• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
VanWilder03

New BHO with some other problems!

19 posts in this topic

It seems I have a new BHO that won't leave. (yes, i've read the FAQ, run S&D, and used HijackThis) There are also some other problems that come back after HT deletes them. I checked the number on the BHO and couldn't find it, so i guess its new? Thanks for any help you can provide

 

Logfile of HijackThis v1.97.7

Scan saved at 5:19:52 PM, on 7/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINNT\System32\Atievxx.exe

C:\WINNT\System32\hpb2ksrv.exe

C:\WINNT\System32\hpbhksrv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\wanmpsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\WINNT\System32\wuauclt.exe

C:\WINNT\system32\javaoq.exe

C:\WINNT\system32\javakx.exe

C:\WINNT\explorer.exe

C:\Virus Removal\Browser Hijack Blaster\bhblaster.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\shellmon.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Mozilla\mozilla.exe

C:\Virus Removal\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jyuup.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jyuup.dll/sp.html#37794

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [javaoq.exe] C:\WINNT\system32\javaoq.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Ducky-

 

thanks for the quick response! here you go, the buster report is first

 

-- Scan 1 --------

About:Buster Version 1.30

Removed! : C:\WINNT\system.html

Removed! : C:\WINNT\ssawg.dat

Removed! : C:\WINNT\tlnqrb.dat

Removed! : C:\WINNT\plrfa.dll

Removed! : C:\WINNT\plrfa.dat

Removed! : C:\WINNT\zmjfy.dat

Removed! : C:\WINNT\anhlq.dat

Removed! : C:\WINNT\pzpci.dat

Removed! : C:\WINNT\pjuel.dat

Removed! : C:\WINNT\jjwwp.dat

Removed! : C:\WINNT\jjwwp.dll

Removed! : C:\WINNT\ntqir.dat

Removed! : C:\WINNT\oebee.dll

Removed! : C:\WINNT\tyaov.dat

Removed! : C:\WINNT\grrcp.dat

Removed! : C:\WINNT\gcews.dat

Removed! : C:\WINNT\jyuup.dll

Removed! : C:\WINNT\System32\javaoq.exe

Removed! : C:\WINNT\System32\tlnqr.dat

Removed! : C:\WINNT\System32\nhdgo.dll

Removed! : C:\WINNT\System32\vnhxs.dat

Removed! : C:\WINNT\System32\ngnrd.dll

Removed! : C:\WINNT\System32\mlshv.dat

Removed! : C:\WINNT\System32\edxjf.dat

Removed! : C:\WINNT\System32\ghqfs.dll

Removed! : C:\WINNT\System32\zxoha.dat

Removed! : C:\WINNT\System32\zxoha.dll

Removed! : C:\WINNT\System32\niwko.dat

Removed! : C:\WINNT\System32\glogb.dat

Removed! : C:\WINNT\System32\ihmxy.dll

Removed! : C:\WINNT\System32\tgmfs.dat

Removed! : C:\WINNT\System32\vckdp.dll

Removed! : C:\WINNT\System32\sfsvi.dll

Removed! : C:\WINNT\System32\iqjcm.dat

Removed! : C:\WINNT\System32\tpxlw.dat

Removed! : C:\WINNT\System32\vbtli.dat

Removed! : C:\WINNT\System32\wmdhc.dll

Removed! : C:\WINNT\System32\nxsll.dat

Removed! : C:\WINNT\System32\nhxfv.dat

Removed! : C:\WINNT\System32\idves.dll

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

 

 

And now the new HT log...

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 5:32:06 PM, on 7/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINNT\System32\Atievxx.exe

C:\WINNT\System32\hpb2ksrv.exe

C:\WINNT\System32\hpbhksrv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\wanmpsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\WINNT\System32\wuauclt.exe

C:\WINNT\system32\javakx.exe

C:\Virus Removal\Browser Hijack Blaster\bhblaster.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\shellmon.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Mozilla\mozilla.exe

C:\WINNT\explorer.exe

C:\WINNT\msur32.exe

C:\Virus Removal\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\idves.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://idves.dll/index.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://idves.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\idves.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://idves.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\idves.dll/sp.html#37794

O2 - BHO: (no name) - {3150E1F4-0F4B-0CF3-C203-960F96F4AA6C} - C:\WINNT\system32\atlht.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Hey there mind finding these files, zipping them up and sending them to here.

 

Note: Please add a password.

How to add a password - Open the compressed folder, goto file and hit add a password. Enter cws in both boxes and hit ok. This way my email program will not scan it for a virus.

  • C:\WINNT\msur32.exe
  • C:\WINNT\system32\atlht.dll
  • C:\WINNT\system32\idves.dll
  • C:\WINNT\system32\javakx.exe

Then start Hijack This and tick the boxes next to these items.

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\idves.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://idves.dll/index.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://idves.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\idves.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://idves.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\idves.dll/sp.html#37794

O2 - BHO: (no name) - {3150E1F4-0F4B-0CF3-C203-960F96F4AA6C} - C:\WINNT\system32\atlht.dll

 

Then close all windows and hit fix checked. Restart your computer and delete the files i asked you to send.

Share this post


Link to post
Share on other sites

I can only find the first file you requested - C:\WINNT\msur32.exe I can't find the others. If I'm using AOL or Yahoo, (the only places i have email), how do i put a password on the files?

