scuzzman

Browser redirection - qnwyl.dll

14 posts in this topic

I have a little problem with a browser hijack. The filename is qnwyl.dll. The nasty kind. Changes my homepage, redirects searches, unknown URLs, and loads of popups.

Troubleshooting I've tried:

Editing all the registry keys in my HijackThis log for this file, to point to about:blank

Searching Google, Yahoo!, and other search engines for this file.

Running Ad-Aware 6.0 and Spybot S&D, with the most recent updates

 

 

HijackThis log file:

Logfile of HijackThis v1.97.7

Scan saved at 11:12:13 PM, on 7/15/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Yahoo!\Messenger\YPager.exe

C:\WINDOWS\mfcwa32.exe

C:\WINDOWS\javakk.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Documents and Settings\Johnny\Desktop\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qnwyl.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qnwyl.dll/index.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qnwyl.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qnwyl.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qnwyl.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qnwyl.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by IPI Network

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://cf.icq.com/cf/2000/lost_password.html

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2D6C69C9-A68C-A750-F9F1-9D7ABE3372A9} - C:\WINDOWS\atlen.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [mfcwa32.exe] C:\WINDOWS\mfcwa32.exe

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: NeoTrace It! (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C62160A1-6308-4AD7-B62B-06FEB74F31AF}: NameServer = 208.10.192.4 208.10.192.5

Edited by scuzzman

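Added here as an editor's example, not part of the thread and not code from HijackThis or About:Buster: a small Python filter that applies the indicators visible in the log above to HijackThis-style lines. It flags IE start and search pages pointed at a res:// URL inside a DLL, a hosts file moved out of system32\drivers\etc, an unnamed BHO and an O4 Run entry living directly in C:\WINDOWS or System32, and a missing default URLSearchHook. The sample input is copied from the logs posted in this thread, including the later 10:29 PM 7/16 log in which the hijacker has come back as jduox.dll; the "Windows root or System32" rule, and the fingerprint built from the hijacked value names plus the trailing #28129 id, are my assumptions about this family, and every hit still needs an analyst's eye.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis logs posted in this thread,
# the 7/15 log (qnwyl.dll) and the 10:29 PM 7/16 log after the hijacker came
# back as jduox.dll. Clean lines from the same logs are left in on purpose so
# that the heuristics have to leave them alone.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qnwyl.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qnwyl.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://cf.icq.com/cf/2000/lost_password.html
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2D6C69C9-A68C-A750-F9F1-9D7ABE3372A9} - C:\WINDOWS\atlen.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [mfcwa32.exe] C:\WINDOWS\mfcwa32.exe
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jduox.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jduox.dll/index.html#28129
R3 - Default URLSearchHook is missing
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: (no name) - {AC5FBA74-3B09-DD85-9101-E3BA6AA5F315} - C:\WINDOWS\system32\iehh.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [appbw32.exe] C:\WINDOWS\appbw32.exe
"""

@dataclass(frozen=True)
class Finding:
    kind: str    # machine-readable label for the heuristic that fired
    line: str    # the log line as written
    detail: str  # what was extracted: value name, file, or path

# R0/R1: IE home and search pages are normally http(s):// or about:blank. A
# res:// URL that serves HTML out of a DLL is this hijacker's signature.
RES_DLL_RE = re.compile(
    r"^R[01] - HK\w+\\.*?,(?P<name>[^=]+?)\s*=\s*res://"
    r"(?:[A-Za-z]:\\\S*?\\)?(?P<dll>[^\\/\s]+\.dll)/", re.I)
ID_RE = re.compile(r"#(\d+)\s*$")
HOSTS_RE = re.compile(r"^O1 - Hosts file is located at:\s*(?P<path>.+?)\s*$", re.I)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+?)\s*$", re.I)
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\]\s*(?P<cmd>.+?)\s*$", re.I)
# Heuristic (my assumption, taken from the paths in this thread): the hijacker
# drops its files straight into the Windows root or System32, never under
# Program Files.
WINDOWS_DIR_RE = re.compile(r"^[A-Za-z]:\\windows(\\system32)?$", re.I)
DEFAULT_HOSTS_SUFFIX = r"\system32\drivers\etc\hosts"

def in_windows_dir(path: str) -> bool:
    """True when the file sits directly in the Windows root or in System32."""
    directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
    return WINDOWS_DIR_RE.match(directory) is not None

def exe_path(cmd: str) -> str:
    """Strip arguments such as '/startup' from an O4 Run command line."""
    m = re.match(r"(?P<exe>.+?\.exe)", cmd, re.I)
    return m["exe"] if m else cmd.split()[0]

def analyze(log_text: str) -> list[Finding]:
    """Run the hijack heuristics over HijackThis-style lines; everything else
    (Acrobat BHO, AVG and MSConfig run entries, the ICQ Shellnext) passes."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RES_DLL_RE.match(line):
            findings.append(Finding("res_dll_page", line, f"{m['name']} -> {m['dll']}"))
        elif line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(Finding("urlsearchhook_missing", line, "URLSearchHook"))
        elif m := HOSTS_RE.match(line):
            # The hosts file belongs under %SystemRoot%\system32\drivers\etc;
            # the logs in this thread show it moved to C:\WINDOWS\nsdb\hosts.
            if not m["path"].lower().endswith(DEFAULT_HOSTS_SUFFIX):
                findings.append(Finding("hosts_relocated", line, m["path"]))
        elif m := BHO_RE.match(line):
            # Needs analyst review: an unnamed BHO in the Windows directory is
            # suspicious here, but not every DLL in System32 is malicious.
            if m["name"].lower() == "(no name)" and in_windows_dir(m["path"]):
                findings.append(Finding("unnamed_bho_in_windows_dir", line, m["path"]))
        elif m := RUN_RE.match(line):
            exe = exe_path(m["cmd"])
            if in_windows_dir(exe) and m["key"].lower() == exe.rsplit("\\", 1)[-1].lower():
                findings.append(Finding("run_key_named_after_exe", line, exe))
    return findings

def fingerprint(log_text: str) -> tuple:
    """Name-independent signature: which IE values point at a DLL, plus the
    trailing '#NNNNN' id, which in this thread survived the qnwyl -> jduox rename."""
    names, ids = set(), set()
    for f in analyze(log_text):
        if f.kind == "res_dll_page":
            names.add(f.detail.split(" -> ")[0].lower())
            if m := ID_RE.search(f.line):
                ids.add(m[1])
    return (tuple(sorted(names)), tuple(sorted(ids)))

if __name__ == "__main__":
    for label, log in (("7/15 log", LOG_BEFORE), ("7/16 log", LOG_AFTER)):
        print(f"== {label}  fingerprint={fingerprint(log)}")
        for f in analyze(log):
            print(f"   [{f.kind}] {f.detail}")
```

Run stand-alone, it lists the hits for both logs and prints the same fingerprint for each. That is the point of the second function: matching on the pattern (which IE values were redirected, and the constant trailing id) rather than on the random file name is what tells you the 7/16 log is the same hijack regenerated, not a new infection, which is exactly what the poster observed when the DLL came back under a different name with "the same string of numbers".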

Also - just found About:Buster

Thanks ducky! Great program!

Although, still having problems. I ran About:Buster and removed a bunch of files, but upon re-opening IE (I got a little excited about my homepage being the way it should) three times, got redirected back to same old stuff. :(


New troubleshooting information:

Ran Ad-Aware & Spybot S&D (found nothing)

Booted safe mode

Ran HijackThis, fixed normal problems

Ran Ad-Aware and Spybot again (found nothing)

Ran About:Buster - fixed a bunch of files, again

Ran RegScrubXP, fixed 11 problems

Ran About:Buster again (found nothing)

Rebooted Windows normal

Opened/closed browser exactly 11 times, then the friggin thing re-appeared. Mine is a little different though, as it is the exact same *.dll file, and same string of numbers. Damn, if I didn't want to lose my Mandrake Linux partition (spyware-free I might add), I'd just redo Windows because of this damn thing. Can't wait till this is illegal and I can sue these bastards.


If you are still having trouble, please post a fresh HijackThis log here for review.


Logfile of HijackThis v1.97.7

Scan saved at 9:43:16 PM, on 7/16/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\javakk.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\system32\msdb.exe

C:\Program Files\Yahoo!\Messenger\YPager.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Johnny\Desktop\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qnwyl.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qnwyl.dll/index.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qnwyl.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qnwyl.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qnwyl.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qnwyl.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by IPI Network

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://cf.icq.com/cf/2000/lost_password.html

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2D6C69C9-A68C-A750-F9F1-9D7ABE3372A9} - C:\WINDOWS\atlen.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [msdb.exe] C:\WINDOWS\system32\msdb.exe

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: NeoTrace It! (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C62160A1-6308-4AD7-B62B-06FEB74F31AF}: NameServer = 208.10.192.4 208.10.192.5


<EDIT>

Possibly a little bit more pertinent information. My notepad.exe has also been acting funny. I'll be editing a program, and all of a sudden the darned thing will just close. I don't even have to be typing. It stays up for about 20-30 seconds, then closes. I've run AVG 6.0 (updated today) and Panda to no avail.

</EDIT>

 

Logfile of HijackThis v1.98.0

Scan saved at 9:59:13 PM, on 7/16/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\javakk.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\system32\msdb.exe

C:\Program Files\Yahoo!\Messenger\YPager.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Johnny\Desktop\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qnwyl.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qnwyl.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qnwyl.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qnwyl.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qnwyl.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qnwyl.dll/index.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cf.icq.com/cf/2000/lost_password.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by IPI Network

R3 - Default URLSearchHook is missing

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2D6C69C9-A68C-A750-F9F1-9D7ABE3372A9} - C:\WINDOWS\atlen.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [msdb.exe] C:\WINDOWS\system32\msdb.exe

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.5.0\bin\npjpi150.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C62160A1-6308-4AD7-B62B-06FEB74F31AF}: NameServer = 208.10.192.4 208.10.192.5

Edited by scuzzman


Please print this out for easy reference.

Run HijackThis & put a check in the boxes next to these lines; be sure to close all browsers and windows (including this one) and hit ‘Fix’:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

 

O2 - BHO: (no name) - {2D6C69C9-A68C-A750-F9F1-9D7ABE3372A9} - C:\WINDOWS\atlen.dll

 

Reboot into Safe Mode and run AboutBuster.exe. Click OK, then Start, then OK. Make a copy of the log once it finishes. Then run AboutBuster.exe again. Make a copy of that log.

 

Reboot out of Safe Mode and post a new HijackThis log along with the two reports from About:Buster.

Edited by 808chick


OK - did what you told me, then followed up with RegScrubXP to remove the excess regkeys (there were 21).

Started/restarted IE several times, and this little thing came up saying

CANNOT FIND SERVER!!!

res://jduox.dll/index.html

 

<EDIT>

I'm beginning to think javakk.exe has something to do with this: give me a few minutes to experiment, I'll report my results. If I kill my OS, I have Linux-Mandrake on another partition, spyware free.

</EDIT>

 

Logfile of HijackThis v1.98.0

Scan saved at 10:29:58 PM, on 7/16/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\javakk.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\appbw32.exe

C:\Documents and Settings\Johnny\Desktop\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jduox.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jduox.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jduox.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jduox.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jduox.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jduox.dll/index.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cf.icq.com/cf/2000/lost_password.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by IPI Network

R3 - Default URLSearchHook is missing

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AC5FBA74-3B09-DD85-9101-E3BA6AA5F315} - C:\WINDOWS\system32\iehh.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [appbw32.exe] C:\WINDOWS\appbw32.exe

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.5.0\bin\npjpi150.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C62160A1-6308-4AD7-B62B-06FEB74F31AF}: NameServer = 208.10.192.4 208.10.192.5

 

 

-- Scan 1 --------

About:Buster Version 1.30

Removed! : C:\WINDOWS\rrbxeh.dat

Removed! : C:\WINDOWS\System32\rrbxe.dat

Removed! : C:\WINDOWS\System32\qnwyl.dll

Removed! : C:\WINDOWS\System32\msdb.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 1 --------

About:Buster Version 1.30

Attempted Clean Of Temp folder.

Pages Reset... Done!

Edited by scuzzman


Can you set your computer's date ahead a couple of days, 2-3, & post a new log from there?


I usually would not post a, well, post this size, but people HAVE TO SEE THIS:

 

Steps taken:

1) remove the following from HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jduox.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jduox.dll/index.html#28129

O2 - BHO: (no name) - {AC5FBA74-3B09-DD85-9101-E3BA6AA5F315} - C:\WINDOWS\system32\iehh.dll

R3 - Default URLSearchHook is missing

2) Ran about:buster - see log file below

3) Followed up with RegScrubXP - no invalid keys found

4) Re-ran HJT - see newest log below

5) Re-scanned About:Buster - see log below

6) Started/restarted IE 15 times - SPYWARE FREE!!!!!!

 

Other possibly pertinent info:

-notepad is still misbehaving

-javakk.exe is still running, though there is no executable named that on my system

 

 

-- Scan 1 --------

About:Buster Version 1.30

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 1.30

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

Logfile of HijackThis v1.98.0

Scan saved at 10:52:33 PM, on 7/16/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\javakk.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Windows NT\Accessories\wordpad.exe

C:\Documents and Settings\Johnny\Desktop\HijackThis\AboutBuster.exe

C:\Documents and Settings\Johnny\Desktop\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cf.icq.com/cf/2000/lost_password.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by IPI Network

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.5.0\bin\npjpi150.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

Edited by scuzzman


You might still want to set your date ahead a few days, just to be safe. The infection has been known to reappear after 2 or 3 days.

 

And your HijackThis is running from your Desktop; this is not recommended. It is best to put it in a permanent folder, e.g. C:\HJT (or something similar).


2 or 3 days, or 2 or 3 reboots.

* scuzzman gets really angry. I will find a tried-and-true way of getting rid of this thing for good. Y'all stand by for now.
