Jump to content


Photo

browser HJ BY "home Search" home page


  • Please log in to reply
10 replies to this topic

#1 elcapatante

elcapatante

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 05 July 2004 - 11:43 AM

Help - Browser HJ and pops for affiliated services. Went to FAQ and removed some items - hijacked browser/pops still an issue. Here is my HJT log any help will be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 12:04:52 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msip.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\netow32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 10 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {7E72F987-8787-B062-BD3E-899CF7791E40} - C:\WINDOWS\crop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [netow32.exe] C:\WINDOWS\system32\netow32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\RunOnce: [ienq32.exe] C:\WINDOWS\system32\ienq32.exe
O4 - HKLM\..\RunOnce: [msip.exe] C:\WINDOWS\system32\msip.exe
O4 - HKLM\..\RunOnce: [addxo32.exe] C:\WINDOWS\system32\addxo32.exe
O4 - HKLM\..\RunOnce: [d3hb32.exe] C:\WINDOWS\system32\d3hb32.exe
O4 - HKLM\..\RunOnce: [sysyf.exe] C:\WINDOWS\system32\sysyf.exe
O4 - HKLM\..\RunOnce: [atlhb.exe] C:\WINDOWS\system32\atlhb.exe
O4 - HKLM\..\RunOnce: [msog32.exe] C:\WINDOWS\system32\msog32.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 12.102.244.1 204.127.129.1

#2 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 05 July 2004 - 08:09 PM

Download About:Buster from Here

http://www.downloads...AboutBuster.zip

Unzip it to your desktop. Double click it and hit Ok, then Start, then Ok to start the scan. The scan should take a few seconds. Once it is done save the report. Post the report and a new Hijack this log here.
Posted Image

#3 elcapatante

elcapatante

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 06 July 2004 - 08:36 AM

Racktracker - thanks for your help. Attached are the logs you requested. I should also mention that I cannot get to this website from the infected pc (not sure if that matters).

About Buster log:
About:Buster Version 1.24
Removed! : C:\WINDOWS\cayxds.dat
Error Removing! : C:\WINDOWS\crop.dll
Removed! : C:\WINDOWS\crop.exe.bak
Removed! : C:\WINDOWS\dqduo.dat
Removed! : C:\WINDOWS\gwmigf.dat
Removed! : C:\WINDOWS\hjsdwy.dat
Removed! : C:\WINDOWS\iakgdp.dat
Removed! : C:\WINDOWS\iofbrl.dat
Removed! : C:\WINDOWS\jachl.dat
Removed! : C:\WINDOWS\juner.dat
Removed! : C:\WINDOWS\lugheo.dat
Removed! : C:\WINDOWS\mxrdr.dat
Removed! : C:\WINDOWS\nyzhjs.dat
Removed! : C:\WINDOWS\n_dmyzef.dat
Removed! : C:\WINDOWS\n_gwmigf.dat
Removed! : C:\WINDOWS\n_ijmdoy.dat
Removed! : C:\WINDOWS\n_olybxa.dat
Removed! : C:\WINDOWS\n_pvryyi.dat
Removed! : C:\WINDOWS\osgvyb.dat
Removed! : C:\WINDOWS\phojl.dat
Removed! : C:\WINDOWS\qdzrlh.dat
Removed! : C:\WINDOWS\qsvqmu.dat
Removed! : C:\WINDOWS\svnmzb.dat
Removed! : C:\WINDOWS\sysoz32.exe
Removed! : C:\WINDOWS\tmgmcb.dat
Removed! : C:\WINDOWS\uxqioi.dat
Removed! : C:\WINDOWS\xzkkff.dat
Removed! : C:\WINDOWS\ycvgsm.dat
Removed! : C:\WINDOWS\System32\addxo32.exe
Removed! : C:\WINDOWS\System32\atlhb.exe
Removed! : C:\WINDOWS\System32\d3hb32.exe
Removed! : C:\WINDOWS\System32\dvjzt.dat
Removed! : C:\WINDOWS\System32\fjmrs.dat
Removed! : C:\WINDOWS\System32\ienq32.exe
Removed! : C:\WINDOWS\System32\iezqb.dat
Removed! : C:\WINDOWS\System32\kxnzg.dat
Removed! : C:\WINDOWS\System32\mjpai.dat
Removed! : C:\WINDOWS\System32\mqbyh.dat
Removed! : C:\WINDOWS\System32\msip.exe
Removed! : C:\WINDOWS\System32\msog32.exe
Removed! : C:\WINDOWS\System32\netow32.exe
Removed! : C:\WINDOWS\System32\sysyf.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

New HJT Log:
Logfile of HijackThis v1.97.7
Scan saved at 9:16:42 AM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {7E72F987-8787-B062-BD3E-899CF7791E40} - C:\WINDOWS\crop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 204.127.129.4 12.102.244.4

Thanks Again for your help

#4 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 06 July 2004 - 01:29 PM

Move Hijackthis out of the temp directory (extract from zip)into a permanent folder. Example:
c:\program files\hijackthis\hijackthis.exe

This will allow backups to be made and saved By hijackthis in case something goes wrong.

Place a check next to the following entries, then close all open windows except hijackthis and click fix.

