OOMD

Irritating little problem!

8 posts in this topic

Hi there. I'm very new at this, but think I've been infested with the about:blank browser hijacker. I have read the FAQ and run updated Ad-aware and Spybot S&D with no improvement. I have now downloaded and run HijackThis, and the log file is:

 

Logfile of HijackThis v1.97.7

Scan saved at 22:47:02, on 06/07/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v5.50 (5.50.4134.0100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\SISTRAY.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\PCTVOICE.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\ADDBM.EXE

D:\COOL-ICAM\CALCHECK.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\D3GJ.EXE

C:\WINDOWS\SYSTEM\APIGM32.EXE

C:\PROGRAM FILES\WINZIP\WINZIP32.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\aekuc.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aekuc.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aekuc.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\aekuc.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://aekuc.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\aekuc.dll/sp.html#37049

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACCESSORIES\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)

O2 - BHO: (no name) - {E8F8DF77-A372-CB3E-F005-44B07E1086DE} - C:\WINDOWS\CRZY.DLL

O2 - BHO: (no name) - {F1ADFBD7-BCD2-843D-0FA3-AEEADC7FA510} - C:\WINDOWS\CRZY.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe

O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE

O4 - HKLM\..\Run: [ADDBM.EXE] C:\WINDOWS\ADDBM.EXE

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [sAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\RunServices: [D3XO.EXE] C:\WINDOWS\SYSTEM\D3XO.EXE

O4 - HKLM\..\RunServices: [NETGS32.EXE] C:\WINDOWS\NETGS32.EXE

O4 - HKLM\..\RunServices: [D3GJ.EXE] C:\WINDOWS\SYSTEM\D3GJ.EXE

O4 - HKLM\..\RunServices: [APIGM32.EXE] C:\WINDOWS\SYSTEM\APIGM32.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = D:\cool-icam\CalCheck.exe

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://chat1.virgin.net/chat/data/html/user/msie/msichat.ocx

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\supercd\IntraLaunch.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7876.6724074074

O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab

 

What little hair I have left is going grey!


Sorry it took so long for someone to answer you, but we've been really swamped!

 

Get AboutBuster from http://www.downloads.subratam.org/AboutBuster.zip and unzip it to your desktop.

 

Also, get CWShredder from http://www.downloads.subratam.org/CWShredder.exe and put it into its own folder.

 

This is going to involve running some programs more than once, because this CWS variant is resistant to removal, and repeated passes are often required.

 

Make sure you have Ad-aware updated. Set it up for a Full Scan per these instructions:

 

  • Click on the Gear icon (second from the left) to access the preferences/settings window
  • In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Click on the Scanning button on the left and select:
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL's
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
      • All of your hard drives
  • Click on the Advanced button on the left and select:
    • Include additional process information
    • Include additional file information
    • Include environment information
    • Include additional object details
  • Click the Tweak button and select:
    • Under the Scanning Engine:
      • Unload recognized processes during scanning
      • Include basic Ad-aware settings in logfile
      • Include additional Ad-aware settings in logfile
    • Under the Cleaning Engine:
      • Let Windows remove files in use at next reboot
  • Click on Proceed to save the settings.
  • Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page, and then choose:
    • Use Custom Scanning Options
  • Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
  • Save the log file when it asks and then click Finish.
  • When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
  • Reboot your computer.

 

After you log back in, Ad-aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

 

Now, reboot your computer into Safe Mode (see: How to boot into Safe Mode) and stay in Safe Mode until instructed to reboot.

 

Run a new HijackThis scan. Mark these items for removal:

 

O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)

 

O2 - BHO: (no name) - {E8F8DF77-A372-CB3E-F005-44B07E1086DE} - C:\WINDOWS\CRZY.DLL

 

O2 - BHO: (no name) - {F1ADFBD7-BCD2-843D-0FA3-AEEADC7FA510} - C:\WINDOWS\CRZY.DLL

 

O4 - HKLM\..\Run: [ADDBM.EXE] C:\WINDOWS\ADDBM.EXE

 

O4 - HKLM\..\RunServices: [D3XO.EXE] C:\WINDOWS\SYSTEM\D3XO.EXE

 

O4 - HKLM\..\RunServices: [NETGS32.EXE] C:\WINDOWS\NETGS32.EXE

 

O4 - HKLM\..\RunServices: [D3GJ.EXE] C:\WINDOWS\SYSTEM\D3GJ.EXE

 

O4 - HKLM\..\RunServices: [APIGM32.EXE] C:\WINDOWS\SYSTEM\APIGM32.EXE

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked. Close HJT when done.

 

Now, run these programs, one at a time, with the program being run as the only program open:

  1. AboutBuster
  2. CWShredder
  3. AboutBuster, again
  4. Ad-aware

Next, if you have additional user accounts, log in under each user and rerun steps 1-4 (still in Safe Mode).

 

Reboot normally, run another HJT scan, and post it here for further review.


Fireflyer, thanks for getting back to me. Looking at the amount of posts on the forums you guys are pretty busy.

 

Followed your very clear instructions through, and new HijackThis log is:

 

Logfile of HijackThis v1.97.7

Scan saved at 00:30:55, on 24/07/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v5.50 (5.50.4134.0100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\SISTRAY.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\PCTVOICE.EXE

C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

D:\COOL-ICAM\CALCHECK.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACCESSORIES\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {A1D636C9-D767-55BA-CF3E-EE2BEE88C5AE} - C:\WINDOWS\SYSTEM\CRWU32.DLL (file missing)

O2 - BHO: (no name) - {08BEC198-7D8F-EA95-F1EA-2D7648DD4E06} - (no file)

O2 - BHO: (no name) - {2319932C-A5B5-C0DB-4326-82033B7C227A} - (no file)

O2 - BHO: (no name) - {43E92535-41C0-42A6-6DD1-EC22B7AA19CC} - (no file)

O2 - BHO: (no name) - {BD731204-B008-BCDF-1605-EDFD49FEF041} - C:\WINDOWS\SYSTEM\APISM32.DLL (file missing)

O2 - BHO: (no name) - {85432042-AF44-BB62-1A5F-2855B602D604} - C:\WINDOWS\SYSTEM\MSAN.DLL (file missing)

O2 - BHO: (no name) - {6F8D1D12-CFC2-4FA8-AB91-6C897FDF757E} - C:\WINDOWS\APIWK.DLL (file missing)

O2 - BHO: (no name) - {7B557CAE-0E58-EE87-4EC2-EB6EA1BB2AD1} - C:\WINDOWS\SYSTEM\SDKVN32.DLL (file missing)

O2 - BHO: (no name) - {FE572F72-6A9B-CF6C-D339-E410066102D6} - C:\WINDOWS\SYSTEM\MFCEQ32.DLL (file missing)

O2 - BHO: (no name) - {5E5DBFEE-5C17-CE66-1F25-F001EBA4E915} - C:\WINDOWS\CRXT32.DLL (file missing)

O2 - BHO: (no name) - {FD28144A-BE74-ABB6-5C2B-E60BF82588B7} - C:\WINDOWS\ADDRB.DLL (file missing)

O2 - BHO: (no name) - {FA239BAA-E441-30B6-0ABB-3EAAF567B877} - C:\WINDOWS\WINOP.DLL (file missing)

O2 - BHO: (no name) - {984540E0-884A-7144-C86A-1A24E5141AF4} - C:\WINDOWS\MSPL32.DLL (file missing)

O2 - BHO: (no name) - {CC5FEABC-FD03-1BA4-2907-D32BC8AFEBB7} - C:\WINDOWS\D3MK32.DLL (file missing)

O2 - BHO: (no name) - {A0904A77-BFA4-970B-9630-8D199EFD55E9} - C:\WINDOWS\SYSTEM\SYSQJ.DLL (file missing)

O2 - BHO: (no name) - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\NETIP32.DLL (file missing)

O2 - BHO: (no name) - {66D32E0D-79D6-427C-0100-10B26540E229} - C:\WINDOWS\SYSTEM\SYSUN32.DLL (file missing)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe

O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [sAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\RunServices: [D3WC.EXE] C:\WINDOWS\D3WC.EXE

O4 - HKLM\..\RunServices: [D3CJ32.EXE] C:\WINDOWS\SYSTEM\D3CJ32.EXE

O4 - HKLM\..\RunServices: [D3JG32.EXE] C:\WINDOWS\D3JG32.EXE

O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE

O4 - HKLM\..\RunServices: [D3GB.EXE] C:\WINDOWS\D3GB.EXE

O4 - HKLM\..\RunServices: [WINCZ.EXE] C:\WINDOWS\WINCZ.EXE

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [WINUG32.EXE] C:\WINDOWS\WINUG32.EXE

O4 - HKLM\..\RunServices: [ADDZU.EXE] C:\WINDOWS\SYSTEM\ADDZU.EXE

O4 - HKLM\..\RunServices: [D3QB32.EXE] C:\WINDOWS\SYSTEM\D3QB32.EXE

O4 - HKLM\..\RunServices: [D3FN32.EXE] C:\WINDOWS\D3FN32.EXE

O4 - HKLM\..\RunServices: [iPYY.EXE] C:\WINDOWS\SYSTEM\IPYY.EXE

O4 - HKLM\..\RunServices: [ATLXL.EXE] C:\WINDOWS\ATLXL.EXE

O4 - HKLM\..\RunServices: [JAVAWA.EXE] C:\WINDOWS\JAVAWA.EXE

O4 - HKLM\..\RunServices: [CRZH.EXE] C:\WINDOWS\SYSTEM\CRZH.EXE

O4 - HKLM\..\RunServices: [sDKFD32.EXE] C:\WINDOWS\SDKFD32.EXE

O4 - HKLM\..\RunServices: [sDKXP32.EXE] C:\WINDOWS\SYSTEM\SDKXP32.EXE

O4 - HKLM\..\RunServices: [WINBU32.EXE] C:\WINDOWS\WINBU32.EXE

O4 - HKLM\..\RunServices: [MSSH32.EXE] C:\WINDOWS\SYSTEM\MSSH32.EXE

O4 - HKLM\..\RunServices: [sDKIW32.EXE] C:\WINDOWS\SDKIW32.EXE

O4 - HKLM\..\RunServices: [NTAA.EXE] C:\WINDOWS\SYSTEM\NTAA.EXE

O4 - HKLM\..\RunServices: [JAVAZD.EXE] C:\WINDOWS\JAVAZD.EXE

O4 - HKLM\..\RunServices: [MSWB32.EXE] C:\WINDOWS\SYSTEM\MSWB32.EXE

O4 - HKLM\..\RunServices: [MSDN.EXE] C:\WINDOWS\MSDN.EXE

O4 - HKLM\..\RunServices: [iELB.EXE] C:\WINDOWS\IELB.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = D:\cool-icam\CalCheck.exe

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://chat1.virgin.net/chat/data/html/user/msie/msichat.ocx

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\supercd\IntraLaunch.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7876.6724074074

O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A790} - http://www.microsoft.com/security/controls...w/0/BerbCln.CAB

 

Couldn't find two of the O4s to remove, so assume one of the other sweeps got 'em. Hope this gives me the all clear?

 

 

Thanks


You're definitely not all clear yet - I don't see any malware files running in this log, but there's lots of leftover garbage to clean up.

 

Run a new HijackThis scan. Mark these items for removal:

 

O2 - BHO: (no name) - {A1D636C9-D767-55BA-CF3E-EE2BEE88C5AE} - C:\WINDOWS\SYSTEM\CRWU32.DLL (file missing)

O2 - BHO: (no name) - {08BEC198-7D8F-EA95-F1EA-2D7648DD4E06} - (no file)

O2 - BHO: (no name) - {2319932C-A5B5-C0DB-4326-82033B7C227A} - (no file)

O2 - BHO: (no name) - {43E92535-41C0-42A6-6DD1-EC22B7AA19CC} - (no file)

O2 - BHO: (no name) - {BD731204-B008-BCDF-1605-EDFD49FEF041} - C:\WINDOWS\SYSTEM\APISM32.DLL (file missing)

O2 - BHO: (no name) - {85432042-AF44-BB62-1A5F-2855B602D604} - C:\WINDOWS\SYSTEM\MSAN.DLL (file missing)

O2 - BHO: (no name) - {6F8D1D12-CFC2-4FA8-AB91-6C897FDF757E} - C:\WINDOWS\APIWK.DLL (file missing)

O2 - BHO: (no name) - {7B557CAE-0E58-EE87-4EC2-EB6EA1BB2AD1} - C:\WINDOWS\SYSTEM\SDKVN32.DLL (file missing)

O2 - BHO: (no name) - {FE572F72-6A9B-CF6C-D339-E410066102D6} - C:\WINDOWS\SYSTEM\MFCEQ32.DLL (file missing)

O2 - BHO: (no name) - {5E5DBFEE-5C17-CE66-1F25-F001EBA4E915} - C:\WINDOWS\CRXT32.DLL (file missing)

O2 - BHO: (no name) - {FD28144A-BE74-ABB6-5C2B-E60BF82588B7} - C:\WINDOWS\ADDRB.DLL (file missing)

O2 - BHO: (no name) - {FA239BAA-E441-30B6-0ABB-3EAAF567B877} - C:\WINDOWS\WINOP.DLL (file missing)

O2 - BHO: (no name) - {984540E0-884A-7144-C86A-1A24E5141AF4} - C:\WINDOWS\MSPL32.DLL (file missing)

O2 - BHO: (no name) - {CC5FEABC-FD03-1BA4-2907-D32BC8AFEBB7} - C:\WINDOWS\D3MK32.DLL (file missing)

O2 - BHO: (no name) - {A0904A77-BFA4-970B-9630-8D199EFD55E9} - C:\WINDOWS\SYSTEM\SYSQJ.DLL (file missing)

O2 - BHO: (no name) - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\NETIP32.DLL (file missing)

O2 - BHO: (no name) - {66D32E0D-79D6-427C-0100-10B26540E229} - C:\WINDOWS\SYSTEM\SYSUN32.DLL (file missing)

 

O4 - HKLM\..\RunServices: [D3WC.EXE] C:\WINDOWS\D3WC.EXE

O4 - HKLM\..\RunServices: [D3CJ32.EXE] C:\WINDOWS\SYSTEM\D3CJ32.EXE

O4 - HKLM\..\RunServices: [D3JG32.EXE] C:\WINDOWS\D3JG32.EXE

O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE

O4 - HKLM\..\RunServices: [D3GB.EXE] C:\WINDOWS\D3GB.EXE

O4 - HKLM\..\RunServices: [WINCZ.EXE] C:\WINDOWS\WINCZ.EXE

O4 - HKLM\..\RunServices: [WINUG32.EXE] C:\WINDOWS\WINUG32.EXE

O4 - HKLM\..\RunServices: [ADDZU.EXE] C:\WINDOWS\SYSTEM\ADDZU.EXE

O4 - HKLM\..\RunServices: [D3QB32.EXE] C:\WINDOWS\SYSTEM\D3QB32.EXE

O4 - HKLM\..\RunServices: [D3FN32.EXE] C:\WINDOWS\D3FN32.EXE

O4 - HKLM\..\RunServices: [iPYY.EXE] C:\WINDOWS\SYSTEM\IPYY.EXE

O4 - HKLM\..\RunServices: [ATLXL.EXE] C:\WINDOWS\ATLXL.EXE

O4 - HKLM\..\RunServices: [JAVAWA.EXE] C:\WINDOWS\JAVAWA.EXE

O4 - HKLM\..\RunServices: [CRZH.EXE] C:\WINDOWS\SYSTEM\CRZH.EXE

O4 - HKLM\..\RunServices: [sDKFD32.EXE] C:\WINDOWS\SDKFD32.EXE

O4 - HKLM\..\RunServices: [sDKXP32.EXE] C:\WINDOWS\SYSTEM\SDKXP32.EXE

O4 - HKLM\..\RunServices: [WINBU32.EXE] C:\WINDOWS\WINBU32.EXE

O4 - HKLM\..\RunServices: [MSSH32.EXE] C:\WINDOWS\SYSTEM\MSSH32.EXE

O4 - HKLM\..\RunServices: [sDKIW32.EXE] C:\WINDOWS\SDKIW32.EXE

O4 - HKLM\..\RunServices: [NTAA.EXE] C:\WINDOWS\SYSTEM\NTAA.EXE

O4 - HKLM\..\RunServices: [JAVAZD.EXE] C:\WINDOWS\JAVAZD.EXE

O4 - HKLM\..\RunServices: [MSWB32.EXE] C:\WINDOWS\SYSTEM\MSWB32.EXE

O4 - HKLM\..\RunServices: [MSDN.EXE] C:\WINDOWS\MSDN.EXE

O4 - HKLM\..\RunServices: [iELB.EXE] C:\WINDOWS\IELB.EXE

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked. Close HJT when done.

 

Reboot your computer into Safe Mode.

 

Navigate to the C:\WINDOWS folder and delete these files:

 

C:\WINDOWS\ATLXL.EXE

C:\WINDOWS\D3FN32.EXE

C:\WINDOWS\D3GB.EXE

C:\WINDOWS\IELB.EXE

C:\WINDOWS\JAVAWA.EXE

C:\WINDOWS\JAVAZD.EXE

C:\WINDOWS\MSDN.EXE

C:\WINDOWS\SDKFD32.EXE

C:\WINDOWS\SDKIW32.EXE

C:\WINDOWS\WINBU32.EXE

C:\WINDOWS\WINCZ.EXE

C:\WINDOWS\WINUG32.EXE

 

Navigate to the C:\WINDOWS\SYSTEM folder and delete these files:

 

C:\WINDOWS\SYSTEM\ADDZU.EXE

C:\WINDOWS\SYSTEM\APPJK32.EXE

C:\WINDOWS\SYSTEM\CRZH.EXE

C:\WINDOWS\SYSTEM\D3QB32.EXE

C:\WINDOWS\SYSTEM\IPYY.EXE

C:\WINDOWS\SYSTEM\MSSH32.EXE

C:\WINDOWS\SYSTEM\MSWB32.EXE

C:\WINDOWS\SYSTEM\NTAA.EXE

C:\WINDOWS\SYSTEM\SDKXP32.EXE

 

Next, in Internet Explorer, click on Tools => Internet Options => Delete Files and select the box that says Delete All Offline Content and click on OK twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin".

 

Reboot normally, run another HJT scan, and post it here. Even if everything is clean now, there is still a little more to do.

Edited by Fireflyer

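The checks Fireflyer applies by hand in the two replies above (R0/R1 pages rewritten to a res:// DLL, BHOs registered for no file or a missing file, Run/RunServices entries launching unknown files straight from the Windows folder) as a small Python triage script over HijackThis 1.97 log lines. This is an added example, not code from the thread or from HijackThis; the allowlist and the sample lines are constructed from the logs posted in this thread, and the allowlist is an assumption that would need extending for any other machine.

```python
"""HijackThis 1.97 log triage (added example; not code from the thread or from HijackThis).

Mechanises the three checks the helper applies by hand in this thread:
  1. R0/R1 lines whose Start/Search/Default page is a res://...dll URL (about:blank hijack).
  2. O2 BHO lines that point at '(no file)' / '(file missing)', or an unnamed DLL sitting
     directly in C:\\WINDOWS or C:\\WINDOWS\\SYSTEM.
  3. O4 Run/RunServices lines whose executable sits directly in C:\\WINDOWS or
     C:\\WINDOWS\\SYSTEM and is not on an allowlist of names the clean log shows as legitimate.
"""
import ntpath
import re
from typing import Optional

# Assumption: names that legitimately live directly under C:\WINDOWS or C:\WINDOWS\SYSTEM
# on this Windows ME box, taken from the final clean log in the thread. Extend per machine.
ALLOWLIST = {"SISTRAY.EXE", "SYSTRAY.EXE", "PCTVOICE.EXE", "INTERNAT.EXE", "MSTASK.EXE"}
WATCHED_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}

R_LINE = re.compile(r"^(R[01]) - (.+?),([^=]+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
# First executable/library in a command line: either quoted, or everything up to the
# first .exe/.dll/.ocx that is followed by whitespace or end of line.
EXE_PATH = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|ocx))(?=\s|$)', re.I)


def in_watched_dir(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\SYSTEM."""
    return ntpath.dirname(path).upper() in WATCHED_DIRS


def command_path(command: str) -> Optional[str]:
    """Extract the program path from an O4 command line, dropping quotes and arguments."""
    m = EXE_PATH.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None


def triage_line(line: str) -> Optional[str]:
    """Return a reason when the HJT line looks like hijacker residue, else None."""
    line = line.strip()
    if m := R_LINE.match(line):
        value = m.group(4).lower()
        if value.startswith("res://") and ".dll" in value:
            return f"{m.group(3)} points into a DLL resource (about:blank hijack)"
        return None
    if m := O2_LINE.match(line):
        name, target = m.group(1), m.group(3)
        if target.endswith("(no file)") or target.endswith("(file missing)"):
            return "BHO registered for a file that does not exist"
        if name == "(no name)" and in_watched_dir(target):
            return "unnamed BHO loading a DLL straight from the Windows folder"
        return None
    if m := O4_LINE.match(line):
        path = command_path(m.group(4))
        if path and in_watched_dir(path) and ntpath.basename(path).upper() not in ALLOWLIST:
            return f"{m.group(2)} launches an unknown file from the Windows folder"
    return None


def triage(log_text: str) -> list:
    """Return (line, reason) pairs for every flagged line, in log order."""
    hits = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


# Constructed sample: lines copied from the first two logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\aekuc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgin.net/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACCESSORIES\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
O2 - BHO: (no name) - {E8F8DF77-A372-CB3E-F005-44B07E1086DE} - C:\WINDOWS\CRZY.DLL
O2 - BHO: (no name) - {A1D636C9-D767-55BA-CF3E-EE2BEE88C5AE} - C:\WINDOWS\SYSTEM\CRWU32.DLL (file missing)
O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\Run: [ADDBM.EXE] C:\WINDOWS\ADDBM.EXE
O4 - HKLM\..\RunServices: [D3GJ.EXE] C:\WINDOWS\SYSTEM\D3GJ.EXE
"""

if __name__ == "__main__":
    for hit_line, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {hit_line}")
```

Run against the sample it flags the six lines Fireflyer told the poster to fix and leaves the Norton, Acrobat, SiS tray, mixer, Symantec and ZoneAlarm entries alone.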

Fireflyer.

 

OK. Ran HijackThis and checked off and fixed all the items you listed. However, I cannot locate any of the files in C:\windows or C:\windows\system. I have already checked that explorer should show hidden files.

 

HijackThis log :

 

Logfile of HijackThis v1.97.7

Scan saved at 22:47:52, on 24/07/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v5.50 (5.50.4134.0100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\SISTRAY.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\PCTVOICE.EXE

C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

D:\COOL-ICAM\CALCHECK.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgin.net/

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACCESSORIES\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe

O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [sAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = D:\cool-icam\CalCheck.exe

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://chat1.virgin.net/chat/data/html/user/msie/msichat.ocx

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\supercd\IntraLaunch.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7876.6724074074

O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab

 

Hope you can help.


The log looks good. I don't see any signs of the malware infection. Are you still having any problems? If yes, tell me what they are.

 

If not, then try the Time Travel Test - set your system clock ahead about a week, and reboot your computer. Go online and check to see that things are still OK.

 

If it's come back then run a new HijackThis scan and post the log.

 

If you are still clear of the hijack then reset your date to normal, and go ahead and reset your System Restore so you don't accidentally re-enable the malware.

 

This involves disabling the System Restore, then rebooting, to clean out the old restore points. You then re-enable System Restore and reboot, which sets a new restore point.

  1. Right click the My Computer icon on the Desktop and click on Properties.
  2. Click on the Performance tab.
  3. Click on the File System button.
  4. Click on the Troubleshooting tab.
  5. Put a check mark next to 'Disable System Restore'.
  6. Click the 'OK' button.
  7. You will be prompted to restart the computer. Click Yes.

To re-enable System Restore, follow steps one to seven and on step five remove the check mark next to 'Disable System Restore'.

 

Let me know how things are going.


Fireflyer

 

Everything seems to be working fine. No pop-ups, normal home page and my pc is back to running as fast as its valves will let it! Did the Time Travel Test with no problems, and have reset the restore.

 

Thank you so much. I was on the point of reformatting the whole shooting match.

 

OutOfMyDepth


Great! Be sure to keep updated with all the Windows Critical Updates.

 

To reduce the potential for spyware infection in the future, consider installing:

 

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

 

More info and download is available at:

SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

 

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

 

More info and download is available at:

IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

 

You might also want to consider installing a firewall program - two very good free ones are available through the links in my Signature. I use Kerio Personal Firewall myself.
