Need help hijackthis


5 replies to this topic

#1 Dookz

Posted 14 July 2004 - 02:08 PM

I've used adware and spybot removals but Pop-ups and bad homepages keep coming back along with slightly slow performance.

Logfile of HijackThis v1.97.7
Scan saved at 3:03:26 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\SSBRLA\InSight\ARUpld32.exe
C:\SSBRLA\InSight\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\vnxserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\atlmy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\apiss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Alexander Duque.DUQUE\Desktop\Games\Adwares remover\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\twffo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://twffo.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://twffo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\twffo.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://twffo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\twffo.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3961A393-4FBC-54F8-3D1B-12335B7881AF} - C:\WINDOWS\addjq32.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [apiss.exe] C:\WINDOWS\system32\apiss.exe
O4 - HKLM\..\RunServices: [AccessRampLAN 01] C:\SSBRLA\Insight\ArUpld32.exe
O4 - HKLM\..\RunServices: [AccessRampMonitor 01] C:\SSBRLA\Insight\ArMon32a.exe
O4 - HKCU\..\Run: [SuperRam] "C:\Program Files\SuperRam\SuperRam.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [mfcta32.exe] C:\WINDOWS\mfcta32.exe
O4 - HKLM\..\RunOnce: [atlmy.exe] C:\WINDOWS\system32\atlmy.exe
O4 - HKLM\..\RunOnce: [apibt.exe] C:\WINDOWS\apibt.exe
O4 - HKLM\..\RunOnce: [netif.exe] C:\WINDOWS\system32\netif.exe
O4 - HKLM\..\RunOnce: [netvk32.exe] C:\WINDOWS\netvk32.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: MoneySide (HKLM)

#2 Racktracker

Posted 14 July 2004 - 09:23 PM

Download About:Buster from Here (but don't run it yet)

http://www.downloads...AboutBuster.zip

Unzip it to your desktop.

Run another hijackthis scan. Place a check next to the following entries, then close all open windows and click the fix button.

O2 - BHO: (no name) - {3961A393-4FBC-54F8-3D1B-12335B7881AF} - C:\WINDOWS\addjq32.dll
O4 - HKLM\..\Run: [apiss.exe] C:\WINDOWS\system32\apiss.exe
O4 - HKLM\..\RunOnce: [mfcta32.exe] C:\WINDOWS\mfcta32.exe
O4 - HKLM\..\RunOnce: [atlmy.exe] C:\WINDOWS\system32\atlmy.exe
O4 - HKLM\..\RunOnce: [apibt.exe] C:\WINDOWS\apibt.exe
O4 - HKLM\..\RunOnce: [netif.exe] C:\WINDOWS\system32\netif.exe
O4 - HKLM\..\RunOnce: [netvk32.exe] C:\WINDOWS\netvk32.exe

Close hijackthis.
Open About:buster and hit Ok, then Start, then Ok to start the scan. The scan should take a few seconds. Once it is done save the report. Post the report and a new Hijack this log here.

#3 Dookz

Posted 18 July 2004 - 01:33 PM

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\ronyn.dat
Removed! : C:\WINDOWS\ronyn.dll
Error Removing! : C:\WINDOWS\System32\atlmy.exe
Removed! : C:\WINDOWS\System32\qeiwc.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


Logfile of HijackThis v1.97.7
Scan saved at 2:33:04 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\SSBRLA\InSight\ARUpld32.exe
C:\SSBRLA\InSight\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\vnxserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\atlmy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\apiss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Alexander Duque.DUQUE\Desktop\Games\Adwares remover\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EE68202E-7278-D318-0378-FD11A3F795EB} - C:\WINDOWS\system32\d3yk32.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [apiss.exe] C:\WINDOWS\system32\apiss.exe
O4 - HKLM\..\RunServices: [AccessRampLAN 01] C:\SSBRLA\Insight\ArUpld32.exe
O4 - HKLM\..\RunServices: [AccessRampMonitor 01] C:\SSBRLA\Insight\ArMon32a.exe
O4 - HKCU\..\Run: [SuperRam] "C:\Program Files\SuperRam\SuperRam.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [ipti32.exe] C:\WINDOWS\ipti32.exe
O4 - HKLM\..\RunOnce: [addwy32.exe] C:\WINDOWS\addwy32.exe
O4 - HKLM\..\RunOnce: [mfcte.exe] C:\WINDOWS\mfcte.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: MoneySide (HKLM)
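
An added example, not part of any post in this thread: comparing the two HijackThis scans against the fix list shows which flagged entries are gone, which are still present, and which entries are new in the second scan. The log lines are excerpts copied from the posts above; the names `parse` and `compare` belong to this example only.

```python
import re

# Entries the helper asked to have fixed (copied from post #2).
FIX_LIST = r"""
O2 - BHO: (no name) - {3961A393-4FBC-54F8-3D1B-12335B7881AF} - C:\WINDOWS\addjq32.dll
O4 - HKLM\..\Run: [apiss.exe] C:\WINDOWS\system32\apiss.exe
O4 - HKLM\..\RunOnce: [mfcta32.exe] C:\WINDOWS\mfcta32.exe
O4 - HKLM\..\RunOnce: [atlmy.exe] C:\WINDOWS\system32\atlmy.exe
O4 - HKLM\..\RunOnce: [apibt.exe] C:\WINDOWS\apibt.exe
O4 - HKLM\..\RunOnce: [netif.exe] C:\WINDOWS\system32\netif.exe
O4 - HKLM\..\RunOnce: [netvk32.exe] C:\WINDOWS\netvk32.exe
"""
# Excerpt of the 14 July scan: the fix list plus two other entries from that log.
SCAN_1 = FIX_LIST + r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://twffo.dll/index.html#96676
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""
# Excerpt of the 18 July scan.
SCAN_2 = r"""
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EE68202E-7278-D318-0378-FD11A3F795EB} - C:\WINDOWS\system32\d3yk32.dll
O4 - HKLM\..\Run: [apiss.exe] C:\WINDOWS\system32\apiss.exe
O4 - HKLM\..\RunOnce: [ipti32.exe] C:\WINDOWS\ipti32.exe
O4 - HKLM\..\RunOnce: [addwy32.exe] C:\WINDOWS\addwy32.exe
O4 - HKLM\..\RunOnce: [mfcte.exe] C:\WINDOWS\mfcte.exe
"""
# Section code (R0, F2, O4, ...) followed by " - " and the entry detail.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse(log):
    """Return the set of (section, detail) entries; process paths and headers are skipped."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def compare(before, after, fix_list):
    """Classify entries across two scans relative to the entries marked for fixing."""
    b, a, f = parse(before), parse(after), parse(fix_list)
    return {"fixed": sorted(f - a),     # marked for fixing, absent from the later scan
            "survived": sorted(f & a),  # marked for fixing, still present
            "new": sorted(a - b)}       # absent from the earlier scan

if __name__ == "__main__":
    for kind, items in compare(SCAN_1, SCAN_2, FIX_LIST).items():
        print(kind, *("  %s - %s" % e for e in items), sep="\n")
```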

#4 Racktracker

Posted 19 July 2004 - 07:07 PM

About:buster has been updated. Download the new version here.

http://www.downloads...AboutBuster.zip

Unzip it to your desktop.

Then boot into safe mode and run about:buster.

Then reboot back into normal mode and post your new hijackthis log and about:buster report.

#5 Dookz

Posted 23 July 2004 - 01:37 PM

I'm sorry, but how do I reboot in safe mode?

#6 Racktracker

Posted 23 July 2004 - 01:42 PM

In my previous post the word safe mode is a link. Just click on it and it will take you to a page that gives instructions on booting to safe mode.