• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Socialite

Large amount of malware/spyware problems

14 posts in this topic

Hi, I'm brand new. I'd like to give my thanks to this community first, it's great what all of you are doing.

 

Over the past two days, a vast amount of malware and spyware has installed itself into my computer. I have tried to clean the majority of it with CWShedder, Ad-aware, and Spybot, however I'm sure a lot remains, as my [HOME] is still hijacked and I receive many 'illict' pop ups still. The programs I delete return the next day as well. PLEASE HELP, I'm very desperate. Going on Explorer is a great pain for me. Thank you in advance.

 

Here is my log:

 

Logfile of HijackThis v1.97.7

Scan saved at 12:09:49 PM, on 28/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\CTSvcCDA.exe

C:\WINDOWS\System32\GEARSEC.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\crpc.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\PROGRA~1\NORTON~3\navapw32.exe

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\java\trustlib\taskjava.exe

C:\WINDOWS\crtn.exe

C:\WINDOWS\System32\nv4mgmts.exe

C:\WINDOWS\System32\dmaeng.exe

C:\Documents and Settings\Kathy\Application Data\psao.exe

C:\WINDOWS\System32\ubs.exe

C:\Program Files\Norton Utilities\SYSDOC32.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Winamp\winamp.exe

C:\Documents and Settings\Kathy\My Documents\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/

O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Kathy\LOCALS~1\Temp\avajksat.dat

O2 - BHO: (no name) - {846C8D01-5152-7880-199F-7570BAA19867} - C:\WINDOWS\system32\netwf32.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

O4 - HKLM\..\Run: [eulavss] C:\WINDOWS\Help\eulavss.exe

O4 - HKLM\..\Run: [taskjava] C:\WINDOWS\java\trustlib\taskjava.exe

O4 - HKLM\..\Run: [rhomubijtopf] C:\WINDOWS\System32\ppijbve.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [crtn.exe] C:\WINDOWS\crtn.exe

O4 - HKLM\..\Run: [os3T36j] nv4mgmts.exe

O4 - HKCU\..\Run: [ZBs3RWHnl] dmaeng.exe

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [Hcbc] C:\Documents and Settings\Kathy\Application Data\psao.exe

O4 - HKCU\..\Run: [Dzfxy] C:\WINDOWS\System32\ubs.exe

O4 - HKLM\..\RunOnce: [crpc.exe] C:\WINDOWS\crpc.exe

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab

O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab

O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...tall_popup.pl?1

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...0e1e2729109a237

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...tor/sw-intl.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38112.283287037

O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/ti...ty/tilecity.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/InstallFile...ive/TP_live.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

Share this post


Link to post
Share on other sites

Our apologies that no response has been forthcoming - Too many logs and too few volunteers :(

 

If you are still having a problem and due to the time pased:

  • Double click on "My Computer" to open it.
  • Double click on the local "C-Drive" to open it.
  • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
  • Please download HijackThis from any of the following locations:

    [*]Install/Unzip it into C:\HJT.

    [*]Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.

    [*]Run HijackThis, click on scan and wait for the scan to finish.

    [*]The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.

    [*]Notepad will open with a copy of the log.

    • Click on "Edit" => "Select All".
    • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.

    [*]Please post your entire log here for analysis.

Share this post


Link to post
Share on other sites

Thank you for looking. I don't mind the wait, just as long as I can get rid of everything. It's gotten worse, although I still use Adaware, Spybot, CWShedder and Trojanhunter religiously.

 

* C:\WINDOWS\secure.html will NOT delete, it is not my regular homepage

 

 

Logfile of HijackThis v1.97.7

Scan saved at 3:19:53 PM, on 02/08/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTSvcCDA.exe

C:\WINDOWS\System32\GEARSEC.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\crpc.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\PROGRA~1\NORTON~3\navapw32.exe

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\java\trustlib\taskjava.exe

C:\WINDOWS\crtn.exe

C:\Program Files\TrojanHunter 3.9\THGuard.exe

C:\WINDOWS\System32\sharov.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\shfbvm50.exe

C:\Documents and Settings\Kathy\Application Data\psao.exe

C:\WINDOWS\System32\ubs.exe

C:\Program Files\Norton Utilities\SYSDOC32.EXE

C:\Program Files\Winamp\winamp.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\msiexec.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/

