res://digzv.dll/ is my home page

#1 fbr

Posted 07 July 2004 - 10:23 AM

I did download the latest versions of Ad-Aware 6.0 and Spybot S&D. Already for a couple of days I have been trying to get rid of irritating spyware, in which I do not succeed. Currently, Ad-Aware just gave the message of a tracking cookie cgi-bin[1].txt and Spybot gave a tracking cookie doubleclick[1].txt. After removal and a new start-up, these re-appear.
My home page is res://digzv.dll/index.html#37680 and I am continuously re-directed to http://search-to-find.com. Ads appear on my screen, based on the latest search terms I have used via Google.
I ran HijackThis and deleted all entries with digzv. After reboot they re-appear.

I really would appreciate your help.

FBR
====================

My current HijackThis logfile is as follows.

Logfile of HijackThis v1.97.7
Scan saved at 17:05:49, on 7-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\winrx32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\apidp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Frans\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\digzv.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://digzv.dll/index.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://digzv.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\digzv.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://digzv.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\digzv.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: (no name) - {04D6A205-BCF1-A72C-2E8D-6CC68DA15F18} - C:\WINDOWS\atlha32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [atljb32.exe] C:\WINDOWS\system32\atljb32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Gijs\msn\MSNPLUS\MsgPlus.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [apidp.exe] C:\WINDOWS\system32\apidp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKLM\..\RunOnce: [sysqo32.exe] C:\WINDOWS\sysqo32.exe
O4 - HKLM\..\RunOnce: [javafv32.exe] C:\WINDOWS\javafv32.exe
O4 - HKLM\..\RunOnce: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe
O4 - HKLM\..\RunOnce: [winfp.exe] C:\WINDOWS\winfp.exe
O4 - HKLM\..\RunOnce: [addsv32.exe] C:\WINDOWS\system32\addsv32.exe
O4 - HKLM\..\RunOnce: [mfcer.exe] C:\WINDOWS\mfcer.exe
O4 - HKLM\..\RunOnce: [iezg.exe] C:\WINDOWS\system32\iezg.exe
O4 - HKLM\..\RunOnce: [sysyh32.exe] C:\WINDOWS\system32\sysyh32.exe
O4 - HKLM\..\RunOnce: [sysyc.exe] C:\WINDOWS\sysyc.exe
O4 - HKLM\..\RunOnce: [mfceh32.exe] C:\WINDOWS\system32\mfceh32.exe
O4 - HKLM\..\RunOnce: [netmt32.exe] C:\WINDOWS\netmt32.exe
O4 - HKLM\..\RunOnce: [ipqg.exe] C:\WINDOWS\ipqg.exe
O4 - HKLM\..\RunOnce: [netia32.exe] C:\WINDOWS\system32\netia32.exe
O4 - HKLM\..\RunOnce: [ierx32.exe] C:\WINDOWS\ierx32.exe
O4 - HKLM\..\RunOnce: [ntgx.exe] C:\WINDOWS\ntgx.exe
O4 - HKLM\..\RunOnce: [aping32.exe] C:\WINDOWS\system32\aping32.exe
O4 - HKLM\..\RunOnce: [mfczl.exe] C:\WINDOWS\mfczl.exe
O4 - HKLM\..\RunOnce: [apihr.exe] C:\WINDOWS\system32\apihr.exe
O4 - HKLM\..\RunOnce: [netsa32.exe] C:\WINDOWS\system32\netsa32.exe
O4 - HKLM\..\RunOnce: [crhu32.exe] C:\WINDOWS\system32\crhu32.exe
O4 - HKLM\..\RunOnce: [msig32.exe] C:\WINDOWS\system32\msig32.exe
O4 - HKLM\..\RunOnce: [d3sa32.exe] C:\WINDOWS\d3sa32.exe
O4 - HKLM\..\RunOnce: [appml.exe] C:\WINDOWS\appml.exe
O4 - HKLM\..\RunOnce: [crgj32.exe] C:\WINDOWS\system32\crgj32.exe
O4 - HKLM\..\RunOnce: [ieqs32.exe] C:\WINDOWS\ieqs32.exe
O4 - HKLM\..\RunOnce: [crvp.exe] C:\WINDOWS\crvp.exe
O4 - HKLM\..\RunOnce: [ieuw.exe] C:\WINDOWS\ieuw.exe
O4 - HKLM\..\RunOnce: [netcv.exe] C:\WINDOWS\system32\netcv.exe
O4 - HKLM\..\RunOnce: [sysbu32.exe] C:\WINDOWS\system32\sysbu32.exe
O4 - HKLM\..\RunOnce: [atlsc.exe] C:\WINDOWS\system32\atlsc.exe
O4 - HKLM\..\RunOnce: [msbw.exe] C:\WINDOWS\msbw.exe
O4 - HKLM\..\RunOnce: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe
O4 - HKLM\..\RunOnce: [winpw.exe] C:\WINDOWS\system32\winpw.exe
O4 - HKLM\..\RunOnce: [mfcqg32.exe] C:\WINDOWS\mfcqg32.exe
O4 - HKLM\..\RunOnce: [ipyo32.exe] C:\WINDOWS\ipyo32.exe
O4 - HKLM\..\RunOnce: [javato.exe] C:\WINDOWS\system32\javato.exe
O4 - HKLM\..\RunOnce: [mfcqh32.exe] C:\WINDOWS\system32\mfcqh32.exe
O4 - HKLM\..\RunOnce: [sysef32.exe] C:\WINDOWS\system32\sysef32.exe
O4 - HKLM\..\RunOnce: [crrg32.exe] C:\WINDOWS\system32\crrg32.exe
O4 - HKLM\..\RunOnce: [sysnc32.exe] C:\WINDOWS\sysnc32.exe
O4 - HKLM\..\RunOnce: [sdkar.exe] C:\WINDOWS\system32\sdkar.exe
O4 - HKLM\..\RunOnce: [apppr32.exe] C:\WINDOWS\apppr32.exe
O4 - HKLM\..\RunOnce: [sysmr.exe] C:\WINDOWS\sysmr.exe
O4 - HKLM\..\RunOnce: [addxz32.exe] C:\WINDOWS\addxz32.exe
O4 - HKLM\..\RunOnce: [javakl32.exe] C:\WINDOWS\system32\javakl32.exe
O4 - HKLM\..\RunOnce: [apiqy.exe] C:\WINDOWS\apiqy.exe
O4 - HKLM\..\RunOnce: [addjp32.exe] C:\WINDOWS\system32\addjp32.exe
O4 - HKLM\..\RunOnce: [atllc.exe] C:\WINDOWS\system32\atllc.exe
O4 - HKLM\..\RunOnce: [ipwm.exe] C:\WINDOWS\ipwm.exe
O4 - HKLM\..\RunOnce: [atlnw.exe] C:\WINDOWS\atlnw.exe
O4 - HKLM\..\RunOnce: [appxa32.exe] C:\WINDOWS\system32\appxa32.exe
O4 - HKLM\..\RunOnce: [adddz.exe] C:\WINDOWS\system32\adddz.exe
O4 - HKLM\..\RunOnce: [d3rz.exe] C:\WINDOWS\d3rz.exe
O4 - HKLM\..\RunOnce: [crpl32.exe] C:\WINDOWS\crpl32.exe
O4 - HKLM\..\RunOnce: [msfz.exe] C:\WINDOWS\system32\msfz.exe
O4 - HKLM\..\RunOnce: [d3lv32.exe] C:\WINDOWS\d3lv32.exe
O4 - HKLM\..\RunOnce: [addon32.exe] C:\WINDOWS\system32\addon32.exe
O4 - HKLM\..\RunOnce: [msbt32.exe] C:\WINDOWS\system32\msbt32.exe
O4 - HKLM\..\RunOnce: [d3ze.exe] C:\WINDOWS\d3ze.exe
O4 - HKLM\..\RunOnce: [atlic.exe] C:\WINDOWS\atlic.exe
O4 - HKLM\..\RunOnce: [apiut.exe] C:\WINDOWS\apiut.exe
O4 - HKLM\..\RunOnce: [sdklg.exe] C:\WINDOWS\sdklg.exe
O4 - HKLM\..\RunOnce: [mfcqc.exe] C:\WINDOWS\system32\mfcqc.exe
O4 - HKLM\..\RunOnce: [mfcob.exe] C:\WINDOWS\mfcob.exe
O4 - HKLM\..\RunOnce: [netln32.exe] C:\WINDOWS\netln32.exe
O4 - HKLM\..\RunOnce: [sysws32.exe] C:\WINDOWS\sysws32.exe
O4 - HKLM\..\RunOnce: [apigi.exe] C:\WINDOWS\system32\apigi.exe
O4 - HKLM\..\RunOnce: [atlks.exe] C:\WINDOWS\system32\atlks.exe
O4 - HKLM\..\RunOnce: [ipya.exe] C:\WINDOWS\ipya.exe
O4 - HKLM\..\RunOnce: [mfcep.exe] C:\WINDOWS\mfcep.exe
O4 - HKLM\..\RunOnce: [syswe.exe] C:\WINDOWS\system32\syswe.exe
O4 - HKLM\..\RunOnce: [winec.exe] C:\WINDOWS\winec.exe
O4 - HKLM\..\RunOnce: [ieex32.exe] C:\WINDOWS\system32\ieex32.exe
O4 - HKLM\..\RunOnce: [ipvt.exe] C:\WINDOWS\system32\ipvt.exe
O4 - HKLM\..\RunOnce: [d3hb.exe] C:\WINDOWS\d3hb.exe
O4 - HKLM\..\RunOnce: [crpv32.exe] C:\WINDOWS\crpv32.exe
O4 - HKLM\..\RunOnce: [msxl.exe] C:\WINDOWS\msxl.exe
O4 - HKLM\..\RunOnce: [cryn32.exe] C:\WINDOWS\cryn32.exe
O4 - HKLM\..\RunOnce: [atltx.exe] C:\WINDOWS\atltx.exe
O4 - HKLM\..\RunOnce: [mfcil.exe] C:\WINDOWS\system32\mfcil.exe
O4 - HKLM\..\RunOnce: [syswn.exe] C:\WINDOWS\syswn.exe
O4 - HKLM\..\RunOnce: [appkt32.exe] C:\WINDOWS\appkt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.18.69.102...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8172.5102430556
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28177.cab

#2 stockkbroker

Posted 07 July 2004 - 11:17 AM

Hi,

Before you begin, please print out the following instructions so that you can follow along as we go.

Download About:Buster from my signature and unzip it to its own folder.


Fixing the HIJACKTHIS log
Please look over the following entries I have listed, check them and Press the "Fix Checked" button with HijackThis.
When you are doing this, make sure you have NO Internet Explorer windows open, including this one.
  • O2 - BHO: (no name) - {04D6A205-BCF1-A72C-2E8D-6CC68DA15F18} - C:\WINDOWS\atlha32.dll
  • O4 - HKLM\..\Run: [atljb32.exe] C:\WINDOWS\system32\atljb32.exe
  • O4 - HKLM\..\Run: [apidp.exe] C:\WINDOWS\system32\apidp.exe
  • O4 - HKLM\..\RunOnce: [sysqo32.exe] C:\WINDOWS\sysqo32.exe
  • O4 - HKLM\..\RunOnce: [javafv32.exe] C:\WINDOWS\javafv32.exe
  • O4 - HKLM\..\RunOnce: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe
  • O4 - HKLM\..\RunOnce: [winfp.exe] C:\WINDOWS\winfp.exe
  • O4 - HKLM\..\RunOnce: [addsv32.exe] C:\WINDOWS\system32\addsv32.exe
  • O4 - HKLM\..\RunOnce: [mfcer.exe] C:\WINDOWS\mfcer.exe
  • O4 - HKLM\..\RunOnce: [iezg.exe] C:\WINDOWS\system32\iezg.exe
  • O4 - HKLM\..\RunOnce: [sysyh32.exe] C:\WINDOWS\system32\sysyh32.exe
  • O4 - HKLM\..\RunOnce: [sysyc.exe] C:\WINDOWS\sysyc.exe
  • O4 - HKLM\..\RunOnce: [mfceh32.exe] C:\WINDOWS\system32\mfceh32.exe
  • O4 - HKLM\..\RunOnce: [netmt32.exe] C:\WINDOWS\netmt32.exe
  • O4 - HKLM\..\RunOnce: [ipqg.exe] C:\WINDOWS\ipqg.exe
  • O4 - HKLM\..\RunOnce: [netia32.exe] C:\WINDOWS\system32\netia32.exe
  • O4 - HKLM\..\RunOnce: [ierx32.exe] C:\WINDOWS\ierx32.exe
  • O4 - HKLM\..\RunOnce: [ntgx.exe] C:\WINDOWS\ntgx.exe
  • O4 - HKLM\..\RunOnce: [aping32.exe] C:\WINDOWS\system32\aping32.exe
  • O4 - HKLM\..\RunOnce: [mfczl.exe] C:\WINDOWS\mfczl.exe
  • O4 - HKLM\..\RunOnce: [apihr.exe] C:\WINDOWS\system32\apihr.exe
  • O4 - HKLM\..\RunOnce: [netsa32.exe] C:\WINDOWS\system32\netsa32.exe
  • O4 - HKLM\..\RunOnce: [crhu32.exe] C:\WINDOWS\system32\crhu32.exe
  • O4 - HKLM\..\RunOnce: [msig32.exe] C:\WINDOWS\system32\msig32.exe
  • O4 - HKLM\..\RunOnce: [d3sa32.exe] C:\WINDOWS\d3sa32.exe
  • O4 - HKLM\..\RunOnce: [appml.exe] C:\WINDOWS\appml.exe
  • O4 - HKLM\..\RunOnce: [crgj32.exe] C:\WINDOWS\system32\crgj32.exe
  • O4 - HKLM\..\RunOnce: [ieqs32.exe] C:\WINDOWS\ieqs32.exe
  • O4 - HKLM\..\RunOnce: [crvp.exe] C:\WINDOWS\crvp.exe
  • O4 - HKLM\..\RunOnce: [ieuw.exe] C:\WINDOWS\ieuw.exe
  • O4 - HKLM\..\RunOnce: [netcv.exe] C:\WINDOWS\system32\netcv.exe
  • O4 - HKLM\..\RunOnce: [sysbu32.exe] C:\WINDOWS\system32\sysbu32.exe
  • O4 - HKLM\..\RunOnce: [atlsc.exe] C:\WINDOWS\system32\atlsc.exe
  • O4 - HKLM\..\RunOnce: [msbw.exe] C:\WINDOWS\msbw.exe
  • O4 - HKLM\..\RunOnce: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe
  • O4 - HKLM\..\RunOnce: [winpw.exe] C:\WINDOWS\system32\winpw.exe
  • O4 - HKLM\..\RunOnce: [mfcqg32.exe] C:\WINDOWS\mfcqg32.exe
  • O4 - HKLM\..\RunOnce: [ipyo32.exe] C:\WINDOWS\ipyo32.exe
  • O4 - HKLM\..\RunOnce: [javato.exe] C:\WINDOWS\system32\javato.exe
  • O4 - HKLM\..\RunOnce: [mfcqh32.exe] C:\WINDOWS\system32\mfcqh32.exe
  • O4 - HKLM\..\RunOnce: [sysef32.exe] C:\WINDOWS\system32\sysef32.exe
  • O4 - HKLM\..\RunOnce: [crrg32.exe] C:\WINDOWS\system32\crrg32.exe
  • O4 - HKLM\..\RunOnce: [sysnc32.exe] C:\WINDOWS\sysnc32.exe
  • O4 - HKLM\..\RunOnce: [sdkar.exe] C:\WINDOWS\system32\sdkar.exe
  • O4 - HKLM\..\RunOnce: [apppr32.exe] C:\WINDOWS\apppr32.exe
  • O4 - HKLM\..\RunOnce: [sysmr.exe] C:\WINDOWS\sysmr.exe
  • O4 - HKLM\..\RunOnce: [addxz32.exe] C:\WINDOWS\addxz32.exe
  • O4 - HKLM\..\RunOnce: [javakl32.exe] C:\WINDOWS\system32\javakl32.exe
  • O4 - HKLM\..\RunOnce: [apiqy.exe] C:\WINDOWS\apiqy.exe
  • O4 - HKLM\..\RunOnce: [addjp32.exe] C:\WINDOWS\system32\addjp32.exe
  • O4 - HKLM\..\RunOnce: [atllc.exe] C:\WINDOWS\system32\atllc.exe
  • O4 - HKLM\..\RunOnce: [ipwm.exe] C:\WINDOWS\ipwm.exe
  • O4 - HKLM\..\RunOnce: [atlnw.exe] C:\WINDOWS\atlnw.exe
  • O4 - HKLM\..\RunOnce: [appxa32.exe] C:\WINDOWS\system32\appxa32.exe
  • O4 - HKLM\..\RunOnce: [adddz.exe] C:\WINDOWS\system32\adddz.exe
  • O4 - HKLM\..\RunOnce: [d3rz.exe] C:\WINDOWS\d3rz.exe
  • O4 - HKLM\..\RunOnce: [crpl32.exe] C:\WINDOWS\crpl32.exe
  • O4 - HKLM\..\RunOnce: [msfz.exe] C:\WINDOWS\system32\msfz.exe
  • O4 - HKLM\..\RunOnce: [d3lv32.exe] C:\WINDOWS\d3lv32.exe
  • O4 - HKLM\..\RunOnce: [addon32.exe] C:\WINDOWS\system32\addon32.exe
  • O4 - HKLM\..\RunOnce: [msbt32.exe] C:\WINDOWS\system32\msbt32.exe
  • O4 - HKLM\..\RunOnce: [d3ze.exe] C:\WINDOWS\d3ze.exe
  • O4 - HKLM\..\RunOnce: [atlic.exe] C:\WINDOWS\atlic.exe
  • O4 - HKLM\..\RunOnce: [apiut.exe] C:\WINDOWS\apiut.exe
  • O4 - HKLM\..\RunOnce: [sdklg.exe] C:\WINDOWS\sdklg.exe
  • O4 - HKLM\..\RunOnce: [mfcqc.exe] C:\WINDOWS\system32\mfcqc.exe
  • O4 - HKLM\..\RunOnce: [mfcob.exe] C:\WINDOWS\mfcob.exe
  • O4 - HKLM\..\RunOnce: [netln32.exe] C:\WINDOWS\netln32.exe
  • O4 - HKLM\..\RunOnce: [sysws32.exe] C:\WINDOWS\sysws32.exe
  • O4 - HKLM\..\RunOnce: [apigi.exe] C:\WINDOWS\system32\apigi.exe
  • O4 - HKLM\..\RunOnce: [atlks.exe] C:\WINDOWS\system32\atlks.exe
  • O4 - HKLM\..\RunOnce: [ipya.exe] C:\WINDOWS\ipya.exe
  • O4 - HKLM\..\RunOnce: [mfcep.exe] C:\WINDOWS\mfcep.exe
  • O4 - HKLM\..\RunOnce: [syswe.exe] C:\WINDOWS\system32\syswe.exe
  • O4 - HKLM\..\RunOnce: [winec.exe] C:\WINDOWS\winec.exe
  • O4 - HKLM\..\RunOnce: [ieex32.exe] C:\WINDOWS\system32\ieex32.exe
  • O4 - HKLM\..\RunOnce: [ipvt.exe] C:\WINDOWS\system32\ipvt.exe
  • O4 - HKLM\..\RunOnce: [d3hb.exe] C:\WINDOWS\d3hb.exe
  • O4 - HKLM\..\RunOnce: [crpv32.exe] C:\WINDOWS\crpv32.exe
  • O4 - HKLM\..\RunOnce: [msxl.exe] C:\WINDOWS\msxl.exe
  • O4 - HKLM\..\RunOnce: [cryn32.exe] C:\WINDOWS\cryn32.exe
  • O4 - HKLM\..\RunOnce: [atltx.exe] C:\WINDOWS\atltx.exe
  • O4 - HKLM\..\RunOnce: [mfcil.exe] C:\WINDOWS\system32\mfcil.exe
  • O4 - HKLM\..\RunOnce: [syswn.exe] C:\WINDOWS\syswn.exe
  • O4 - HKLM\..\RunOnce: [appkt32.exe] C:\WINDOWS\appkt32.exe
Clean your computer of useless cookies, temporary files
Navigate to the following folders and delete the contents inside but not the folders
  • Start | Run (type) "%temp%" (no quotes)
    Completely delete the entire contents of that "temp" folder.
  • Empty your "Recycle Bin"
Run About:Buster
  • Double click About:Buster.
  • Click OK and Start.
  • Let About:buster fix all the entries it finds.
Scanning for viruses and trojans
Due to the large number of infections that you have, please consider running a virus and trojan scan. Before you do, please turn off System Restore first.
Deleting spyware files and folders
You need to show hidden files and boot into safe mode before the deletion process. Once in safe mode, follow the directory listed and delete the following .exe's.
  • C:\WINDOWS\system32\apidp.exe
  • C:\WINDOWS\sysqo32.exe
  • C:\WINDOWS\javafv32.exe
  • c:\WINDOWS\system32\ntuk32.exe
  • C:\WINDOWS\system32\addsv32.exe
  • C:\WINDOWS\mfcer.exe
  • C:\WINDOWS\system32\iezg.exe
  • C:\WINDOWS\system32\sysyh32.exe
  • C:\WINDOWS\sysyc.exe
  • C:\WINDOWS\system32\mfceh32.exe
  • C:\WINDOWS\netmt32.exe
  • C:\WINDOWS\ipqg.exe
  • C:\WINDOWS\ierx32.exe
  • C:\WINDOWS\ntgx.exe
  • C:\WINDOWS\system32\aping32.exe
  • C:\WINDOWS\mfczl.exe
  • C:\WINDOWS\system32\apihr.exe
  • C:\WINDOWS\system32\netsa32.exe
  • C:\WINDOWS\system32\crhu32.exe
  • C:\WINDOWS\system32\msig32.exe
  • C:\WINDOWS\d3sa32.exe
  • C:\WINDOWS\appml.exe
  • C:\WINDOWS\system32\crgj32.exe
  • C:\WINDOWS\ieqs32.exe
  • C:\WINDOWS\crvp.exe
  • C:\WINDOWS\ieuw.exe
  • C:\WINDOWS\system32\netcv.exe
  • C:\WINDOWS\system32\sysbu32.exe
  • C:\WINDOWS\system32\atlsc.exe
  • C:\WINDOWS\msbw.exe
  • C:\WINDOWS\system32\atlnw32.exe
  • C:\WINDOWS\system32\winpw.exe
  • C:\WINDOWS\mfcqg32.exe
  • C:\WINDOWS\ipyo32.exe
  • C:\WINDOWS\system32\javato.exe
  • C:\WINDOWS\system32\mfcqh32.exe
  • C:\WINDOWS\system32\sysef32.exe
  • C:\WINDOWS\system32\crrg32.exe
  • C:\WINDOWS\sysnc32.exe
  • C:\WINDOWS\system32\sdkar.exe
  • C:\WINDOWS\apppr32.exe
  • C:\WINDOWS\sysmr.exe
  • C:\WINDOWS\addxz32.exe
  • C:\WINDOWS\system32\javakl32.exe
  • C:\WINDOWS\apiqy.exe
  • C:\WINDOWS\system32\addjp32.exe
  • C:\WINDOWS\system32\atllc.exe
  • C:\WINDOWS\ipwm.exe
  • C:\WINDOWS\atlnw.exe
  • C:\WINDOWS\system32\appxa32.exe
  • C:\WINDOWS\system32\adddz.exe
  • C:\WINDOWS\d3rz.exe
  • C:\WINDOWS\crpl32.exe
  • C:\WINDOWS\system32\msfz.exe
  • C:\WINDOWS\d3lv32.exe
  • C:\WINDOWS\system32\addon32.exe
  • C:\WINDOWS\system32\msbt32.exe
  • C:\WINDOWS\d3ze.exe
  • C:\WINDOWS\atlic.exe
  • C:\WINDOWS\apiut.exe
  • C:\WINDOWS\sdklg.exe
  • C:\WINDOWS\system32\mfcqc.exe
  • C:\WINDOWS\mfcob.exe
  • C:\WINDOWS\netln32.exe
  • C:\WINDOWS\sysws32.exe
  • C:\WINDOWS\system32\apigi.exe
  • C:\WINDOWS\system32\atlks.exe
  • C:\WINDOWS\ipya.exe
  • C:\WINDOWS\mfcep.exe
  • C:\WINDOWS\system32\syswe.exe
  • C:\WINDOWS\winec.exe
  • C:\WINDOWS\system32\ieex32.exe
  • C:\WINDOWS\system32\ipvt.exe
  • C:\WINDOWS\d3hb.exe
  • C:\WINDOWS\crpv32.exe
  • C:\WINDOWS\msxl.exe
  • C:\WINDOWS\cryn32.exe
  • C:\WINDOWS\atltx.exe
  • C:\WINDOWS\system32\mfcil.exe
  • C:\WINDOWS\syswn.exe
  • C:\WINDOWS\appkt32.exe
Reboot and post a new HijackThis Log.

Learn how to prevent future infection
Spyware preventions
To reduce the likelihood of future infections, I strongly recommend installing the following antispyware tools.
  • SpywareBlaster<=SpywareBlaster will prevent spyware from being installed and consumes no system resources.
  • Spyware Guard<=SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad<=IE/Spyad is a free tool that places over 4000 websites and domains in the IE Restricted list which will seriously impair attempts to infect your system.
  • Script Defender<=Script Defender is a script blocker that can be used to protect against drive by downloads.
I would also recommend installing any one of the following firewalls.
  • Sygate<=Sygate Security Agent incorporates an application-centric firewall that stealths host systems, provides stateful firewalling, applies rule-based security policy, and controls application usage.
  • Agnitum Outpost<=Agnitum Outpost is a full-featured yet light-weight personal firewall product with application scanning and basic intrusion-detection features. It offers a good balance between ease of use and protection.
  • Zone Labs<=Zone Labs is a leading creator of endpoint security solutions and one of the most trusted brands in Internet security, protecting millions of PCs from risks posed by hackers and data theft. The award-winning endpoint security product line is deployed in global enterprises.
  • Kerio Personal Firewall<=Kerio Personal Firewall (KPF) helps users control how their computers exchange data with other computers on the Internet or local network. A necessity for all desktop computers connected to broadband Internet, using DSL, cable, ISDN, WiFi or satellite modems.

Edited by stockkbroker, 07 July 2004 - 11:22 AM.


#3 fbr

Posted 07 July 2004 - 02:23 PM

Thanks for all the help. It is getting better, but I am not yet there. I followed all your advice, and finally ran HijackThis again. Still my home page is redirected to a wrong place. My PC is much faster now though, which means for me that a lot of rubbish has gone. So far so good, now the rest. Again, I would greatly appreciate your advice.


FBR
===========

My new log file is as follows:

Logfile of HijackThis v1.97.7
Scan saved at 21:14:24, on 7-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\winrx32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\addqg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Frans\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nngqi.dll/index.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nngqi.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nngqi.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5389907B-5AA0-FD40-FFCD-B654F6817EFA} - C:\WINDOWS\system32\mfcfg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Gijs\msn\MSNPLUS\MsgPlus.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [apidp.exe] C:\WINDOWS\system32\apidp.exe
O4 - HKLM\..\Run: [addqg.exe] C:\WINDOWS\system32\addqg.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKLM\..\RunOnce: [msvq32.exe] C:\WINDOWS\system32\msvq32.exe
O4 - HKLM\..\RunOnce: [sysep.exe] C:\WINDOWS\sysep.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.18.69.102...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8172.5102430556
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28177.cab

#4 stockkbroker

Posted 07 July 2004 - 05:21 PM

Hi,

Your log is a lot cleaner.

I am afraid you have to redo some of the steps since some new files have been generated.

Print out the following instructions so that you can follow along as we go.

Make sure you follow my instructions exactly and close ALL explorer windows when fixing HijackThis and About:buster.

Fixing the HIJACKTHIS log
Please look over the following entries I have listed, check them and Press the "Fix Checked" button with HijackThis.
When you are doing this, make sure you have NO Internet Explorer windows open, including this one.
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nngqi.dll/index.html#37680
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nngqi.dll/index.html#37680
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nngqi.dll/index.html#37680
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
  • O2 - BHO: (no name) - {5389907B-5AA0-FD40-FFCD-B654F6817EFA} - C:\WINDOWS\system32\mfcfg.dll
  • O4 - HKLM\..\Run: [apidp.exe] C:\WINDOWS\system32\apidp.exe
  • O4 - HKLM\..\Run: [addqg.exe] C:\WINDOWS\system32\addqg.exe
  • O4 - HKLM\..\RunOnce: [msvq32.exe] C:\WINDOWS\system32\msvq32.exe
  • O4 - HKLM\..\RunOnce: [sysep.exe] C:\WINDOWS\sysep.exe
Clean your computer of useless cookies, temporary files
Navigate to the following folders and delete the contents inside but not the folders
  • Start | Run (type) "%temp%" (no quotes)
  • Completely delete the entire contents of that "temp" folder.
  • Empty your "Recycle Bin"

Run About:Buster
  • Double click About:Buster.
  • Click OK and Start.
  • Let About:buster fix all the entries it finds.
Deleting spyware files and folders
You need to show hidden files and boot into safe mode before the deletion process. Once in safe mode, follow the directory listed and delete the following exe's.
  • C:\WINDOWS\winrx32.exe
  • C:\WINDOWS\system32\addqg.exe
  • C:\WINDOWS\system32\apidp.exe
  • C:\WINDOWS\system32\addqg.exe
  • C:\WINDOWS\system32\msvq32.exe
  • C:\WINDOWS\sysep.exe
Update and run Adaware again.
  • Ad-Aware<=Follow the link to learn how to update and use Ad aware.
Reboot and post a new HijackThis log.
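The checks the helper applies by eye in replies #2 and #4 (start and search pages served from a res:// DLL, an unnamed BHO dropped in C:\WINDOWS, and a spray of HKLM RunOnce entries launching randomly named executables) written out as a small detection script. This is an added example, not code from the thread or from HijackThis; the sample log lines, the random-name heuristic, the allow-list and the RunOnce threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the HijackThis v1.97.7 line format, modelled on entries quoted
# in this thread (a handful of lines, not the poster's full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://digzv.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\digzv.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: (no name) - {04D6A205-BCF1-A72C-2E8D-6CC68DA15F18} - C:\WINDOWS\atlha32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [atljb32.exe] C:\WINDOWS\system32\atljb32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\RunOnce: [sysqo32.exe] C:\WINDOWS\sysqo32.exe
O4 - HKLM\..\RunOnce: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe
"""

# Line shapes used by HijackThis for the three entry types this script looks at.
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Directories the hijacker in this thread drops its files into (compared lower-cased).
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Short random-looking names, optionally suffixed "32": sysqo32.exe, d3sa32.exe, nngqi.dll.
RANDOM_NAME = re.compile(r"^[a-z][a-z0-9]{3,6}(?:32)?\.(?:exe|dll)$")
# Illustrative allow-list (constructed): legitimate short names in system32 that would
# otherwise trip the heuristic. A real deployment needs a much longer one.
KNOWN_GOOD = {"ctfmon.exe", "hkcmd.exe", "nwiz.exe"}
# Installers leave one or two RunOnce entries behind, not dozens (threshold is assumed).
RUNONCE_THRESHOLD = 5


@dataclass
class Finding:
    line: str
    reason: str


def image_path(cmd: str) -> str:
    """Return the executable path from an O4 command line, quoted or bare."""
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"^(.+?\.(?:exe|dll|scr|com))(?:\s|$)", cmd, re.I)
    return bare.group(1) if bare else cmd.split()[0]


def random_looking(path: str) -> bool:
    """True when the file sits directly in the Windows or system32 directory
    and carries a random-style name that is not on the allow-list."""
    directory, _, base = path.lower().rpartition("\\")
    return (directory in WINDOWS_DIRS
            and base not in KNOWN_GOOD
            and RANDOM_NAME.match(base) is not None)


def analyse(log: str) -> List[Finding]:
    """Walk a HijackThis log and flag the browser-hijack indicators seen in this thread."""
    findings: List[Finding] = []
    runonce = 0
    for line in log.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            # A start or search page served from a res:// DLL is never a user's choice.
            if m["value"].lower().startswith("res://"):
                findings.append(Finding(line, "IE start/search page points at a res:// DLL"))
        elif m := O2_LINE.match(line):
            if random_looking(m["path"]):
                findings.append(Finding(line, "unnamed BHO loaded from a random-looking DLL"))
        elif m := O4_LINE.match(line):
            if m["hive"] == "HKLM" and m["key"].lower() == "runonce":
                runonce += 1
            if random_looking(image_path(m["cmd"])):
                findings.append(Finding(line, f"{m['key']} entry launches a random-looking binary"))
    if runonce >= RUNONCE_THRESHOLD:
        findings.append(Finding(f"{runonce} HKLM RunOnce entries", "RunOnce abused as a persistence spray"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```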



