explore browser is infected please help



#1 heavyd

    Member

  • New Member
  • 3 posts

Posted 10 July 2004 - 02:28 AM

:scratchhead:

#2 jwbirdsong

    Slasher O' spyware

  • Emeritus
  • 2,045 posts

Posted 11 July 2004 - 09:07 AM

Go to http://tomcoyote.org/hjt/ , and download 'Hijack This!'.
Unzip to a permanent folder like c:\HJT\HijackThis.exe, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
Things you need (all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio (Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want (Still Free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

PROUD member Since 2004

#3 heavyd

    Member

  • New Member
  • 3 posts

Posted 18 July 2004 - 06:31 AM

OK guys, here is a scanned file from HJT. Please help me with deleting the applicable nasty files giving me all the trouble... Thanks

Logfile of HijackThis v1.98.0
Scan saved at 1:28:46 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Ascom EyeSpeed USB\vstartx.exe
C:\Program Files\Ascom EyeSpeed USB\gisdnlog.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\mfcdv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Ascom EyeSpeed USB\gsyno.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\SOFT01~1\multi16.exe
C:\WINDOWS\System32\njqwef.exe
C:\WINDOWS\system32\winqm.exe
C:\windows\system32\sncntr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FRITZ!\IWatch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ozjml.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozjml.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ozjml.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ozjml.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ozjml.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozjml.dll/index.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R3 - Default URLSearchHook is missing
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {306F87C5-2A68-9C39-CFB9-0CD040D569C1} - C:\WINDOWS\system32\apihz.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\Ascom EyeSpeed USB\gsyno.exe" -h
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [soapboob] C:\PROGRA~1\SOFT01~1\multi16.exe
O4 - HKLM\..\Run: [mrdgsu] C:\WINDOWS\System32\njqwef.exe
O4 - HKLM\..\Run: [winqm.exe] C:\WINDOWS\system32\winqm.exe
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\RunOnce: [mfcpt32.exe] C:\WINDOWS\system32\mfcpt32.exe
O4 - HKLM\..\RunOnce: [apizp32.exe] C:\WINDOWS\apizp32.exe
O4 - HKLM\..\RunOnce: [mfcdv.exe] C:\WINDOWS\mfcdv.exe
O4 - HKLM\..\RunOnce: [syskt.exe] C:\WINDOWS\syskt.exe
O4 - HKLM\..\RunOnce: [addha32.exe] C:\WINDOWS\addha32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Program Files\FRITZ!\IWatch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenu...erInstaller.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181...s/ccpm_0237.cab
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.c...ionale_ver3.CAB
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} - http://204.177.92.20...deo/NSupd9x.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com...MultiDistFC.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A871DB6-48C3-4F42-83F3-7309F3F1BC9E}: NameServer = 194.230.1.200 194.230.1.168

#4 jwbirdsong

    Slasher O' spyware

  • Emeritus
  • 2,045 posts

Posted 18 July 2004 - 11:38 AM

Move HijackThis to its own, permanent folder such as c:\HJT\HijackThis.exe <-----Very important; needed to keep/maintain backups in


Download the tool About:Buster created by Rubber Ducky. Atri's Site or Sub's Site
Even if you downloaded this file yesterday please do so again as About:Buster could be updated more than once a day.

Unzip it to your desktop.

Press Ctrl+Alt+Del and 'end task' on any of the following that are present:
C:\WINDOWS\System32\njqwef.exe
C:\WINDOWS\system32\winqm.exe
C:\windows\system32\sncntr.exe
Put a check next to these in HijackThis:
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {306F87C5-2A68-9C39-CFB9-0CD040D569C1} - C:\WINDOWS\system32\apihz.dll
O4 - HKLM\..\Run: [winqm.exe] C:\WINDOWS\system32\winqm.exe
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\RunOnce: [mfcpt32.exe] C:\WINDOWS\system32\mfcpt32.exe
O4 - HKLM\..\RunOnce: [apizp32.exe] C:\WINDOWS\apizp32.exe
O4 - HKLM\..\RunOnce: [mfcdv.exe] C:\WINDOWS\mfcdv.exe
O4 - HKLM\..\RunOnce: [syskt.exe] C:\WINDOWS\syskt.exe
O4 - HKLM\..\RunOnce: [addha32.exe] C:\WINDOWS\addha32.exe
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenu...erInstaller.exe
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} - http://www.advnt01.c...ionale_ver3.CAB
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} - http://204.177.92.20...deo/NSupd9x.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com...MultiDistFC.CAB
THEN WITH ALL OTHER WINDOWS CLOSED, press "Fix".

Start About:Buster > OK > Start > OK. Let it run; when done it will give you a log, save a copy of it.
Run About:Buster again and save the log again (use a different name).

Restart your computer and post both reports and a new HijackThis log.

Edited by jwbirdsong, 18 July 2004 - 11:39 AM.

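A triage pass over entries in the HijackThis log format, added here as an example (it is not a tool from this thread, from About:Buster, or from the HijackThis author). The sample lines are copied from the log posted above; the heuristics (res:// start pages, unnamed BHOs, leftover RunOnce entries, DPF downloads from bare IP hosts, and NameServer values to verify) are this example's own and only mirror what the helper singled out, so treat the output as review hints rather than a verdict.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in the HijackThis v1.98 log format; lines copied from the thread's log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozjml.dll/index.html#22776
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {306F87C5-2A68-9C39-CFB9-0CD040D569C1} - C:\WINDOWS\system32\apihz.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [mfcpt32.exe] C:\WINDOWS\system32\mfcpt32.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A871DB6-48C3-4F42-83F3-7309F3F1BC9E}: NameServer = 194.230.1.200 194.230.1.168
"""

# Every HJT entry starts with a section code (R0..R3 or On) followed by " - ".
ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")

def is_ip_host(url):
    """True when the URL's host is a bare IP address rather than a DNS name."""
    try:
        ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a closer look (heuristics are this example's own)."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        value = rest.split(" = ", 1)[1] if " = " in rest else ""
        if kind in ("R0", "R1") and value.lower().startswith("res://"):
            findings.append((line, "IE start/search page redirected to a local DLL resource"))
        elif kind == "O2" and rest.startswith("BHO: (no name)"):
            findings.append((line, "unnamed Browser Helper Object"))
        elif kind == "O4" and "RunOnce:" in rest:
            findings.append((line, "RunOnce entry still present: usually transient, check the image"))
        elif kind == "O16":
            url = rest.rsplit(" - ", 1)[-1]  # URL is the last " - " separated field
            if is_ip_host(url):
                findings.append((line, "ActiveX download (DPF) from a bare IP address"))
        elif kind == "O17":
            findings.append((line, "confirm NameServer %s belongs to your ISP" % value))
    return findings
```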