O2 - BHO: (no name) - {846C8D01-5152-7880-199F-7570BAA19867} - C:\WINDOWS\system32\netwf32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [eulavss] C:\WINDOWS\Help\eulavss.exe

O4 - HKLM\..\Run: [taskjava] C:\WINDOWS\java\trustlib\taskjava.exe

O4 - HKLM\..\Run: [rhomubijtopf] C:\WINDOWS\System32\ppijbve.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [crtn.exe] C:\WINDOWS\crtn.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [kyngzc] C:\WINDOWS\System32\kyngzc.exe

O4 - HKLM\..\Run: [os3T36j] sharov.exe

O4 - HKCU\..\Run: [ZBs3RWHnl] shfbvm50.exe

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [Hcbc] C:\Documents and Settings\Kathy\Application Data\psao.exe

O4 - HKCU\..\Run: [Dzfxy] C:\WINDOWS\System32\ubs.exe

O4 - HKLM\..\RunOnce: [crpc.exe] C:\WINDOWS\crpc.exe

O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: SideFind (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotch.com

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab

O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab

O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...tall_popup.pl?1

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...0e1e2729109a237

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...tor/sw-intl.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38112.283287037

O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/ti...ty/tilecity.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/InstallFile...ive/TP_live.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} - http://ads.dealhelper.com/updates/DealHelperNew.cab

O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

Share this post


Link to post
Share on other sites

  1. Please download About:Buster from any of the following locations:

[*]Boot into safe mode. How do I boot into "Safe" mode?

[*]Unzip the downloaded about:buster program to your desktop.

[*]Double click it and hit "Ok".

[*]Click "Start".

[*]Select "Ok" to start the scan.

[*]The scan should take a few seconds.

[*]Once it is done save the report.

[*]Reboot and sign in as you normally do and repeat the procedure for running about:buster.

[*]Post the results of the report and a fresh HijackThis log for review.

Share this post


Link to post
Share on other sites

I did all of that. This is new:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:50:25 PM, on 03/08/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\CTSvcCDA.exe

C:\WINDOWS\System32\GEARSEC.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\crpc.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\PROGRA~1\NORTON~3\navapw32.exe

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\java\trustlib\taskjava.exe

C:\WINDOWS\System32\vbr42u.exe

C:\WINDOWS\System32\sccx.exe

C:\Documents and Settings\Kathy\Application Data\psao.exe

C:\WINDOWS\System32\ubs.exe

C:\Program Files\Norton Utilities\SYSDOC32.EXE

C:\Documents and Settings\Kathy\Desktop\AboutBuster.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\sdkiy.exe

C:\WINDOWS\System32\msiexec.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rhdrj.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rhdrj.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rhdrj.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/

O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Kathy\LOCALS~1\Temp\avajksat.dat

O2 - BHO: (no name) - {846C8D01-5152-7880-199F-7570BAA19867} - C:\WINDOWS\system32\netwf32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [eulavss] C:\WINDOWS\Help\eulavss.exe

O4 - HKLM\..\Run: [taskjava] C:\WINDOWS\java\trustlib\taskjava.exe

O4 - HKLM\..\Run: [rhomubijtopf] C:\WINDOWS\System32\ppijbve.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [kyngzc] C:\WINDOWS\System32\kyngzc.exe

O4 - HKLM\..\Run: [os3T36j] vbr42u.exe

O4 - HKLM\..\Run: [sdkiy.exe] C:\WINDOWS\sdkiy.exe

O4 - HKCU\..\Run: [ZBs3RWHnl] sccx.exe

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [Hcbc] C:\Documents and Settings\Kathy\Application Data\psao.exe

O4 - HKCU\..\Run: [Dzfxy] C:\WINDOWS\System32\ubs.exe

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotch.com

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab

O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab

O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...tall_popup.pl?1

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...0e1e2729109a237

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...tor/sw-intl.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38112.283287037

O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/ti...ty/tilecity.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/InstallFile...ive/TP_live.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

 

Thanks again for helping

Share this post


Link to post
Share on other sites

Please perform the procedure again - Run through the process twice in safe mode and then twice in normal mode - PLease include those logs when posting the next HijackThis log.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 8:03:41 PM, on 03/08/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\CTSvcCDA.exe

C:\WINDOWS\System32\GEARSEC.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\addtc.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\PROGRA~1\NORTON~3\navapw32.exe

