VERY SLOW XP logon

15 replies to this topic

#1 shabih (Full Member, 10 posts)

Posted 15 July 2004 - 08:12 PM

I can start Windows XP, but when I try to log on to a user account it takes a really long time. In Windows 2000 it runs fine. Here's my HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 9:10:59 PM, on 7/15/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
C:\Program Files\VerizonDSL\IPInsight\ARMon32a.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\VerizonDSL\WinPoET\WrOS.EXE
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
D:\Program Files\BullGuard\vsserv.exe
C:\WINNT\Explorer.exe
C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
D:\LogiTray.exe
C:\WINNT\loadqm.exe
D:\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\BullGuard\bdmcon.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
D:\LowLight.exe
C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
D:\AIM\aim.exe
D:\Mozilla\MozillaFirebird\MozillaFirebird.exe
C:\WINNT\Dotest.exe
D:\Shabih\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WindowsUpd] C:\WINNT\WindowsUpd1.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\LogiTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\WindowsUpd1.exe
O4 - HKLM\..\Run: [Symantec Security Routine Addon] navpaw.exe
O4 - HKLM\..\Run: [IE Loader] nsc32.exe
O4 - HKLM\..\Run: [IE Processes] nosc32.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [qwqkeatv] C:\WINNT\System32\ynoxtr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [WindowsUpd1] C:\WINNT\WindowsUpd1.exe
O4 - HKLM\..\Run: [BDMCon] D:\PROGRA~1\BULLGU~1\bdmcon.exe
O4 - HKLM\..\RunServices: [Symantec Security Routine Addon] navpaw.exe
O4 - HKLM\..\RunServices: [IE Loader] nsc32.exe
O4 - HKLM\..\RunServices: [IE Processes] nosc32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WhatPulse] D:\Shabih\whatpulse\WhatPulse.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7189BA6-9C07-4351-9B0E-931CA2EBA68C}: NameServer = 199.45.32.43 199.45.32.38

#2 shabih (Full Member, 10 posts)

Posted 15 July 2004 - 09:41 PM

By the way, I've tried BullGuard, Ad-Aware, and Spybot S&D.

#3 shabih (Full Member, 10 posts)

Posted 16 July 2004 - 12:16 AM

Please help me soon, most of the programs don't work on 2k now :-/

#4 WinHelp2002 (Taking back the Internet; Global Moderator, 5,365 posts)

Posted 16 July 2004 - 05:21 AM

Hi,
First thing to do is ...

Update Ad-Aware's Reference File: instructions here

Required Step: Reconfigure Ad-Aware for Full Scan

Note: do not run Ad-Aware yet, just update and reconfigure.

Next:

Reconfigure Windows Explorer to show Hidden Files: [required step]
Open the Windows Explorer | Tools | Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WindowsUpd] C:\WINNT\WindowsUpd1.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\WindowsUpd1.exe
O4 - HKLM\..\Run: [IE Loader] nsc32.exe
O4 - HKLM\..\Run: [IE Processes] nosc32.exe
O4 - HKLM\..\Run: [qwqkeatv] C:\WINNT\System32\ynoxtr.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [WindowsUpd1] C:\WINNT\WindowsUpd1.exe
O4 - HKLM\..\RunServices: [IE Loader] nsc32.exe
O4 - HKLM\..\RunServices: [IE Processes] nosc32.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\Program Files\INCREDIFIND <--this folder
C:\Program Files\VBouncer <--this folder
C:\WINNT\WindowsUpd1.exe <--this file
C:\WINNT\System32\ynoxtr.exe <--this file
C:\WINNT\alchem.exe <--this file
nsc32.exe <--this file
nosc32.exe <--this file (Win32.Boxbot.B)
Note: locate the last 2 via Start > Search > Advanced Options

While still in Safe Mode run Ad-Aware and fix everything it finds.

Restart normally and then ... Download HijackThis! 1.98

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 shabih (Full Member, 10 posts)

Posted 16 July 2004 - 01:57 PM

I did everything you asked...

Logfile of HijackThis v1.97.7
Scan saved at 2:50:17 PM, on 7/16/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
C:\Program Files\VerizonDSL\IPInsight\ARMon32a.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\VerizonDSL\WinPoET\WrOS.EXE
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
D:\Program Files\BullGuard\vsserv.exe
C:\WINNT\Explorer.exe
C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
D:\LogiTray.exe
C:\WINNT\loadqm.exe
D:\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\LowLight.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
D:\AIM\aim.exe
D:\mIRC\mirc.exe
D:\Shabih\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\LogiTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Symantec Security Routine Addon] navpaw.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] D:\PROGRA~1\BULLGU~1\bdmcon.exe
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\RunServices: [Symantec Security Routine Addon] navpaw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WhatPulse] D:\Shabih\whatpulse\WhatPulse.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7189BA6-9C07-4351-9B0E-931CA2EBA68C}: NameServer = 199.45.32.43 199.45.32.38

BUT I still can't log on to XP... The screen to choose which account to go into comes up, and it logs on to the account. Then the desktop wallpaper just shows up, and that's it. Then I go to the Task Manager and check the processes, and every time there are new things running that I know I didn't put on there.
Here are some of them (I would put a screenshot but I can't get into XP :-/):
ntye32.exe
javahl.exe
ipvj32.exe
netcm32.exe
apixk.exe
iexy32.exe
apinzs.exe
ieed32.exe
crxf.exe
mswy.exe
netvx32.exe
javaki32.exe

#6 WinHelp2002 (Taking back the Internet; Global Moderator, 5,365 posts)

Posted 16 July 2004 - 04:09 PM

Hi,
Your log is clean now ... good job!

Well, by looking at that list of files, it looks like XP is infected with a version of CWS.
Several of the files you list match the same ones in this log here

1) Are you dual-booting 2k & XP?
2) If so, can you view the XP files from 2K?
3) Can you get XP to start in Safe Mode? (see "How To" below)

If you can get into Safe Mode, run HijackThis from there

Download HijackThis! 1.98

Edited by WinHelp2002, 16 July 2004 - 04:11 PM.


#7 shabih (Full Member, 10 posts)

Posted 16 July 2004 - 05:08 PM

1) Yes, I have a dual-boot with 2k and XP
2) Yes, the XP files are on the E: partition on my computer
3) Yes, and I ran HijackThis

Logfile of HijackThis v1.98.0
Scan saved at 6:01:00 PM, on 7/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS1\System32\smss.exe
E:\WINDOWS1\system32\winlogon.exe
E:\WINDOWS1\system32\services.exe
E:\WINDOWS1\system32\lsass.exe
E:\WINDOWS1\system32\svchost.exe
E:\WINDOWS1\system32\svchost.exe
E:\Program Files\Common Files\Stardock\SDMCP.exe
E:\WINDOWS1\Explorer.EXE
D:\Shabih\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayygn.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ayygn.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS1\ayygn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayygn.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27C21F83-683C-675C-3EAF-DB7FF6EDC4F8} - E:\WINDOWS1\system32\crhw32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS1\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mfcup.exe] E:\WINDOWS1\system32\mfcup.exe
O4 - HKLM\..\Run: [Configuration Loader] zonealarm.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] xnfphfg.exe
O4 - HKLM\..\Run: [WhenUSave] "E:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [WhenUSearch] "E:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [BDMCon] E:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BGNewsAgent] e:\program files\bullguard\bgnewsag.exe
O4 - HKLM\..\RunServices: [Configuration Loader] zonealarm.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] xnfphfg.exe
O4 - HKLM\..\RunOnce: [d3qr32.exe] E:\WINDOWS1\d3qr32.exe
O4 - HKLM\..\RunOnce: [syswu32.exe] E:\WINDOWS1\system32\syswu32.exe
O4 - HKLM\..\RunOnce: [ntcg.exe] E:\WINDOWS1\system32\ntcg.exe
O4 - HKLM\..\RunOnce: [ntca.exe] E:\WINDOWS1\system32\ntca.exe
O4 - HKLM\..\RunOnce: [d3tt.exe] E:\WINDOWS1\d3tt.exe
O4 - HKLM\..\RunOnce: [sysri.exe] E:\WINDOWS1\sysri.exe
O4 - HKLM\..\RunOnce: [msjy.exe] E:\WINDOWS1\msjy.exe
O4 - HKLM\..\RunOnce: [javavy.exe] E:\WINDOWS1\javavy.exe
O4 - HKLM\..\RunOnce: [d3gw.exe] E:\WINDOWS1\d3gw.exe
O4 - HKLM\..\RunOnce: [apirl32.exe] E:\WINDOWS1\apirl32.exe
O4 - HKLM\..\RunOnce: [addqw.exe] E:\WINDOWS1\system32\addqw.exe
O4 - HKLM\..\RunOnce: [addet.exe] E:\WINDOWS1\addet.exe
O4 - HKLM\..\RunOnce: [winjf.exe] E:\WINDOWS1\system32\winjf.exe
O4 - HKLM\..\RunOnce: [ipxr.exe] E:\WINDOWS1\ipxr.exe
O4 - HKLM\..\RunOnce: [winpf.exe] E:\WINDOWS1\winpf.exe
O4 - HKLM\..\RunOnce: [javafd.exe] E:\WINDOWS1\system32\javafd.exe
O4 - HKLM\..\RunOnce: [atlgo.exe] E:\WINDOWS1\system32\atlgo.exe
O4 - HKLM\..\RunOnce: [ievz32.exe] E:\WINDOWS1\system32\ievz32.exe
O4 - HKLM\..\RunOnce: [ipvj32.exe] E:\WINDOWS1\ipvj32.exe
O4 - HKLM\..\RunOnce: [javahl.exe] E:\WINDOWS1\javahl.exe
O4 - HKLM\..\RunOnce: [crxp32.exe] E:\WINDOWS1\system32\crxp32.exe
O4 - HKLM\..\RunOnce: [netcm32.exe] E:\WINDOWS1\system32\netcm32.exe
O4 - HKLM\..\RunOnce: [ntye32.exe] E:\WINDOWS1\system32\ntye32.exe
O4 - HKLM\..\RunOnce: [javaol32.exe] E:\WINDOWS1\javaol32.exe
O4 - HKLM\..\RunOnce: [ipsn32.exe] E:\WINDOWS1\system32\ipsn32.exe
O4 - HKLM\..\RunOnce: [netdy32.exe] E:\WINDOWS1\system32\netdy32.exe
O4 - HKLM\..\RunOnce: [sdkrz32.exe] E:\WINDOWS1\system32\sdkrz32.exe
O4 - HKLM\..\RunOnce: [mfcdd32.exe] E:\WINDOWS1\mfcdd32.exe
O4 - HKLM\..\RunOnce: [apixk.exe] E:\WINDOWS1\apixk.exe
O4 - HKLM\..\RunOnce: [appry.exe] E:\WINDOWS1\system32\appry.exe
O4 - HKLM\..\RunOnce: [mskr32.exe] E:\WINDOWS1\system32\mskr32.exe
O4 - HKLM\..\RunOnce: [iexy32.exe] E:\WINDOWS1\system32\iexy32.exe
O4 - HKLM\..\RunOnce: [apinz.exe] E:\WINDOWS1\apinz.exe
O4 - HKLM\..\RunOnce: [ieed32.exe] E:\WINDOWS1\system32\ieed32.exe
O4 - HKLM\..\RunOnce: [crxf.exe] E:\WINDOWS1\crxf.exe
O4 - HKLM\..\RunOnce: [atlmq.exe] E:\WINDOWS1\system32\atlmq.exe
O4 - HKLM\..\RunOnce: [mswy.exe] E:\WINDOWS1\mswy.exe
O4 - HKLM\..\RunOnce: [netvx32.exe] E:\WINDOWS1\system32\netvx32.exe
O4 - HKLM\..\RunOnce: [msgw32.exe] E:\WINDOWS1\msgw32.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] D:\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [Microsoft Update Machine] xnfphfg.exe
O4 - HKCU\..\Run: [Configuration Loader] zonealarm.exe
O4 - HKCU\..\Run: [Ruon] E:\Documents and Settings\Shabih\Application Data\ibma.exe
O4 - HKCU\..\Run: [Uisguus] E:\WINDOWS1\System32\vaihhix.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS1\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS1\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...lim/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - E:\WINDOWS1\msopt.dll
O20 - AppInit_DLLs: sockspy.dll
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - E:\Program Files\Common Files\Stardock\MCPCore.dll

Guess the log doesn't look so clean now

#8 shabih (Full Member, 10 posts)

Posted 16 July 2004 - 07:59 PM

I hope I'm almost there...

#9 shabih (Full Member, 10 posts)

Posted 16 July 2004 - 09:57 PM

Gonna bump it up one more time before I go, so hopefully I can have it fixed tomorrow.

#10 WinHelp2002 (Taking back the Internet; Global Moderator, 5,365 posts)

Posted 17 July 2004 - 03:45 AM

Hi,
Just as I figured ... you have several trojans, some adware and CWS!

I assume that log was from Safe Mode?

Note: there are no automated removal tools for CWS, the best method is to use System Restore to "restore" the machine to a Date prior to the CWS infection.

To do this, locate the following file:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129

Right-click and select: Properties = "Date created"
Run System Restore and select a Date prior to the "Date created"

To start System Restore = Start > Help
[or]
How to start the System Restore tool at a command prompt in Windows XP
http://support.micro...om/?kbid=304449

[otherwise]
Reconfigure Ad-Aware to scan "E:\" only ...
Settings | "Click here to select drives and folders"

After the above rescan with HijackThis and post a fresh log ...
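A small triage script for HijackThis-style log lines, added here as an example (it is not HijackThis and not a tool from this thread): it pulls out the three things the replies in #4 and #10 key on, O4 autostarts listed only as a bare file name, R0/R1 search settings pointing at a res:// DLL whose "Date created" is to be checked, and a pile of RunOnce entries. The sample lines are constructed from the line shapes seen in the thread, and the RunOnce threshold of 5 is an assumed cut-off, not a HijackThis rule.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis
itself and not a tool from this thread).

It extracts three patterns: O4 autostarts that name only a bare file (the
reason the reply says "locate the last 2 via Start > Search"), R0/R1 settings
that point at a res:// DLL (the CWS marker whose "Date created" picks the
System Restore point), and a flood of RunOnce entries.
"""
import re
from dataclasses import dataclass

# Constructed sample: line shapes copied from the thread, not a full log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IE Loader] nsc32.exe
O4 - HKLM\..\RunServices: [IE Loader] nsc32.exe
O4 - HKLM\..\RunOnce: [d3qr32.exe] E:\WINDOWS1\d3qr32.exe
O4 - HKLM\..\RunOnce: [ntcg.exe] E:\WINDOWS1\system32\ntcg.exe
O4 - HKLM\..\RunOnce: [javahl.exe] E:\WINDOWS1\javahl.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] xnfphfg.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
"""

# O4 registry autostarts look like: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1 IE settings look like: "R1 - <registry value> = <target>"
R_RE = re.compile(r"^(?P<kind>R[0-3]) - (?P<setting>.+?) = (?P<value>.+)$")
RES_DLL_RE = re.compile(r"^res://(?P<dll>[^/]+\.dll)", re.IGNORECASE)


@dataclass
class Autostart:
    hive: str
    key: str        # Run, RunServices, RunOnce, ...
    name: str
    program: str

    @property
    def has_directory(self) -> bool:
        # A bare file name is resolved through the search path at logon; the
        # log alone does not say where it lives, hence Start > Search.
        return "\\" in self.program or ":" in self.program


def _program(cmd: str) -> str:
    """Return the program part of a Run value, honouring quotes and spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    if idx != -1:
        return cmd[: idx + 4]          # unquoted paths may contain spaces
    return cmd.split()[0] if cmd else cmd


def parse_o4(line: str):
    m = O4_RE.match(line)
    if not m:
        return None
    return Autostart(m["hive"], m["key"], m["name"], _program(m["cmd"]))


def parse_res_dll(line: str):
    """For an R0/R1 line, return the DLL behind a res:// target, else None."""
    m = R_RE.match(line)
    if not m:
        return None
    r = RES_DLL_RE.match(m["value"])
    return r["dll"] if r else None


def triage(log_text: str, runonce_threshold: int = 5) -> dict:
    """Classify one log. The bare-name list is a lead for locating files,
    not a malice verdict: mobsync.exe is bare and legitimate."""
    bare, res_dlls, runonce = [], [], 0
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_o4(line)
        if entry:
            if entry.key == "RunOnce":
                runonce += 1
            if not entry.has_directory:
                bare.append(entry)
            continue
        dll = parse_res_dll(line)
        if dll and dll not in res_dlls:
            res_dlls.append(dll)
    return {
        "bare_autostarts": bare,
        "res_dlls": res_dlls,                  # check "Date created" on these
        "runonce_count": runonce,
        "runonce_flood": runonce >= runonce_threshold,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```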

#11 shabih (Full Member, 10 posts)

Posted 17 July 2004 - 02:07 PM

I'd rather do the System Restore as a last resort, because the file was created June 16th. So I ran Ad-Aware on the E: drive and it fixed some stuff, but XP still won't get past the desktop wallpaper. Here's the log I got in Safe Mode on XP after running Ad-Aware.

Logfile of HijackThis v1.98.0
Scan saved at 2:30:08 PM, on 7/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS1\System32\smss.exe
E:\WINDOWS1\system32\winlogon.exe
E:\WINDOWS1\system32\services.exe
E:\WINDOWS1\system32\lsass.exe
E:\WINDOWS1\system32\svchost.exe
E:\WINDOWS1\system32\svchost.exe
E:\Program Files\Common Files\Stardock\SDMCP.exe
E:\WINDOWS1\Explorer.EXE
D:\Shabih\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayygn.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ayygn.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS1\ayygn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayygn.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36CC7432-49FC-4CA0-A19B-542646CAFF53} - E:\WINDOWS1\system32\mfcga.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS1\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mfcup.exe] E:\WINDOWS1\system32\mfcup.exe
O4 - HKLM\..\Run: [Configuration Loader] zonealarm.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] xnfphfg.exe
O4 - HKLM\..\Run: [WhenUSave] "E:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [WhenUSearch] "E:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [BDMCon] E:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BGNewsAgent] e:\program files\bullguard\bgnewsag.exe
O4 - HKLM\..\RunServices: [Configuration Loader] zonealarm.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] xnfphfg.exe
O4 - HKLM\..\RunOnce: [javavy.exe] E:\WINDOWS1\javavy.exe
O4 - HKLM\..\RunOnce: [d3gw.exe] E:\WINDOWS1\d3gw.exe
O4 - HKLM\..\RunOnce: [apirl32.exe] E:\WINDOWS1\apirl32.exe
O4 - HKLM\..\RunOnce: [addqw.exe] E:\WINDOWS1\system32\addqw.exe
O4 - HKLM\..\RunOnce: [addet.exe] E:\WINDOWS1\addet.exe
O4 - HKLM\..\RunOnce: [winjf.exe] E:\WINDOWS1\system32\winjf.exe
O4 - HKLM\..\RunOnce: [ipxr.exe] E:\WINDOWS1\ipxr.exe
O4 - HKLM\..\RunOnce: [winpf.exe] E:\WINDOWS1\winpf.exe
O4 - HKLM\..\RunOnce: [javafd.exe] E:\WINDOWS1\system32\javafd.exe
O4 - HKLM\..\RunOnce: [atlgo.exe] E:\WINDOWS1\system32\atlgo.exe
O4 - HKLM\..\RunOnce: [ievz32.exe] E:\WINDOWS1\system32\ievz32.exe
O4 - HKLM\..\RunOnce: [ipvj32.exe] E:\WINDOWS1\ipvj32.exe
O4 - HKLM\..\RunOnce: [javahl.exe] E:\WINDOWS1\javahl.exe
O4 - HKLM\..\RunOnce: [crxp32.exe] E:\WINDOWS1\system32\crxp32.exe
O4 - HKLM\..\RunOnce: [netcm32.exe] E:\WINDOWS1\system32\netcm32.exe
O4 - HKLM\..\RunOnce: [ntye32.exe] E:\WINDOWS1\system32\ntye32.exe
O4 - HKLM\..\RunOnce: [javaol32.exe] E:\WINDOWS1\javaol32.exe
O4 - HKLM\..\RunOnce: [ipsn32.exe] E:\WINDOWS1\system32\ipsn32.exe
O4 - HKLM\..\RunOnce: [netdy32.exe] E:\WINDOWS1\system32\netdy32.exe
O4 - HKLM\..\RunOnce: [sdkrz32.exe] E:\WINDOWS1\system32\sdkrz32.exe
O4 - HKLM\..\RunOnce: [mfcdd32.exe] E:\WINDOWS1\mfcdd32.exe
O4 - HKLM\..\RunOnce: [apixk.exe] E:\WINDOWS1\apixk.exe
O4 - HKLM\..\RunOnce: [appry.exe] E:\WINDOWS1\system32\appry.exe
O4 - HKLM\..\RunOnce: [mskr32.exe] E:\WINDOWS1\system32\mskr32.exe
O4 - HKLM\..\RunOnce: [iexy32.exe] E:\WINDOWS1\system32\iexy32.exe
O4 - HKLM\..\RunOnce: [apinz.exe] E:\WINDOWS1\apinz.exe
O4 - HKLM\..\RunOnce: [ieed32.exe] E:\WINDOWS1\system32\ieed32.exe
O4 - HKLM\..\RunOnce: [crxf.exe] E:\WINDOWS1\crxf.exe
O4 - HKLM\..\RunOnce: [atlmq.exe] E:\WINDOWS1\system32\atlmq.exe
O4 - HKLM\..\RunOnce: [mswy.exe] E:\WINDOWS1\mswy.exe
O4 - HKLM\..\RunOnce: [netvx32.exe] E:\WINDOWS1\system32\netvx32.exe
O4 - HKLM\..\RunOnce: [msgw32.exe] E:\WINDOWS1\msgw32.exe
O4 - HKLM\..\RunOnce: [d3qr32.exe] E:\WINDOWS1\d3qr32.exe
O4 - HKLM\..\RunOnce: [syswu32.exe] E:\WINDOWS1\system32\syswu32.exe
O4 - HKLM\..\RunOnce: [ntcg.exe] E:\WINDOWS1\system32\ntcg.exe
O4 - HKLM\..\RunOnce: [ntca.exe] E:\WINDOWS1\system32\ntca.exe
O4 - HKLM\..\RunOnce: [d3tt.exe] E:\WINDOWS1\d3tt.exe
O4 - HKLM\..\RunOnce: [sysri.exe] E:\WINDOWS1\sysri.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] D:\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [Microsoft Update Machine] xnfphfg.exe
O4 - HKCU\..\Run: [Configuration Loader] zonealarm.exe
O4 - HKCU\..\Run: [Ruon] E:\Documents and Settings\Shabih\Application Data\ibma.exe
O4 - HKCU\..\Run: [Uisguus] E:\WINDOWS1\System32\vaihhix.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS1\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS1\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...lim/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - E:\WINDOWS1\msopt.dll
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - E:\Program Files\Common Files\Stardock\MCPCore.dll

#12 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 17 July 2004 - 02:48 PM

Hi,
You can use this link as a guide; read it entirely before proceeding.
http://forums.spywar...showtopic=12609

Download: About:Buster 1.30
http://www.majorgeek...wnload4289.html
Follow the instructions on the page ...

Download CWShredder v1.59.1
Run CWShredder after running "About:Buster"

Then while still in Safe Mode run Ad-Aware again.


Next: run an online scan at: Trend Micro HouseCall
http://housecall.ant...m/pc_housecall/

After the above rescan with HijackThis and post a fresh log.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans with a HOSTS file: http://www.mvps.org/...p2002/hosts.htm

#13 shabih

    Member

  • Full Member
  • 10 posts

Posted 17 July 2004 - 05:36 PM

Thank you sooooooooooo much, I'm back on XP and it's running perfectly. Here's the latest HJT log.

Logfile of HijackThis v1.98.0
Scan saved at 6:36:19 PM, on 7/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS1\System32\smss.exe
E:\WINDOWS1\system32\winlogon.exe
E:\WINDOWS1\system32\services.exe
E:\WINDOWS1\system32\lsass.exe
E:\WINDOWS1\system32\svchost.exe
E:\WINDOWS1\System32\svchost.exe
E:\WINDOWS1\system32\spoolsv.exe
E:\Program Files\Common Files\Stardock\SDMCP.exe
E:\WINDOWS1\Explorer.EXE
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\program files\bullguard\bgnewsag.exe
E:\Program Files\Messenger\msmsgs.exe
D:\AIM\aim.exe
E:\WINDOWS1\System32\svchost.exe
E:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
E:\WINDOWS1\system32\crxp32.exe
E:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
E:\Program Files\BullGuard\vsserv.exe
D:\Mozilla\Mozilla Firefox\firefox.exe
D:\Shabih\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27C21F83-683C-675C-3EAF-DB7FF6EDC4F8} - E:\WINDOWS1\system32\crhw32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS1\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BDMCon] E:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BGNewsAgent] e:\program files\bullguard\bgnewsag.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Extreme Messenger for AIM] D:\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...lim/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD7E44D5-1822-4F36-A943-501EA5521733}: NameServer = 199.45.32.43 199.45.32.38
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - E:\Program Files\Common Files\Stardock\MCPCore.dll

#14 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 17 July 2004 - 08:46 PM

Hi,
Your log looks clean now ... good job!

Just one minor item ...

Have HijackThis fix the following:

R3 - Default URLSearchHook is missing

Then reboot. On restart, open Control Panel | Internet Options | Programs [tab]
Click the "Reset web settings" button, then click Apply\Ok

Now ... one of the reasons you got hijacked ...

Important! Your system is severely out of date!
Visit Windows Update and install all the "Critical Updates"

I would suggest adding some "Defense" to your system ...
How To: Prevent this from happening again?
Mike

#15 shabih

    Member

  • Full Member
  • 10 posts

Posted 19 July 2004 - 08:56 PM

I'm baaaaaaack... After I leave my computer on for a few hours it starts getting slow again. I have to keep going into HJT and fixing things to make it get back to normal speed again. Here's my latest log before fixing the stuff.

Logfile of HijackThis v1.98.0
Scan saved at 9:19:41 PM, on 7/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS1\System32\smss.exe
E:\WINDOWS1\system32\winlogon.exe
E:\WINDOWS1\system32\services.exe
E:\WINDOWS1\system32\lsass.exe
E:\WINDOWS1\system32\svchost.exe
E:\WINDOWS1\System32\svchost.exe
E:\WINDOWS1\system32\spoolsv.exe
E:\Program Files\Common Files\Stardock\SDMCP.exe
E:\WINDOWS1\System32\svchost.exe
E:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
E:\WINDOWS1\system32\crxp32.exe
E:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\BullGuard\bgnewsag.exe
E:\WINDOWS1\system32\crhw32.exe
D:\AIM\aim.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS1\system32\winlogon.exe
D:\mIRC\mirc.exe
E:\WINDOWS1\explorer.exe
E:\Program Files\BullGuard\bdmcon.exe
E:\Program Files\BullGuard\vsserv.exe
E:\WINDOWS1\system32\winlogon.exe
E:\WINDOWS1\system32\winlogon.exe
D:\shabih\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\qvakd.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvakd.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qvakd.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS1\qvakd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\qvakd.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvakd.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0BC171EC-69B1-8323-283F-055923F172A8} - E:\WINDOWS1\mfcqy32.dll
O2 - BHO: (no name) - {27C21F83-683C-675C-3EAF-DB7FF6EDC4F8} - E:\WINDOWS1\system32\crhw32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DFBFEE67-D1F0-4CB0-DEB2-7F4A2C8A823E} - E:\WINDOWS1\atlwh32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BDMCon] E:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BGNewsAgent] E:\Program Files\BullGuard\bgnewsag.exe
O4 - HKLM\..\Run: [crhw32.exe] E:\WINDOWS1\system32\crhw32.exe
O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD7E44D5-1822-4F36-A943-501EA5521733}: NameServer = 199.45.32.43 199.45.32.38

-_-

#16 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 19 July 2004 - 09:30 PM

Hi,
Since you failed to update your machine, you now have an infection that there is no automated removal for. Your best approach at this point is to use System Restore to revert your system to a date prior to the infection.

Locate E:\WINDOWS1\qvakd.dll, check its "Date created", then select a date in System Restore prior to that ...
Mike
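The helper in this thread reads each log by hand. The script below is an added example, not part of the thread and not HijackThis code: it encodes, as a triage pass over the R0/R1, O2 and O4 lines, the kinds of entries acted on above: IE start and search pages served from a local DLL via res://, browser helper objects with no name, autostart values whose name is just the file name or whose target is a bare file name, RunOnce entries pointing into the Windows directory, and programs launched from a user profile directory. The rule set is an assumption chosen for this example, not a signature list; the sample lines are copied from the logs posted above, including three benign ones that must not be flagged.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example; it is not part of the forum thread and not HijackThis code.
The rules are assumptions drawn from the logs posted in this thread and are
heuristics, not signatures: a hit means "look at this", not "this is malware".
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the logs posted in this thread (same
# abbreviated paths as the forum shows), plus three benign lines from the
# same logs that should not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\qvakd.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvakd.dll/index.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: (no name) - {27C21F83-683C-675C-3EAF-DB7FF6EDC4F8} - E:\WINDOWS1\system32\crhw32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Update Machine] xnfphfg.exe
O4 - HKLM\..\RunServices: [Configuration Loader] zonealarm.exe
O4 - HKLM\..\RunOnce: [crxp32.exe] E:\WINDOWS1\system32\crxp32.exe
O4 - HKLM\..\Run: [crhw32.exe] E:\WINDOWS1\system32\crhw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Ruon] E:\Documents and Settings\Shabih\Application Data\ibma.exe
"""

R_RE = re.compile(r'^R[01] - .+ = (?P<url>.+)$')
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First token ending in an executable extension. The lazy match stops at the
# first such extension followed by whitespace or end of line, so unquoted paths
# containing spaces ("Documents and Settings") survive intact.
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|com|scr|bat|pif))(?=\s|$)', re.I)
WINDIR_RE = re.compile(r'\\(?:WINDOWS\w*|WINNT)\\', re.I)
PROFILE_RE = re.compile(r'\\Application Data\\', re.I)


def target_of(cmd: str) -> str:
    """Return the program launched by a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end]
    m = EXE_RE.match(cmd)
    return m.group('path') if m else cmd.split(' ', 1)[0]


def o4_reasons(key: str, name: str, target: str) -> List[str]:
    """Why an O4 (autostart) entry deserves a look; an empty list means nothing odd."""
    reasons: List[str] = []
    fname = target.rsplit('\\', 1)[-1].lower()
    if '\\' not in target:
        reasons.append('bare file name, located through the search path rather than a fixed location')
    if name.strip().lower() == fname:
        reasons.append('value name is just the file name')
    if key.lower() == 'runonce' and WINDIR_RE.search(target):
        reasons.append('RunOnce into the Windows directory; installers use RunOnce, resident software does not')
    if PROFILE_RE.search(target):
        reasons.append('program launched from a user-writable profile directory')
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.strip().splitlines():
        line = line.rstrip()
        reasons: List[str] = []
        if m := R_RE.match(line):
            url = m.group('url').lower()
            if url.startswith('res://') and '.dll' in url:
                reasons.append('IE start/search page served from a local DLL resource, not a web site')
        elif m := BHO_RE.match(line):
            if m.group('name').strip().lower() == '(no name)':
                reasons.append('browser helper object with no registered name')
        elif m := O4_RE.match(line):
            reasons = o4_reasons(m.group('key'), m.group('name'), target_of(m.group('cmd')))
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == '__main__':
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print('    ->', reason)
```

Run against the post #13 log, the one called clean, these rules would still flag the unnamed BHO at E:\WINDOWS1\system32\crhw32.dll; the post #15 log then shows a crhw32.exe Run entry and the qvakd.dll res:// hijack beside it. The output is a prompt for a person to look, not a verdict: the bare zonealarm.exe is flagged for how it is loaded, not for its name, and a run-of-the-mill installer's RunOnce will trip the Windows-directory rule until someone checks it.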



