New BHO with some other problems!


18 replies to this topic

#1 VanWilder03

VanWilder03

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 17 July 2004 - 04:20 PM

It seems I have a new BHO that won't leave. (Yes, I've read the FAQ, run S&D, and used HijackThis.) There are also some other problems that come back after HT deletes them. I checked the number on the BHO and couldn't find it, so I guess it's new? Thanks for any help you can provide.

Logfile of HijackThis v1.97.7
Scan saved at 5:19:52 PM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\Atievxx.exe
C:\WINNT\System32\hpb2ksrv.exe
C:\WINNT\System32\hpbhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\system32\javaoq.exe
C:\WINNT\system32\javakx.exe
C:\WINNT\explorer.exe
C:\Virus Removal\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla\mozilla.exe
C:\Virus Removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jyuup.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jyuup.dll/sp.html#37794
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [javaoq.exe] C:\WINNT\system32\javaoq.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 17 July 2004 - 04:21 PM

Hello, please download About:Buster Version 1.3 and unzip it to your desktop. Start it, hit OK, Start, and OK again to start the scan. It will generate a log. Post that log along with a new HijackThis log here.


Ducky

If this doesn't work, boot into safe mode and try. How to boot into safe mode?
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#3 VanWilder03


Posted 17 July 2004 - 04:33 PM

Ducky-

Thanks for the quick response! Here you go, the Buster report is first.

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINNT\system.html
Removed! : C:\WINNT\ssawg.dat
Removed! : C:\WINNT\tlnqrb.dat
Removed! : C:\WINNT\plrfa.dll
Removed! : C:\WINNT\plrfa.dat
Removed! : C:\WINNT\zmjfy.dat
Removed! : C:\WINNT\anhlq.dat
Removed! : C:\WINNT\pzpci.dat
Removed! : C:\WINNT\pjuel.dat
Removed! : C:\WINNT\jjwwp.dat
Removed! : C:\WINNT\jjwwp.dll
Removed! : C:\WINNT\ntqir.dat
Removed! : C:\WINNT\oebee.dll
Removed! : C:\WINNT\tyaov.dat
Removed! : C:\WINNT\grrcp.dat
Removed! : C:\WINNT\gcews.dat
Removed! : C:\WINNT\jyuup.dll
Removed! : C:\WINNT\System32\javaoq.exe
Removed! : C:\WINNT\System32\tlnqr.dat
Removed! : C:\WINNT\System32\nhdgo.dll
Removed! : C:\WINNT\System32\vnhxs.dat
Removed! : C:\WINNT\System32\ngnrd.dll
Removed! : C:\WINNT\System32\mlshv.dat
Removed! : C:\WINNT\System32\edxjf.dat
Removed! : C:\WINNT\System32\ghqfs.dll
Removed! : C:\WINNT\System32\zxoha.dat
Removed! : C:\WINNT\System32\zxoha.dll
Removed! : C:\WINNT\System32\niwko.dat
Removed! : C:\WINNT\System32\glogb.dat
Removed! : C:\WINNT\System32\ihmxy.dll
Removed! : C:\WINNT\System32\tgmfs.dat
Removed! : C:\WINNT\System32\vckdp.dll
Removed! : C:\WINNT\System32\sfsvi.dll
Removed! : C:\WINNT\System32\iqjcm.dat
Removed! : C:\WINNT\System32\tpxlw.dat
Removed! : C:\WINNT\System32\vbtli.dat
Removed! : C:\WINNT\System32\wmdhc.dll
Removed! : C:\WINNT\System32\nxsll.dat
Removed! : C:\WINNT\System32\nhxfv.dat
Removed! : C:\WINNT\System32\idves.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!




And now the new HT log...



Logfile of HijackThis v1.97.7
Scan saved at 5:32:06 PM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\Atievxx.exe
C:\WINNT\System32\hpb2ksrv.exe
C:\WINNT\System32\hpbhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\system32\javakx.exe
C:\Virus Removal\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla\mozilla.exe
C:\WINNT\explorer.exe
C:\WINNT\msur32.exe
C:\Virus Removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\idves.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://idves.dll/index.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://idves.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\idves.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://idves.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\idves.dll/sp.html#37794
O2 - BHO: (no name) - {3150E1F4-0F4B-0CF3-C203-960F96F4AA6C} - C:\WINNT\system32\atlht.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 RubbeR DuckY


Posted 17 July 2004 - 04:42 PM

Hey there, mind finding these files, zipping them up and sending them to here?

Note: Please add a password.
How to add a password - Open the compressed folder, go to File and hit Add a Password. Enter cws in both boxes and hit OK. This way my email program will not scan it for a virus.
  • C:\WINNT\msur32.exe
  • C:\WINNT\system32\atlht.dll
  • C:\WINNT\system32\idves.dll
  • C:\WINNT\system32\javakx.exe
Then start Hijack This and tick the boxes next to these items.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\idves.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://idves.dll/index.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://idves.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\idves.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://idves.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\idves.dll/sp.html#37794
O2 - BHO: (no name) - {3150E1F4-0F4B-0CF3-C203-960F96F4AA6C} - C:\WINNT\system32\atlht.dll

Then close all windows and hit Fix Checked. Restart your computer and delete the files I asked you to send.

#5 VanWilder03


Posted 17 July 2004 - 04:50 PM

How do I find the files, then zip them to you?

#6 VanWilder03


Posted 17 July 2004 - 05:39 PM

I can only find the first file you requested - C:\WINNT\msur32.exe. I can't find the others. If I'm using AOL or Yahoo (the only places I have email), how do I put a password on the files?

#7 VanWilder03


Posted 17 July 2004 - 06:04 PM

Alright, well, I deleted the file and followed the rest of the directions. I'm not sure it helped though; here's an updated HT log.

Logfile of HijackThis v1.97.7
Scan saved at 7:02:59 PM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\Atievxx.exe
C:\WINNT\System32\hpb2ksrv.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINNT\System32\hpbhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\javakx.exe
C:\WINNT\atlqv.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Mozilla\mozilla.exe
C:\Virus Removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jzbkk.dll/index.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jzbkk.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jzbkk.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794
O2 - BHO: (no name) - {E41C8038-ED75-307D-1BBE-5178F99061EE} - C:\WINNT\system32\addrn.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [javaoq.exe] C:\WINNT\system32\javaoq.exe
O4 - HKLM\..\Run: [atlqv.exe] C:\WINNT\atlqv.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#8 RubbeR DuckY


Posted 17 July 2004 - 06:58 PM

Hmm the thing keeps morphing. Boot into safe mode and try this.
Open Hijack This and tick the boxes next to these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jzbkk.dll/index.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jzbkk.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jzbkk.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jzbkk.dll/sp.html#37794
O2 - BHO: (no name) - {E41C8038-ED75-307D-1BBE-5178F99061EE} - C:\WINNT\system32\addrn.dll
O4 - HKLM\..\Run: [javaoq.exe] C:\WINNT\system32\javaoq.exe
O4 - HKLM\..\Run: [atlqv.exe] C:\WINNT\atlqv.exe

Close all windows and hit Fix Checked. Then run About:Buster twice. Now try finding these files. If you do, send them to that address above.

C:\WINNT\atlqv.exe
C:\WINNT\system32\javaoq.exe
C:\WINNT\system32\addrn.dll

jzbkk.dll - Search for it.

Then restart and post a new log.

#9 VanWilder03


Posted 17 July 2004 - 08:12 PM

I followed your directions word for word. I searched for all 4 of those files at the end of the last post, found nothing but a javaoq in a different location. Here's the new log.

Logfile of HijackThis v1.97.7
Scan saved at 9:11:56 PM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\Atievxx.exe
C:\WINNT\System32\hpb2ksrv.exe
C:\WINNT\System32\hpbhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\javakx.exe
C:\Documents and Settings\Stephen1\Desktop\AboutBuster.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\system32\wintn32.exe
C:\Virus Removal\HijackThis.exe
C:\PROGRA~1\MOZILLA\MOZILLA.EXE

O2 - BHO: (no name) - {F00CE1E8-EA23-8F41-46F5-4A8BEFBE2B53} - C:\WINNT\msur32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#10 RubbeR DuckY


Posted 17 July 2004 - 08:19 PM

The thing is still there. Reboot into safe mode and run About:Buster once more.

Please send me that file and this. By that file I mean javaoq.exe.
C:\WINNT\system32\javakx.exe

#11 VanWilder03


Posted 17 July 2004 - 08:22 PM

Can I email you in safe mode? Also, how do I zip the file and put a password on it? I can use either AOL or Yahoo if that helps.

Thanks a lot

#12 RubbeR DuckY


Posted 17 July 2004 - 08:24 PM

Right-click the file and hit Send To... Compressed Folder. Open the compressed folder and go to File, Add Password. Enter a password and confirm it. No, email me the files before you go into safe mode.

#13 VanWilder03


Posted 17 July 2004 - 08:42 PM

I made the zip folder, but can't figure out how to open it to add a password. (I'm using the evaluation version, I don't know if that matters.)

#14 RubbeR DuckY


Posted 17 July 2004 - 08:44 PM

OK, just send the file... don't password protect it.

#15 VanWilder03


Posted 17 July 2004 - 08:49 PM

Email sent

#16 RubbeR DuckY


Posted 17 July 2004 - 08:58 PM

OK, let's just see a final log.

#17 VanWilder03


Posted 17 July 2004 - 09:11 PM

Logfile of HijackThis v1.97.7
Scan saved at 10:09:54 PM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\Atievxx.exe
C:\WINNT\System32\hpb2ksrv.exe
C:\WINNT\System32\hpbhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\javakx.exe
C:\Program Files\Mozilla\mozilla.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\system32\atldw32.exe
C:\Virus Removal\HijackThis.exe

O2 - BHO: (no name) - {F00CE1E8-EA23-8F41-46F5-4A8BEFBE2B53} - C:\WINNT\msur32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINNT\wgpuc.dat
Removed! : C:\WINNT\ysarw.dll
Removed! : C:\WINNT\System32\xzvpm.dat
Removed! : C:\WINNT\System32\atldw32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#18 RubbeR DuckY


Posted 17 July 2004 - 09:17 PM

OK, I know I'm making you send a lot... of files :-p... What I'm wondering is why this file isn't being removed.

C:\WINNT\msur32.dll

Please send that file, then start HijackThis and tick the boxes next to these items.

O2 - BHO: (no name) - {F00CE1E8-EA23-8F41-46F5-4A8BEFBE2B53} - C:\WINNT\msur32.dll

Then close all windows and hit Fix Checked (do not open Internet Explorer). Run About:Buster and reboot. Then run About:Buster one last time... Please report if you have any more problems.

#19 VanWilder03


Posted 17 July 2004 - 09:36 PM

Humph, I did what you said, ran AboutBuster without any problems, but HT still shows a lot of crap.

Logfile of HijackThis v1.97.7
Scan saved at 10:35:56 PM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\Atievxx.exe
C:\WINNT\System32\hpb2ksrv.exe
C:\WINNT\System32\hpbhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\javakx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Mozilla\mozilla.exe
C:\WINNT\msyf32.exe
C:\Virus Removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\anfiz.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://anfiz.dll/index.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://anfiz.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\anfiz.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://anfiz.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\anfiz.dll/sp.html#37794
O2 - BHO: (no name) - {F00CE1E8-EA23-8F41-46F5-4A8BEFBE2B53} - C:\WINNT\msur32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msyf32.exe] C:\WINNT\msyf32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
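
The pattern visible across the logs in this thread, as an added example that is not part of any post and is not how HijackThis or About:Buster work internally: the `res://` DLL name and the BHO CLSID change from scan to scan, while the `#37794` fragment on the hijacked pages does not. The function names and the choice of which log lines to embed are assumptions of this example; the lines themselves are copied from the logs above.

```python
import ntpath
import re

# R0/R1 and O2 lines copied from the HijackThis logs posted in this thread,
# keyed by each log's "Scan saved at" time (one O4 line kept as a negative case).
SCANS = {
    "5:19:52 PM": [
        r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jyuup.dll/index.html#37794",
        r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jyuup.dll/sp.html#37794",
        r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    ],
    "5:32:06 PM": [
        r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://idves.dll/index.html#37794",
        r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\idves.dll/sp.html#37794",
        r"O2 - BHO: (no name) - {3150E1F4-0F4B-0CF3-C203-960F96F4AA6C} - C:\WINNT\system32\atlht.dll",
    ],
    "7:02:59 PM": [
        r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jzbkk.dll/index.html#37794",
        r"O2 - BHO: (no name) - {E41C8038-ED75-307D-1BBE-5178F99061EE} - C:\WINNT\system32\addrn.dll",
    ],
    "10:35:56 PM": [
        r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\anfiz.dll/sp.html#37794",
        r"O2 - BHO: (no name) - {F00CE1E8-EA23-8F41-46F5-4A8BEFBE2B53} - C:\WINNT\msur32.dll",
    ],
}

# "R0 - <registry key>,<value name> = <data>"
R_ENTRY = re.compile(r"^R[0-3] - (?P<key>.+?),(?P<value>[^,=]+?) = (?P<data>.*)$")
# "res://<dll, with or without a path>/<page>#<fragment>"
RES_URL = re.compile(r"^res://(?P<module>.+?\.dll)/(?P<page>[^#]*)(?:#(?P<tag>.*))?$", re.I)
# "O2 - BHO: <name> - {CLSID} - <file>"
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def parse_scan(lines):
    """Pull res:// page hijacks and nameless BHOs out of one HijackThis log."""
    found = {"res_modules": set(), "res_tags": set(), "nameless_bhos": []}
    for line in lines:
        entry = R_ENTRY.match(line)
        if entry:
            url = RES_URL.match(entry.group("data").strip())
            if url:
                # The same DLL appears both bare and with a full path; compare by file name.
                found["res_modules"].add(ntpath.basename(url.group("module")).lower())
                if url.group("tag"):
                    found["res_tags"].add(url.group("tag"))
            continue
        bho = BHO.match(line)
        if bho and bho.group("name") == "(no name)":
            found["nameless_bhos"].append((bho.group("clsid"), bho.group("path")))
    return found


def stable_vs_rotating(scans):
    """Separate indicators that persist across scans from those that change."""
    parsed = {label: parse_scan(lines) for label, lines in scans.items()}
    hijacked = [p for p in parsed.values() if p["res_modules"]]
    modules = [p["res_modules"] for p in hijacked]
    tags = [p["res_tags"] for p in hijacked]
    return {
        "per_scan": parsed,
        "stable_tags": set.intersection(*tags) if tags else set(),
        "stable_modules": set.intersection(*modules) if modules else set(),
        "all_modules": set.union(*modules) if modules else set(),
    }


if __name__ == "__main__":
    report = stable_vs_rotating(SCANS)
    for label, scan in report["per_scan"].items():
        print(label, sorted(scan["res_modules"]), [c for c, _ in scan["nameless_bhos"]])
    print("fragment present in every hijacked scan:", sorted(report["stable_tags"]))
    print("DLL names present in every hijacked scan:", sorted(report["stable_modules"]))
```

No DLL name survives from one scan to the next, so a check keyed on file names or CLSIDs misses the next variant; the `res://...dll` start page and the nameless BHO are the parts that stay recognisable.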



