Jump to content


Photo

Browser hijack neszo.dll


  • Please log in to reply
19 replies to this topic

#1 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 17 July 2004 - 10:42 PM

I have a browser hijack called neszo.dll. The HijackThis log is below. I check
the first six entries (the ones that refer to neszo.dll) and remove them. If I
rerun HiJackThis quickly, they will not be there, but 5 minutes later if I rerun
HiJackThis, they are back. This is true even if my computer is idle.

I also have a virus called Agobot.25.M on my machine which is very stubborn
to get rid of. This may be unrelated, but I mention it in case it is helpful.

Many thanks to anyone who can attempt to help me out with this.


Logfile of HijackThis v1.98.0
Scan saved at 11:35:10 PM, on 7/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\javaln32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\System Tools\SpyStopper\spystopper.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\avgcc32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\crnx32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\msnmsgplus.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WindowsUpdate\wuaudnld.tmp\cabs\com_microsoft.Q817287_XP_SP2\q817287.exe
C:\DOCUME~1\Doug\LOCALS~1\Temp\IXP000.TMP\q817287.exe
c:\bbbf1e0c6521454f9105079f\update\update.exe
C:\Documents and Settings\Doug\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\neszo.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://neszo.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://neszo.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\neszo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\neszo.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://neszo.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B037591-C411-9595-6A6F-7B4FD52BF9DA} - C:\WINDOWS\wingt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyStopper] C:\System Tools\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\yiippcz.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Winamp Update] winamp4upd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [crnx32.exe] C:\WINDOWS\crnx32.exe
O4 - HKLM\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - HKLM\..\RunServices: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\RunServices: [Winamp Update] winamp4upd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnmsgplus.exe
O4 - HKLM\..\RunOnce: [javaln32.exe] C:\WINDOWS\system32\javaln32.exe
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Winamp Update] winamp4upd.exe
O4 - HKCU\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPZRCV01.LNK = C:\Program Files\Hewlett-Packard\Temp\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzrcv01.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....ro64_loader.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?321
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Jnimje32.dll

#2 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 20 July 2004 - 12:02 PM

I have some new information about this problem.

1. I am still getting references to neszo.dll when I run HijackThis.
2. The agobot virus is gone, so that was a red herring.
3. If I clean up using HijackThis and then sit idle, the spyware does NOT return.
(Contrary to what I wrote in the first post.)
4. If I clean up and then start a web browser, or go into control panel, or just about anything else, then the neszo spyware returns immediately.
5. If I clean up and then reboot, the neszo spyware returns.

The spyware is causing quite a bit of problems, and general slowness when I am using IE. I can clean it up, but it comes back very quickly.

Please somebody help if you can.

Thanks!

#3 expertec

expertec

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 690 posts

Posted 20 July 2004 - 12:07 PM

It's probably a good idea to copy and save these instructions or print them out, as you will not be able to refer back to here while you are performing the fix.

First, learn how to boot into safe mode if you don't already know. See here if you don't know how.

Download about:buster and unzip it, but don't run it yet. http://www.downloads...AboutBuster.zip

Next, download Spybot Search & Destroy from http://safer-network...load/index.html and install it, accepting the default settings. Run it and search for updates. Download any available. Don't scan yet, close Spybot.

Next, download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Now, we need to configure Ad-aware for a full scan.

Posted Image Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
Posted Image Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Posted Image Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Posted Image Click on Proceed to save the settings.

Next run Hijackthis with all browser windows closed, check and fix these lines:

O2 - BHO: (no name) - {0B037591-C411-9595-6A6F-7B4FD52BF9DA} - C:\WINDOWS\wingt.dll

O4 - HKLM\..\Run: [crnx32.exe] C:\WINDOWS\crnx32.exe

O4 - HKLM\..\RunOnce: [javaln32.exe] C:\WINDOWS\system32\javaln32.exe


Now, reboot into safe mode.

Run about:buster, and let it scan and fix anything it finds. When it shows you a log, copy it to a text file and save it. Do this step again and save the second log.

Posted Image Run Ad-Aware again, click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Posted Image Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Posted Image Save the log file when it asks and then click Finish

Posted Image When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Now run Spybot again, click "Check for Problems", let it scan and then fix anything it finds.

Reboot your computer and post the about:buster logs and a new Hijackthis log.

Edited by expertec, 21 July 2004 - 03:32 AM.


#4 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 20 July 2004 - 09:32 PM

Thanks for helping out. I have followed your instructions up until you want me to check and fix these lines in HijackThis. The problem is, those lines don't exist. A quick check indicates that they did not exist in the original log either. Here is the latest log. Let me know which lines to check and fix, and I will gladly continue from there.

Logfile of HijackThis v1.98.0
Scan saved at 10:27:52 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\javaln32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\avgcc32.exe
C:\WINDOWS\crnx32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\msnmsgplus.exe
C:\Documents and Settings\Doug\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\neszo.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://neszo.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://neszo.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\neszo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\neszo.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://neszo.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B037591-C411-9595-6A6F-7B4FD52BF9DA} - C:\WINDOWS\wingt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyStopper] C:\System Tools\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\yiippcz.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Winamp Update] winamp4upd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [crnx32.exe] C:\WINDOWS\crnx32.exe
O4 - HKLM\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - HKLM\..\RunServices: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\RunServices: [Winamp Update] winamp4upd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnmsgplus.exe
O4 - HKLM\..\RunOnce: [javaln32.exe] C:\WINDOWS\system32\javaln32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Winamp Update] winamp4upd.exe
O4 - HKCU\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPZRCV01.LNK = C:\Program Files\Hewlett-Packard\Temp\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzrcv01.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Jnimje32.dll



Thanks again for your help!

#5 expertec

expertec

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 690 posts

Posted 21 July 2004 - 03:33 AM

:oops:

Very sorry about that, I accidentally gave you someone else's fix. I have edited my post now so it should be OK for you.

#6 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 21 July 2004 - 09:08 AM

Looks like progress is being made, although the neszo problem still persists. It was not there on reboot, but as soon as I started up a browser, it came back.

I have pasted the about:buster logs and Hijackthis log below as you asked. If you also want the Adaware log, just let me know. Your help is most appreciated.


-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\apirp32.exe
Removed! : C:\WINDOWS\appse32.exe
Removed! : C:\WINDOWS\crnx32.exe
Removed! : C:\WINDOWS\mfcom.exe
Removed! : C:\WINDOWS\rfjmwd.dat
Removed! : C:\WINDOWS\sqogg.dat
Removed! : C:\WINDOWS\tbhct.dat
Removed! : C:\WINDOWS\System32\apigu32.exe
Removed! : C:\WINDOWS\System32\ieho32.exe
Removed! : C:\WINDOWS\System32\mswo.exe
Removed! : C:\WINDOWS\System32\netcp.exe
Removed! : C:\WINDOWS\System32\rfjmw.dat
Removed! : C:\WINDOWS\System32\sdkov.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!


Logfile of HijackThis v1.98.0
Scan saved at 9:59:38 AM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\javaln32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\System Tools\SpyStopper\spystopper.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\avgcc32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\winamp4upd.exe
C:\WINDOWS\System32\msnmsgplus.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Palm\HOTSYNC.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\syskn.exe
C:\repair\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ebgvf.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ebgvf.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ebgvf.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ebgvf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ebgvf.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ebgvf.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F48013EA-594D-303B-6348-E15CF2B505A2} - C:\WINDOWS\system32\crqm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyStopper] C:\System Tools\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\yiippcz.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Winamp Update] winamp4upd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - HKLM\..\Run: [syskn.exe] C:\WINDOWS\syskn.exe
O4 - HKLM\..\RunServices: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\RunServices: [Winamp Update] winamp4upd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnmsgplus.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Winamp Update] winamp4upd.exe
O4 - HKCU\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPZRCV01.LNK = C:\Program Files\Hewlett-Packard\Temp\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzrcv01.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

#7 expertec

expertec

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 690 posts

Posted 22 July 2004 - 06:08 AM

Could you post a new Hijackthis log please. (to see if the file names are changing)

#8 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 22 July 2004 - 11:08 PM

Sure. Here it is.

Logfile of HijackThis v1.98.0
Scan saved at 12:07:34 AM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\javaln32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\System Tools\SpyStopper\spystopper.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\avgcc32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\msnmsgplus.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\iptf32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\repair\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mgiiv.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mgiiv.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mgiiv.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mgiiv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mgiiv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mgiiv.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F48013EA-594D-303B-6348-E15CF2B505A2} - C:\WINDOWS\system32\crqm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyStopper] C:\System Tools\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\yiippcz.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iptf32.exe] C:\WINDOWS\iptf32.exe
O4 - HKLM\..\RunServices: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\RunServices: [Winamp Update] winamp4upd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnmsgplus.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPZRCV01.LNK = C:\Program Files\Hewlett-Packard\Temp\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzrcv01.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

#9 expertec

expertec

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 690 posts

Posted 23 July 2004 - 11:23 AM

Run Hijackthis and check these lines:

O2 - BHO: (no name) - {F48013EA-594D-303B-6348-E15CF2B505A2} - C:\WINDOWS\system32\crqm.dll

O4 - HKLM\..\Run: [iptf32.exe] C:\WINDOWS\iptf32.exe <---The name of this might have changed, but it should be easy to identify. It is just the name of the program and the path to the file, no description. Make a note of the file name and location.

Close all other windows and click "Fix Checked".

Reboot into SAFE MODE and delete:

C:\WINDOWS\system32\crqm.dll

O4 - HKLM\..\Run: [iptf32.exe] C:\WINDOWS\iptf32.exe (Or whatever it was called)

Still in safe mode, run about:buster a few times and save the log from each scan.

Reboot into normal mode and post the about:buster logs and a new Hijackthis log.

Edited by expertec, 23 July 2004 - 11:23 AM.


#10 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 24 July 2004 - 02:41 PM

Ok. I have tried this many times, and the result is always the same.

I have checked and fixed the crqm.dll entry and the other random entries. I have rebooted in safe mode and run AboutBuster. I have deleted the file crqm.dll (had to update the folder options to let me do this)

After that, I can reboot in safe mode as often as I like, and everything is ok. But as soon as I reboot in normal mode, crqm.dll comes back, and there is a new random O4 entry in HijackThis.

I have tried this many many times, in different ways, but no success. So the next question is, what is re-creating crqm.dll, and how do I stop it from doing that.
Here are some of the AboutBuster logs.

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\d3mc.exe
Removed! : C:\WINDOWS\mgiiv.dat
Removed! : C:\WINDOWS\mgiiv.dll
Removed! : C:\WINDOWS\rfjmwd.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!


-- Scan 1 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\kokjr.dat
Removed! : C:\WINDOWS\mzdfm.dat
Removed! : C:\WINDOWS\mzdfm.dll
Removed! : C:\WINDOWS\rfjmwd.dat
Removed! : C:\WINDOWS\System32\lhxdc.dat
Removed! : C:\WINDOWS\System32\ntnc32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

And here is the latest HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 3:39:39 PM, on 7/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\avgcc32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\msnmsgplus.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\javaln32.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\atlkx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\repair\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F48013EA-594D-303B-6348-E15CF2B505A2} - C:\WINDOWS\system32\crqm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\yiippcz.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [atlkx.exe] C:\WINDOWS\atlkx.exe
O4 - HKLM\..\RunServices: [WSSAConfiguration] wmmon32.exe
O4 - HKLM\..\RunServices: [Winamp Update] winamp4upd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnmsgplus.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPZRCV01.LNK = C:\Program Files\Hewlett-Packard\Temp\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzrcv01.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

#11 expertec

expertec

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 690 posts

Posted 26 July 2004 - 03:52 AM

Do you think you could post a new Hijackthis log, and then leave the computer running till I get back to you?

#12 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 26 July 2004 - 12:26 PM

Here is the latest hjt log file. I will leave the computer running and not try to fix anything until I hear from you again.

Thanks.


Logfile of HijackThis v1.98.0
Scan saved at 1:25:14 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\javaln32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\avgcc32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\msnmsgplus.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\addgo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\repair\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vcwsf.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vcwsf.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vcwsf.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vcwsf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vcwsf.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vcwsf.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F48013EA-594D-303B-6348-E15CF2B505A2} - C:\WINDOWS\system32\crqm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\yiippcz.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [addgo.exe] C:\WINDOWS\system32\addgo.exe
O4 - HKLM\..\RunServices: [Winamp Update] winamp4upd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnmsgplus.exe
O4 - HKLM\..\RunOnce: [javacn.exe] C:\WINDOWS\system32\javacn.exe
O4 - HKLM\..\RunOnce: [javaln32.exe] C:\WINDOWS\system32\javaln32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Microsoft Update] msnmsgplus.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPZRCV01.LNK = C:\Program Files\Hewlett-Packard\Temp\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzrcv01.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

#13 expertec

expertec

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 690 posts

Posted 26 July 2004 - 05:00 PM

Print this out, or copy it to a text file, then follow the instructions with all IE windows closed

Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".

Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "javaln32.exe", "msnmsgplus.exe" and "addgo.exe". Find the files, click on them, and then click End Process => Exit the Task Manager.

Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.

Scroll down and find the service called "Network Security Service".

When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vcwsf.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vcwsf.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vcwsf.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vcwsf.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vcwsf.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vcwsf.dll/index.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {F48013EA-594D-303B-6348-E15CF2B505A2} - C:\WINDOWS\system32\crqm.dll

O4 - HKLM\..\Run: [Microsoft Update] msnmsgplus.exe

O4 - HKLM\..\Run: [addgo.exe] C:\WINDOWS\system32\addgo.exe

O4 - HKLM\..\RunServices: [Winamp Update] winamp4upd.exe

O4 - HKLM\..\RunServices: [Microsoft Update] msnmsgplus.exe

O4 - HKLM\..\RunOnce: [javacn.exe] C:\WINDOWS\system32\javacn.exe

O4 - HKLM\..\RunOnce: [javaln32.exe] C:\WINDOWS\system32\javaln32.exe

O4 - HKCU\..\Run: [Microsoft Update] msnmsgplus.exe


Reboot into Safe Mode and delete the following files:

C:\WINDOWS\system32\vcwsf.dll

C:\WINDOWS\system32\crqm.dll

C:\WINDOWS\system32\javacn.exe

C:\WINDOWS\system32\javaln32.exe

C:\WINDOWS\system32\addgo.exe

msnmsgplus.exe

winamp4upd.exe

msnmsgplus.exe

snmsgplus.exe


(You will have to use search to find the last four)

Reboot in Normal Mode.

Download this file http://www.wildersse...chmentid=137634 and rename it to cwsuninst.reg

Doubleclick it and confirm you want to merge it with the registry.

Run HijackThis again and post a new log.

#14 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 26 July 2004 - 09:32 PM

I followed all the instructions. There was no "Network Security Service". Instead, I used the NT LM Security Support Provider.

Here is the new hjt log file. Looks encouraging.

Thanks again for your help. Very much appreciated. Hopefully we are done, or almost done now. :cool:


Logfile of HijackThis v1.98.0
Scan saved at 10:28:11 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\avgcc32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\repair\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F48013EA-594D-303B-6348-E15CF2B505A2} - C:\WINDOWS\system32\crqm.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\yiippcz.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPZRCV01.LNK = C:\Program Files\Hewlett-Packard\Temp\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzrcv01.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

#15 expertec

expertec

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 690 posts

Posted 27 July 2004 - 02:59 AM

Scan again with Hijackthis and check off these items:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {F48013EA-594D-303B-6348-E15CF2B505A2} - C:\WINDOWS\system32\crqm.dll (file missing)


O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - Startup: PowerReg Scheduler.exe <---These blue ones are optional fixes


Close all other programs and click "Fix Checked".

Now try the time travel test, to see if it is completely gone. Set your system clock a few days forward, then reboot and post a new Hijackthis log.

Edited by expertec, 27 July 2004 - 02:59 AM.


#16 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 27 July 2004 - 08:27 AM

Logfile of HijackThis v1.98.0
Scan saved at 9:26:22 AM, on 7/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\avgserv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\avgcc32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\repair\HijackThis.exe
C:\WINDOWS\System32\HPZipm12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\yiippcz.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPZRCV01.LNK = C:\Program Files\Hewlett-Packard\Temp\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzrcv01.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

#17 expertec

expertec

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 690 posts

Posted 28 July 2004 - 03:18 AM

Set your clock back to the right date if you haven't already.

Could you get the properties of the file C:\WINDOWS\System32\yiippcz.exe and see if there is any information on it?

It may have tabs such as version, where you can find more info. Post back wit the results (even if there aren't any)

Edited by expertec, 28 July 2004 - 03:18 AM.


#18 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 28 July 2004 - 12:10 PM

I don't have any file by that name on my system. I may have cleaned it up inadvertently by running AboutBuster and AdAware. I searched my hard drive, and also checked the recycle bin, but it was not found.

Sorry.

#19 expertec

expertec

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 690 posts

Posted 28 July 2004 - 03:12 PM

Oh well, don't worry about it. You should be OK now. Read the article http://www.spywarein...ked/prevent.php for advice on preventing hijackings.

#20 chinmusic

chinmusic

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 30 July 2004 - 04:11 PM

Ok. I will check out that article.

Expertec, your help with this problem was so helpful, I don't know what to say.
This particular bug that I got was very difficult to figure out, and I definitely could
not have done it without you.

Thank you so much!

:wave:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button