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\java\trustlib\taskjava.exe

C:\WINDOWS\System32\vbr42u.exe

C:\WINDOWS\System32\sccx.exe

C:\Documents and Settings\Kathy\Application Data\psao.exe

C:\WINDOWS\System32\ubs.exe

C:\Program Files\Norton Utilities\SYSDOC32.EXE

C:\Documents and Settings\Kathy\Desktop\AboutBuster.exe

C:\WINDOWS\javaaz.exe

C:\WINDOWS\System32\msiexec.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rhdrj.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rhdrj.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rhdrj.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/

O2 - BHO: (no name) - {846C8D01-5152-7880-199F-7570BAA19867} - C:\WINDOWS\system32\netwf32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [eulavss] C:\WINDOWS\Help\eulavss.exe

O4 - HKLM\..\Run: [taskjava] C:\WINDOWS\java\trustlib\taskjava.exe

O4 - HKLM\..\Run: [rhomubijtopf] C:\WINDOWS\System32\ppijbve.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [kyngzc] C:\WINDOWS\System32\kyngzc.exe

O4 - HKLM\..\Run: [os3T36j] vbr42u.exe

O4 - HKLM\..\Run: [javaaz.exe] C:\WINDOWS\javaaz.exe

O4 - HKCU\..\Run: [ZBs3RWHnl] sccx.exe

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [Hcbc] C:\Documents and Settings\Kathy\Application Data\psao.exe

O4 - HKCU\..\Run: [Dzfxy] C:\WINDOWS\System32\ubs.exe

O4 - HKLM\..\RunOnce: [crpc.exe] C:\WINDOWS\crpc.exe

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotch.com

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab

O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab

O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...tall_popup.pl?1

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...0e1e2729109a237

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...tor/sw-intl.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38112.283287037

O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/ti...ty/tilecity.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/InstallFile...ive/TP_live.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

 

 

and (I did the 2 in safe, but I did 4 in normal)

 

-- Scan 1 --------

About:Buster Version 2.0

Deleted Service Key Successfully!

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 2.0

Removed! : C:\WINDOWS\wtayb.dat

Removed! : C:\WINDOWS\System32\omnsl.dat

Removed! : C:\WINDOWS\System32\ntni.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 3 --------

About:Buster Version 2.0

Removed! : C:\WINDOWS\ssoqah.dat

Removed! : C:\WINDOWS\mfcja32.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 4 --------

About:Buster Version 2.0

Removed! : C:\WINDOWS\System32\javaht.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

Share this post


Link to post
Share on other sites

From my understanding ... Norton'active protection is interfering with the fix. Please disable it and run through the procedure again.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 8:50:21 AM, on 04/08/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\CTSvcCDA.exe

C:\WINDOWS\System32\GEARSEC.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\crpc.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\PROGRA~1\NORTON~3\navapw32.exe

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\java\trustlib\taskjava.exe

C:\WINDOWS\System32\dxm20.exe

C:\WINDOWS\System32\sccx.exe

C:\Documents and Settings\Kathy\Application Data\psao.exe

C:\WINDOWS\System32\ubs.exe

C:\Documents and Settings\Kathy\Desktop\AboutBuster.exe

C:\WINDOWS\msae32.exe

C:\WINDOWS\System32\msiexec.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rhdrj.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rhdrj.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rhdrj.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/

O2 - BHO: (no name) - {846C8D01-5152-7880-199F-7570BAA19867} - C:\WINDOWS\system32\netwf32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [eulavss] C:\WINDOWS\Help\eulavss.exe

O4 - HKLM\..\Run: [taskjava] C:\WINDOWS\java\trustlib\taskjava.exe

O4 - HKLM\..\Run: [rhomubijtopf] C:\WINDOWS\System32\ppijbve.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [kyngzc] C:\WINDOWS\System32\kyngzc.exe

O4 - HKLM\..\Run: [os3T36j] dxm20.exe

O4 - HKLM\..\Run: [msae32.exe] C:\WINDOWS\msae32.exe

O4 - HKCU\..\Run: [ZBs3RWHnl] sccx.exe

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [Hcbc] C:\Documents and Settings\Kathy\Application Data\psao.exe

O4 - HKCU\..\Run: [Dzfxy] C:\WINDOWS\System32\ubs.exe

O4 - HKLM\..\RunOnce: [sdkjc.exe] C:\WINDOWS\system32\sdkjc.exe

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotch.com

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab

O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab

O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...tall_popup.pl?1

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...0e1e2729109a237

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...tor/sw-intl.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38112.283287037

O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/ti...ty/tilecity.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/InstallFile...ive/TP_live.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

 

...................................

