hijacked!



#1 Kato

Posted 26 June 2004 - 10:35 PM

Hello, my computer knowledge is way limited, so please bear with me. I read your rules and followed your directions, although I don't know if I did them all correctly. I know I was close though. My homepage gets hijacked with this: res://bhspq.dll/index.html#96676. Some pop-ups too. So, here is the next step as I understand it. Thanks for the help!

Logfile of HijackThis v1.97.7
Scan saved at 10:25:17 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\winon32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\netku.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\K3NVUGXP\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bhspq.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bhspq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bhspq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.mchsi.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
O2 - BHO: (no name) - {9E2E4271-626F-736B-1803-3519CCFD1DBE} - C:\WINDOWS\system32\crvq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe
O4 - HKLM\..\RunOnce: [ierq.exe] C:\WINDOWS\ierq.exe
O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe
O4 - HKLM\..\RunOnce: [d3kq.exe] C:\WINDOWS\d3kq.exe
O4 - HKLM\..\RunOnce: [winmj.exe] C:\WINDOWS\system32\winmj.exe
O4 - HKLM\..\RunOnce: [appga.exe] C:\WINDOWS\appga.exe
O4 - HKLM\..\RunOnce: [ipro.exe] C:\WINDOWS\system32\ipro.exe
O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\ipvj.exe
O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\apirg32.exe
O4 - HKLM\..\RunOnce: [mshs.exe] C:\WINDOWS\mshs.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#2 Autodad

Posted 27 June 2004 - 10:27 AM

Hello Kato,

You have a few infections, and we'll have to clean them in a couple of steps.


Let's start out by putting HijackThis in a permanent folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
This will allow backups to be made and saved by HijackThis in case something goes wrong!
Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

____

Now, please download About:Buster by RubbeR DuckY from:

http://www.atribune....AboutBuster.zip

Then Unzip it to your desktop. Do not run it yet.

Print these directions or paste them into a text document as you will be running with your internet explorer closed.

Restarting internet explorer may cause a reinfection.


Please open HijackThis, click Scan, then put a check next to the following entries:
(Only check the entries posted here, for now)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php


O2 - BHO: (no name) - {9E2E4271-626F-736B-1803-3519CCFD1DBE} - C:\WINDOWS\system32\crvq.dll

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe

O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe
O4 - HKLM\..\RunOnce: [ierq.exe] C:\WINDOWS\ierq.exe
O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe
O4 - HKLM\..\RunOnce: [d3kq.exe] C:\WINDOWS\d3kq.exe
O4 - HKLM\..\RunOnce: [winmj.exe] C:\WINDOWS\system32\winmj.exe
O4 - HKLM\..\RunOnce: [appga.exe] C:\WINDOWS\appga.exe
O4 - HKLM\..\RunOnce: [ipro.exe] C:\WINDOWS\system32\ipro.exe
O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\ipvj.exe
O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\apirg32.exe
O4 - HKLM\..\RunOnce: [mshs.exe] C:\WINDOWS\mshs.exe



Next, close all open windows and browsers (have only HJT open) and click "Fix Checked".


Now startup About:Buster.

Hit ok on the first prompt.
Then hit start.
Next hit ok.

Wait till the scan completes and copy the report and save it somewhere.

Rerun About:Buster to make sure everything was deleted.

Then restart your computer.

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with the About:Buster report log.
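As an added example that is not part of this thread (and not HijackThis or About:Buster code), the Python script below parses log lines in the format above and flags the traits that the entries picked for fixing have in common, then diffs two logs so a renamed DLL or launcher stands out; the sample lines are copied from this thread's logs and the heuristics are my own assumptions.

```python
# Added example (not part of this thread, nor HijackThis/About:Buster code):
# triage for HijackThis-style log lines.  The heuristics below are my own
# assumptions, modelled on the traits of the entries Autodad picked to fix.
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: lines copied from the thread's first log (26 June).
FIRST_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bhspq.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
O2 - BHO: (no name) - {9E2E4271-626F-736B-1803-3519CCFD1DBE} - C:\WINDOWS\system32\crvq.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe
O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe
"""
# Constructed sample: the same keys as they appear in the thread's 30 June log.
LATER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xuimk.dll/index.html#96676
O2 - BHO: (no name) - {629030A7-44B3-27E0-3C20-D6E0DCF53BDA} - C:\WINDOWS\apigu32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
WINDIRS = ("c:\\windows", "c:\\windows\\system32")

@dataclass
class Entry:
    kind: str                 # "R0", "O2", "O4", ...
    body: str                 # everything after "Rn - "
    reasons: list = field(default_factory=list)

def _launched_path(cmd):
    """Executable from a Run value, whether quoted or bare with spaces."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)', cmd.strip(), re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def _check_r(body):
    """R0/R1: start or search page pulled from a DLL, or a bare-IP host."""
    reasons = []
    _, sep, value = body.partition(" = ")
    if not sep:
        return reasons
    value = value.strip()
    if value.lower().startswith("res://") and ".dll" in value.lower():
        reasons.append("page served from a DLL resource (res://)")
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    if IPV4_RE.fullmatch(host):
        reasons.append("URL host is a bare IP address")
    return reasons

def _check_o2(body):
    return ["BHO registered without a name"] if body.startswith("BHO: (no name)") else []

def _check_o4(body):
    """O4: RunOnce launchers, and launchers named after their own file placed
    directly in the Windows directory or its system32 folder."""
    m = O4_RE.match(body)
    if not m:
        return []
    reasons = []
    folder, _, exe = _launched_path(m["cmd"]).lower().rpartition("\\")
    if m["key"].lower() == "runonce":
        reasons.append("RunOnce launcher")
    if folder in WINDIRS and m["name"].lower() == exe:
        reasons.append("launcher named after its own file in the Windows directory")
    return reasons

CHECKS = {"R0": _check_r, "R1": _check_r, "O2": _check_o2, "O4": _check_o4}

def triage(log_text):
    """Parse a log and return only the entries tripping a heuristic."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = Entry(m["kind"], m["body"], CHECKS.get(m["kind"], lambda _: [])(m["body"]))
        if entry.reasons:
            flagged.append(entry)
    return flagged

def compare(old_text, new_text):
    """Flagged entries gone from / new in a later log (a rename shows as both)."""
    old = {e.body for e in triage(old_text)}
    new = {e.body for e in triage(new_text)}
    return sorted(old - new), sorted(new - old)

if __name__ == "__main__":
    for e in triage(FIRST_LOG):
        print(f"{e.kind} - {e.body}\n    -> {'; '.join(e.reasons)}")
    gone, came = compare(FIRST_LOG, LATER_LOG)
    print("\ngone in later log:", *gone, "\nnew in later log:", *came, sep="\n  ")
```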

#3 Kato

Posted 28 June 2004 - 10:32 PM

Autodad, thanks a lot for your help; it is very much appreciated, as is what this board offers. Anyway, here is what you requested.


About:Buster Version 1.22
Removed! : C:\WINDOWS\apirg32.exe
Removed! : C:\WINDOWS\appga.exe
Removed! : C:\WINDOWS\d3kq.exe
Removed! : C:\WINDOWS\ierq.exe
Removed! : C:\WINDOWS\iplz.exe
Removed! : C:\WINDOWS\ipvj.exe
Removed! : C:\WINDOWS\mfcre32.exe
Removed! : C:\WINDOWS\mshs.exe
Removed! : C:\WINDOWS\msig32.exe
Removed! : C:\WINDOWS\sysgi32.exe
Removed! : C:\WINDOWS\sysog32.exe
Removed! : C:\WINDOWS\winon32.exe
Removed! : C:\WINDOWS\wfrft.dat
Removed! : C:\WINDOWS\System32\ipro.exe
Removed! : C:\WINDOWS\System32\ntsz32.exe
Removed! : C:\WINDOWS\System32\winmj.exe
Removed! : C:\WINDOWS\System32\bhspq.dll
Removed! : C:\WINDOWS\System32\dugjy.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


About:Buster Version 1.22
Error Removing! : C:\WINDOWS\javamw32.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!



Logfile of HijackThis v1.97.7
Scan saved at 10:06:13 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\winon32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\netku.exe
C:\Program Files\SpyKiller\spykiller.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Nick\Local Settings\Temp\Temporary Directory 8 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bhspq.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bhspq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bhspq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bhspq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.mchsi.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
O2 - BHO: (no name) - {9E2E4271-626F-736B-1803-3519CCFD1DBE} - C:\WINDOWS\system32\crvq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe
O4 - HKLM\..\RunOnce: [ierq.exe] C:\WINDOWS\ierq.exe
O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe
O4 - HKLM\..\RunOnce: [d3kq.exe] C:\WINDOWS\d3kq.exe
O4 - HKLM\..\RunOnce: [winmj.exe] C:\WINDOWS\system32\winmj.exe
O4 - HKLM\..\RunOnce: [appga.exe] C:\WINDOWS\appga.exe
O4 - HKLM\..\RunOnce: [ipro.exe] C:\WINDOWS\system32\ipro.exe
O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\ipvj.exe
O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\apirg32.exe
O4 - HKLM\..\RunOnce: [mshs.exe] C:\WINDOWS\mshs.exe
O4 - HKLM\..\RunOnce: [mfcre32.exe] C:\WINDOWS\mfcre32.exe
O4 - HKLM\..\RunOnce: [sysog32.exe] C:\WINDOWS\sysog32.exe
O4 - HKLM\..\RunOnce: [msig32.exe] C:\WINDOWS\msig32.exe
O4 - HKLM\..\RunOnce: [iplz.exe] C:\WINDOWS\iplz.exe
O4 - HKLM\..\RunOnce: [sysgi32.exe] C:\WINDOWS\sysgi32.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab



Now, after I ran HijackThis, a window popped up that asked "Fix selected items? This will permanently delete and/or repair what you selected, unless you make a backup." I did not click either one, because you said nothing about clicking yes/no. I then ran About:Buster twice. Then I restarted the computer and opened Internet Explorer, and Google was my homepage. Then I shut it down and reopened it and I was back to my same problem. Should I have clicked Yes to fix the selected problems, then run Buster?

thanks again for your help. Kato

#4 Autodad

Posted 28 June 2004 - 11:44 PM

Hello Kato,

The "Fix selected items? This will permanently delete and/or repair what you selected, unless you make a backup." prompt is just an extra warning, letting you know that you are about to permanently delete the items you checked, which is what we want to do.
That being said, it is very important to put HijackThis in a permanent folder, a folder that only contains HJT.exe, which you haven't done yet.

Click My Computer, then C:\
In the menu bar, go to File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
This will allow backups to be made and saved by HijackThis in case something goes wrong.
Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

Some of the files have changed, so please follow this:


Print these directions or paste them into a text document as you will be running with your internet explorer closed.

Restarting internet explorer may cause a reinfection.

After you put HijackThis in a permanent folder, open HJT, click Scan, then put a check next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

(if you don't need these proxies, then fix these 2 entries:)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com

O2 - BHO: (no name) - {9E2E4271-626F-736B-1803-3519CCFD1DBE} - C:\WINDOWS\system32\crvq.dll

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe

O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe
O4 - HKLM\..\RunOnce: [ierq.exe] C:\WINDOWS\ierq.exe
O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe
O4 - HKLM\..\RunOnce: [d3kq.exe] C:\WINDOWS\d3kq.exe
O4 - HKLM\..\RunOnce: [winmj.exe] C:\WINDOWS\system32\winmj.exe
O4 - HKLM\..\RunOnce: [appga.exe] C:\WINDOWS\appga.exe
O4 - HKLM\..\RunOnce: [ipro.exe] C:\WINDOWS\system32\ipro.exe
O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\ipvj.exe
O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\apirg32.exe
O4 - HKLM\..\RunOnce: [mshs.exe] C:\WINDOWS\mshs.exe
O4 - HKLM\..\RunOnce: [mfcre32.exe] C:\WINDOWS\mfcre32.exe
O4 - HKLM\..\RunOnce: [sysog32.exe] C:\WINDOWS\sysog32.exe
O4 - HKLM\..\RunOnce: [msig32.exe] C:\WINDOWS\msig32.exe
O4 - HKLM\..\RunOnce: [iplz.exe] C:\WINDOWS\iplz.exe

O4 - HKLM\..\RunOnce: [sysgi32.exe] C:\WINDOWS\sysgi32.exe


Now, close all open windows and browsers (have only HJT open) and click "Fix Checked".
(When the pop-up saying "Fix selected items? This will permanently delete and/or repair what you selected, unless you make a backup." appears, click Yes.)

Next, startup About:Buster.

Hit ok on the first prompt.
Then hit start.
Next hit ok.

Wait till the scan completes and copy the report and save it somewhere.

Rerun About:Buster to make sure everything was deleted.

Then restart your computer.

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with the About:Buster report log.

Also, feel free to post back if you have any questions. It's better to ask before doing something if you're not sure. :D

Edited by Autodad, 28 June 2004 - 11:46 PM.


#5 Kato

Posted 29 June 2004 - 09:05 PM

Autodad, my bad, I should have asked first. Again, thanks for the help.

A couple of things:
1. On my desktop I have a folder with a zipper through it and it's titled hijackthis1977. When I click it, a window comes up with an icon that says HijackThis. When I open that, HJT is open to run a scan.

2. Now in my Local Disk (C:) I created a new folder called HJT2... the 2 represents my second attempt. When I open this I get a blank page.

3. I can also click My Computer, then click Files Stored on This Computer, then click Kato's Documents, then I click on the folder HijackThis2 (which is now my 3rd HijackThis file, correct?). When I click that I get the icon with the dynamite.


NOW HERE IS THE FIRST PART OF YOUR DIRECTIONS:
Let's start out by putting HijackThis in a permanent folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
This will allow backups to be made and saved by HijackThis in case something goes wrong!
Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

OK, NOW I THINK I HAVE 3 HijackThis folders; I have no idea in hell as to where to run it, or where to put the backup.

I have no idea what a HijackThis.exe is.

Now most importantly, I have no idea how to save my HJT log, and where and how to put it.

Yes, I followed the directions at netstar! Still unsure.

Also, this thing here
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
came with the hijack. It's a popup that opens when I open IE. So I ran it. I think it's not good and I would like to get rid of it. I THINK. Please let me know.

I have no idea what a proxy is, but these 2 items
(if you don't need these proxies, then fix these 2 entries:)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
are part of my email that came with my high-speed cable internet, so I assume I should keep them. But if I don't need them, please let me know.

God, I hope this post makes sense to you! Thank you

Edited by Kato, 29 June 2004 - 09:07 PM.


#6 Autodad

Posted 30 June 2004 - 01:00 AM

Hey Kato,
No problem, let's take this one step at a time.

Here is a different link that shows how to make a New (Permanent) Folder. It has some pictures that may make it easier to follow.

http://russelltexas....tehjtfolder.htm

Once you have the New Folder called HJT, you then have to put the HijackThis.exe into it.
This is where you are running HijackThis.exe from now:
C:\Documents and Settings\Nick\Local Settings\Temp\Temporary Directory 8 for hijackthis1977.zip\HijackThis.exe.
This is not a good folder to have it in when running it.

Do this, first make the new folder and call it something you haven't called it yet, maybe HJT 4.
Then go here: http://www.spywarein.../HijackThis.exe and download it again.
When the box pops up that says "Would you like to open the file or save it to your computer?", click on Save.
When the next box pops up (Save As) find the Folder you just made called HJT 4. You will have to look for it in C:\ by clicking the "down triangle" in the top box next to Save in:
Once you find it, double click on HJT 4 until the folder HJT 4 is in the top box next to Save in:. The area under the folder will be blank.
After you do that, the File name: will say Hijack This and the Save as type: will say Application.
Now click Save. After it downloads, the next pop up box will say Download Complete, Now click on Open Folder.
The HijackThis.exe will be there (the icon with the dynamite). Right click on the icon and Send to / Desktop (create shortcut)

Now close all the open Windows, and you will see your Desktop. Double click on the Hijackthis icon. That will run HJT.
(If you had sent any other Hijackthis shortcuts to your desktop before, please delete them and only have this new one there).

Next click Scan, then follow the above steps to start fixing.


As for O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
Yes, please remove it.
Click Start, click Control Panel, and then double-click Add or Remove Programs ("Change or Remove Programs").
Then remove/delete SpyKiller.

Also don't fix those R1 proxies.

After you do the above, please post a new HJT log. I hope this helps you a bit.

#7 Kato

Posted 30 June 2004 - 10:16 PM

NOPE???????? When I opened IE the first time there was Google. Closed it, went back, same ol' sh1t happening. Man, this is crazy.


About:Buster Version 1.22
Removed! : C:\WINDOWS\addrz.exe
Removed! : C:\WINDOWS\atlte.exe
Removed! : C:\WINDOWS\javamw32.exe
Removed! : C:\WINDOWS\wfrft.dat
Removed! : C:\WINDOWS\System32\bhspq.dll
Removed! : C:\WINDOWS\System32\dykvn.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


About:Buster Version 1.22
Removed! : C:\WINDOWS\System32\apitb32.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


Logfile of HijackThis v1.98.0
Scan saved at 10:13:25 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\atlqs.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\netku.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\America Online 9.0\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT4\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xuimk.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xuimk.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xuimk.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xuimk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xuimk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xuimk.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mchsi.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {629030A7-44B3-27E0-3C20-D6E0DCF53BDA} - C:\WINDOWS\apigu32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


could not find this w/ ur directions. it was not in there
As for O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
Yes, please remove it.
Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"
Then Remove/Delete SpyKiller.


could not find any of these on the scan:
O4 - HKLM\..\RunOnce: [winon32.exe] C:\WINDOWS\winon32.exe
O4 - HKLM\..\RunOnce: [ierq.exe] C:\WINDOWS\ierq.exe
O4 - HKLM\..\RunOnce: [ntsz32.exe] C:\WINDOWS\system32\ntsz32.exe
O4 - HKLM\..\RunOnce: [d3kq.exe] C:\WINDOWS\d3kq.exe
O4 - HKLM\..\RunOnce: [winmj.exe] C:\WINDOWS\system32\winmj.exe
O4 - HKLM\..\RunOnce: [appga.exe] C:\WINDOWS\appga.exe
O4 - HKLM\..\RunOnce: [ipro.exe] C:\WINDOWS\system32\ipro.exe
O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\ipvj.exe
O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\apirg32.exe
O4 - HKLM\..\RunOnce: [mshs.exe] C:\WINDOWS\mshs.exe
O4 - HKLM\..\RunOnce: [mfcre32.exe] C:\WINDOWS\mfcre32.exe
O4 - HKLM\..\RunOnce: [sysog32.exe] C:\WINDOWS\sysog32.exe
O4 - HKLM\..\RunOnce: [msig32.exe] C:\WINDOWS\msig32.exe
O4 - HKLM\..\RunOnce: [iplz.exe] C:\WINDOWS\iplz.exe

O4 - HKLM\..\RunOnce: [sysgi32.exe] C:\WINDOWS\sysgi32.exe

maybe i screwed up. thanks Kato

Edited by Kato, 30 June 2004 - 10:17 PM.


#8 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 01 July 2004 - 06:19 AM

Try doing this in Safe Mode (tap F8 while restarting to get to safe mode)

Open Hijackthis, click Scan, then put a check next to the following entries:

O2 - BHO: (no name) - {629030A7-44B3-27E0-3C20-D6E0DCF53BDA} - C:\WINDOWS\apigu32.dll

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe


Then, Close all windows, have only HJT open, and click "Fix Checked".


Next, startup About:Buster.

Hit ok on the first prompt.
Then hit start.
Next hit ok.

Wait till the scan completes and copy the report and save it somewhere.

Rerun About:Buster to make sure everything was deleted.

Then restart your computer.

Then, please post a new HJT and Buster log.


**BTW, good job getting HJT into a permanent folder :thumbsup:

Edited by Autodad, 01 July 2004 - 06:25 AM.


#9 Kato

Kato

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 01 July 2004 - 08:40 PM

nope

About:Buster Version 1.22
Removed! : C:\WINDOWS\atlqs.exe
Removed! : C:\WINDOWS\ntrh32.exe
Removed! : C:\WINDOWS\System32\dykvn.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


About:Buster Version 1.22
Removed! : C:\WINDOWS\kvdof.dat
Error Removing! : C:\WINDOWS\System32\sysuc.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


Logfile of HijackThis v1.98.0
Scan saved at 8:32:12 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\ipht32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\netku.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\America Online 9.0\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\HJT4\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mchsi.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {35F1EB9B-2875-FC5F-C210-4FA3B45FC995} - C:\WINDOWS\system32\javaeh32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
O4 - HKLM\..\RunOnce: [sysuc.exe] C:\WINDOWS\system32\sysuc.exe
O4 - HKLM\..\RunOnce: [criq.exe] C:\WINDOWS\system32\criq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


could not find this w/ ur directions. it was not in there
As for O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
Yes, please remove it.
Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"
Then Remove/Delete SpyKiller.


**BTW, good job getting HJT into a permanent folder
thanks Auto, could not do any of this w/out ur help! this crap is like chinese to me!lol

Edited by Kato, 01 July 2004 - 08:42 PM.


#10 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 01 July 2004 - 09:16 PM

Hi Kato,

"Nope"? I don't see any signs of your hijack. Are you still getting hijacked?

Let's fix a few things in HJT.

Open Hijackthis, click Scan, then put a check next to the following entries:

O2 - BHO: (no name) - {35F1EB9B-2875-FC5F-C210-4FA3B45FC995} - C:\WINDOWS\system32\javaeh32.dll

O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
O4 - HKLM\..\RunOnce: [sysuc.exe] C:\WINDOWS\system32\sysuc.exe
O4 - HKLM\..\RunOnce: [criq.exe] C:\WINDOWS\system32\criq.exe

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup



Then, Close all open Windows and Browsers (have only HJT open) and click "Fix Checked".

Now reboot to safe mode (tap F8 while restarting) and look again for Spykiller in:

C:\Program Files\SpyKiller\

Then, reboot and please post a new log, and let us know what problems you are still having.

You're doing good so far--Hang in there ;)

#11 Kato

Kato

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 01 July 2004 - 09:56 PM

homepage still getting hijacked w/ this... res://gjnxe.dll/index.html#96676 and stupid pop ups. and when i type in www.whatever.com it does not go to the site, instead it goes to a windows help center .....res://gjnxe.dll/url_error.html#hotmail.com. and says error: you have entered the wrong url into the address bar. probably you were trying to enter the following addy: http://hotmail.com. then i have to click on this to get into the site i want

got rid of spykiller! thanks.

:gah: :gah: :gah: :gah:


Logfile of HijackThis v1.98.0
Scan saved at 9:47:30 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\ipht32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\HJT4\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezbfc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ezbfc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ezbfc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ezbfc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezbfc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ezbfc.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mchsi.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

Edited by Kato, 01 July 2004 - 10:07 PM.


#12 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 02 July 2004 - 06:03 AM

Hi Kato,

This one is being a little stubborn. The start up entries are clean now, so lets try this.

1) Open My Computer and choose "Tools" in the menu option, then choose "Folder Options".

2) Click the "View" tab and under Advanced Settings set it to show "Hidden files and folders"

3) Next press "Alt Ctrl Del" and choose the "Processes tab" to bring up a list of running processes.

4) Click the "Image Name" button to get the processes in alphabetical order. Scroll through the list of processes and end task on this:

ipht32.exe

5) Next, go to Start --> Run and type "Services.msc" (without quotes) then hit OK.

6) Scroll down in the right pane of the screen and find the service called "Network Security Service". Double click it.

7) In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

8) Open HijackThis, click Scan, then put a check next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezbfc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ezbfc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ezbfc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ezbfc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezbfc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ezbfc.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


Then, close all open Windows and Browsers (have only HJT open) and click "Fix Checked".


9) Reboot to Safe Mode (tap F8 while restarting) and delete these files:

C:\WINDOWS\ezbfc.dll
C:\WINDOWS\msopt.dll
C:\WINDOWS\ipht32.exe
C:\WINDOWS\system32\addzz32.dll

10) Go to Start, --> Run and type in "regedit" (without quotes) and press "Enter".

11) In the registry, navigate to the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
In the left pane if you see something called "__NS_Service_3" right click on it and choose delete.

12) Next navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
In the left pane if you see something called "LEGACY___NS_Service_3" right click on it and choose delete.

13) Exit regedit and reboot in Normal Mode.

Then, please post a new HJT log, and let us know if you still have any problems. We will fix this!
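
As an added illustration for the kind of review Autodad is doing in posts #8 through #12 (this is not code from the thread, from HijackThis or from About:Buster), here is a small Python triage script that reads a HijackThis log and flags the entry types that recur in the logs above: R0/R1 pages pointing at res:// inside a DLL, a missing URLSearchHook, unnamed or dangling O2 BHOs, persistent HKLM RunOnce loaders, O4 entries whose value name is just the executable's file name, and O18 protocol handlers. The sample log is constructed from entry shapes in the posts above; the heuristics are assumptions meant to point a human at entries worth checking, not a detection signature, and the script only reads and reports.

```python
"""Triage a HijackThis log for the indicator types seen in this thread.

Added example for this page; it is not part of the forum thread and is not
code from HijackThis or About:Buster.  The heuristics are assumptions meant
to point a human at entries worth checking, not a detection signature.
"""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.98 format, built from entry shapes that
# appear in the logs posted above (GUIDs and paths copied from those posts).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezbfc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ezbfc.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\netku.exe
O4 - HKLM\..\RunOnce: [sysuc.exe] C:\WINDOWS\system32\sysuc.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "R1", "O2", "O4"
    reason: str   # why the entry deserves a second look
    line: str     # the original log line


# "O4 - HKLM\..\Run: [x] y" -> section "O4", body "HKLM\..\Run: [x] y"
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O4 body -> hive, key (Run / RunOnce / ...), value name, command line
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def exe_basename(cmd: str) -> str:
    """Lower-cased file name of the executable in a Run command line.

    Handles quoted paths followed by arguments as well as unquoted paths
    that contain spaces (those are cut at the first ".exe").
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
        path = cmd[: m.end()] if m else cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list:
    """Return the entries a reviewer should look at, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list and blanks are skipped
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1]
            if value.lower().startswith("res://"):
                findings.append(Finding(section,
                    "IE start/search page points into a DLL via res:// "
                    "(the about:blank hijack signature in this thread)", line))
        elif section == "R3" and "missing" in body.lower():
            findings.append(Finding(section,
                "default URLSearchHook has been removed", line))
        elif section == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append(Finding(section,
                "unnamed or dangling Browser Helper Object", line))
        elif section == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue  # e.g. "Global Startup:" entries
            name, key, cmd = o4.group("name"), o4.group("key"), o4.group("cmd")
            if key.lower() == "runonce":
                findings.append(Finding(section,
                    "RunOnce entry; these should vanish after one boot, and in "
                    "this thread new ones kept appearing", line))
            elif name.lower() == exe_basename(cmd):
                findings.append(Finding(section,
                    "value name is just the executable's file name, as with the "
                    "loaders in this thread; verify the file", line))
        elif section == "O18":
            findings.append(Finding(section,
                "custom URL protocol handler; confirm the DLL belongs to a known product", line))
    return findings


def report(log_text: str) -> str:
    """Human-readable summary, one flagged entry per line."""
    return "\n".join(f"[{f.section}] {f.reason}\n    {f.line}" for f in triage(log_text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it on a saved log with `python triage_hjt.py` after pointing `report()` at the file's contents; the sample above yields seven flagged entries and leaves the McAfee toolbar, the TrojanHunter Run entry and the Dell default page alone. The value-name heuristic is deliberately narrow: legitimate vendor entries in these logs use descriptive names such as IgfxTray or DVDSentry, while every loader the thread removed was registered as its own file name.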

#13 Kato

Kato

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 04 July 2004 - 03:07 PM

Hey Auto, happy 4th.

for some reason i couldn't get logged on to this board on friday?

thanks for the next step, but i looked around a bit and do not know how to delete these items?
9) Reboot to Safe Mode (tap F8 while restarting) and delete these files:

C:\WINDOWS\ezbfc.dll
C:\WINDOWS\msopt.dll
C:\WINDOWS\ipht32.exe
C:\WINDOWS\system32\addzz32.dll

#14 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 04 July 2004 - 10:53 PM

Hi Kato,

Let's do this. About:Buster has been updated since your last post, so please follow this:

(So it won't be confusing, delete the current version of About:Buster that you have).

Then, download About:Buster and unzip it to your desktop.
Start it, hit Ok, Start, And Ok to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

Happy 4th to you also!

#15 Kato

Kato

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 05 July 2004 - 10:13 AM

uh oh! i think we may have killed this sucker? check it out. i had some sites open. i ran the new about buster. saved it. then closed all windows ran about buster again. saved. then ran HJT. SAVED. then i opened IE and google was my homepage. then i set my hp to blank and opened it 3-4 times and it stayed blank! here is the info you requested!


About:Buster Version 1.24
Removed! : C:\WINDOWS\akhdfi.dat
Removed! : C:\WINDOWS\apigu32.dll
Removed! : C:\WINDOWS\bronmh.dat
Removed! : C:\WINDOWS\cvrzsp.dat
Removed! : C:\WINDOWS\dhvhnc.dat
Removed! : C:\WINDOWS\dptdjc.dat
Removed! : C:\WINDOWS\dugjyn.dat
Removed! : C:\WINDOWS\eerotu.dat
Removed! : C:\WINDOWS\ekndai.dat
Removed! : C:\WINDOWS\eslzei.dat
Removed! : C:\WINDOWS\ewwqdy.dat
Removed! : C:\WINDOWS\fpklgb.dat
Removed! : C:\WINDOWS\fvwvrp.dat
Removed! : C:\WINDOWS\gapnqe.dat
Removed! : C:\WINDOWS\gjnxe.dat
Removed! : C:\WINDOWS\gstsjo.dat
Removed! : C:\WINDOWS\hzfqiy.dat
Removed! : C:\WINDOWS\ijvrlq.dat
Removed! : C:\WINDOWS\ipht32.exe
Removed! : C:\WINDOWS\iveowu.dat
Removed! : C:\WINDOWS\jeigwv.dat
Removed! : C:\WINDOWS\jfnrss.dat
Removed! : C:\WINDOWS\jkxmdf.dat
Removed! : C:\WINDOWS\jnefsl.dat
Removed! : C:\WINDOWS\klfjev.dat
Removed! : C:\WINDOWS\kmgfyx.dat
Removed! : C:\WINDOWS\krobes.dat
Removed! : C:\WINDOWS\kvdof.dat
Removed! : C:\WINDOWS\lqfoez.dat
Removed! : C:\WINDOWS\lydmov.dat
Removed! : C:\WINDOWS\mbojbc.dat
Removed! : C:\WINDOWS\mxxrch.dat
Removed! : C:\WINDOWS\netku.exe
Removed! : C:\WINDOWS\n_ildmms.dat
Removed! : C:\WINDOWS\n_jeigwv.dat
Removed! : C:\WINDOWS\n_woalio.dat
Removed! : C:\WINDOWS\n_wvuryk.dat
Removed! : C:\WINDOWS\oaiooo.dat
Removed! : C:\WINDOWS\olnvhq.dat
Removed! : C:\WINDOWS\opkztu.dat
Removed! : C:\WINDOWS\poysux.dat
Removed! : C:\WINDOWS\qannjo.dat
Removed! : C:\WINDOWS\rhfojn.dat
Removed! : C:\WINDOWS\rqgyek.dat
Removed! : C:\WINDOWS\szkquq.dat
Removed! : C:\WINDOWS\tcdfgx.dat
Removed! : C:\WINDOWS\tghole.dat
Removed! : C:\WINDOWS\tlmfcv.dat
Removed! : C:\WINDOWS\tsplwu.dat
Removed! : C:\WINDOWS\turvzq.dat
Removed! : C:\WINDOWS\ujrlyl.dat
Removed! : C:\WINDOWS\uvihra.dat
Removed! : C:\WINDOWS\vdujyz.dat
Removed! : C:\WINDOWS\vesdgn.dat
Removed! : C:\WINDOWS\vmllpj.dat
Removed! : C:\WINDOWS\wfnyfs.dat
Removed! : C:\WINDOWS\whnfkg.dat
Removed! : C:\WINDOWS\xjyusz.dat
Removed! : C:\WINDOWS\xqehkp.dat
Removed! : C:\WINDOWS\zibipo.dat
Error Removing! : C:\WINDOWS\System32\addzz32.dll
Removed! : C:\WINDOWS\System32\criq.exe
Removed! : C:\WINDOWS\System32\crvq.dll
Removed! : C:\WINDOWS\System32\d3tz.exe
Removed! : C:\WINDOWS\System32\erpqp.dat
Removed! : C:\WINDOWS\System32\javaeh32.dll
Removed! : C:\WINDOWS\System32\knijp.dat
Removed! : C:\WINDOWS\System32\ntqc.exe
Removed! : C:\WINDOWS\System32\sysuc.exe
Removed! : C:\WINDOWS\System32\winpo32.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!



About:Buster Version 1.24
Removed! : C:\WINDOWS\cfrbpb.dat
Removed! : C:\WINDOWS\crxe.exe
Removed! : C:\WINDOWS\gjnxe.dat
Removed! : C:\WINDOWS\System32\addzz32.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!



Logfile of HijackThis v1.98.0
Scan saved at 10:08:38 AM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT4\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mchsi.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

Edited by Kato, 05 July 2004 - 10:17 AM.


#16 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 05 July 2004 - 12:30 PM

Hey Kato,

Great job!! :D
It does look like you're rid of that nasty, and probably learned a few things about your PC on the way. ;)

Thanks to RubbeR DuckY for keeping AB up-to-date! :thumbsup:

Just 2 items to clean up in HJT.

Open Hijackthis, click Scan, then put a check next to the following entries:

O2 - BHO: (no name) - {AC124343-1176-6B9A-8BCE-FD87B84CF219} - C:\WINDOWS\system32\addzz32.dll (file missing)

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


Then, Close all open Windows and Browsers (have only HJT open) and click "Fix Checked".

Here is some free protection you should consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check for updates occasionally.

And also see So how did I get infected in the first place?

#17 Kato

Kato

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 05 July 2004 - 07:13 PM

unnnnnnnnnh! i feel like i actually did somethin on this. and i owe all the credit to you! i gotta give you props for ur skills! i envy the knowledge that you and ur peers possess! gotta give you props for ur patience w/ clowns like me who have no skills! lmao plus i give you my vote for modship! I can not thank you enough!

also i gotta kick some cash somewhere? the board, RubbeR DuckY, both? plmk. cuz w/out this board i would be paying some high priced tech.

#18 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 05 July 2004 - 08:32 PM

Hey Kato,

You're welcome! Thanks for the kind words. :D
I'm glad your concerns are gone, and that you didn't give up. Great job! :thumbsup:

As for a contribution, check out this link: http://www.spywareinfo.com/support.php

Stay safe! :wave:



