• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
elcapatante

browser HJ BY "home Search" home page

11 posts in this topic

Help - Browser HJ and pops for affiliated services. Went to FAQ and removed some items - hijacked browser/pops still an issue. Here is my HJT log any help will be greatly appreciated.

 

Logfile of HijackThis v1.97.7

Scan saved at 12:04:52 PM, on 7/5/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\msip.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\netow32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 10 for hijackthis.zip\HijackThis.exe

 

O2 - BHO: (no name) - {7E72F987-8787-B062-BD3E-899CF7791E40} - C:\WINDOWS\crop.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [netow32.exe] C:\WINDOWS\system32\netow32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKLM\..\RunOnce: [ienq32.exe] C:\WINDOWS\system32\ienq32.exe

O4 - HKLM\..\RunOnce: [msip.exe] C:\WINDOWS\system32\msip.exe

O4 - HKLM\..\RunOnce: [addxo32.exe] C:\WINDOWS\system32\addxo32.exe

O4 - HKLM\..\RunOnce: [d3hb32.exe] C:\WINDOWS\system32\d3hb32.exe

O4 - HKLM\..\RunOnce: [sysyf.exe] C:\WINDOWS\system32\sysyf.exe

O4 - HKLM\..\RunOnce: [atlhb.exe] C:\WINDOWS\system32\atlhb.exe

O4 - HKLM\..\RunOnce: [msog32.exe] C:\WINDOWS\system32\msog32.exe

O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 12.102.244.1 204.127.129.1

Share this post


Link to post
Share on other sites

Racktracker - thanks for your help. Attached are the logs you requested. I should also mention that I cannot get to this website from the infected pc (not sure if that matters).

 

About Buster log:

About:Buster Version 1.24

Removed! : C:\WINDOWS\cayxds.dat

Error Removing! : C:\WINDOWS\crop.dll

Removed! : C:\WINDOWS\crop.exe.bak

Removed! : C:\WINDOWS\dqduo.dat

Removed! : C:\WINDOWS\gwmigf.dat

Removed! : C:\WINDOWS\hjsdwy.dat

Removed! : C:\WINDOWS\iakgdp.dat

Removed! : C:\WINDOWS\iofbrl.dat

Removed! : C:\WINDOWS\jachl.dat

Removed! : C:\WINDOWS\juner.dat

Removed! : C:\WINDOWS\lugheo.dat

Removed! : C:\WINDOWS\mxrdr.dat

Removed! : C:\WINDOWS\nyzhjs.dat

Removed! : C:\WINDOWS\n_dmyzef.dat

Removed! : C:\WINDOWS\n_gwmigf.dat

Removed! : C:\WINDOWS\n_ijmdoy.dat

Removed! : C:\WINDOWS\n_olybxa.dat

Removed! : C:\WINDOWS\n_pvryyi.dat

Removed! : C:\WINDOWS\osgvyb.dat

Removed! : C:\WINDOWS\phojl.dat

Removed! : C:\WINDOWS\qdzrlh.dat

Removed! : C:\WINDOWS\qsvqmu.dat

Removed! : C:\WINDOWS\svnmzb.dat

Removed! : C:\WINDOWS\sysoz32.exe

Removed! : C:\WINDOWS\tmgmcb.dat

Removed! : C:\WINDOWS\uxqioi.dat

Removed! : C:\WINDOWS\xzkkff.dat

Removed! : C:\WINDOWS\ycvgsm.dat

Removed! : C:\WINDOWS\System32\addxo32.exe

Removed! : C:\WINDOWS\System32\atlhb.exe

Removed! : C:\WINDOWS\System32\d3hb32.exe

Removed! : C:\WINDOWS\System32\dvjzt.dat

Removed! : C:\WINDOWS\System32\fjmrs.dat

Removed! : C:\WINDOWS\System32\ienq32.exe

Removed! : C:\WINDOWS\System32\iezqb.dat

Removed! : C:\WINDOWS\System32\kxnzg.dat

Removed! : C:\WINDOWS\System32\mjpai.dat

Removed! : C:\WINDOWS\System32\mqbyh.dat

Removed! : C:\WINDOWS\System32\msip.exe

Removed! : C:\WINDOWS\System32\msog32.exe

Removed! : C:\WINDOWS\System32\netow32.exe

Removed! : C:\WINDOWS\System32\sysyf.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

New HJT Log:

Logfile of HijackThis v1.97.7

Scan saved at 9:16:42 AM, on 7/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe

 

O2 - BHO: (no name) - {7E72F987-8787-B062-BD3E-899CF7791E40} - C:\WINDOWS\crop.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 204.127.129.4 12.102.244.4

 

Thanks Again for your help

Share this post


Link to post
Share on other sites

Move Hijackthis out of the temp directory (extract from zip)into a permanent folder. Example:

c:\program files\hijackthis\hijackthis.exe

 

This will allow backups to be made and saved By hijackthis in case something goes wrong.

 

Place a check next to the following entries, then close all open windows except hijackthis and click fix.

O2 - BHO: (no name) - {7E72F987-8787-B062-BD3E-899CF7791E40} - C:\WINDOWS\crop.dll

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Then reboot into safe mode and delete these files.

C:\WINDOWS\ALCXMNTR.EXE

 

You may have to enable hidden files to find all the files.

