
Irritating little problem!


7 replies to this topic

#1 OOMD

OOMD

    Member

  • Full Member
  • 6 posts

Posted 11 July 2004 - 04:34 PM

Hi there. I'm very new at this, but think I've been infested with the about:blank browser hijacker. I have read the FAQ and run updated adware and spybot s&d with no improvement. I have now downloaded and run HijackThis, and the log file is:

Logfile of HijackThis v1.97.7
Scan saved at 22:47:02, on 06/07/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\ADDBM.EXE
D:\COOL-ICAM\CALCHECK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\D3GJ.EXE
C:\WINDOWS\SYSTEM\APIGM32.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\aekuc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aekuc.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aekuc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\aekuc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://aekuc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\aekuc.dll/sp.html#37049
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACCESSORIES\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
O2 - BHO: (no name) - {E8F8DF77-A372-CB3E-F005-44B07E1086DE} - C:\WINDOWS\CRZY.DLL
O2 - BHO: (no name) - {F1ADFBD7-BCD2-843D-0FA3-AEEADC7FA510} - C:\WINDOWS\CRZY.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [ADDBM.EXE] C:\WINDOWS\ADDBM.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [D3XO.EXE] C:\WINDOWS\SYSTEM\D3XO.EXE
O4 - HKLM\..\RunServices: [NETGS32.EXE] C:\WINDOWS\NETGS32.EXE
O4 - HKLM\..\RunServices: [D3GJ.EXE] C:\WINDOWS\SYSTEM\D3GJ.EXE
O4 - HKLM\..\RunServices: [APIGM32.EXE] C:\WINDOWS\SYSTEM\APIGM32.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = D:\cool-icam\CalCheck.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://chat1.virgin....sie/msichat.ocx
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\supercd\IntraLaunch.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7876.6724074074
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab

What little hair I have left is going grey!

#2 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 22 July 2004 - 09:39 PM

Sorry it took so long for someone to answer you, but we've been really swamped!

Get AboutBuster from http://www.downloads...AboutBuster.zip and unzip it to your desktop.

Also, get CWShredder from http://www.downloads.../CWShredder.exe and put it into its own folder.

This is going to involve running some programs more than once, because this CWS variant is resistant to removal, and repeated passes are often required.

Make sure you have Ad-aware updated. Set it up for a Full Scan per these instructions:

Click on the Gear icon (second from the left) to access the preferences/settings window.
  • In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Click on the Scanning button on the left and select:
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URLs
    • Scan my Hosts file
    • Under "Click here to select drives + folders", choose:
      • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page, and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next.)

Reboot your computer.

After you log back in, Ad-aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Now, reboot your computer into Safe Mode (see: How to boot into Safe Mode) and stay in Safe Mode until instructed to reboot.

Run a new HijackThis scan. Mark these items for removal:

O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)

O2 - BHO: (no name) - {E8F8DF77-A372-CB3E-F005-44B07E1086DE} - C:\WINDOWS\CRZY.DLL

O2 - BHO: (no name) - {F1ADFBD7-BCD2-843D-0FA3-AEEADC7FA510} - C:\WINDOWS\CRZY.DLL

O4 - HKLM\..\Run: [ADDBM.EXE] C:\WINDOWS\ADDBM.EXE

O4 - HKLM\..\RunServices: [D3XO.EXE] C:\WINDOWS\SYSTEM\D3XO.EXE

O4 - HKLM\..\RunServices: [NETGS32.EXE] C:\WINDOWS\NETGS32.EXE

O4 - HKLM\..\RunServices: [D3GJ.EXE] C:\WINDOWS\SYSTEM\D3GJ.EXE

O4 - HKLM\..\RunServices: [APIGM32.EXE] C:\WINDOWS\SYSTEM\APIGM32.EXE


Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked. Close HJT when done.

Now, run these programs, one at a time, with the program being run as the only program open:
  • AboutBuster
  • CWShredder
  • AboutBuster, again
  • Ad-aware
Next, if you have additional user accounts, log in under each user and rerun steps 1-4 (still in Safe Mode).

Reboot normally, run another HJT scan, and post it here for further review.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#3 OOMD

OOMD

    Member

  • Full Member
  • 6 posts

Posted 23 July 2004 - 06:34 PM

Fireflyer, thanks for getting back to me. Looking at the amount of posts on the forums you guys are pretty busy.

Followed your very clear instructions through, and new HijackThis log is:

Logfile of HijackThis v1.97.7
Scan saved at 00:30:55, on 24/07/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
D:\COOL-ICAM\CALCHECK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACCESSORIES\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {A1D636C9-D767-55BA-CF3E-EE2BEE88C5AE} - C:\WINDOWS\SYSTEM\CRWU32.DLL (file missing)
O2 - BHO: (no name) - {08BEC198-7D8F-EA95-F1EA-2D7648DD4E06} - (no file)
O2 - BHO: (no name) - {2319932C-A5B5-C0DB-4326-82033B7C227A} - (no file)
O2 - BHO: (no name) - {43E92535-41C0-42A6-6DD1-EC22B7AA19CC} - (no file)
O2 - BHO: (no name) - {BD731204-B008-BCDF-1605-EDFD49FEF041} - C:\WINDOWS\SYSTEM\APISM32.DLL (file missing)
O2 - BHO: (no name) - {85432042-AF44-BB62-1A5F-2855B602D604} - C:\WINDOWS\SYSTEM\MSAN.DLL (file missing)
O2 - BHO: (no name) - {6F8D1D12-CFC2-4FA8-AB91-6C897FDF757E} - C:\WINDOWS\APIWK.DLL (file missing)
O2 - BHO: (no name) - {7B557CAE-0E58-EE87-4EC2-EB6EA1BB2AD1} - C:\WINDOWS\SYSTEM\SDKVN32.DLL (file missing)
O2 - BHO: (no name) - {FE572F72-6A9B-CF6C-D339-E410066102D6} - C:\WINDOWS\SYSTEM\MFCEQ32.DLL (file missing)
O2 - BHO: (no name) - {5E5DBFEE-5C17-CE66-1F25-F001EBA4E915} - C:\WINDOWS\CRXT32.DLL (file missing)
O2 - BHO: (no name) - {FD28144A-BE74-ABB6-5C2B-E60BF82588B7} - C:\WINDOWS\ADDRB.DLL (file missing)
O2 - BHO: (no name) - {FA239BAA-E441-30B6-0ABB-3EAAF567B877} - C:\WINDOWS\WINOP.DLL (file missing)
O2 - BHO: (no name) - {984540E0-884A-7144-C86A-1A24E5141AF4} - C:\WINDOWS\MSPL32.DLL (file missing)
O2 - BHO: (no name) - {CC5FEABC-FD03-1BA4-2907-D32BC8AFEBB7} - C:\WINDOWS\D3MK32.DLL (file missing)
O2 - BHO: (no name) - {A0904A77-BFA4-970B-9630-8D199EFD55E9} - C:\WINDOWS\SYSTEM\SYSQJ.DLL (file missing)
O2 - BHO: (no name) - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\NETIP32.DLL (file missing)
O2 - BHO: (no name) - {66D32E0D-79D6-427C-0100-10B26540E229} - C:\WINDOWS\SYSTEM\SYSUN32.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [D3WC.EXE] C:\WINDOWS\D3WC.EXE
O4 - HKLM\..\RunServices: [D3CJ32.EXE] C:\WINDOWS\SYSTEM\D3CJ32.EXE
O4 - HKLM\..\RunServices: [D3JG32.EXE] C:\WINDOWS\D3JG32.EXE
O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE
O4 - HKLM\..\RunServices: [D3GB.EXE] C:\WINDOWS\D3GB.EXE
O4 - HKLM\..\RunServices: [WINCZ.EXE] C:\WINDOWS\WINCZ.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [WINUG32.EXE] C:\WINDOWS\WINUG32.EXE
O4 - HKLM\..\RunServices: [ADDZU.EXE] C:\WINDOWS\SYSTEM\ADDZU.EXE
O4 - HKLM\..\RunServices: [D3QB32.EXE] C:\WINDOWS\SYSTEM\D3QB32.EXE
O4 - HKLM\..\RunServices: [D3FN32.EXE] C:\WINDOWS\D3FN32.EXE
O4 - HKLM\..\RunServices: [IPYY.EXE] C:\WINDOWS\SYSTEM\IPYY.EXE
O4 - HKLM\..\RunServices: [ATLXL.EXE] C:\WINDOWS\ATLXL.EXE
O4 - HKLM\..\RunServices: [JAVAWA.EXE] C:\WINDOWS\JAVAWA.EXE
O4 - HKLM\..\RunServices: [CRZH.EXE] C:\WINDOWS\SYSTEM\CRZH.EXE
O4 - HKLM\..\RunServices: [SDKFD32.EXE] C:\WINDOWS\SDKFD32.EXE
O4 - HKLM\..\RunServices: [SDKXP32.EXE] C:\WINDOWS\SYSTEM\SDKXP32.EXE
O4 - HKLM\..\RunServices: [WINBU32.EXE] C:\WINDOWS\WINBU32.EXE
O4 - HKLM\..\RunServices: [MSSH32.EXE] C:\WINDOWS\SYSTEM\MSSH32.EXE
O4 - HKLM\..\RunServices: [SDKIW32.EXE] C:\WINDOWS\SDKIW32.EXE
O4 - HKLM\..\RunServices: [NTAA.EXE] C:\WINDOWS\SYSTEM\NTAA.EXE
O4 - HKLM\..\RunServices: [JAVAZD.EXE] C:\WINDOWS\JAVAZD.EXE
O4 - HKLM\..\RunServices: [MSWB32.EXE] C:\WINDOWS\SYSTEM\MSWB32.EXE
O4 - HKLM\..\RunServices: [MSDN.EXE] C:\WINDOWS\MSDN.EXE
O4 - HKLM\..\RunServices: [IELB.EXE] C:\WINDOWS\IELB.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = D:\cool-icam\CalCheck.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://chat1.virgin....sie/msichat.ocx
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\supercd\IntraLaunch.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7876.6724074074
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A790} - http://www.microsoft...w/0/BerbCln.CAB

Couldn't find two of the 04's to remove, so assume one of the other sweeps got 'em. Hope this gives me the all clear?


Thanks

#4 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 24 July 2004 - 10:18 AM

You're definitely not all clear yet - I don't see any malware files running in this log, but there's lots of leftover garbage to clean up.

Run a new HijackThis scan. Mark these items for removal:

O2 - BHO: (no name) - {A1D636C9-D767-55BA-CF3E-EE2BEE88C5AE} - C:\WINDOWS\SYSTEM\CRWU32.DLL (file missing)
O2 - BHO: (no name) - {08BEC198-7D8F-EA95-F1EA-2D7648DD4E06} - (no file)
O2 - BHO: (no name) - {2319932C-A5B5-C0DB-4326-82033B7C227A} - (no file)
O2 - BHO: (no name) - {43E92535-41C0-42A6-6DD1-EC22B7AA19CC} - (no file)
O2 - BHO: (no name) - {BD731204-B008-BCDF-1605-EDFD49FEF041} - C:\WINDOWS\SYSTEM\APISM32.DLL (file missing)
O2 - BHO: (no name) - {85432042-AF44-BB62-1A5F-2855B602D604} - C:\WINDOWS\SYSTEM\MSAN.DLL (file missing)
O2 - BHO: (no name) - {6F8D1D12-CFC2-4FA8-AB91-6C897FDF757E} - C:\WINDOWS\APIWK.DLL (file missing)
O2 - BHO: (no name) - {7B557CAE-0E58-EE87-4EC2-EB6EA1BB2AD1} - C:\WINDOWS\SYSTEM\SDKVN32.DLL (file missing)
O2 - BHO: (no name) - {FE572F72-6A9B-CF6C-D339-E410066102D6} - C:\WINDOWS\SYSTEM\MFCEQ32.DLL (file missing)
O2 - BHO: (no name) - {5E5DBFEE-5C17-CE66-1F25-F001EBA4E915} - C:\WINDOWS\CRXT32.DLL (file missing)
O2 - BHO: (no name) - {FD28144A-BE74-ABB6-5C2B-E60BF82588B7} - C:\WINDOWS\ADDRB.DLL (file missing)
O2 - BHO: (no name) - {FA239BAA-E441-30B6-0ABB-3EAAF567B877} - C:\WINDOWS\WINOP.DLL (file missing)
O2 - BHO: (no name) - {984540E0-884A-7144-C86A-1A24E5141AF4} - C:\WINDOWS\MSPL32.DLL (file missing)
O2 - BHO: (no name) - {CC5FEABC-FD03-1BA4-2907-D32BC8AFEBB7} - C:\WINDOWS\D3MK32.DLL (file missing)
O2 - BHO: (no name) - {A0904A77-BFA4-970B-9630-8D199EFD55E9} - C:\WINDOWS\SYSTEM\SYSQJ.DLL (file missing)
O2 - BHO: (no name) - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\NETIP32.DLL (file missing)
O2 - BHO: (no name) - {66D32E0D-79D6-427C-0100-10B26540E229} - C:\WINDOWS\SYSTEM\SYSUN32.DLL (file missing)

O4 - HKLM\..\RunServices: [D3WC.EXE] C:\WINDOWS\D3WC.EXE
O4 - HKLM\..\RunServices: [D3CJ32.EXE] C:\WINDOWS\SYSTEM\D3CJ32.EXE
O4 - HKLM\..\RunServices: [D3JG32.EXE] C:\WINDOWS\D3JG32.EXE
O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE
O4 - HKLM\..\RunServices: [D3GB.EXE] C:\WINDOWS\D3GB.EXE
O4 - HKLM\..\RunServices: [WINCZ.EXE] C:\WINDOWS\WINCZ.EXE
O4 - HKLM\..\RunServices: [WINUG32.EXE] C:\WINDOWS\WINUG32.EXE
O4 - HKLM\..\RunServices: [ADDZU.EXE] C:\WINDOWS\SYSTEM\ADDZU.EXE
O4 - HKLM\..\RunServices: [D3QB32.EXE] C:\WINDOWS\SYSTEM\D3QB32.EXE
O4 - HKLM\..\RunServices: [D3FN32.EXE] C:\WINDOWS\D3FN32.EXE
O4 - HKLM\..\RunServices: [IPYY.EXE] C:\WINDOWS\SYSTEM\IPYY.EXE
O4 - HKLM\..\RunServices: [ATLXL.EXE] C:\WINDOWS\ATLXL.EXE
O4 - HKLM\..\RunServices: [JAVAWA.EXE] C:\WINDOWS\JAVAWA.EXE
O4 - HKLM\..\RunServices: [CRZH.EXE] C:\WINDOWS\SYSTEM\CRZH.EXE
O4 - HKLM\..\RunServices: [SDKFD32.EXE] C:\WINDOWS\SDKFD32.EXE
O4 - HKLM\..\RunServices: [SDKXP32.EXE] C:\WINDOWS\SYSTEM\SDKXP32.EXE
O4 - HKLM\..\RunServices: [WINBU32.EXE] C:\WINDOWS\WINBU32.EXE
O4 - HKLM\..\RunServices: [MSSH32.EXE] C:\WINDOWS\SYSTEM\MSSH32.EXE
O4 - HKLM\..\RunServices: [SDKIW32.EXE] C:\WINDOWS\SDKIW32.EXE
O4 - HKLM\..\RunServices: [NTAA.EXE] C:\WINDOWS\SYSTEM\NTAA.EXE
O4 - HKLM\..\RunServices: [JAVAZD.EXE] C:\WINDOWS\JAVAZD.EXE
O4 - HKLM\..\RunServices: [MSWB32.EXE] C:\WINDOWS\SYSTEM\MSWB32.EXE
O4 - HKLM\..\RunServices: [MSDN.EXE] C:\WINDOWS\MSDN.EXE
O4 - HKLM\..\RunServices: [IELB.EXE] C:\WINDOWS\IELB.EXE


Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked. Close HJT when done.

Reboot your computer into Safe Mode.

Navigate to the C:\WINDOWS folder and delete these files:

C:\WINDOWS\ATLXL.EXE
C:\WINDOWS\D3FN32.EXE
C:\WINDOWS\D3GB.EXE
C:\WINDOWS\IELB.EXE
C:\WINDOWS\JAVAWA.EXE
C:\WINDOWS\JAVAZD.EXE
C:\WINDOWS\MSDN.EXE
C:\WINDOWS\SDKFD32.EXE
C:\WINDOWS\SDKIW32.EXE
C:\WINDOWS\WINBU32.EXE
C:\WINDOWS\WINCZ.EXE
C:\WINDOWS\WINUG32.EXE

Navigate to the C:\WINDOWS\SYSTEM folder and delete these files:

C:\WINDOWS\SYSTEM\ADDZU.EXE
C:\WINDOWS\SYSTEM\APPJK32.EXE
C:\WINDOWS\SYSTEM\CRZH.EXE
C:\WINDOWS\SYSTEM\D3QB32.EXE
C:\WINDOWS\SYSTEM\IPYY.EXE
C:\WINDOWS\SYSTEM\MSSH32.EXE
C:\WINDOWS\SYSTEM\MSWB32.EXE
C:\WINDOWS\SYSTEM\NTAA.EXE
C:\WINDOWS\SYSTEM\SDKXP32.EXE

Next, in Internet Explorer, click on Tools => Internet Options => Delete Files and select the box that says Delete All Offline Content and click on OK twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin".

Reboot normally, run another HJT scan, and post it here. Even if everything is clean now, there is still a little more to do.

Edited by Fireflyer, 24 July 2004 - 10:22 AM.

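The two replies above (the first one flagging the res:// start/search pages and the CRZY.DLL BHO, this one listing the orphaned BHOs and the random-named RunServices entries) are doing log triage by eye. The following Python script is an added example, not code from this thread or from HijackThis, that turns those same indicators into simple heuristics and also diffs two logs so that entries which re-appeared under new names after a cleaning pass stand out. The allowlist of known-good Windows Me binaries and the "short random name" pattern are assumptions tuned to the variant in this thread, not general rules; the sample log lines are quoted from the logs posted above, with a few benign lines kept so the allowlisting is exercised.

```python
"""HijackThis log triage heuristics (added example, not from this thread or HijackThis).

Indicators encoded, as pointed out by the helper in the thread:
  * R0/R1 start/search page set to a res:// URL inside a local DLL,
  * O2 BHOs that are unnamed, or whose DLL is "(no file)" / "(file missing)",
  * O4 Run/RunServices entries whose label is just the filename of a short,
    random-looking EXE dropped into C:\\WINDOWS or C:\\WINDOWS\\SYSTEM.
"""
import re
from typing import List, Optional, Tuple

# Lines quoted from the first two logs in the thread (headers omitted).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\aekuc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aekuc.dll/index.html#37049
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
O2 - BHO: (no name) - {E8F8DF77-A372-CB3E-F005-44B07E1086DE} - C:\WINDOWS\CRZY.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ADDBM.EXE] C:\WINDOWS\ADDBM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [D3XO.EXE] C:\WINDOWS\SYSTEM\D3XO.EXE
O4 - HKLM\..\RunServices: [NETGS32.EXE] C:\WINDOWS\NETGS32.EXE
"""
LOG_AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {A1D636C9-D767-55BA-CF3E-EE2BEE88C5AE} - C:\WINDOWS\SYSTEM\CRWU32.DLL (file missing)
O2 - BHO: (no name) - {08BEC198-7D8F-EA95-F1EA-2D7648DD4E06} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [D3WC.EXE] C:\WINDOWS\D3WC.EXE
O4 - HKLM\..\RunServices: [WINCZ.EXE] C:\WINDOWS\WINCZ.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[([^\]]+)\] (.+)$")
RANDOM_EXE_RE = re.compile(r"^[A-Z0-9]{2,8}\.EXE$")            # assumption: this variant's naming
UNNAMED_DLL_RE = re.compile(r"\\WINDOWS\\(?:SYSTEM\\)?[A-Z0-9]{2,8}\.DLL$", re.I)
# Assumed allowlist of Windows Me binaries that legitimately live in C:\WINDOWS
# and could otherwise trip the name pattern; extend for other machines.
KNOWN_GOOD_EXE = {"SYSTRAY.EXE", "INTERNAT.EXE", "MSTASK.EXE", "EXPLORER.EXE"}


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every R*/O* line; headers and blanks are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entry(section: str, body: str) -> Optional[str]:
    """Reason string if the entry matches one of the indicators, else None."""
    if section in ("R0", "R1") and "= res://" in body:
        return "IE start/search page redirected into a local DLL via res:// (about:blank hijack)"
    if section == "O2":
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            return "BHO CLSID still registered but its DLL is gone (orphaned registration)"
        if body.startswith("BHO: (no name)") and UNNAMED_DLL_RE.search(body):
            return "unnamed BHO loading a short random-named DLL from the Windows folder"
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            label, cmd = m.group(1), m.group(2)
            exe = cmd.split()[0].strip('"')          # first token is the program path
            name = exe.rsplit("\\", 1)[-1].upper()
            if (exe.upper().startswith("C:\\WINDOWS\\") and name == label.upper()
                    and RANDOM_EXE_RE.match(name) and name not in KNOWN_GOOD_EXE):
                return "Run/RunServices entry named after a random EXE in the Windows folder"
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """(reason, 'SECTION - body') for every suspicious entry in one log."""
    hits = []
    for section, body in parse_entries(log):
        reason = flag_entry(section, body)
        if reason:
            hits.append((reason, f"{section} - {body}"))
    return hits


def diff_entries(old: str, new: str) -> Tuple[List[str], List[str]]:
    """Entries only in the new log, and entries only in the old log (log order kept)."""
    old_list = [f"{s} - {b}" for s, b in parse_entries(old)]
    new_list = [f"{s} - {b}" for s, b in parse_entries(new)]
    added = [e for e in new_list if e not in set(old_list)]
    removed = [e for e in old_list if e not in set(new_list)]
    return added, removed


def new_indicators(old: str, new: str) -> List[str]:
    """Suspicious entries that appeared only after a cleaning pass: the sign that the
    dropper re-ran, which is why the thread says the tools must be run repeatedly."""
    added, _ = diff_entries(old, new)
    return [e for e in added if flag_entry(*e.split(" - ", 1))]


if __name__ == "__main__":
    for reason, entry in triage(LOG_BEFORE):
        print(f"[{reason}]\n    {entry}")
    print("\nNew indicators after the first cleanup pass:")
    for entry in new_indicators(LOG_BEFORE, LOG_AFTER):
        print("    " + entry)
```

The label-equals-filename test is the load-bearing part of the O4 heuristic: legitimate Run entries in these logs carry descriptive labels (`[SystemTray]`, `[SchedulingAgent]`, `[TrueVector]`), whereas every dropped file is registered under its own bare filename. The diff between the two logs is what shows the re-infection the helper was reacting to: none of the original RunServices names survive, but a fresh set of equally random names has taken their place.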

#5 OOMD

OOMD

    Member

  • Full Member
  • 6 posts

Posted 24 July 2004 - 04:59 PM

Fireflyer.

OK. Ran HijackThis and checked off and fixed all the items you listed. However, I cannot locate any of the files in C:\windows or C:\windows\system. I have already checked that explorer should show hidden files.

HijackThis log :

Logfile of HijackThis v1.97.7
Scan saved at 22:47:52, on 24/07/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
D:\COOL-ICAM\CALCHECK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgin.net/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACCESSORIES\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = D:\cool-icam\CalCheck.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://chat1.virgin....sie/msichat.ocx
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\supercd\IntraLaunch.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7876.6724074074
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab

Hope you can help.

#6 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 25 July 2004 - 11:58 AM

The log looks good. I don't see any signs of the malware infection. Are you still having any problems? If yes, tell me what they are.

If not, then try the Time Travel Test - set your system clock ahead about a week, and reboot your computer. Go online and check to see that things are still OK.

If it's come back then run a new HijackThis scan and post the log.

If you are still clear of the hijack then reset your date to normal, and go ahead and reset your System Restore so you don't accidentally re-enable the malware.

This involves disabling the System Restore, then rebooting, to clean out the old restore points. You then re-enable System Restore and reboot, which sets a new restore point.
  • Right click the My Computer icon on the Desktop and click on Properties.
  • Click on the Performance tab.
  • Click on the File System button.
  • Click on the Troubleshooting tab.
  • Put a check mark next to 'Disable System Restore'.
  • Click the 'OK' button.
  • You will be prompted to restart the computer. Click Yes.
To re-enable System Restore, follow steps one to seven and on step five remove the check mark next to 'Disable System Restore'.

Let me know how things are going.

#7 OOMD

OOMD

    Member

  • Full Member
  • 6 posts

Posted 25 July 2004 - 05:13 PM

Fireflyer

Everything seems to be working fine. No pop-ups, normal home page and my pc is back to running as fast as its valves will let it! Did the Time Travel Test with no problems, and have reset the restore.

Thank you so much. I was on the point of reformatting the whole shooting match.

OutOfMyDepth

#8 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 25 July 2004 - 05:25 PM

Great! Be sure to keep updated with all the Windows Critical Updates.

To reduce the potential for spyware infection in the future, consider installing:

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:
SpywareBlaster: http://www.javacools...areblaster.html
SpywareGuard: http://www.wildersse...ywareguard.html

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at:
IE/Spyad: https://netfiles.uiu...ww/resource.htm

You might also want to consider installing a firewall program - two very good free ones are available thru the links in my Signature. I use Kerio Personal Firewall myself.