blazzinmatt

DLLs Downloaded to PC when IE Launched

12 posts in this topic

When I launch Internet Explorer a new DLL is downloaded to my computer. It changes my start page, lags Internet Explorer and opens 2-3 popups for each instance.

 

I ran Ad-Aware 6, Spybot 1.3, CWShredder and HijackThis but it still comes back. The file will temporarily delete but a new one will download itself within 2-3 more instances of IE.

 

Here is my HijackThis log file. Please help! :cool:

 

Logfile of HijackThis v1.97.7

Scan saved at 9:42:26 PM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Intel\Intel Active Monitor\imonnt.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Intel\Intel Active Monitor\imontray.exe

C:\WINDOWS\System32\Promon.exe

C:\WINDOWS\system32\msqp32.exe

D:\Program Files\AIM\aim.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\Program Files\Nikon\NkView6\NkvMon.exe

D:\Program Files\PrintKey2000\Printkey2000.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\msbn32.exe

C:\Program Files\Internet Explorer\iexplore.exe

E:\My Documents\Downloads\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\PROGRA~1\AMERIC~1.0\waol.exe

D:\PROGRA~1\AMERIC~1.0\shellmon.exe

C:\Program Files\Common Files\Aol\aoltpspd.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hcxcj.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {9A650B31-1961-1CC7-2626-3144BCA21C8D} - C:\WINDOWS\ipwt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel Active Monitor\imontray.exe

O4 - HKLM\..\Run: [Promon.exe] Promon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [msqp32.exe] C:\WINDOWS\system32\msqp32.exe

O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Gamma Loader.lnk.disabled

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled

O4 - Global Startup: Microsoft Office.lnk.disabled

O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\NkView6\NkvMon.exe

O4 - Global Startup: Printkey2000.lnk = D:\Program Files\PrintKey2000\Printkey2000.exe

O4 - Global Startup: Wireless PCI Card Config Utility.lnk.disabled

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Post To &WP : The Last Page On The Net - java script:doc=external.menuArguments.document;Q=doc.selection.createRange().text;void(btw=window.open('http://www.thelastpageonthenet.com/life/wp-admin/bookmarklet.php?text='+escape(Q)+'&trackback=1&pingback=1&popupurl='+escape(doc.location.href)+'&popuptitle='+escape(doc.title),'bookmarklet','scrollbars=no,width=480,height=590,left=100,top=150,status=yes'));btw.focus();

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AOL Toolbar (HKLM)

O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cab

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7978.5393865741

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{49DE465D-C9A7-4816-99C8-D6FCD77DF8EB}: NameServer = 205.188.146.146


Visit this page http://www.ducky.atribune.org . Download About:Buster and save it to your desktop. Then start up HijackThis. Tick the boxes next to these items.

 

O2 - BHO: (no name) - {9A650B31-1961-1CC7-2626-3144BCA21C8D} - C:\WINDOWS\ipwt.dll

O4 - HKLM\..\Run: [msqp32.exe] C:\WINDOWS\system32\msqp32.exe

 

Then close all windows and hit Fix checked. Start About:Buster. On the first prompt hit OK, then Start, then OK again. It will run a while. Once it is done there will be a log in the white box. Save that log somewhere. Restart your computer. Post a new HijackThis log and the Buster log.

 

If the fix does not work, reboot into safe mode by tapping F8 several times when the computer is first booting, then run About:Buster.


Here are my two logs:

 

This is from AboutBuster...


 

This is from HijackThis...

Logfile of HijackThis v1.97.7

Scan saved at 10:03:50 PM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Intel\Intel Active Monitor\imonnt.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Intel\Intel Active Monitor\imontray.exe

C:\WINDOWS\System32\Promon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\Program Files\Nikon\NkView6\NkvMon.exe

D:\Program Files\PrintKey2000\Printkey2000.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\msbn32.exe

C:\WINDOWS\system32\sysdg.exe

E:\My Documents\Downloads\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hcxcj.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D4453AEB-33E8-3237-5BB4-BD2626EAF5E2} - C:\WINDOWS\crwn.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel Active Monitor\imontray.exe

O4 - HKLM\..\Run: [Promon.exe] Promon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Gamma Loader.lnk.disabled

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled

O4 - Global Startup: Microsoft Office.lnk.disabled

O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\NkView6\NkvMon.exe

O4 - Global Startup: Printkey2000.lnk = D:\Program Files\PrintKey2000\Printkey2000.exe

O4 - Global Startup: Wireless PCI Card Config Utility.lnk.disabled

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Post To &WP : The Last Page On The Net - java script:doc=external.menuArguments.document;Q=doc.selection.createRange().text;void(btw=window.open('http://www.thelastpageonthenet.com/life/wp-admin/bookmarklet.php?text='+escape(Q)+'&trackback=1&pingback=1&popupurl='+escape(doc.location.href)+'&popuptitle='+escape(doc.title),'bookmarklet','scrollbars=no,width=480,height=590,left=100,top=150,status=yes'));btw.focus();

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AOL Toolbar (HKLM)

O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cab

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7978.5393865741

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

 

Also after starting up IE nothing has changed about the overriding startpage and dll.

Edited by blazzinmatt

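Comparing the two HijackThis logs posted so far shows what the fix removed and what came back. The script below is an added example, not part of any post in this thread: the sample lines are excerpts from the two logs above, and the flagging rules (res:// pages in R0/R1, unnamed BHOs sitting directly in C:\WINDOWS) are this example's own triage heuristics, not HijackThis or About:Buster logic.

```python
import re
from pathlib import PureWindowsPath

# Excerpts copied from the two HijackThis logs in this thread:
# BEFORE = first log (9:42:26 PM), AFTER = log posted after the fix (10:03:50 PM).
BEFORE = r"""
C:\WINDOWS\system32\msqp32.exe
C:\WINDOWS\msbn32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9A650B31-1961-1CC7-2626-3144BCA21C8D} - C:\WINDOWS\ipwt.dll
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [msqp32.exe] C:\WINDOWS\system32\msqp32.exe
"""
AFTER = r"""
C:\WINDOWS\msbn32.exe
C:\WINDOWS\system32\sysdg.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D4453AEB-33E8-3237-5BB4-BD2626EAF5E2} - C:\WINDOWS\crwn.dll
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")          # "O2 - ..." style lines
PROCESS = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)         # bare paths under "Running processes"
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RES_DLL = re.compile(r"= res://(?:.*\\)?([^\\/]+\.dll)/", re.I)
WINDIR = PureWindowsPath(r"C:\WINDOWS")


def parse(log):
    """Split a HijackThis log into running-process paths and (section, body) entries."""
    procs, entries = set(), []
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROCESS.match(line):
            procs.add(line.lower())
    return procs, entries


def res_pages(entries):
    """DLL names that IE start/search pages (R0/R1) load through res:// URLs."""
    dlls = set()
    for section, body in entries:
        m = RES_DLL.search(body) if section in ("R0", "R1") else None
        if m:
            dlls.add(m.group(1).lower())
    return sorted(dlls)


def unnamed_windir_bhos(entries):
    """(CLSID, file name) of unnamed BHOs whose DLL sits directly in the Windows directory.

    Heuristic only: AcroIEHelper.dll is also "(no name)" but lives under Program Files,
    so the missing name by itself is not treated as a signal.
    """
    hits = []
    for section, body in entries:
        m = BHO.match(body) if section == "O2" else None
        if m and m.group(1) == "(no name)":
            path = PureWindowsPath(m.group(3))
            if path.parent == WINDIR:       # PureWindowsPath compares case-insensitively
                hits.append((m.group(2), path.name.lower()))
    return hits


def compare(before, after):
    """Summarise what changed and what persisted between two logs."""
    (procs0, entries0), (procs1, entries1) = parse(before), parse(after)
    run0 = {body for section, body in entries0 if section == "O4"}
    run1 = {body for section, body in entries1 if section == "O4"}
    return {
        "res_dlls_before": res_pages(entries0),
        "res_dlls_after": res_pages(entries1),
        "bho_before": unnamed_windir_bhos(entries0),
        "bho_after": unnamed_windir_bhos(entries1),
        "run_removed": sorted(run0 - run1),
        "new_processes": sorted(procs1 - procs0),
    }


if __name__ == "__main__":
    for key, value in compare(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

On these excerpts the res:// start and search pages are unchanged, the ticked BHO `ipwt.dll` is gone but `crwn.dll` has appeared under a different CLSID, and `sysdg.exe` is running without a matching Run entry.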

I ran AboutBuster a 2nd time and got these results:

 

About:Buster Version 1.23

Removed! : C:\WINDOWS\berkin.dat

Removed! : C:\WINDOWS\msbn32.exe

Removed! : C:\WINDOWS\upqsv.dat

Error Removing! : C:\WINDOWS\System32\sysdg.exe

Error Removing! : C:\WINDOWS\System32\syskt32.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

Also after this run I ran IE and the DLL wasn't downloaded and I got my default search page, but I still got pop-ups.

Sorry for multiple posts but I thought that I would point out that after I launched IE a second time another DLL was downloaded. Maybe this info will help you in helping me.

OK, that probably helped A LOT in your infection. The CWS was decreased in potential majorly. Post a new HijackThis log after running the Buster a second time.

I ran AboutBuster in Safe Mode and got this log:

 

About:Buster Version 1.23

Removed! : C:\WINDOWS\ltjol.dat

Removed! : C:\WINDOWS\ntreph.dat

Removed! : C:\WINDOWS\System32\sysdg.exe

Removed! : C:\WINDOWS\System32\syskt32.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

When I launched IE the first time after a reboot it worked just as it should.

Sorry for all these posts, just running IE a new time each post.

Third time I ran IE I got a new DLL downloaded, and still a popup on the initial launch.

Edited by blazzinmatt

OK, set your homepage to whatever you want. Restart your computer and open Internet Explorer. See if it's still the same as you wanted it to be. If not, post a new log. If it is, then good job :thumbsup:

Now something weird happened. This time as I first launched IE I got the res://<*.dll> instead of my homepage as I had gotten many times before. I am going to run AboutBuster, HijackThis and AdAware in Safe Mode to make sure everything is gone and I'll keep you updated.

When I get home at about 4:00PM EDT today I will run HijackThis, Ad-Aware and About:Buster in safe mode and I'll post the logs here. I hope that these logs will greatly increase the success of getting rid of my hijack.