Share this post


Link to post
Share on other sites

Alright well I deleted the file, and followed the rest of the directions. I'm not sure it helped though, heres an updated HT log

 

Logfile of HijackThis v1.97.7

Scan saved at 7:02:59 PM, on 7/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AIM95\aim.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINNT\System32\Atievxx.exe

C:\WINNT\System32\hpb2ksrv.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\WINNT\System32\hpbhksrv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\system32\javakx.exe

C:\WINNT\atlqv.exe

C:\WINNT\System32\wuauclt.exe

C:\Program Files\Mozilla\mozilla.exe

C:\Virus Removal\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jzbkk.dll/index.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jzbkk.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jzbkk.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794

O2 - BHO: (no name) - {E41C8038-ED75-307D-1BBE-5178F99061EE} - C:\WINNT\system32\addrn.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [javaoq.exe] C:\WINNT\system32\javaoq.exe

O4 - HKLM\..\Run: [atlqv.exe] C:\WINNT\atlqv.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Hmm the thing keeps morphing. Boot into safe mode and try this.

Open Hijack This and tick the boxes next to these items.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jzbkk.dll/index.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jzbkk.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jzbkk.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794

O2 - BHO: (no name) - {E41C8038-ED75-307D-1BBE-5178F99061EE} - C:\WINNT\system32\addrn.dll

O4 - HKLM\..\Run: [javaoq.exe] C:\WINNT\system32\javaoq.exe

O4 - HKLM\..\Run: [atlqv.exe] C:\WINNT\atlqv.exe

 

Close all windows and hit fix checked. Then run About:Buster twice. Now try finding these files.. if you do send them to that address above.

 

C:\WINNT\atlqv.exe

C:\WINNT\system32\javaoq.exe

C:\WINNT\system32\addrn.dll

 

jzbkk.dll - Search for it.

 

Then restart and post a new log.

Share this post


Link to post
Share on other sites

I followed your directions word for word. I searched for all 4 of those files at the end of the last post, found nothin but a javaoq in a different location. Heres the new log.

 

Logfile of HijackThis v1.97.7

Scan saved at 9:11:56 PM, on 7/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINNT\System32\Atievxx.exe

C:\WINNT\System32\hpb2ksrv.exe

C:\WINNT\System32\hpbhksrv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\system32\javakx.exe

C:\Documents and Settings\Stephen1\Desktop\AboutBuster.exe

C:\WINNT\System32\wuauclt.exe

C:\WINNT\system32\wintn32.exe

C:\Virus Removal\HijackThis.exe

C:\PROGRA~1\MOZILLA\MOZILLA.EXE

 

O2 - BHO: (no name) - {F00CE1E8-EA23-8F41-46F5-4A8BEFBE2B53} - C:\WINNT\msur32.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

The thing is still there. Reboot into safe mode and run About:Buster once more.

 

Please send me that file and this. By that file i mean javaoq.exe.

C:\WINNT\system32\javakx.exe

Share this post


Link to post
Share on other sites

Can I email you in safe mode? also, how do i zip the file and put a password on it? i can use either aol or yahoo if that helps

 

Thanks a lot

Share this post


Link to post
Share on other sites

Right click the file and hit send to... compressed folder. Open the compressed folder and goto file add password. Enter a password and confirm it. No email me the files before you go into safe mode.

Share this post


Link to post
Share on other sites

I made the zip folder, but cant figure out how to open it to add a password. (im using the evaluation version, i dont know if that matters)

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 10:09:54 PM, on 7/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINNT\System32\Atievxx.exe

C:\WINNT\System32\hpb2ksrv.exe

C:\WINNT\System32\hpbhksrv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\system32\javakx.exe

C:\Program Files\Mozilla\mozilla.exe

C:\WINNT\System32\wuauclt.exe

C:\WINNT\system32\atldw32.exe

C:\Virus Removal\HijackThis.exe

 

O2 - BHO: (no name) - {F00CE1E8-EA23-8F41-46F5-4A8BEFBE2B53} - C:\WINNT\msur32.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

 

-- Scan 1 --------

About:Buster Version 1.30

Removed! : C:\WINNT\wgpuc.dat

Removed! : C:\WINNT\ysarw.dll

Removed! : C:\WINNT\System32\xzvpm.dat

Removed! : C:\WINNT\System32\atldw32.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

Share this post


Link to post
Share on other sites

Ok i know im making you send alot... of files :-p... What im wondering is why this file isnt being removed.

 

C:\WINNT\msur32.dll

 

Please send that file then start Hijack this and tick the boxes next to these items.

 

O2 - BHO: (no name) - {F00CE1E8-EA23-8F41-46F5-4A8BEFBE2B53} - C:\WINNT\msur32.dll

 

Then close all windows and hit fix checked (do not open internet explorer). Run About:Buster and reboot. Then run About:Buster one last time... Please report if you have any more problems.

Share this post


Link to post
Share on other sites

humph, i did what you said, ran aboutbuster without any problems, but HT still shows a lot of crap.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:35:56 PM, on 7/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINNT\System32\Atievxx.exe

C:\WINNT\System32\hpb2ksrv.exe

C:\WINNT\System32\hpbhksrv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\system32\javakx.exe

C:\WINNT\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\Program Files\Mozilla\mozilla.exe

C:\WINNT\msyf32.exe

C:\Virus Removal\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\anfiz.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://anfiz.dll/index.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://anfiz.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\anfiz.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://anfiz.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\anfiz.dll/sp.html#37794

O2 - BHO: (no name) - {F00CE1E8-EA23-8F41-46F5-4A8BEFBE2B53} - C:\WINNT\msur32.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [msyf32.exe] C:\WINNT\msyf32.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0