 

-- Scan 1 --------

About:Buster Version 2.0

Deleted Service Key Successfully!

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 2.0

Removed! : C:\WINDOWS\wtayb.dat

Removed! : C:\WINDOWS\crjx32.exe

Removed! : C:\WINDOWS\System32\omnsl.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 3 --------

About:Buster Version 2.0

Removed! : C:\WINDOWS\wtayb.dat

Removed! : C:\WINDOWS\vauerv.dat

Removed! : C:\WINDOWS\System32\omnsl.dat

Removed! : C:\WINDOWS\System32\addok.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 4 --------

About:Buster Version 2.0

Removed! : C:\WINDOWS\vauerv.dat

Removed! : C:\WINDOWS\System32\d3xr.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

Share this post


Link to post
Share on other sites

Let's approach this a little differently.

  1. Disable System restore as per the instructions here.
  2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "crpc.exe", "dxm20.exe", "sccx.exe", "ubs.exe", "msae32.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
  3. Run HijackThis (This should, typically, be run from C:\HJT\HijackThis.exe)
    • Click on "Config" in the bottom right corner of the HijackThis window.
    • Make sure that the "Main" tab is selected at the top.
    • Place a checkmark in the box labelled "Make backups before fixing items".
    • Click on "Back" in the bottom right corner.
    • Make sure all Browser windows are closed otherwise it may interfere with the fixing of items.
    • Click on "Scan" and then place a check mark in the following boxes (If they still exist), And click on "Fix Checked":

    • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rhdrj.dll/index.html#96676
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rhdrj.dll/index.html#96676
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rhdrj.dll/index.html#96676
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rhdrj.dll/sp.html#96676
      O2 - BHO: (no name) - {846C8D01-5152-7880-199F-7570BAA19867} - C:\WINDOWS\system32\netwf32.dll
      O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
      O4 - HKLM\..\Run: [eulavss] C:\WINDOWS\Help\eulavss.exe
      O4 - HKLM\..\Run: [taskjava] C:\WINDOWS\java\trustlib\taskjava.exe
      O4 - HKLM\..\Run: [rhomubijtopf] C:\WINDOWS\System32\ppijbve.exe
      O4 - HKLM\..\Run: [kyngzc] C:\WINDOWS\System32\kyngzc.exe
      O4 - HKLM\..\Run: [os3T36j] dxm20.exe
      O4 - HKLM\..\Run: [msae32.exe] C:\WINDOWS\msae32.exe
      O4 - HKCU\..\Run: [ZBs3RWHnl] sccx.exe
      O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
      O4 - HKCU\..\Run: [Hcbc] C:\Documents and Settings\Kathy\Application Data\psao.exe
      O4 - HKCU\..\Run: [Dzfxy] C:\WINDOWS\System32\ubs.exe
      O4 - HKLM\..\RunOnce: [sdkjc.exe] C:\WINDOWS\system32\sdkjc.exe
      O15 - Trusted Zone: *.clickspring.net
      O15 - Trusted Zone: *.mt-download.com
      O15 - Trusted Zone: *.my-internet.info
      O15 - Trusted Zone: *.searchbarcash.com
      O15 - Trusted Zone: *.searchmiracle.com
      O15 - Trusted Zone: *.skoobidoo.com
      O15 - Trusted Zone: *.slotch.com
      O16 - DPF: v2cab -
http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...tall_popup.pl?1
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...0e1e2729109a237
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...tor/sw-intl.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38112.283287037
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/ti...ty/tilecity.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/InstallFile...ive/TP_live.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

[*]Please reboot into safe mode - How do I boot into "Safe" mode?

[*]The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.

  1. DIRECTORY CONTENTS (But not the directory)
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested. Click on "OK" once more to close the options panel.
    • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.

