Hijack list

#1 susan

  • New Member
  • 3 posts

Posted 11 July 2004 - 08:38 PM

This is my first time hijack log. Please let me know if any of these should be deleted. Where do I go from here?

Logfile of HijackThis v1.97.7
Scan saved at 6:19:46 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\criv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Borland\Interbase\bin\ibguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Borland\Interbase\bin\ibserver.exe
C:\WINDOWS\apiem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xurkd.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xurkd.dll/index.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xurkd.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xurkd.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xurkd.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xurkd.dll/sp.html#27063
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7AADF982-4598-7DD2-A20B-630DD168492F} - C:\WINDOWS\sysqb32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [criv.exe] C:\WINDOWS\system32\criv.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [apiem.exe] C:\WINDOWS\apiem.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/...d/fastbidx1.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/...d/fastbidx2.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb028.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8098.7303240741
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab

#2 Autodad

  • Trusted Advisor
  • 2,118 posts

Posted 13 July 2004 - 05:30 AM

Hello susan,

Please put HJT in a permanent folder. You're running it from C:\Program Files\HijackThis.exe
If you make a new folder in Program Files, that would be OK, such as C:\Program Files\Hijackthis\HijackThis.exe
Or you can do this: Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double-click to run it.
This will allow backups to be made and saved by HijackThis in case something goes wrong.
Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.
______

Next, download About:Buster and unzip it to your desktop, but don't run it yet.
______

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it, but don't run it yet, just set it up this way:

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window.

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URLs
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives
3. Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
4. Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
5. Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and click Next.)
___________

Now, reboot to Safe Mode (tap F8 while restarting).

Then open Hijackthis, click Scan, then put a check next to the following entries:

O2 - BHO: (no name) - {7AADF982-4598-7DD2-A20B-630DD168492F} - C:\WINDOWS\sysqb32.dll

O4 - HKLM\..\Run: [criv.exe] C:\WINDOWS\system32\criv.exe
O4 - HKLM\..\RunOnce: [apiem.exe] C:\WINDOWS\apiem.exe

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb028.cab


Now, make sure you Close all open Windows (have only HJT open) and click "Fix Checked".

- - - - - - - -

Then, while still in safe mode, run About:Buster.
Start it. (Don't worry about the pop-up that says to fix all random objects; we just did that.)
Hit OK, Start, and OK to start the scan. It will generate a log. Post that log along with a new HijackThis log here.

- - - - - - - -

Now run Ad-aware, while still in safe mode.

_________

Then, reboot normally and take a free on-line scan at HouseCall


After you do the above, please post a new HJT log, and your About:Buster log.

#3 susan

  • New Member
  • 3 posts

Posted 31 July 2004 - 05:58 PM

I followed the instructions you gave me, but am unable to figure out how to save the About:Buster log. I scanned it twice and it removed quite a bit, but left a lot of "error in removing" messages.

Here is my new Hijack log as of 7/31/04

susan

Logfile of HijackThis v1.97.7
Scan saved at 2:38:25 PM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\atlfn32.exe
C:\WINDOWS\system32\criv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhyim.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vhyim.dll/index.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vhyim.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhyim.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vhyim.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vhyim.dll/sp.html#27063
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4098B116-3E9F-6C68-3DD2-D1F9DE132411} - C:\WINDOWS\netkw.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [criv.exe] C:\WINDOWS\system32\criv.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [addjb.exe] C:\WINDOWS\system32\addjb.exe
O4 - HKLM\..\RunOnce: [addyg32.exe] C:\WINDOWS\addyg32.exe
O4 - HKLM\..\RunOnce: [addwe32.exe] C:\WINDOWS\system32\addwe32.exe
O4 - HKLM\..\RunOnce: [mfcnm.exe] C:\WINDOWS\system32\mfcnm.exe
O4 - HKLM\..\RunOnce: [winzx.exe] C:\WINDOWS\winzx.exe
O4 - HKLM\..\RunOnce: [mfcup32.exe] C:\WINDOWS\system32\mfcup32.exe
O4 - HKLM\..\RunOnce: [atlov32.exe] C:\WINDOWS\system32\atlov32.exe
O4 - HKLM\..\RunOnce: [atlbl32.exe] C:\WINDOWS\system32\atlbl32.exe
O4 - HKLM\..\RunOnce: [apizn32.exe] C:\WINDOWS\apizn32.exe
O4 - HKLM\..\RunOnce: [d3fg32.exe] C:\WINDOWS\d3fg32.exe
O4 - HKLM\..\RunOnce: [wintu.exe] C:\WINDOWS\wintu.exe
O4 - HKLM\..\RunOnce: [iezn32.exe] C:\WINDOWS\iezn32.exe
O4 - HKLM\..\RunOnce: [sdkeh.exe] C:\WINDOWS\sdkeh.exe
O4 - HKLM\..\RunOnce: [addja32.exe] C:\WINDOWS\system32\addja32.exe
O4 - HKLM\..\RunOnce: [ntzy.exe] C:\WINDOWS\ntzy.exe
O4 - HKLM\..\RunOnce: [winel32.exe] C:\WINDOWS\system32\winel32.exe
O4 - HKLM\..\RunOnce: [ipfs32.exe] C:\WINDOWS\ipfs32.exe
O4 - HKLM\..\RunOnce: [addbi32.exe] C:\WINDOWS\system32\addbi32.exe
O4 - HKLM\..\RunOnce: [msdl32.exe] C:\WINDOWS\msdl32.exe
O4 - HKLM\..\RunOnce: [d3nu.exe] C:\WINDOWS\d3nu.exe
O4 - HKLM\..\RunOnce: [mfced.exe] C:\WINDOWS\mfced.exe
O4 - HKLM\..\RunOnce: [apild32.exe] C:\WINDOWS\system32\apild32.exe
O4 - HKLM\..\RunOnce: [ntvy32.exe] C:\WINDOWS\system32\ntvy32.exe
O4 - HKLM\..\RunOnce: [appas32.exe] C:\WINDOWS\system32\appas32.exe
O4 - HKLM\..\RunOnce: [crrb.exe] C:\WINDOWS\system32\crrb.exe
O4 - HKLM\..\RunOnce: [appwm.exe] C:\WINDOWS\system32\appwm.exe
O4 - HKLM\..\RunOnce: [syszj.exe] C:\WINDOWS\system32\syszj.exe
O4 - HKLM\..\RunOnce: [sysrt32.exe] C:\WINDOWS\sysrt32.exe
O4 - HKLM\..\RunOnce: [winqu.exe] C:\WINDOWS\winqu.exe
O4 - HKLM\..\RunOnce: [cryd32.exe] C:\WINDOWS\cryd32.exe
O4 - HKLM\..\RunOnce: [syspi.exe] C:\WINDOWS\syspi.exe
O4 - HKLM\..\RunOnce: [addlj.exe] C:\WINDOWS\addlj.exe
O4 - HKLM\..\RunOnce: [atlbu.exe] C:\WINDOWS\system32\atlbu.exe
O4 - HKLM\..\RunOnce: [addjp32.exe] C:\WINDOWS\system32\addjp32.exe
O4 - HKLM\..\RunOnce: [ntwd.exe] C:\WINDOWS\ntwd.exe
O4 - HKLM\..\RunOnce: [ipxs.exe] C:\WINDOWS\system32\ipxs.exe
O4 - HKLM\..\RunOnce: [crjj.exe] C:\WINDOWS\crjj.exe
O4 - HKLM\..\RunOnce: [crdi.exe] C:\WINDOWS\crdi.exe
O4 - HKLM\..\RunOnce: [ntgs.exe] C:\WINDOWS\system32\ntgs.exe
O4 - HKLM\..\RunOnce: [apphb.exe] C:\WINDOWS\apphb.exe
O4 - HKLM\..\RunOnce: [iprz.exe] C:\WINDOWS\system32\iprz.exe
O4 - HKLM\..\RunOnce: [neter.exe] C:\WINDOWS\system32\neter.exe
O4 - HKLM\..\RunOnce: [javaqv32.exe] C:\WINDOWS\javaqv32.exe
O4 - HKLM\..\RunOnce: [atldz.exe] C:\WINDOWS\atldz.exe
O4 - HKLM\..\RunOnce: [syshv32.exe] C:\WINDOWS\syshv32.exe
O4 - HKLM\..\RunOnce: [mfcnb.exe] C:\WINDOWS\system32\mfcnb.exe
O4 - HKLM\..\RunOnce: [winna32.exe] C:\WINDOWS\system32\winna32.exe
O4 - HKLM\..\RunOnce: [d3qa32.exe] C:\WINDOWS\d3qa32.exe
O4 - HKLM\..\RunOnce: [atlmp32.exe] C:\WINDOWS\atlmp32.exe
O4 - HKLM\..\RunOnce: [netdn.exe] C:\WINDOWS\system32\netdn.exe
O4 - HKLM\..\RunOnce: [addid32.exe] C:\WINDOWS\addid32.exe
O4 - HKLM\..\RunOnce: [addyo.exe] C:\WINDOWS\system32\addyo.exe
O4 - HKLM\..\RunOnce: [craj.exe] C:\WINDOWS\craj.exe
O4 - HKLM\..\RunOnce: [mfcms32.exe] C:\WINDOWS\mfcms32.exe
O4 - HKLM\..\RunOnce: [ipbi.exe] C:\WINDOWS\system32\ipbi.exe
O4 - HKLM\..\RunOnce: [apiwm.exe] C:\WINDOWS\apiwm.exe
O4 - HKLM\..\RunOnce: [netab.exe] C:\WINDOWS\netab.exe
O4 - HKLM\..\RunOnce: [d3qw32.exe] C:\WINDOWS\system32\d3qw32.exe
O4 - HKLM\..\RunOnce: [crrw.exe] C:\WINDOWS\crrw.exe
O4 - HKLM\..\RunOnce: [apius.exe] C:\WINDOWS\system32\apius.exe
O4 - HKLM\..\RunOnce: [ieff.exe] C:\WINDOWS\ieff.exe
O4 - HKLM\..\RunOnce: [apixh32.exe] C:\WINDOWS\apixh32.exe
O4 - HKLM\..\RunOnce: [winhy32.exe] C:\WINDOWS\winhy32.exe
O4 - HKLM\..\RunOnce: [netid.exe] C:\WINDOWS\system32\netid.exe
O4 - HKLM\..\RunOnce: [d3nu32.exe] C:\WINDOWS\d3nu32.exe
O4 - HKLM\..\RunOnce: [atlfn32.exe] C:\WINDOWS\atlfn32.exe
O4 - HKLM\..\RunOnce: [javafe.exe] C:\WINDOWS\javafe.exe
O4 - HKLM\..\RunOnce: [javawe.exe] C:\WINDOWS\system32\javawe.exe
O4 - HKLM\..\RunOnce: [mfclc.exe] C:\WINDOWS\mfclc.exe
O4 - HKLM\..\RunOnce: [ntmf.exe] C:\WINDOWS\system32\ntmf.exe
O4 - HKLM\..\RunOnce: [ieee.exe] C:\WINDOWS\system32\ieee.exe
O4 - HKLM\..\RunOnce: [d3ap32.exe] C:\WINDOWS\d3ap32.exe
O4 - HKLM\..\RunOnce: [syshc.exe] C:\WINDOWS\system32\syshc.exe
O4 - HKLM\..\RunOnce: [iput32.exe] C:\WINDOWS\system32\iput32.exe
O4 - HKLM\..\RunOnce: [ntck.exe] C:\WINDOWS\ntck.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/...d/fastbidx1.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/...d/fastbidx2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8098.7303240741
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab

#4 Autodad

  • Trusted Advisor
  • 2,118 posts

Posted 31 July 2004 - 08:24 PM

Hi susan,

There has been an update to Hijackthis and About:Buster since the last time you were here.
Also your Ad-aware should be updated.


Download About:Buster v2.0 from here: http://www.downloads...AboutBuster.zip
but don't run it yet.
Unzip all files from the zip folder to a folder or your desktop.
Start it and click ok.
Then click "Update". A new screen should popup.
On that screen click "Check for Updates".
If there is an update found, click "Download Updates".
If it doesn't find an update, it will automatically tell you and exit.
We will run it later.
_ _ _ _ _ _


Make sure you can view hidden and system files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


It might help to print this part out. Don't open Internet Explorer during any portion of this process.

Reboot to Safe mode (tap F8 while restarting).

Step 1:

Click on Start, then the Control Panel, then Administrative Programs, then Services. Look for a service called Network Security Service. Double-click on that service and click Stop, and then set the startup to Disabled. Also write down the name and path of the file listed in the Path to executable field. This file must be deleted below.

Step 2:

Go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for these: (if they are there)

atlfn32.exe
criv.exe


Then close task manager.

Step 3:

Open Hijackthis, click Scan, then put a check next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhyim.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vhyim.dll/index.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vhyim.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhyim.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vhyim.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vhyim.dll/sp.html#27063

O2 - BHO: (no name) - {4098B116-3E9F-6C68-3DD2-D1F9DE132411} - C:\WINDOWS\netkw.dll

O4 - HKLM\..\Run: [criv.exe] C:\WINDOWS\system32\criv.exe

O4 - HKLM\..\RunOnce: [addjb.exe] C:\WINDOWS\system32\addjb.exe
O4 - HKLM\..\RunOnce: [addyg32.exe] C:\WINDOWS\addyg32.exe
O4 - HKLM\..\RunOnce: [addwe32.exe] C:\WINDOWS\system32\addwe32.exe
O4 - HKLM\..\RunOnce: [mfcnm.exe] C:\WINDOWS\system32\mfcnm.exe
O4 - HKLM\..\RunOnce: [winzx.exe] C:\WINDOWS\winzx.exe
O4 - HKLM\..\RunOnce: [mfcup32.exe] C:\WINDOWS\system32\mfcup32.exe
O4 - HKLM\..\RunOnce: [atlov32.exe] C:\WINDOWS\system32\atlov32.exe
O4 - HKLM\..\RunOnce: [atlbl32.exe] C:\WINDOWS\system32\atlbl32.exe
O4 - HKLM\..\RunOnce: [apizn32.exe] C:\WINDOWS\apizn32.exe
O4 - HKLM\..\RunOnce: [d3fg32.exe] C:\WINDOWS\d3fg32.exe
O4 - HKLM\..\RunOnce: [wintu.exe] C:\WINDOWS\wintu.exe
O4 - HKLM\..\RunOnce: [iezn32.exe] C:\WINDOWS\iezn32.exe
O4 - HKLM\..\RunOnce: [sdkeh.exe] C:\WINDOWS\sdkeh.exe
O4 - HKLM\..\RunOnce: [addja32.exe] C:\WINDOWS\system32\addja32.exe
O4 - HKLM\..\RunOnce: [ntzy.exe] C:\WINDOWS\ntzy.exe
O4 - HKLM\..\RunOnce: [winel32.exe] C:\WINDOWS\system32\winel32.exe
O4 - HKLM\..\RunOnce: [ipfs32.exe] C:\WINDOWS\ipfs32.exe
O4 - HKLM\..\RunOnce: [addbi32.exe] C:\WINDOWS\system32\addbi32.exe
O4 - HKLM\..\RunOnce: [msdl32.exe] C:\WINDOWS\msdl32.exe
O4 - HKLM\..\RunOnce: [d3nu.exe] C:\WINDOWS\d3nu.exe
O4 - HKLM\..\RunOnce: [mfced.exe] C:\WINDOWS\mfced.exe
O4 - HKLM\..\RunOnce: [apild32.exe] C:\WINDOWS\system32\apild32.exe
O4 - HKLM\..\RunOnce: [ntvy32.exe] C:\WINDOWS\system32\ntvy32.exe
O4 - HKLM\..\RunOnce: [appas32.exe] C:\WINDOWS\system32\appas32.exe
O4 - HKLM\..\RunOnce: [crrb.exe] C:\WINDOWS\system32\crrb.exe
O4 - HKLM\..\RunOnce: [appwm.exe] C:\WINDOWS\system32\appwm.exe
O4 - HKLM\..\RunOnce: [syszj.exe] C:\WINDOWS\system32\syszj.exe
O4 - HKLM\..\RunOnce: [sysrt32.exe] C:\WINDOWS\sysrt32.exe
O4 - HKLM\..\RunOnce: [winqu.exe] C:\WINDOWS\winqu.exe
O4 - HKLM\..\RunOnce: [cryd32.exe] C:\WINDOWS\cryd32.exe
O4 - HKLM\..\RunOnce: [syspi.exe] C:\WINDOWS\syspi.exe
O4 - HKLM\..\RunOnce: [addlj.exe] C:\WINDOWS\addlj.exe
O4 - HKLM\..\RunOnce: [atlbu.exe] C:\WINDOWS\system32\atlbu.exe
O4 - HKLM\..\RunOnce: [addjp32.exe] C:\WINDOWS\system32\addjp32.exe
O4 - HKLM\..\RunOnce: [ntwd.exe] C:\WINDOWS\ntwd.exe
O4 - HKLM\..\RunOnce: [ipxs.exe] C:\WINDOWS\system32\ipxs.exe
O4 - HKLM\..\RunOnce: [crjj.exe] C:\WINDOWS\crjj.exe
O4 - HKLM\..\RunOnce: [crdi.exe] C:\WINDOWS\crdi.exe
O4 - HKLM\..\RunOnce: [ntgs.exe] C:\WINDOWS\system32\ntgs.exe
O4 - HKLM\..\RunOnce: [apphb.exe] C:\WINDOWS\apphb.exe
O4 - HKLM\..\RunOnce: [iprz.exe] C:\WINDOWS\system32\iprz.exe
O4 - HKLM\..\RunOnce: [neter.exe] C:\WINDOWS\system32\neter.exe
O4 - HKLM\..\RunOnce: [javaqv32.exe] C:\WINDOWS\javaqv32.exe
O4 - HKLM\..\RunOnce: [atldz.exe] C:\WINDOWS\atldz.exe
O4 - HKLM\..\RunOnce: [syshv32.exe] C:\WINDOWS\syshv32.exe
O4 - HKLM\..\RunOnce: [mfcnb.exe] C:\WINDOWS\system32\mfcnb.exe
O4 - HKLM\..\RunOnce: [winna32.exe] C:\WINDOWS\system32\winna32.exe
O4 - HKLM\..\RunOnce: [d3qa32.exe] C:\WINDOWS\d3qa32.exe
O4 - HKLM\..\RunOnce: [atlmp32.exe] C:\WINDOWS\atlmp32.exe
O4 - HKLM\..\RunOnce: [netdn.exe] C:\WINDOWS\system32\netdn.exe
O4 - HKLM\..\RunOnce: [addid32.exe] C:\WINDOWS\addid32.exe
O4 - HKLM\..\RunOnce: [addyo.exe] C:\WINDOWS\system32\addyo.exe
O4 - HKLM\..\RunOnce: [craj.exe] C:\WINDOWS\craj.exe
O4 - HKLM\..\RunOnce: [mfcms32.exe] C:\WINDOWS\mfcms32.exe
O4 - HKLM\..\RunOnce: [ipbi.exe] C:\WINDOWS\system32\ipbi.exe
O4 - HKLM\..\RunOnce: [apiwm.exe] C:\WINDOWS\apiwm.exe
O4 - HKLM\..\RunOnce: [netab.exe] C:\WINDOWS\netab.exe
O4 - HKLM\..\RunOnce: [d3qw32.exe] C:\WINDOWS\system32\d3qw32.exe
O4 - HKLM\..\RunOnce: [crrw.exe] C:\WINDOWS\crrw.exe
O4 - HKLM\..\RunOnce: [apius.exe] C:\WINDOWS\system32\apius.exe
O4 - HKLM\..\RunOnce: [ieff.exe] C:\WINDOWS\ieff.exe
O4 - HKLM\..\RunOnce: [apixh32.exe] C:\WINDOWS\apixh32.exe
O4 - HKLM\..\RunOnce: [winhy32.exe] C:\WINDOWS\winhy32.exe
O4 - HKLM\..\RunOnce: [netid.exe] C:\WINDOWS\system32\netid.exe
O4 - HKLM\..\RunOnce: [d3nu32.exe] C:\WINDOWS\d3nu32.exe
O4 - HKLM\..\RunOnce: [atlfn32.exe] C:\WINDOWS\atlfn32.exe
O4 - HKLM\..\RunOnce: [javafe.exe] C:\WINDOWS\javafe.exe
O4 - HKLM\..\RunOnce: [javawe.exe] C:\WINDOWS\system32\javawe.exe
O4 - HKLM\..\RunOnce: [mfclc.exe] C:\WINDOWS\mfclc.exe
O4 - HKLM\..\RunOnce: [ntmf.exe] C:\WINDOWS\system32\ntmf.exe
O4 - HKLM\..\RunOnce: [ieee.exe] C:\WINDOWS\system32\ieee.exe
O4 - HKLM\..\RunOnce: [d3ap32.exe] C:\WINDOWS\d3ap32.exe
O4 - HKLM\..\RunOnce: [syshc.exe] C:\WINDOWS\system32\syshc.exe
O4 - HKLM\..\RunOnce: [iput32.exe] C:\WINDOWS\system32\iput32.exe
O4 - HKLM\..\RunOnce: [ntck.exe] C:\WINDOWS\ntck.exe



Now Close all open Windows (have only HJT open) and click "Fix Checked".


Step 4:

Then delete the following files:

The file from step 1,

These are in: C:\Windows\

addid32.exe
addlj.exe
addyg32.exe
apixh32.exe
apiwm.exe
apizn32.exe
apphb.exe
atldz.exe
atlfn32.exe
atlmp32.exe
craj.exe
crdi.exe
crjj.exe
crrw.exe
cryd32.exe
d3ap32.exe
d3fg32.exe
d3nu32.exe
d3nu.exe
d3qa32.exe
ieff.exe
iezn32.exe
ipfs32.exe
javafe.exe
javaqv32.exe
mfced.exe
mfclc.exe
mfcms32.exe
msdl32.exe
netab.exe
netkw.dll
ntck.exe
ntwd.exe
ntzy.exe
sdkeh.exe
syshv32.exe
sysrt32.exe
syspi.exe
vhyim.dll
winhy32.exe
winqu.exe
wintu.exe
winzx.exe


And these are in: C:\WINDOWS\system32\

addbi32.exe
addja32.exe
addjb.exe
addjp32.exe
addyo.exe
addwe32.exe
apild32.exe
apius.exe
appas32.exe
appwm.exe
atlbu.exe
atlbl32.exe
atlov32.exe
criv.exe
crrb.exe
d3qw32.exe
ieee.exe
ipbi.exe
iprz.exe
iput32.exe
ipxs.exe
javawe.exe
mfcnb.exe
mfcnm.exe
mfcup32.exe
netdn.exe
neter.exe
netid.exe
ntgs.exe
ntmf.exe
ntvy32.exe
syshc.exe
syszj.exe
winel32.exe
winna32.exe



Also delete any files that have the same name as these files but end with .dll. You should see them right next to each other.

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Step 5:

Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3


If any are listed, right-click that entry in the right pane and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3


If you find it, right-click it in the right pane and choose Delete.

If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

Step 6:


Then browse to the C:\documents and settings\<Your Profile> (repeat for all users)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
This will delete all your cached internet content including cookies.

Then in Internet Explorer (when you get back to IE) click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

Step 7:

Double click AboutBuster.exe that you downloaded earlier.
Hit start and then Ok. The program should start scanning. Then hit exit and reboot.
Once rebooted run About:Buster once more to make sure everything is ok.

Step 8:

Restore files deleted by this malware.

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit the program.

If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

If you are having any problems opening the Control Panel, go here and download control.exe per the instructions at the site.

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended here: http://www.jfitz.com...ity_config.html

Step 9:

Then, take a free on-line scan at HouseCall

Step 10:

Then, clean out your System Restore
Doing this will remove all your restore points.

Click Start > Settings > Control Panel.
Double-click the System icon.
On the Performance tab click File System.
Click the Troubleshooting tab
Then check Disable System Restore
Click OK.
Click Yes, when you are prompted to restart Windows.

After you have restarted, turn System Restore back on:
Click Start > Settings > Control Panel.
Double-click System.
On the Performance tab click File System.
On the Troubleshooting tab, uncheck Disable System Restore.
Click OK. Click Yes, when you are prompted to restart Windows.

Then clean your Recycle bin.

Also update and run Ad-aware.

After you restart, please post a new HJT log.
There is a newer version of HJT out now.
Open HJT, click Config... then Misc Tools, then Check for Update online, and get v1.98
Or you can get it here: HijackThis.exe


(I'll be away for a few days, but you'll be in good hands)
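The entries Autodad singles out share a recognisable shape: start and search pages redirected into a res:// DLL resource, an unnamed BHO in C:\WINDOWS, dozens of RunOnce lines launching "<prefix><two letters>[32].exe" straight from C:\WINDOWS or system32, and O16 entries with no class name or a file:// source. The following is an added example, not a tool from this thread or from the HijackThis project: a small Python triage script that applies those checks to HijackThis-style log lines and lists the ones worth a second look. The prefix list and the sample excerpt are taken from the logs above; the regular expressions and function names are the example's own.

```python
"""Triage helper for HijackThis-style log lines (added example, not from this thread).

Flags the patterns the thread walks through: R0/R1 pages redirected into res://,
an unnamed O2 BHO dropped in the Windows directory, O4 Run/RunOnce entries that
launch a random "<prefix><xx>[32].exe" from %WINDIR% or system32, and O16 entries
with no class name or a file:// source. Hits are review hints, not verdicts.
"""
import re
from typing import List, Tuple

# Name families seen in the RunOnce entries above (add, api, app, atl, cr, d3, ...),
# two random lowercase letters, optional "32", then .exe or its .dll twin.
# Real tools such as netsh.exe also fit this shape, hence the path check below.
RANDOM_NAME = re.compile(
    r"^(?:add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(?:32)?\.(?:exe|dll)$",
    re.IGNORECASE,
)
# The variant drops directly into C:\WINDOWS or C:\WINDOWS\system32; vendor software
# started from Run normally lives under Program Files.
DROP_DIRS = re.compile(r"^C:\\WINDOWS(?:\\system32)?\\([^\\]+)$", re.IGNORECASE)
ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def executable_path(body: str) -> str:
    """Path part of an O4 body: text after the [name] token, unquoted, arguments dropped."""
    _, _, rest = body.partition("] ")
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" ", 1)[0]


def flag_entry(line: str) -> List[str]:
    """Reasons one log line deserves a second look; empty list for benign-looking lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons: List[str] = []

    if code in ("R0", "R1") and "= res://" in body:
        reasons.append("IE start/search page points into a res:// DLL resource (browser hijack)")

    if code == "O2":
        d = DROP_DIRS.match(body.rsplit(" - ", 1)[-1])
        if "(no name)" in body and d and RANDOM_NAME.match(d.group(1)):
            reasons.append("unnamed BHO with a random filename loaded from the Windows directory")

    if code == "O4":
        d = DROP_DIRS.match(executable_path(body))
        if d and RANDOM_NAME.match(d.group(1)):
            key = "RunOnce" if "RunOnce" in body else "Run"
            reasons.append(f"{key} entry launches random-named {d.group(1)} from the Windows directory")

    if code == "O16":
        head, _, src = body.rpartition(" - ")
        if src.lower().startswith("file://"):
            reasons.append("downloaded-program entry sourced from a local file:// path")
        if "(" not in head:
            reasons.append("O16 entry carries no class name")
    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Run flag_entry over every line and return (line, reasons) for flagged lines only."""
    flagged = []
    for line in log.splitlines():
        reasons = flag_entry(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


# Constructed excerpt in the shape of the log posted above (a few lines, URLs as logged).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhyim.dll/sp.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vhyim.dll/index.html#27063
O2 - BHO: (no name) - {4098B116-3E9F-6C68-3DD2-D1F9DE132411} - C:\WINDOWS\netkw.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [criv.exe] C:\WINDOWS\system32\criv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [addjb.exe] C:\WINDOWS\system32\addjb.exe
O4 - HKLM\..\RunOnce: [atlfn32.exe] C:\WINDOWS\atlfn32.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Seven of the ten sample lines are flagged; the Norton BHO, the quoted ccApp entry under Program Files and the named Shockwave O16 entry pass, which is the same split Autodad made by hand.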

#5 susan

  • New Member
  • 3 posts

Posted 03 August 2004 - 11:27 PM

I followed your instructions and my computer is working much quicker.

I could not find a Network Security Services file in the administrative programs. I found Network DDE and Network DDE DSDM.

On the old HJT log the HKCU entries were all \vhyim.dll...#27063. When I went to delete everything you had written, most were not found. The HKCU entries were all \nldju.dll...#27063.

I could not delete wintu.exe from Windows, or criv.exe from System32.

Everything else seemed to go okay.

Thanks.

susan

#6 Racktracker

  • Retired Staff
  • 1,306 posts

Posted 04 August 2004 - 03:08 PM

Hi susan
Autodad is away on vacation this week and he asked if I would help you out while he is gone.

You should post a fresh hijackthis log so we can check it over for you.