DLL's Downloaded to PC when IE Launched


11 replies to this topic

#1 blazzinmatt (Full Member, 13 posts)

Posted 30 June 2004 - 08:43 PM

When I launch Internet Explorer a new DLL is downloaded to my computer. It changes my start page, lags Internet Explorer and opens 2-3 popups for each instance.

I ran Ad-Aware 6, Spybot 1.3, CWShredder and HijackThis but it still comes back. The file will temporarily delete but a new one will download itself within 2-3 more instances of IE.

Here is my HijackThis log file. Please help! :cool:

Logfile of HijackThis v1.97.7
Scan saved at 9:42:26 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Intel Active Monitor\imonnt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Intel Active Monitor\imontray.exe
C:\WINDOWS\System32\Promon.exe
C:\WINDOWS\system32\msqp32.exe
D:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Nikon\NkView6\NkvMon.exe
D:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\msbn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\My Documents\Downloads\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\AMERIC~1.0\waol.exe
D:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hcxcj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9A650B31-1961-1CC7-2626-3144BCA21C8D} - C:\WINDOWS\ipwt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel Active Monitor\imontray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msqp32.exe] C:\WINDOWS\system32\msqp32.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Printkey2000.lnk = D:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Wireless PCI Card Config Utility.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Post To &WP : The Last Page On The Net - java script:doc=external.menuArguments.document;Q=doc.selection.createRange().text;void(btw=window.open('http://www.thelastpageonthenet.com/life/wp-admin/bookmarklet.php?text='+escape(Q)+'&trackback=1&pingback=1&popupurl='+escape(doc.location.href)+'&popuptitle='+escape(doc.title),'bookmarklet','scrollbars=no,width=480,height=590,left=100,top=150,status=yes'));btw.focus();
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7978.5393865741
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49DE465D-C9A7-4816-99C8-D6FCD77DF8EB}: NameServer = 205.188.146.146

#2 RubbeR DuckY (Marcin; Developer, 878 posts)

Posted 30 June 2004 - 08:47 PM

Visit this page http://www.ducky.atribune.org . Download About:Buster and save it to your desktop. Then start up HijackThis. Tick the boxes next to these items.


O2 - BHO: (no name) - {9A650B31-1961-1CC7-2626-3144BCA21C8D} - C:\WINDOWS\ipwt.dll
O4 - HKLM\..\Run: [msqp32.exe] C:\WINDOWS\system32\msqp32.exe


Then close all windows and hit Fix checked. Start About:Buster. On the first prompt hit OK, then Start, then OK again. It will run a while. Once it is done there will be a log in the white box. Save that log somewhere. Restart your computer. Post a new HijackThis log and the Buster log.

If the fix does not work, reboot into Safe Mode by tapping F8 several times when the computer is first booting, then run About:Buster.

Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#3 blazzinmatt (Full Member, 13 posts)

Posted 30 June 2004 - 09:05 PM

Here are my two logs:

This is from AboutBuster...
About:Buster Version 1.23
Removed! : C:\WINDOWS\aaxld.dat
Removed! : C:\WINDOWS\adqln.dat
Removed! : C:\WINDOWS\apqor.dat
Removed! : C:\WINDOWS\apqor.dll
Removed! : C:\WINDOWS\atdba.dat
Removed! : C:\WINDOWS\atlxr32.dll
Removed! : C:\WINDOWS\azlsa.dat
Removed! : C:\WINDOWS\beqkv.dll
Removed! : C:\WINDOWS\bfrwf.dll
Removed! : C:\WINDOWS\bhgay.dat
Removed! : C:\WINDOWS\bjoox.dat
Removed! : C:\WINDOWS\bnoah.dll
Removed! : C:\WINDOWS\buwecq.dat
Removed! : C:\WINDOWS\bxkyu.dat
Removed! : C:\WINDOWS\bykvr.dat
Removed! : C:\WINDOWS\celov.dat
Removed! : C:\WINDOWS\csqlx.dat
Removed! : C:\WINDOWS\cvfbdx.dat
Removed! : C:\WINDOWS\cvfih.dll
Removed! : C:\WINDOWS\czobk.dll
Removed! : C:\WINDOWS\d3ui32.exe
Removed! : C:\WINDOWS\dgmok.dat
Removed! : C:\WINDOWS\dhehg.dll
Removed! : C:\WINDOWS\djrpbi.dat
Removed! : C:\WINDOWS\dnrmi.dat
Removed! : C:\WINDOWS\dualb.dat
Removed! : C:\WINDOWS\dualbk.dat
Removed! : C:\WINDOWS\dulft.dat
Removed! : C:\WINDOWS\eckzh.dat
Removed! : C:\WINDOWS\eckzhc.dat
Removed! : C:\WINDOWS\emqms.dat
Removed! : C:\WINDOWS\emqms.dll
Removed! : C:\WINDOWS\euncb.dat
Removed! : C:\WINDOWS\euncb.dll
Removed! : C:\WINDOWS\fejzj.dat
Removed! : C:\WINDOWS\ffpnys.dat
Removed! : C:\WINDOWS\fmktl.dll
Removed! : C:\WINDOWS\fqrey.dat
Removed! : C:\WINDOWS\ftmmj.dat
Removed! : C:\WINDOWS\gbdcb.dll
Removed! : C:\WINDOWS\gfwyp.dat
Removed! : C:\WINDOWS\gkzwq.dat
Removed! : C:\WINDOWS\glikv.dat
Removed! : C:\WINDOWS\gqbet.dat
Removed! : C:\WINDOWS\hswwn.dat
Removed! : C:\WINDOWS\hsxxy.dll
Removed! : C:\WINDOWS\idgdr.dat
Removed! : C:\WINDOWS\ieqe32.exe
Removed! : C:\WINDOWS\iimbp.dat
Removed! : C:\WINDOWS\ivmbj.dll
Removed! : C:\WINDOWS\ivstd.dll
Removed! : C:\WINDOWS\iwwel.dat
Removed! : C:\WINDOWS\jlstv.dat
Removed! : C:\WINDOWS\kdhdk.dat
Removed! : C:\WINDOWS\kirwv.dll
Removed! : C:\WINDOWS\klzos.dat
Removed! : C:\WINDOWS\koqze.dat
Removed! : C:\WINDOWS\kqsnv.dat
Removed! : C:\WINDOWS\kxtcb.dat
Removed! : C:\WINDOWS\kymcl.dat
Removed! : C:\WINDOWS\lavpk.dll
Removed! : C:\WINDOWS\litiv.dat
Removed! : C:\WINDOWS\ljwqhw.dat
Removed! : C:\WINDOWS\lkawe.dat
Removed! : C:\WINDOWS\lnrdm.dll
Removed! : C:\WINDOWS\lqnys.dat
Removed! : C:\WINDOWS\lvvli.dat
Removed! : C:\WINDOWS\mkghr.dat
Removed! : C:\WINDOWS\mkoyb.dll
Error Removing! : C:\WINDOWS\msbn32.exe
Removed! : C:\WINDOWS\msycg.dat
Removed! : C:\WINDOWS\mupmcc.dat
Removed! : C:\WINDOWS\mvssr.dll
Removed! : C:\WINDOWS\naxgb.dll
Removed! : C:\WINDOWS\ndtxg.dll
Removed! : C:\WINDOWS\ntpc32.dll
Removed! : C:\WINDOWS\nzffy.dat
Removed! : C:\WINDOWS\n_atbdqq.dat
Removed! : C:\WINDOWS\n_baupyh.dat
Removed! : C:\WINDOWS\n_dzlbmt.dat
Removed! : C:\WINDOWS\n_ffsfdd.dat
Removed! : C:\WINDOWS\n_ftfufd.dat
Removed! : C:\WINDOWS\n_gtuvmx.dat
Removed! : C:\WINDOWS\n_hkwlzd.dat
Removed! : C:\WINDOWS\n_joincs.dat
Removed! : C:\WINDOWS\n_mroxru.dat
Removed! : C:\WINDOWS\n_nktrux.dat
Removed! : C:\WINDOWS\n_npkyxs.dat
Removed! : C:\WINDOWS\n_owlcxl.dat
Removed! : C:\WINDOWS\n_tymwlu.dat
Removed! : C:\WINDOWS\n_wscvdz.dat
Removed! : C:\WINDOWS\n_wzvcwm.dat
Removed! : C:\WINDOWS\n_yngqpi.dat
Removed! : C:\WINDOWS\oczax.dat
Removed! : C:\WINDOWS\ojakaq.dat
Removed! : C:\WINDOWS\opfglz.dat
Removed! : C:\WINDOWS\orciz.dll
Removed! : C:\WINDOWS\owlcxl.dat
Removed! : C:\WINDOWS\ozodm.dat
Removed! : C:\WINDOWS\paudx.dat
Removed! : C:\WINDOWS\pfwwq.dat
Removed! : C:\WINDOWS\pllbx.dat
Removed! : C:\WINDOWS\pmsda.dll
Removed! : C:\WINDOWS\pqvto.dat
Removed! : C:\WINDOWS\putvu.dat
Removed! : C:\WINDOWS\pvsqe.dll
Removed! : C:\WINDOWS\pvusq.dll
Removed! : C:\WINDOWS\qaysnx.dat
Removed! : C:\WINDOWS\qmjgp.dat
Removed! : C:\WINDOWS\qtcsa.dat
Removed! : C:\WINDOWS\qthjm.dll
Removed! : C:\WINDOWS\raghq.dll
Removed! : C:\WINDOWS\rdogn.dll
Removed! : C:\WINDOWS\rqzkl.dat
Removed! : C:\WINDOWS\rrccki.dat
Removed! : C:\WINDOWS\rwnon.dll
Removed! : C:\WINDOWS\safpm.dll
Removed! : C:\WINDOWS\saugo.dat
Removed! : C:\WINDOWS\scnlc.dat
Removed! : C:\WINDOWS\sdkhh32.exe
Removed! : C:\WINDOWS\sewikh.dat
Removed! : C:\WINDOWS\sgpyx.dat
Removed! : C:\WINDOWS\shdhi.dat
Removed! : C:\WINDOWS\silvb.dat
Removed! : C:\WINDOWS\smvix.dll
Removed! : C:\WINDOWS\sqvpf.dat
Removed! : C:\WINDOWS\sxque.dll
Removed! : C:\WINDOWS\sysha32.exe
Removed! : C:\WINDOWS\sysrm.exe
Removed! : C:\WINDOWS\tdjis.dll
Removed! : C:\WINDOWS\tiirp.dat
Removed! : C:\WINDOWS\tjped.dat
Removed! : C:\WINDOWS\tkeon.dat
Removed! : C:\WINDOWS\tnmuz.dat
Removed! : C:\WINDOWS\tsdoz.dat
Removed! : C:\WINDOWS\tymwlu.dat
Removed! : C:\WINDOWS\ubcnlm.dat
Removed! : C:\WINDOWS\ubhvd.dat
Removed! : C:\WINDOWS\ufsbq.dat
Removed! : C:\WINDOWS\uglmh.dat
Removed! : C:\WINDOWS\uhufp.dll
Removed! : C:\WINDOWS\uzmwp.dll
Removed! : C:\WINDOWS\vbnpu.dll
Removed! : C:\WINDOWS\vcaeo.dat
Removed! : C:\WINDOWS\venkyt.dat
Removed! : C:\WINDOWS\vlixo.dat
Removed! : C:\WINDOWS\vxwdj.dat
Removed! : C:\WINDOWS\vzfrx.dat
Removed! : C:\WINDOWS\vzgnq.dat
Removed! : C:\WINDOWS\waies.dat
Removed! : C:\WINDOWS\wslhs.dat
Removed! : C:\WINDOWS\wslhs.dll
Removed! : C:\WINDOWS\wxita.dat
Removed! : C:\WINDOWS\xfhab.dll
Removed! : C:\WINDOWS\xkgyrs.dat
Removed! : C:\WINDOWS\xqxpu.dat
Removed! : C:\WINDOWS\xreab.dll
Removed! : C:\WINDOWS\xtayp.dat
Removed! : C:\WINDOWS\xxrnj.dat
Removed! : C:\WINDOWS\ybpfk.dat
Removed! : C:\WINDOWS\ybpfk.dll
Removed! : C:\WINDOWS\yikda.dat
Removed! : C:\WINDOWS\yudha.dat
Removed! : C:\WINDOWS\yuleu.dll
Removed! : C:\WINDOWS\yunwvn.dat
Removed! : C:\WINDOWS\yzbqn.dat
Removed! : C:\WINDOWS\yztkp.dat
Removed! : C:\WINDOWS\zahqg.dll
Removed! : C:\WINDOWS\zccfm.dat
Removed! : C:\WINDOWS\zhzvc.dat
Removed! : C:\WINDOWS\zwxpx.dat
Removed! : C:\WINDOWS\zxluo.dat
Removed! : C:\WINDOWS\zyerx.dat
Removed! : C:\WINDOWS\zyerx.dll
Removed! : C:\WINDOWS\System32\acppv.dat
Removed! : C:\WINDOWS\System32\afvak.dat
Removed! : C:\WINDOWS\System32\ajfpj.dat
Removed! : C:\WINDOWS\System32\apigl.exe
Removed! : C:\WINDOWS\System32\bllit.dat
Removed! : C:\WINDOWS\System32\bvofr.dat
Removed! : C:\WINDOWS\System32\bvtlt.dat
Removed! : C:\WINDOWS\System32\cddfz.dat
Removed! : C:\WINDOWS\System32\cmbaw.dat
Removed! : C:\WINDOWS\System32\dbkkq.dat
Removed! : C:\WINDOWS\System32\dxauk.dat
Removed! : C:\WINDOWS\System32\eisac.dat
Removed! : C:\WINDOWS\System32\epfov.dat
Removed! : C:\WINDOWS\System32\fhzlm.dat
Removed! : C:\WINDOWS\System32\ftmtk.dat
Removed! : C:\WINDOWS\System32\fwpem.dat
Removed! : C:\WINDOWS\System32\gmgse.dat
Removed! : C:\WINDOWS\System32\gmyfa.dat
Removed! : C:\WINDOWS\System32\gpdas.dat
Removed! : C:\WINDOWS\System32\gyept.dat
Removed! : C:\WINDOWS\System32\gyvsw.dat
Removed! : C:\WINDOWS\System32\hbyas.dat
Removed! : C:\WINDOWS\System32\hders.dat
Removed! : C:\WINDOWS\System32\hemak.dat
Removed! : C:\WINDOWS\System32\hqsjt.dat
Removed! : C:\WINDOWS\System32\hyjaz.dat
Removed! : C:\WINDOWS\System32\ismmu.dat
Removed! : C:\WINDOWS\System32\iwbey.dat
Removed! : C:\WINDOWS\System32\jnbao.dat
Removed! : C:\WINDOWS\System32\ktnlv.dat
Removed! : C:\WINDOWS\System32\kvljc.dat
Removed! : C:\WINDOWS\System32\ldfqh.dat
Removed! : C:\WINDOWS\System32\ldhuy.dat
Removed! : C:\WINDOWS\System32\ldxyk.dat
Removed! : C:\WINDOWS\System32\lrjwr.dat
Removed! : C:\WINDOWS\System32\lvwnq.dat
Removed! : C:\WINDOWS\System32\mkodd.dat
Removed! : C:\WINDOWS\System32\moaqt.dat
Removed! : C:\WINDOWS\System32\msqp32.exe
Removed! : C:\WINDOWS\System32\nizse.dat
Removed! : C:\WINDOWS\System32\nlleq.dat
Removed! : C:\WINDOWS\System32\npfam.dat
Removed! : C:\WINDOWS\System32\nsibc.dat
Removed! : C:\WINDOWS\System32\nzgmk.dat
Removed! : C:\WINDOWS\System32\odnou.dat
Removed! : C:\WINDOWS\System32\odpyg.dat
Removed! : C:\WINDOWS\System32\orlzi.dat
Removed! : C:\WINDOWS\System32\pdvcv.dat
Removed! : C:\WINDOWS\System32\pmype.dat
Removed! : C:\WINDOWS\System32\qakjw.dat
Removed! : C:\WINDOWS\System32\qdqdh.dat
Removed! : C:\WINDOWS\System32\qhbey.dat
Removed! : C:\WINDOWS\System32\qiinz.dat
Removed! : C:\WINDOWS\System32\qkjdd.dat
Removed! : C:\WINDOWS\System32\qqwct.dat
Removed! : C:\WINDOWS\System32\rnfev.dat
Removed! : C:\WINDOWS\System32\sgvev.dat
Removed! : C:\WINDOWS\System32\slabq.dat
Removed! : C:\WINDOWS\System32\ssuri.dat
Removed! : C:\WINDOWS\System32\thguf.dat
Removed! : C:\WINDOWS\System32\tqdsh.dat
Removed! : C:\WINDOWS\System32\tvapm.dat
Removed! : C:\WINDOWS\System32\upyfp.dat
Removed! : C:\WINDOWS\System32\vfrih.dat
Removed! : C:\WINDOWS\System32\vmarx.dat
Removed! : C:\WINDOWS\System32\vqxda.dat
Removed! : C:\WINDOWS\System32\vuaax.dat
Removed! : C:\WINDOWS\System32\vzush.dat
Removed! : C:\WINDOWS\System32\wenzr.dat
Removed! : C:\WINDOWS\System32\wjhny.dat
Removed! : C:\WINDOWS\System32\wsstz.dat
Removed! : C:\WINDOWS\System32\wugyz.dat
Removed! : C:\WINDOWS\System32\xjikx.dat
Removed! : C:\WINDOWS\System32\xpslq.dat
Removed! : C:\WINDOWS\System32\xvtvk.dat
Removed! : C:\WINDOWS\System32\ymfaz.dat
Removed! : C:\WINDOWS\System32\ytxkx.dat
Removed! : C:\WINDOWS\System32\zmrch.dat
Removed! : C:\WINDOWS\System32\zobgi.dat
Removed! : C:\WINDOWS\System32\zrnuj.dat
Removed! : C:\WINDOWS\System32\zvrzw.dat
Removed! : C:\WINDOWS\System32\zxutz.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

This is from HijackThis...
Logfile of HijackThis v1.97.7
Scan saved at 10:03:50 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Intel Active Monitor\imonnt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Intel Active Monitor\imontray.exe
C:\WINDOWS\System32\Promon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Nikon\NkView6\NkvMon.exe
D:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\msbn32.exe
C:\WINDOWS\system32\sysdg.exe
E:\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hcxcj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D4453AEB-33E8-3237-5BB4-BD2626EAF5E2} - C:\WINDOWS\crwn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel Active Monitor\imontray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: NkvMon.exe.lnk = D:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Printkey2000.lnk = D:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Wireless PCI Card Config Utility.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Post To &WP : The Last Page On The Net - java script:doc=external.menuArguments.document;Q=doc.selection.createRange().text;void(btw=window.open('http://www.thelastpageonthenet.com/life/wp-admin/bookmarklet.php?text='+escape(Q)+'&trackback=1&pingback=1&popupurl='+escape(doc.location.href)+'&popuptitle='+escape(doc.title),'bookmarklet','scrollbars=no,width=480,height=590,left=100,top=150,status=yes'));btw.focus();
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7978.5393865741
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Also, after starting up IE, nothing has changed about the overriding start page and DLL.

Edited by blazzinmatt, 30 June 2004 - 09:06 PM.

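The two HijackThis logs in this thread are compared by eye above; the following is an added triage helper written for this page (example code, not HijackThis, About:Buster or Malwarebytes code). It parses the `R*`/`O*` lines of a HijackThis log, flags the kinds of entries that stand out in this hijack (an IE start or search page redirected into a `res://...dll` resource, an unnamed BHO loaded from a DLL sitting directly in `C:\WINDOWS`, a Run entry named after an `.exe` in `system32`), and diffs two logs to show what appeared or disappeared between scans. The flagging heuristics are this example's own assumptions, not HijackThis rules, and the sample input is a constructed excerpt of the lines posted above.

```python
"""Triage helper for HijackThis logs: parse, flag, diff (added example; not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the two HijackThis
# logs in this thread (the first log, and the one posted after About:Buster ran).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9A650B31-1961-1CC7-2626-3144BCA21C8D} - C:\WINDOWS\ipwt.dll
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [msqp32.exe] C:\WINDOWS\system32\msqp32.exe
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hcxcj.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hcxcj.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D4453AEB-33E8-3237-5BB4-BD2626EAF5E2} - C:\WINDOWS\crwn.dll
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
"""


@dataclass(frozen=True)
class Entry:
    kind: str  # HijackThis section code, e.g. "R0", "O2", "O4"
    body: str  # everything after "Rn - " / "On - "


# Only the R*/O* item lines are parsed; header and process-list lines are skipped.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")

# Heuristics assumed for this example (not HijackThis's own logic):
RES_DLL_RE = re.compile(r"res://[^ ]*\.dll", re.IGNORECASE)                 # R0/R1 page set to a DLL resource
BHO_IN_WINDIR_RE = re.compile(r" - C:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)  # DLL directly in C:\WINDOWS
RUN_EXE_IN_SYS32_RE = re.compile(r"\[[^\]]+\.exe\] \"?C:\\WINDOWS\\system32\\", re.IGNORECASE)


def parse_hjt(text: str) -> list[Entry]:
    """Turn the item lines of a HijackThis log into Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) pairs for entries matching one of the heuristics above."""
    flagged = []
    for e in entries:
        if e.kind in ("R0", "R1") and RES_DLL_RE.search(e.body):
            flagged.append((e, "IE start/search page points into a DLL resource (res://)"))
        elif e.kind == "O2" and "(no name)" in e.body and BHO_IN_WINDIR_RE.search(e.body):
            flagged.append((e, "unnamed BHO loaded from a DLL dropped directly in C:\\WINDOWS"))
        elif e.kind == "O4" and RUN_EXE_IN_SYS32_RE.search(e.body):
            flagged.append((e, "Run value named after an .exe living in system32"))
    return flagged


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries that appeared in `after` and entries that vanished from `before`, sorted by body."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    key = lambda e: e.body
    return sorted(a - b, key=key), sorted(b - a, key=key)


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(f"--- flagged in {label} log ---")
        for entry, reason in flag_entries(parse_hjt(log)):
            print(f"{entry.kind}: {reason}\n    {entry.body}")
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("--- new since previous scan ---")
    for e in added:
        print(f"+ {e.kind} - {e.body}")
    print("--- gone since previous scan ---")
    for e in removed:
        print(f"- {e.kind} - {e.body}")
```

On the constructed excerpt the diff reports the `ipwt.dll` BHO and the `msqp32.exe` Run entry as gone and the `crwn.dll` BHO as new, while the `res://hcxcj.dll` start and search pages are flagged in both logs, which is the same picture the poster describes: the ticked items were removed, but the page hijack and a freshly dropped DLL persisted until the Safe Mode run.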

#4 blazzinmatt (Full Member, 13 posts)

Posted 30 June 2004 - 09:15 PM

I ran AboutBuster a 2nd time and got these results:

About:Buster Version 1.23
Removed! : C:\WINDOWS\berkin.dat
Removed! : C:\WINDOWS\msbn32.exe
Removed! : C:\WINDOWS\upqsv.dat
Error Removing! : C:\WINDOWS\System32\sysdg.exe
Error Removing! : C:\WINDOWS\System32\syskt32.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Also, after this run I ran IE and the DLL wasn't downloaded and I got my default search page, but I still got pop-ups.

#5 blazzinmatt (Full Member, 13 posts)

Posted 30 June 2004 - 09:18 PM

Sorry for multiple posts but I thought that I would point out that after I launched IE a second time another DLL was downloaded. Maybe this info will help you in helping me.

#6 RubbeR DuckY (Marcin; Developer, 878 posts)

Posted 30 June 2004 - 09:31 PM

OK, that probably helped a lot with your infection. The CWS was majorly decreased in potential. Post a new HijackThis log after running the Buster a second time.

#7 blazzinmatt (Full Member, 13 posts)

Posted 30 June 2004 - 09:36 PM

I ran AboutBuster in Safe Mode and got this log:

About:Buster Version 1.23
Removed! : C:\WINDOWS\ltjol.dat
Removed! : C:\WINDOWS\ntreph.dat
Removed! : C:\WINDOWS\System32\sysdg.exe
Removed! : C:\WINDOWS\System32\syskt32.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

When I launched IE the first time after a reboot it worked just as it should.

#8 blazzinmatt (Full Member, 13 posts)

Posted 30 June 2004 - 09:37 PM

The second time I launched IE I didn't get res://<*.dll> anymore; I now got this:

http://81.211.105.20:81/cgi-bin/index.cgi?c=0

#9 blazzinmatt (Full Member, 13 posts)

Posted 30 June 2004 - 09:38 PM

Sorry for all these posts; I'm just running IE again for each post.
The third time I ran IE I got a new DLL downloaded, and still a popup on the initial launch.

Edited by blazzinmatt, 30 June 2004 - 09:38 PM.


#10 RubbeR DuckY (Marcin; Developer, 878 posts)

Posted 30 June 2004 - 09:39 PM

OK, set your homepage to whatever you want. Restart your computer and open Internet Explorer. See if it's still the same as you wanted it to be. If not, post a new log. If it is, then good job :thumbsup:

#11 blazzinmatt (Full Member, 13 posts)

Posted 30 June 2004 - 09:44 PM

Now something weird happened. This time as I first launched IE I got the res://<*.dll> instead of my homepage, as I had gotten many times before. I am going to run AboutBuster, HijackThis and AdAware in Safe Mode to make sure everything is gone and I'll keep you updated.

#12 blazzinmatt (Full Member, 13 posts)

Posted 01 July 2004 - 06:12 AM

When I get home at about 4:00PM EDT today I will run HijackThis, Ad-Aware and About:Buster in Safe Mode and I'll post the logs here. I hope that these logs will greatly increase the success of getting rid of my hijack.
