crunchman

New Hijacker?

4 posts in this topic

Here is the hijack this log,

 

I think this is a new one, I have searched for the running processes and can't seem to find the keywords or exe's anywhere.

 

maybe someone here knows what they are :-)

 

Thank You

Scott C.

 

Ok,

 

So I spent several hours last night, I think I got about 80% of the stuff using McAfee and SpyBot, but I can't seem to get it all, here is the log, first few lines keep coming back, seemingly no matter how I try to get rid of it.

 

Thank You in advance

 

Scott C

 

Logfile of HijackThis v1.97.7

Scan saved at 11:31:55 PM, on 6/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe

C:\WINDOWS\sdkmm32.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Program Files\Network Associates\VirusScan\Webscanx.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\system32\syslc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Documents and Settings\Ken\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ujuku.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ujuku.dll/index.html#96676

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {D0255E6F-0063-155E-E155-8DEDD32646C8} - C:\WINDOWS\ipjx.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [syslc.exe] C:\WINDOWS\system32\syslc.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKLM\..\RunOnce: [sdkmm32.exe] C:\WINDOWS\sdkmm32.exe

O4 - HKLM\..\RunOnce: [appus.exe] C:\WINDOWS\system32\appus.exe

O4 - HKLM\..\RunOnce: [apict.exe] C:\WINDOWS\system32\apict.exe

O4 - HKLM\..\RunOnce: [winyo32.exe] C:\WINDOWS\winyo32.exe

O4 - HKLM\..\RunOnce: [sdkkw32.exe] C:\WINDOWS\system32\sdkkw32.exe

O4 - HKLM\..\RunOnce: [netky.exe] C:\WINDOWS\system32\netky.exe

O4 - HKLM\..\RunOnce: [sysyz.exe] C:\WINDOWS\sysyz.exe

O4 - HKLM\..\RunOnce: [mfcuf32.exe] C:\WINDOWS\system32\mfcuf32.exe

O4 - HKLM\..\RunOnce: [apimb.exe] C:\WINDOWS\system32\apimb.exe

O4 - HKLM\..\RunOnce: [mswf.exe] C:\WINDOWS\system32\mswf.exe

O4 - HKLM\..\RunOnce: [ntjk.exe] C:\WINDOWS\ntjk.exe

O4 - HKLM\..\RunOnce: [netml32.exe] C:\WINDOWS\system32\netml32.exe

O4 - HKLM\..\RunOnce: [addrk32.exe] C:\WINDOWS\system32\addrk32.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


It's not a new one - we've been dealing with this for a while - it's been very resistant and hard to kill - but let's take a shot at it - RubbeRDuckY's removal tool is being constantly updated.

 

Start by downloading About:Buster from http://www.downloads.subratam.org/AboutBuster.zip

or this alternate location http://tools.zerosrealm.com/AboutBuster.zip

 

Unzip it to your desktop. Start it, hit Ok, Start, and Ok again to start the scan. It will generate a log. Post that log along with a new HijackThis log here.


popup stopper is working

spybot s&d is working properly

 

ran about:buster and seemed to fix it but couldn't get a log from that,

or couldn't find it.

here is the new hijack this log. updated version today as well

 

thank you

 

 

Logfile of HijackThis v1.98.0

Scan saved at 4:04:41 PM, on 7/10/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\Webscanx.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ujuku.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ujuku.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {98992BEF-C386-CF53-DECE-D2A0FB2B61D0} - C:\WINDOWS\atleb32.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


The About:Buster log is generated in the window in the center of the program box - not in a separate one like HJT. I mainly wanted to see the log to see if it reported any errors. The updated HJT has revealed something that the previous version didn't show that may have kept About:Buster from being fully effective.

 

Run a new HJT scan, and mark these items for removal:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ujuku.dll/sp.html#96676

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ujuku.dll/index.html#96676

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {98992BEF-C386-CF53-DECE-D2A0FB2B61D0} - C:\WINDOWS\atleb32.dll (file missing)

 

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

 

Reboot your computer into Safe Mode by repeatedly tapping the F8 key during bootup.

 

Open Windows Explorer and reconfigure it to Enable Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the Files and Folders section.

Select: Display the contents of system folders.

 

Scroll down to the Hidden Files and Folders section.

Select: Show hidden files and folders, Ok the prompt

Uncheck: Hide file extensions for known file types

Uncheck: Hide protected operating system files

Ok the Prompt, click Apply

 

Click the Apply to all Folders button.

 

Now, find and delete this file:

 

C:\WINDOWS\msopt.dll

 

Reboot normally, and run About:Buster again. Then, run another HJT scan, and post it here for further review.

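An added example, not part of the thread and not HijackThis's own logic: a small Python triage pass over HijackThis entry lines, run on a subset of the 7/10/2004 log posted above. The matching rules are assumptions modelled on the five items the helper marked for removal, and the function names are hypothetical.

```python
import re

# Sample input: a subset of the 7/10/2004 HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ujuku.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ujuku.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {98992BEF-C386-CF53-DECE-D2A0FB2B61D0} - C:\WINDOWS\atleb32.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""

# An entry line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# A DLL directly in C:\WINDOWS or system32, optionally marked "(file missing)".
LOOSE_DLL = re.compile(r" - c:\\windows\\(system32\\)?[^\\]+\.dll( \(file missing\))?$")

def parse(log_text):
    """Return (code, body) per R*/O* entry; header and process-path lines are skipped."""
    lines = map(str.strip, log_text.splitlines())
    return [m.groups() for m in map(ENTRY.match, lines) if m]

def triage(entries):
    """Flag entries with assumed heuristics mirroring the helper's removal list."""
    flagged = []
    for code, body in entries:
        low, reasons = body.lower(), []
        if code in ("R0", "R1") and "= res://" in low:
            reasons.append("IE page served from a res:// resource inside a DLL")
        if code == "R3" and "urlsearchhook is missing" in low:
            reasons.append("default URLSearchHook missing")
        if code == "O2" and "(no name)" in low and LOOSE_DLL.search(low):
            reasons.append("unnamed BHO with a DLL directly in the Windows directory")
        if code == "O18" and LOOSE_DLL.search(low):
            reasons.append("extra protocol handler DLL in the Windows directory")
        if reasons:
            flagged.append((code, body, reasons))
    return flagged

if __name__ == "__main__":
    for code, body, reasons in triage(parse(SAMPLE_LOG)):
        print(f"{code}: {body}\n    -> {'; '.join(reasons)}")
```

A flagged line is a prompt for manual review, not a verdict: the Adobe BHO in the first log also shows "(no name)" and is left alone here only because its file is under Program Files.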