reboot in Normal Mode.

 

Then, please post a new HJT log, and let us know if you still have any problems. We will fix this!

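The entries singled out above follow a recognisable pattern (res:// start and search pages, a nameless BHO and an O18 protocol handler loaded from C:\WINDOWS, RunOnce droppers), while the ISP proxy lines were deliberately left alone. As an added example that is not HijackThis's or the forum's own code, this Python triage script applies those same rules to HJT log lines; the rule set and severity labels are constructed heuristics, and the sample input is excerpted from the logs posted in this thread.

```python
"""Triage heuristics for HijackThis (HJT) log lines (added example; constructed
heuristics derived from what the helper fixed in this thread, not HJT's own logic)."""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str   # HJT section code, e.g. "R0", "O2"
    severity: str  # "high" or "info"
    reason: str
    line: str


# Shapes of the log sections this triage looks at.
RE_PAGE = re.compile(r"^(?P<sec>R[01]) - (?P<key>.+?),(?P<name>[^,=]+) = (?P<value>.*)$")
RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RE_RUN = re.compile(r"^O4 - HKLM\\\.\.\\(?P<hive>Run|RunOnce): \[[^\]]+\] (?P<path>.*)$")
RE_PROTO = re.compile(r"^O18 - Protocol: (?P<scheme>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# A bare .exe/.dll sitting directly in C:\WINDOWS or C:\WINDOWS\System32 ...
RE_WINDIR = re.compile(r"^c:\\windows\\(system32\\)?[^\\]+\.(exe|dll)$", re.IGNORECASE)
# ... and the stricter case, directly in C:\WINDOWS: OEM Run entries such as
# igfxtray.exe legitimately live in System32, so Run entries there are left alone.
RE_WINROOT = re.compile(r"^c:\\windows\\[^\\]+\.(exe|dll)$", re.IGNORECASE)


def _bare_path(path: str) -> str:
    """HJT appends ' (file missing)' when the registry still points at a deleted file."""
    return path.replace(" (file missing)", "").strip()


def triage_line(raw: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line looks benign."""
    line = raw.strip()
    if line == "R3 - Default URLSearchHook is missing":
        # The helper fixed this once but did not count it among the final leftovers.
        return Finding("R3", "info", "default URLSearchHook removed", line)
    m = RE_PAGE.match(line)
    if m:  # start/search pages; ISP ProxyServer/ProxyOverride lines fall through as benign
        if m["value"].lower().startswith("res://"):
            return Finding(m["sec"], "high", f"{m['name']} points into a DLL via res://", line)
        return None
    m = RE_BHO.match(line)
    if m and m["name"] == "(no name)" and RE_WINDIR.match(_bare_path(m["path"])):
        return Finding("O2", "high", "nameless BHO loaded from the Windows directory", line)
    m = RE_RUN.match(line)
    if m:
        path = _bare_path(m["path"])
        if m["hive"] == "RunOnce" and RE_WINDIR.match(path):
            return Finding("O4", "high", "RunOnce entry re-launching a dropped file", line)
        if m["hive"] == "Run" and RE_WINROOT.match(path):
            return Finding("O4", "high", "Run entry for a bare file in C:\\WINDOWS", line)
        return None
    m = RE_PROTO.match(line)
    if m and RE_WINDIR.match(_bare_path(m["path"])):
        return Finding("O18", "high", f"'{m['scheme']}' protocol handler DLL in the Windows directory", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Triage every line of an HJT log; blank lines and benign entries are skipped."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def high_findings(text: str) -> List[Finding]:
    return [f for f in triage_log(text) if f.severity == "high"]


# Sample input excerpted from the logs posted in this thread (the 6/30 log plus two of
# the RunOnce entries the poster listed, and the final 7/5 log).
INFECTED_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xuimk.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xuimk.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xuimk.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xuimk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xuimk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xuimk.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mchsi.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {629030A7-44B3-27E0-3C20-D6E0DCF53BDA} - C:\WINDOWS\apigu32.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe
O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""

CLEAN_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""
```

On the final log the high-severity findings are exactly the two leftovers the helper lists later in the thread (the dead BHO and the icoo protocol handler).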

Hey Auto, happy 4th.

 

For some reason I couldn't get logged on to this board on Friday.

 

Thanks for the next step, but I looked around a bit and do not know how to delete these items:

9) Reboot to Safe Mode (tap F8 while restarting) and delete these files:

 

C:\WINDOWS\ezbfc.dll

C:\WINDOWS\msopt.dll

C:\WINDOWS\ipht32.exe

C:\WINDOWS\system32\addzz32.dll


Hi Kato,

 

Let's do this. About:Buster has been updated since your last post, so please follow this:

 

(So it won't be confusing, delete the current version of About:Buster that you have).

 

Then, download About:Buster and unzip it to your desktop.

Start it, hit Ok, Start, And Ok to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

 

Happy 4th to you also!


Uh oh! I think we may have killed this sucker? Check it out. I had some sites open. I ran the new About:Buster. Saved it. Then closed all windows, ran About:Buster again. Saved. Then ran HJT. Saved. Then I opened IE and Google was my homepage. Then I set my homepage to blank and opened it 3-4 times and it stayed blank! Here is the info you requested!

 

 

About:Buster Version 1.24

Removed! : C:\WINDOWS\akhdfi.dat

Removed! : C:\WINDOWS\apigu32.dll

Removed! : C:\WINDOWS\bronmh.dat

Removed! : C:\WINDOWS\cvrzsp.dat

Removed! : C:\WINDOWS\dhvhnc.dat

Removed! : C:\WINDOWS\dptdjc.dat

Removed! : C:\WINDOWS\dugjyn.dat

Removed! : C:\WINDOWS\eerotu.dat

Removed! : C:\WINDOWS\ekndai.dat

Removed! : C:\WINDOWS\eslzei.dat

Removed! : C:\WINDOWS\ewwqdy.dat

Removed! : C:\WINDOWS\fpklgb.dat

Removed! : C:\WINDOWS\fvwvrp.dat

Removed! : C:\WINDOWS\gapnqe.dat

Removed! : C:\WINDOWS\gjnxe.dat

Removed! : C:\WINDOWS\gstsjo.dat

Removed! : C:\WINDOWS\hzfqiy.dat

Removed! : C:\WINDOWS\ijvrlq.dat

Removed! : C:\WINDOWS\ipht32.exe

Removed! : C:\WINDOWS\iveowu.dat

Removed! : C:\WINDOWS\jeigwv.dat

Removed! : C:\WINDOWS\jfnrss.dat

Removed! : C:\WINDOWS\jkxmdf.dat

Removed! : C:\WINDOWS\jnefsl.dat

Removed! : C:\WINDOWS\klfjev.dat

Removed! : C:\WINDOWS\kmgfyx.dat

Removed! : C:\WINDOWS\krobes.dat

Removed! : C:\WINDOWS\kvdof.dat

Removed! : C:\WINDOWS\lqfoez.dat

Removed! : C:\WINDOWS\lydmov.dat

Removed! : C:\WINDOWS\mbojbc.dat

Removed! : C:\WINDOWS\mxxrch.dat

Removed! : C:\WINDOWS\netku.exe

Removed! : C:\WINDOWS\n_ildmms.dat

Removed! : C:\WINDOWS\n_jeigwv.dat

Removed! : C:\WINDOWS\n_woalio.dat

Removed! : C:\WINDOWS\n_wvuryk.dat

Removed! : C:\WINDOWS\oaiooo.dat

Removed! : C:\WINDOWS\olnvhq.dat

Removed! : C:\WINDOWS\opkztu.dat

Removed! : C:\WINDOWS\poysux.dat

Removed! : C:\WINDOWS\qannjo.dat

Removed! : C:\WINDOWS\rhfojn.dat

Removed! : C:\WINDOWS\rqgyek.dat

Removed! : C:\WINDOWS\szkquq.dat

Removed! : C:\WINDOWS\tcdfgx.dat

Removed! : C:\WINDOWS\tghole.dat

Removed! : C:\WINDOWS\tlmfcv.dat

Removed! : C:\WINDOWS\tsplwu.dat

Removed! : C:\WINDOWS\turvzq.dat

Removed! : C:\WINDOWS\ujrlyl.dat

Removed! : C:\WINDOWS\uvihra.dat

Removed! : C:\WINDOWS\vdujyz.dat

Removed! : C:\WINDOWS\vesdgn.dat

Removed! : C:\WINDOWS\vmllpj.dat

Removed! : C:\WINDOWS\wfnyfs.dat

Removed! : C:\WINDOWS\whnfkg.dat

Removed! : C:\WINDOWS\xjyusz.dat

Removed! : C:\WINDOWS\xqehkp.dat

Removed! : C:\WINDOWS\zibipo.dat

Error Removing! : C:\WINDOWS\System32\addzz32.dll

Removed! : C:\WINDOWS\System32\criq.exe

Removed! : C:\WINDOWS\System32\crvq.dll

Removed! : C:\WINDOWS\System32\d3tz.exe

Removed! : C:\WINDOWS\System32\erpqp.dat

Removed! : C:\WINDOWS\System32\javaeh32.dll

Removed! : C:\WINDOWS\System32\knijp.dat

Removed! : C:\WINDOWS\System32\ntqc.exe

Removed! : C:\WINDOWS\System32\sysuc.exe

Removed! : C:\WINDOWS\System32\winpo32.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

 

About:Buster Version 1.24

Removed! : C:\WINDOWS\cfrbpb.dat

Removed! : C:\WINDOWS\crxe.exe

Removed! : C:\WINDOWS\gjnxe.dat

Removed! : C:\WINDOWS\System32\addzz32.dll

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

 

Logfile of HijackThis v1.98.0

Scan saved at 10:08:38 AM, on 7/5/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\wanmpsvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\WINDOWS\System32\wuauclt.exe

C:\HJT4\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mchsi.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [spyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


Hey Kato,

 

Great job!! :D

It does look like you're rid of that nasty, and probably learned a few things about your PC on the way. ;)

 

Thanks to RubbeR DuckY for keeping AB up-to-date! :thumbsup:

 

Just 2 items to clean up in HJT.

 

Open Hijackthis, click Scan, then put a check next to the following entries:

 

O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll (file missing)

 

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

Then, Close all open Windows and Browsers (have only HJT open) and click "Fix Checked".

 

Here is some free protection you should consider:

Download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies.

 

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

 

Check for updates occasionally.

 

And also see So how did I get infected in the first place?
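The two leftover entries above are the kind a reviewer picks out of a HijackThis log by hand: an O2 browser helper object with no name whose DLL is already gone, and an O18 protocol handler whose DLL sits directly in the Windows directory rather than in System32. The following Python script is an added example, not code from the thread or from HijackThis itself; it parses lines in the HJT log format and applies a few constructed review heuristics (orphaned or unnamed BHOs, O9 buttons with no file, O18 handler DLLs in the Windows root) to a sample built from entries shown on this page.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis log format. The O2 and O18 lines are the two
# entries the helper asked to fix; the O4, O9 and O3 lines give benign contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in a module-style extension; lazy so that
# "c:\progra~1\mcafee.com\vso\mcvsshl.dll" is captured whole.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"]+?\.(?:dll|exe|ocx|cab))\b", re.I)

# Directories where a protocol handler DLL sitting directly in the root is
# unusual (constructed heuristic for this example, not an HJT rule).
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt"}


@dataclass
class Entry:
    section: str            # e.g. "O2", "O18"
    body: str               # everything after "On - "
    clsid: Optional[str]    # first {GUID} found, if any
    path: Optional[str]     # first module path found, if any


def parse(log: str) -> List[Entry]:
    """Turn HJT log text into Entry records; non-matching lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        clsid_m = CLSID_RE.search(body)
        path_m = PATH_RE.search(body)
        entries.append(Entry(section, body,
                             clsid_m.group(0) if clsid_m else None,
                             path_m.group(1) if path_m else None))
    return entries


def review(entries: List[Entry]) -> List[Tuple[str, Optional[str], str]]:
    """Apply the constructed heuristics; returns (section, clsid, reason) tuples."""
    findings = []
    for e in entries:
        if e.section == "O2" and ("(no name)" in e.body or "(file missing)" in e.body):
            findings.append((e.section, e.clsid, "unnamed or orphaned BHO"))
        elif e.section == "O9" and "(no file)" in e.body:
            findings.append((e.section, e.clsid, "extra button with no backing file"))
        elif e.section == "O18":
            if e.path is None:
                findings.append((e.section, e.clsid, "protocol handler without a module path"))
            elif ntpath.dirname(e.path).lower() in WINDOWS_ROOTS:
                findings.append((e.section, e.clsid,
                                 "protocol handler DLL directly in the Windows root"))
    return findings


if __name__ == "__main__":
    for section, clsid, reason in review(parse(SAMPLE_LOG)):
        print(f"{section} {clsid}: {reason}")
```

Run on the sample, the script reports exactly the O2 and O18 lines the helper singled out, plus the orphaned O9 Java Console button, and leaves the McAfee toolbar and the Intel tray entry alone. The heuristics are deliberately narrow: they surface entries worth a second look rather than declaring anything malicious.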


unnnnnnnnnh! i feel like i actually did somethin on this. and i owe all the credit to you! i gotta give you props for ur skills! i envy the knowledge that you and ur peers possess! gotta give you props for ur patience w/ clowns like me who have no skills! lmao plus i give you my vote for modship! I cannot thank you enough!

 

also i gotta kick some cash somewhere? the board, RubbeR DuckY, both? plmk. cuz w/out this board i would be paying some high priced tech.