 

Then reboot into normal mode.

Next download spybot and adaware. Update and scan with both. Have spybot fix anything it lists in RED and adaware fix everything it finds. Then reboot and run another hijackthis scan and post your new log here.

 

What hapens when you try to get here?

Are you directed to another website or does the page just fail to load?

Share this post


Link to post
Share on other sites

Racktracker -

 

I deleted as requested and ran the spyware. Spybot found 6 items for cleanup, which I did. When I try to reach this forum I am redirected to the Hijacked page, it also says access forbidden accross the top. The excessive popups I get seem to be all from "NVIEW" I've deleted it several times from HJT but it keeps coming back.

 

HJT LOG:

Logfile of HijackThis v1.97.7

Scan saved at 10:23:26 PM, on 7/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\netoz.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\apiko32.exe

C:\Program Files\Messenger\msmsgs.ex! e

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 12 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xqlcf.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049

O2 - BHO: (no name) - {755BA34E-BCAF-6042-9822-36A6D47647C0} - C:\WINDOWS\ipdv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O4! - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy! .exe"

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - H KLM\..\Run: [apiko32.exe] C:\WINDOWS\system32\apiko32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

! O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 204.127.129.4 12.102.244.4

 

Thanks again for your help

Share this post


Link to post
Share on other sites

boot into safe mode and run AboutBuster again.

 

Move Hijackthis out of the temp directory (extract from zip)into a permanent folder. Example:

c:\program files\hijackthis\hijackthis.exe

 

This will allow backups to be made and saved By hijackthis in case something goes wrong.

 

Place a check next to the following entries, then close all open windows except hijackthis and click fix.

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

Then locate this file and delete it.

nview.dll ( you will have to perform a system search to find it.)

 

Then reboot into normal mode and post another hijackthis log.

Share this post


Link to post
Share on other sites

Racktracker - I ran aboutbuster and deleted nview - I found quite a few instances. Here is my latest HJT log.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:06:08 PM, on 7/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\system32\javadr.exe

C:\WINDOWS\javabp.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xqlcf.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049

O2 - BHO: (no name) - {755BA34E-BCAF-6042-9822-36A6D47647C0} - C:\WINDOWS\ipdv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [javabp.exe] C:\WINDOWS\javabp.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 12.102.240.1 204.127.160.1

Share this post


Link to post
Share on other sites

For some reason About Buster doesn't seem to be removing the cws hijack from your pc, so we will have to do it manually.

 

Move Hijackthis out of the temp directory (extract from zip)into a permanent folder. Example:

c:\program files\hijackthis\hijackthis.exe

 

This will allow backups to be made and saved By hijackthis in case something goes wrong.

  1. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "javadr.exe" & "javabp.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
  3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
  4. Scroll down and find the service called "Network Security Service".
  5. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
  6. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xqlcf.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xqlcf.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqlcf.dll/sp.html#37049
    O2 - BHO: (no name) - {755BA34E-BCAF-6042-9822-36A6D47647C0} - C:\WINDOWS\ipdv.dll
    O4 - HKLM\..\Run: [javabp.exe] C:\WINDOWS\javabp.exe

  7. Reboot into Safe Mode - How do I boot into "Safe" mode?, and delete the following files:
     
    C:\WINDOWS\system32\xqlcf.dll
    C:\WINDOWS\ipdv.dll
    C:\WINDOWS\system32\javadr.exe
    C:\WINDOWS\javabp.exe
     
  8. Go to Start => Run and type in "regedit" (without quotes) and press "Enter".
  9. One the registry opens, Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
    If __NS_Service_3 exists , right click on it and choose delete from the menu.
  10. Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
    If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.
  11. Exit regedit and reboot in Normal Mode.
  12. Two files (Possibly three) were also deleted from your computer and need to be replaced.
    • control.exe - Go to Merijn Files (control) and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

[*]Run HiJackThis again and post a new log in this thread.

Share this post


Link to post
Share on other sites

Racktracker - I completed all the tasks except downloading the files (Iwas able to download "hoster". I still have issues accessing some of the spywareinfo sites. The error I get know is that it cannot find server - at least I am not being redirected. Seems that my homepage is no longer hijacked. Is there another website that I can use? I downloaded the files on my work pc but the company file wall deletes the files as files that have exe's that could be possible virus spreaders.

 

another HJT if you need it. I have had HJT in program files are you seeing something that leads you to believe otherwise?

 

Logfile of HijackThis v1.97.7

Scan saved at 1:01:48 PM, on 7/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 12.102.244.4 204.127.129.4

Share this post


Link to post
Share on other sites

Racktracker - I was able to connect and download the files - attached is the latest HJT log.

 

Logfile of HijackThis v1.97.7

Scan saved at 9:00:13 PM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Yahoo!\Messenger\ypager.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\Program Files\Microsoft Office\Office\EXCEL.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{61DAFA9E-10BA-4006-A70F-81429CE66A2F}: NameServer = 12.102.240.2 204.127.160.2

Share this post


Link to post
Share on other sites

This tells me exactly where hijackthis is running from.

 

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

If you are still having conection issues with certain sites.

 

Click start

then run type cmd and click ok

a comand window will open

type Ipconfig/flushdns

and hit enter.

 

Your hijackthis log looks good.

 

You should read this to help prevent future problems.

 

So how did I get infected

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0