Jump to content


some new unlisted BHO's

  • Please log in to reply
3 replies to this topic

#1 26gary26



  • New Member
  • Pip
  • 2 posts

Posted 01 July 2004 - 07:27 AM

I am suffering from a viscious dose of malware, somehow related to CWS, I have CWShredder 1.59 but it will not update for me.
I have followed the instructions listed on www.spywareinfo.com/articles/hijacked .(damn good they are too, Thank You) and have come across several BHOs not listed, I have removed each only to recieve a new one on the next scan, being impatient, I removed some just to see what would happen as I am not far from reformatting and reinstalling XP.
Here are some of the BHO's that were not in the database:

As I said above, each time I removed one of these, another takes it place. Below is a copy of the current Hijack this log:

Logfile of HijackThis v1.98.0
Scan saved at 12:50:48, on 01/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Tweak-XP Pro\popup.exe
C:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\onictask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gary Byrne\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yjaja.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yjaja.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yjaja.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yjaja.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yjaja.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yjaja.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2F5F1BA3-A0B4-232D-5418-72DB337E3831} - C:\WINDOWS\atlyu32.dll
O2 - BHO: (no name) - {A6B1DE48-E2B5-5C45-88EB-509D77A96D02} - C:\WINDOWS\sdkcx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [ipqm.exe] C:\WINDOWS\system32\ipqm.exe
O4 - HKLM\..\Run: [xgghinty] C:\WINDOWS\System32\ulchauxx.exe
O4 - HKLM\..\RunOnce: [javael.exe] C:\WINDOWS\javael.exe
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro\popup.exe"
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin Systems\Internet Cleanup\onictask.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: IC 3.0 - {bba9a1cb-c90a-4912-8f01-dfa51a2b4102} - C:\Program Files\Aladdin Systems\Internet Cleanup\ic3hlpr.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E70B133-7593-41EF-8853-790DED01A4CF}: NameServer =

I would like to express my gratitude to all the people who run this site and the helpers in the forums, I plan to sign up as an assistant as soon as this problem is solved

#2 Autodad


    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 05 July 2004 - 04:02 PM

Hello 26gary26,

Sorry for the delay. If you are still having your concern, let's do this:

First, please put HJT in a Permanent folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
This will allow backups to be made and saved By hijackthis in case something goes wrong
Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

Please download About:Buster and unzip it to your desktop.
Start it, hit Ok, Start, And Ok to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

#3 26gary26



  • New Member
  • Pip
  • 2 posts

Posted 07 July 2004 - 05:27 AM

Hi Autodad,
Thanks for the response, it turns out I had a version of the res hijack and I adapted a solution from elsewhere in the forums and it seems to have worked, using Hijack this in safe mode, removing BHO's and suspicious .dll's, then mopping up the odd looking .exe's in my system folders. It seems to have worked (only did it yesterday morning), I now have control over IE, also I have all the available ad and spyware tools updated and running.
Again I would like to thank all the contributers to this site forr all thier help

#4 Autodad


    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 07 July 2004 - 05:40 AM

Hi 26gary26,

Glad you have control over IE again! :thumbsup:

Feel free to post a new log for us to look over, if you'd like to.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!