[*]DIRECTORIES

  • C:\Program Files\TV Media\

[*]FILES

  • C:\WINDOWS\crpc.exe
  • C:\WINDOWS\System32\dxm20.exe
  • C:\WINDOWS\System32\sccx.exe
  • C:\WINDOWS\System32\ubs.exe
  • C:\WINDOWS\msae32.exe
  • C:\WINDOWS\system32\netwf32.dll
  • C:\WINDOWS\Help\eulavss.exe
  • C:\WINDOWS\System32\ppijbve.exe
  • C:\WINDOWS\System32\kyngzc.exe
  • C:\Documents and Settings\Kathy\Application Data\psao.exe
  • C:\WINDOWS\system32\sdkjc.exe

[*]Enable System restore as per the instructions here.

[*]HijackThis ... (Yes, I do need you to download it again as you are using an older version)

  • Double click on "My Computer" to open it.
  • Double click on the local "C-Drive" to open it.
  • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
  • Please download HijackThis from any of the following locations:

    [*]Install/Unzip it into C:\HJT.

    [*]Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.

    [*]Run HijackThis, click on scan and wait for the scan to finish.

    [*]The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.

    [*]Notepad will open with a copy of the log.

    • Click on "Edit" => "Select All".
    • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.

    [*]Please post your entire log here for analysis.

[*]Reboot again and log in normally, repost a new HijackThis log into this message for further review.

Share this post


Link to post
Share on other sites

I did exactly all of that. Here is my new log, it seems my browswer has been hijacked by a different program now.

 

Logfile of HijackThis v1.97.7

Scan saved at 5:25:51 PM, on 05/08/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTSvcCDA.exe

C:\WINDOWS\System32\GEARSEC.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\ipvi32.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\PROGRA~1\NORTON~3\navapw32.exe

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\java\trustlib\taskjava.exe

C:\Program Files\TrojanHunter 3.9\THGuard.exe

C:\WINDOWS\sdkft32.exe

C:\Program Files\AutoUpdate\AutoUpdate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\corcapp.exe

C:\Program Files\Norton Utilities\SYSDOC32.EXE

C:\WINDOWS\System32\msiexec.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fodjr.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fodjr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fodjr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/

O2 - BHO: (no name) - {1F538EA8-B9CA-F988-6EE4-567DFA2D8761} - C:\WINDOWS\system32\netwy.dll

O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Kathy\LOCALS~1\Temp\avajksat.dat

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [taskjava] C:\WINDOWS\java\trustlib\taskjava.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [sdkft32.exe] C:\WINDOWS\sdkft32.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [os3T36j] corcapp.exe

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...0e1e2729109a237

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

 

 

I will be leaving town until the 23rd or so, but your help would still be appreciated :)

Share this post


Link to post
Share on other sites

My applogies, I thought I had the latest version

 

Logfile of HijackThis v1.98.1

Scan saved at 6:30:36 PM, on 05/08/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTSvcCDA.exe

C:\WINDOWS\System32\GEARSEC.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\ipvi32.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\PROGRA~1\NORTON~3\navapw32.exe

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\java\trustlib\taskjava.exe

C:\Program Files\TrojanHunter 3.9\THGuard.exe

C:\WINDOWS\sdkft32.exe

C:\Program Files\AutoUpdate\AutoUpdate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\corcapp.exe

C:\Program Files\Norton Utilities\SYSDOC32.EXE

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\WINDOWS\System32\msiexec.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fodjr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fodjr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fodjr.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fodjr.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {1F538EA8-B9CA-F988-6EE4-567DFA2D8761} - C:\WINDOWS\system32\netwy.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\navapw32.exe

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [taskjava] C:\WINDOWS\java\trustlib\taskjava.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [sdkft32.exe] C:\WINDOWS\sdkft32.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [os3T36j] corcapp.exe

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: AOL Instant Messenger - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...0e1e2729109a237

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O19 - User stylesheet: (file missing)

O21 - SSODL: System - {EC399D86-6B27-4441-8694-E9452D0F3D79} - C:\WINDOWS\system32\system32.dll (file missing)

 

* C:\WINDOWS\system32\system32.dll This was always missing, I didn't remove it (can I get it back?)

Share this post


Link to post
Share on other sites

Usually I only ask a person to update the O/S and IE after the infections are cleaned up but in your case, there might be something preveting cleaning so ... Please go to Microsoft Windows Update and download all critical updates for your system. This is imperative.

 

After that is done, reboot, sign in and post another HijackThis log.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0