computer acting ugly. Help


10 replies to this topic

#1 amanda007 (Full Member, 14 posts)

Posted 09 July 2004 - 08:25 AM

Could someone look at my old post on June 3 (I believe that is the right date) and help me out? I haven't been able to log onto the computer since then, and all of a sudden I can... but really, really slow. Please help me if you can.
Thank you, thank you
Amanda007

#2 skipsters (Full Member, 3 posts)

Posted 09 July 2004 - 09:35 AM

Hi Amanda..

These entries look strange:

O2 - BHO: (no name) - {B50FA51D-EB7B-47B6-9C71-53DC61B9B536} - C:\WINDOWS\VXNZYGLSQ.DLL
O2 - BHO: (no name) - {198C3050-7DFE-421C-9537-59408FC45A07} - C:\WINDOWS\LLPVG.DLL
O4 - HKLM\..\Run: [gzyvqpan] C:\WINDOWS\gzyvqpan.exe
O4 - HKLM\..\Run: [ugcj] C:\WINDOWS\vwwb.exe
O4 - HKLM\..\Run: [Nj95cb.exe] C:\WINDOWS\TEMP\NJ95CB.EXE
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE (ABetterInternet program?????)

I would stop these processes in taskmgr and delete their entries from the registry with HijackThis:
C:\WINDOWS\VWWB.EXE
C:\WINDOWS\TEMP\NJ95CB.EXE

Try deleting all Internet history, temporary files and downloaded program components through Internet Options. Also clear C:\temp if possible.

Also, if you are not using NetZero for your Internet connection, try uninstalling it and then repost your HijackThis log, just to see which services and registry entries were attributable to NetZero.

Also, did you already try running Spybot, Ad-Aware or any other anti-spyware besides HijackThis?

One more thing: I couldn't find much on these entries through search engines. Maybe if you search a bit you'll find some info on them; if they prove to be bad, delete them of course.
O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\WINDOWS\ALL USERS\APPLICATION DATA\IESERVICE\IESERVICE.DLL
O4 - HKCU\..\Run: [\IEService.exe] C:\WINDOWS\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\nzsearch\hcm.exe" -w

#3 Marikita (Malware Intern, Retired Staff - Helper, 1,822 posts)

Posted 09 July 2004 - 10:06 AM

Hello Amanda,
Please disregard Skipsters' advice; it will not solve your problem.
Some of the processes he suggested you delete are actually harmless.

This is what you do instead:
Download About:Buster, created by Rubber Ducky, and unzip it to your desktop. Start it, hit OK, Start, and OK again to start the scan. It will generate a log. Post that log along with a new HijackThis log here.
Everything is inconsequential, from a cosmological perspective.

#4 amanda007 (Full Member, 14 posts)

Posted 10 July 2004 - 07:15 AM

OK Marikita, here it is. I hope I did it right. My AVG says that I have 4 viruses so far, jeesh, I hate this stoopid puter. ugggggg. Thank you for looking at my post; I hope we can fix it.

-- Scan 1 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.97.7
Scan saved at 8:12:49 AM, on 7/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\CSRSS.EXE
C:\WINDOWS\VWWB.EXE
C:\WINDOWS\TEMP\NJ95CB.EXE
C:\PROGRAM FILES\SAVE\SAVE.EXE
C:\PROGRAM FILES\WHENUSEARCH\SEARCH.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\QUQPJGQ.EXE
C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\AMERICA ONLINE 4.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGW.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\NETZERO\QSACC\X1EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {B50FA51D-EB7B-47B6-9C71-53DC61B9B536} - C:\WINDOWS\VXNZYGLSQ.DLL
O2 - BHO: (no name) - {198C3050-7DFE-421C-9537-59408FC45A07} - C:\WINDOWS\LLPVG.DLL
O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\WINDOWS\ALL USERS\APPLICATION DATA\IESERVICE\IESERVICE.DLL
O2 - BHO: (no name) - {40F36052-EE4F-09B6-8753-60550DA62919} - C:\WINDOWS\SYSTEM\OVMBYCF.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\NETZERO\QSACC\X1IEBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [gzyvqpan] C:\WINDOWS\gzyvqpan.exe
O4 - HKLM\..\Run: [ugcj] C:\WINDOWS\vwwb.exe
O4 - HKLM\..\Run: [Nj95cb.exe] C:\WINDOWS\TEMP\NJ95CB.EXE
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [\IEService.exe] C:\WINDOWS\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [Uddo] C:\WINDOWS\Application Data\seia.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Hncwgqrs] C:\WINDOWS\SYSTEM\quqpjgq.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\NETZERO\QSACC\X1EXEC.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/227
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos8.msn.c...d.cab?9,0,917,0
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://chat2.webmd.c...sie/msichat.ocx
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {24FE8666-4CCD-4D40-B09A-487A2241B508} (MSN Picture It! Print Tool) - http://photos.msn.co....cab?2,0,0,1212
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak02.picture...der.8.0.3.0.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab

#5 Marikita (Malware Intern, Retired Staff - Helper, 1,822 posts)

Posted 11 July 2004 - 12:13 AM

Hello

Don't hate your computer, it's just a bit ill now. I'll get it fixed in no time.

You still have a few pieces of malware on your system; this is what you do.

First things first: HijackThis should be saved in its own directory.
Go to Windows Explorer and create a new folder in C:\ and name it HJT or Hijack This.

Cut and paste the HijackThis file and all the HijackThis logs from this path, C:\UNZIPPED\HIJACKTHIS,
to your newly created folder. The next time you run HijackThis, the log should be saved in this new folder also.

Did you remove the files detected by AVG the last time you ran it? If not, run AVG again and heal or quarantine (if AVG cannot heal it) all the viruses detected.

Next, install, update and run Ad-Aware.
For instructions, go to
http://forums.spywar...showtopic=11150


Install, update and run Spybot:
http://www.tomcoyote.org/SPYBOT


Did you install the NZSearch Internet directory? If you did not, remove these entries as well as this folder: C:\Program Files\NZSearch

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w


Reboot your computer and post a fresh HijackThis log here.

Edited by Marikita, 11 July 2004 - 12:13 AM.


#6 Marikita (Malware Intern, Retired Staff - Helper, 1,822 posts)

Posted 15 July 2004 - 10:33 PM

I guess your problem has been fixed, since it's been a while since you replied.
Anyway...

These are the steps you can take to prevent further infection.

Install the latest security patches for Windows.
These can be accessed by going to http://v4.windowsupdate.microsoft.com/ and following the prompts.

A firewall also helps to prevent further intrusion.
You can try this one, it's free:
http://www.zonelabs....lid=zadb_zadown

Update your AVG antivirus periodically also; virus programmers simply have too much time on their hands, so they spend their useless lives devising new methods of compromising your right to privacy and screwing up your system.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#7 amanda007 (Full Member, 14 posts)

Posted 18 July 2004 - 08:14 AM

Hi ya, nope, I haven't fixed anything. We have been out of town for the past week. I was trying to get it fixed before we headed out, but my computer runs very, very, very slow. I am going to try to follow your instructions. Hopefully I will be able to. I am sorta puter stupid :huh: so bear with me. Thanks for offering your help. Keep checking on me, OK?
thanks again
amanda007

#8 amanda007 (Full Member, 14 posts)

Posted 18 July 2004 - 09:55 AM

Marikita,
here is a new HijackThis log. I am not sure if I cut and pasted it right? Maybe I did. Anyhow, here is a new log:

Logfile of HijackThis v1.97.7
Scan saved at 10:48:59 AM, on 7/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\TEMP\NJ95CB.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\AMERICA ONLINE 4.0\AOLTRAY.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {B50FA51D-EB7B-47B6-9C71-53DC61B9B536} - C:\WINDOWS\VXNZYGLSQ.DLL
O2 - BHO: (no name) - {198C3050-7DFE-421C-9537-59408FC45A07} - C:\WINDOWS\LLPVG.DLL
O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\WINDOWS\ALL USERS\APPLICATION DATA\IESERVICE\IESERVICE.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\NETZERO\QSACC\X1IEBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [gzyvqpan] C:\WINDOWS\gzyvqpan.exe
O4 - HKLM\..\Run: [ugcj] C:\WINDOWS\vwwb.exe
O4 - HKLM\..\Run: [Nj95cb.exe] C:\WINDOWS\TEMP\NJ95CB.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [\IEService.exe] C:\WINDOWS\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [Uddo] C:\WINDOWS\Application Data\seia.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Hncwgqrs] C:\WINDOWS\SYSTEM\quqpjgq.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/227
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos8.msn.c...d.cab?9,0,917,0
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://chat2.webmd.c...sie/msichat.ocx
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {24FE8666-4CCD-4D40-B09A-487A2241B508} (MSN Picture It! Print Tool) - http://photos.msn.co....cab?2,0,0,1212
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak02.picture...der.8.0.3.0.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab

Umm, I also downloaded Ad-Aware and ran a scan, but... I didn't set preferences, I just hit the "scan now" button. Did I screw up on that part? I hope not. OK.... check on me, k..
amanda007

#9 amanda007 (Full Member, 14 posts)

Posted 18 July 2004 - 10:04 AM

Ummmmm, wasn't sure if ya needed a copy of the Spybot scan or not, so I pasted it anyway. Thanks.

BackWeb lite: Class (Registry key, nothing done)
HKEY_CLASSES_ROOT\BackWeb.4.0

BackWeb lite: Class (Registry key, nothing done)
HKEY_CLASSES_ROOT\BackWeb

BackWeb lite: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{53FCF358-5323-11D0-A864-0000B43699FC}

BackWeb lite: File extension link (Registry key, nothing done)
HKEY_CLASSES_ROOT\.bwp

BackWeb lite: File extension link (Registry key, nothing done)
HKEY_CLASSES_ROOT\bwpfile

BackWeb lite: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\BackWeb

BackWeb lite: Interface ( (IBackWebChannelVariableCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{A4BC67F0-6C90-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebAllInfoPakCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{8131F530-649E-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebGeneralSettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{12473FC3-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDownloadTimeConstraintCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0D1F7C84-8123-11D0-B5CA-0000B43698D6}

BackWeb lite: Interface ( (IBackWebDisplaySettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{12473FC6-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWeb2)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{23F43240-F78D-11D0-9A50-00AA004812C2}

BackWeb lite: Interface ( (IBackWebStoryFieldCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{1D91D9E0-004B-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebSetup4)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3667E7B0-4F28-11D1-8ADB-00609761C47A}

BackWeb lite: Interface ( (IBackWebFilterSettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{C8CEEEE0-17D6-11D1-96A7-F8E906C10000}

BackWeb lite: Interface ( (IBackWebChannel2)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9647FB70-DC0F-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebItemDownloadServices)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{93BF8F00-DBE8-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannel4)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{AEE96320-2131-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebDirectory)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{15030BC0-0B52-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebStoryCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9DB46422-FF61-11D0-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannelTableNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{2F523082-5A0B-11D0-9B9C-444553540000}

BackWeb lite: Interface ( (IBackWebDirectoryNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{41CEBDC0-32C1-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebSetupNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{2F099AF0-6329-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebExtension)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0F4FE440-983F-11D0-9B9C-444553540000}

BackWeb lite: Interface ( (IBackWeb4)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{740904E0-0BFB-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebAllStoryCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9DB46423-FF61-11D0-9951-444553540000}

BackWeb lite: Interface ( (IBackWebCommunications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{BAD37BC0-2231-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebGeneralSettings2)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{E01AD640-F87D-11D0-9A50-00AA004812C2}

BackWeb lite: Interface ( (IBackWebApplicationNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{D0894D60-6C6C-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebInfoPakNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{4A3666F3-5F2D-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebStoryTableNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{44230BC0-3105-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannelCollection4)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{BCD0C200-69C1-11D1-8AF8-00609761C47A}

BackWeb lite: Interface ( (IBackWebDirectoryEntryCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{5DF6CE40-0B50-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebDirectoryEntry)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0C6E0440-0B50-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebInfoPakDownloadServices)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{2DE07D90-DC04-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannelDownloadServices)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9132E380-DC21-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebPlayer)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{8028B940-4932-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebAlertSettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{72B62B40-17D1-11D1-96A7-F8E906C10000}

BackWeb lite: Interface ( (IBackWebStoryField)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{5B1E13A0-004B-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebStory)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9DB46424-FF61-11D0-9951-444553540000}

BackWeb lite: Interface ( (IBackWebDialerSettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{12473FC4-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDownloadTimeConstraint)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0D1F7C83-8123-11D0-B5CA-0000B43698D6}

BackWeb lite: Interface ( (IBackWebCommSettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{12473FC5-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebSetup)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{12473FC7-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannelVariable)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{FEFCA7F0-6C8E-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebInfoPak)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{EB1FFFC2-5688-11D0-A865-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannel)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{53FCF35B-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannelCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{53FCF35A-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface ( (IBackWebInfoPakCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{EB1FFFC1-5688-11D0-A865-0000B43699FC}

BackWeb lite: Interface ( (IBackWeb)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{53FCF355-5323-11D0-A864-0000B43699FC}

BackWeb lite: Netscape viewer (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\application/x-iad

BackWeb lite: Netscape viewer (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: Typelib ( (BackWeb 4.0 Type Library)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Typelib\{53FCF357-5323-11D0-A864-0000B43699FC}

BackWeb lite: User settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\BackWeb


--- Spybot-S&D version: 1.2 ---
2003-09-05 Includes\Cookies.sbi
2003-10-29 Includes\Temporary.sbi
2003-10-29 Includes\Hijackers.sbi
2003-09-19 Includes\Dialer.sbi
2003-10-29 Includes\Spybots.sbi
2003-10-29 Includes\Keyloggers.sbi
2003-10-29 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-09-05 Includes\Security.sbi
2003-10-29 Includes\Trojans.sbi
2003-10-20 Includes\Tracks.uti

#10 amanda007 (Full Member, 14 posts)

Posted 18 July 2004 - 10:09 AM

I have been out of town for the past week, so I haven't fixed my sick puter yet :huh:. I have posted a new HijackThis log and a Spybot scan result. You care to check it out for me?

Thank You so much for all of your help.
amanda007

#11 Marikita (Malware Intern, Retired Staff - Helper, 1,822 posts)

Posted 18 July 2004 - 11:09 AM

Hello Amanda007,

There are still some bugs we need to fix.

Print out these instructions so you have them handy, as most of the steps need to be done in Safe Mode and you may not be able to go online.

Firstly, enable viewing of hidden files:

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".


Reboot to Safe Mode.

How to start the computer in Safe Mode:
http://service1.syma...src=sec_doc_nam


Scan with HijackThis and put checks next to all the following, then click "Fix checked":

O2 - BHO: (no name) - {B50FA51D-EB7B-47B6-9C71-53DC61B9B536} - C:\WINDOWS\VXNZYGLSQ.DLL
O2 - BHO: (no name) - {198C3050-7DFE-421C-9537-59408FC45A07} - C:\WINDOWS\LLPVG.DLL
O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\WINDOWS\ALL USERS\APPLICATION DATA\IESERVICE\IESERVICE.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [gzyvqpan] C:\WINDOWS\gzyvqpan.exe
O4 - HKLM\..\Run: [ugcj] C:\WINDOWS\vwwb.exe
O4 - HKLM\..\Run: [Nj95cb.exe] C:\WINDOWS\TEMP\NJ95CB.EXE
O4 - HKCU\..\Run: [\IEService.exe] C:\WINDOWS\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [Uddo] C:\WINDOWS\Application Data\seia.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Hncwgqrs] C:\WINDOWS\SYSTEM\quqpjgq.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Go to Windows Explorer and delete the following files if present:

C:\WINDOWS\VXNZYGLSQ.DLL
C:\WINDOWS\LLPVG.DLL
C:\WINDOWS\SYSTEM\A.EXE
C:\WINDOWS\gzyvqpan.exe
C:\WINDOWS\vwwb.exe
C:\WINDOWS\TEMP\NJ95CB.EXE
C:\WINDOWS\Application Data\seia.exe
C:\WINDOWS\SYSTEM\quqpjgq.exe

Also delete the following folder:

C:\WINDOWS\ALL USERS\APPLICATION DATA\IESERVICE

Did you install the NZSearch web directory?

If you didn't, fix this entry from the HijackThis scan:
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL

and delete the following folder:

C:\PROGRAM FILES\NZSEARCH

After you're done, reboot and post a fresh HijackThis log here.

Edited by Marikita, 18 July 2004 - 11:30 AM.

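Added example, not part of this thread and not a HijackThis or SpywareInfo tool: a small Python parser for the HijackThis v1.97 log format posted in #4 and #8. It diffs the two scans (which processes and entries vanished between 7/10 and 7/18, which BHO now reports "(no file)", which O4 autoruns still point at a file that no longer shows up as a running process) and, for the "Fix checked" list in #11, extracts the file paths a fix leaves behind on disk, which is why the reply lists the files to delete separately. The embedded log text is excerpted from the logs and fix list above; the function names and the path heuristics are my own.

```python
"""Parse HijackThis v1.97 logs, diff two scans and list the files behind a
'Fix checked' list.  Added example for this thread, not a HijackThis or forum
tool; the embedded text is excerpted from the logs and fix list posted above."""
import re
from dataclasses import dataclass
from typing import Optional

# Entry lines start with a section code: "R1 - ...", "O2 - ...", "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# First Windows path in the body, quoted or not, up to its extension; trailing
# arguments such as " -w" or " /startup" are not part of the match.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|lnk|tsk))"?', re.I)

@dataclass(frozen=True)
class Entry:
    section: str          # "O2", "O4", "R1", ...
    line: str             # the entry exactly as HijackThis printed it
    path: Optional[str]   # file it points at; None for "(no file)" or bare names

def parse_log(text: str) -> tuple[list[str], list[Entry]]:
    """Return (running processes, entries) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:                # the process list ends at a blank line
            in_procs = False
        elif m := ENTRY_RE.match(line):
            p = PATH_RE.search(m.group("body"))
            entries.append(Entry(m.group("sec"), line, p.group(1) if p else None))
    return processes, entries

def diff_logs(old: str, new: str) -> dict[str, list[str]]:
    """What disappeared and what appeared between two scans of the same box."""
    old_procs, old_entries = parse_log(old)
    new_procs, new_entries = parse_log(new)
    old_lines = {e.line for e in old_entries}
    new_lines = {e.line for e in new_entries}
    return {
        "processes_gone": [p for p in old_procs if p not in set(new_procs)],
        "entries_gone": [e.line for e in old_entries if e.line not in new_lines],
        "entries_new": [e.line for e in new_entries if e.line not in old_lines],
    }

def missing_file(text: str) -> list[str]:
    """Entries whose registered component is no longer on disk."""
    return [e.line for e in parse_log(text)[1] if e.line.endswith("(no file)")]

def autoruns_not_running(text: str) -> list[str]:
    """O4 entries whose target is absent from the running-process list; a
    leftover Run value still needs fixing even when nothing runs from it."""
    procs, entries = parse_log(text)
    running = {p.rsplit("\\", 1)[-1].upper() for p in procs}
    return [e.line for e in entries if e.section == "O4" and e.path
            and e.path.rsplit("\\", 1)[-1].upper() not in running]

def fix_targets(checked: str) -> list[str]:
    """Files named by a 'Fix checked' list.  Fixing removes only the registry
    value, so deleting the file is a separate step, as in the reply above."""
    return sorted({e.path for e in parse_log(checked)[1] if e.path})

# Excerpts of the 7/10 and 7/18 logs in this thread (not the complete logs).
LOG_0710 = r"""Running processes:
C:\WINDOWS\VWWB.EXE
C:\WINDOWS\TEMP\NJ95CB.EXE
C:\PROGRAM FILES\SAVE\SAVE.EXE
C:\WINDOWS\SYSTEM\QUQPJGQ.EXE

O2 - BHO: (no name) - {B50FA51D-EB7B-47B6-9C71-53DC61B9B536} - C:\WINDOWS\VXNZYGLSQ.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [ugcj] C:\WINDOWS\vwwb.exe
O4 - HKLM\..\Run: [Nj95cb.exe] C:\WINDOWS\TEMP\NJ95CB.EXE
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [Hncwgqrs] C:\WINDOWS\SYSTEM\quqpjgq.exe
"""
LOG_0718 = r"""Running processes:
C:\WINDOWS\TEMP\NJ95CB.EXE

O2 - BHO: (no name) - {B50FA51D-EB7B-47B6-9C71-53DC61B9B536} - C:\WINDOWS\VXNZYGLSQ.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [ugcj] C:\WINDOWS\vwwb.exe
O4 - HKLM\..\Run: [Nj95cb.exe] C:\WINDOWS\TEMP\NJ95CB.EXE
O4 - HKCU\..\Run: [Hncwgqrs] C:\WINDOWS\SYSTEM\quqpjgq.exe
"""
# Part of the 'Fix checked' list from the last reply above.
FIX_LIST = r"""O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    print(diff_logs(LOG_0710, LOG_0718))
    print(autoruns_not_running(LOG_0718), fix_targets(FIX_LIST))
```

On the two excerpts the diff shows VWWB.EXE, SAVE.EXE and QUQPJGQ.EXE gone from the process list while their Run values survive, and the SEP.DLL BHO turning into a "(no file)" entry; `fix_targets` returns OSA9.EXE alongside the suspect files, which is exactly why the fix list is pruned by hand (OSA9.EXE is Office's own startup item, and the NZSearch entry is handled by removing its folder rather than one file).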

Member of ASAP and UNITE