O2 - BHO: (no name) - {7E72F987-8787-B062-BD3E-899CF7791E40} - C:\WINDOWS\crop.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Then reboot into safe mode and delete these files.
C:\WINDOWS\ALCXMNTR.EXE

You may have to enable hidden files to find all the files.

Then reboot into normal mode.
Next download spybot and adaware. Update and scan with both. Have spybot fix anything it lists in RED and adaware fix everything it finds. Then reboot and run another hijackthis scan and post your new log here.

What hapens when you try to get here?
Are you directed to another website or does the page just fail to load?
Posted Image

#5 elcapatante

elcapatante

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 07 July 2004 - 07:44 AM

Racktracker -

I deleted as requested and ran the spyware. Spybot found 6 items for cleanup, which I did. When I try to reach this forum I am redirected to the Hijacked page, it also says access forbidden accross the top. The excessive popups I get seem to be all from "NVIEW" I've deleted it several times from HJT but it keeps coming back.

HJT LOG:
Logfile of HijackThis v1.97.7
Scan saved at 10:23:26 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netoz.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\apiko32.exe
C:\Program Files\Messenger\msmsgs.ex! e
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 12 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xqlcf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
O2 - BHO: (no name) - {755BA34E-BCAF-6042-9822-36A6D47647C0} - C:\WINDOWS\ipdv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4! - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy! .exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - H KLM\..\Run: [apiko32.exe] C:\WINDOWS\system32\apiko32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
! O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 204.127.129.4 12.102.244.4

Thanks again for your help

#6 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 07 July 2004 - 01:20 PM

boot into safe mode and run AboutBuster again.

Move Hijackthis out of the temp directory (extract from zip)into a permanent folder. Example:
c:\program files\hijackthis\hijackthis.exe

This will allow backups to be made and saved By hijackthis in case something goes wrong.

Place a check next to the following entries, then close all open windows except hijackthis and click fix.

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

Then locate this file and delete it.
nview.dll ( you will have to perform a system search to find it.)

Then reboot into normal mode and post another hijackthis log.
Posted Image

#7 elcapatante

elcapatante

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 07 July 2004 - 09:09 PM

Racktracker - I ran aboutbuster and deleted nview - I found quite a few instances. Here is my latest HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 10:06:08 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\javadr.exe
C:\WINDOWS\javabp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xqlcf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
O2 - BHO: (no name) - {755BA34E-BCAF-6042-9822-36A6D47647C0} - C:\WINDOWS\ipdv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [javabp.exe] C:\WINDOWS\javabp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 12.102.240.1 204.127.160.1

#8 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 08 July 2004 - 08:24 AM

For some reason About Buster doesn't seem to be removing the cws hijack from your pc, so we will have to do it manually.

Move Hijackthis out of the temp directory (extract from zip)into a permanent folder. Example:
c:\program files\hijackthis\hijackthis.exe

This will allow backups to be made and saved By hijackthis in case something goes wrong.
  • Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  • Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "javadr.exe" & "javabp.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
  • Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
  • Scroll down and find the service called "Network Security Service".
  • When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xqlcf.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
    O2 - BHO: (no name) - {755BA34E-BCAF-6042-9822-36A6D47647C0} - C:\WINDOWS\ipdv.dll
    O4 - HKLM\..\Run: [javabp.exe] C:\WINDOWS\javabp.exe
  • Reboot into Safe Mode - How do I boot into "Safe" mode?, and delete the following files:

    C:\WINDOWS\system32\xqlcf.dll
    C:\WINDOWS\ipdv.dll
    C:\WINDOWS\system32\javadr.exe
    C:\WINDOWS\javabp.exe
  • Go to Start => Run and type in "regedit" (without quotes) and press "Enter".
  • One the registry opens, Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
    If __NS_Service_3 exists , right click on it and choose delete from the menu.
  • Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
    If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.
  • Exit regedit and reboot in Normal Mode.
  • Two files (Possibly three) were also deleted from your computer and need to be replaced.
    • control.exe - Go to Merijn Files (control) and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
  • Run HiJackThis again and post a new log in this thread.

Posted Image

#9 elcapatante

elcapatante

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 08 July 2004 - 12:03 PM

Racktracker - I completed all the tasks except downloading the files (Iwas able to download "hoster". I still have issues accessing some of the spywareinfo sites. The error I get know is that it cannot find server - at least I am not being redirected. Seems that my homepage is no longer hijacked. Is there another website that I can use? I downloaded the files on my work pc but the company file wall deletes the files as files that have exe's that could be possible virus spreaders.

another HJT if you need it. I have had HJT in program files are you seeing something that leads you to believe otherwise?

Logfile of HijackThis v1.97.7
Scan saved at 1:01:48 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 12.102.244.4 204.127.129.4

#10 elcapatante

elcapatante

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 11 July 2004 - 08:01 PM

Racktracker - I was able to connect and download the files - attached is the latest HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 9:00:13 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 12.102.240.2 204.127.160.2

#11 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 12 July 2004 - 07:35 PM

This tells me exactly where hijackthis is running from.

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

If you are still having conection issues with certain sites.

Click start
then run type cmd and click ok
a comand window will open
type Ipconfig/flushdns
and hit enter.

Your hijackthis log looks good.

You should read this to help prevent future problems.

So how did I get infected
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button