back to the same problem

12 replies to this topic

#1 johnboy

  • Full Member
  • 94 posts

Posted 29 July 2004 - 08:31 AM

I'm back to having the same problem again. Here is my HJT log, someone help please.

Logfile of HijackThis v1.98.0
Scan saved at 8:19:49 AM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\javaiw32.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchosting.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\appnz32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\IEXPLORE.EXE
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\timmy helm\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jwvmp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jwvmp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jwvmp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jwvmp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jwvmp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jwvmp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FE91B9D4-3653-458A-EDE1-263E7454EF29} - C:\WINDOWS\netpn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Syscheck] C:\WINDOWS\Fonts\win.hta
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [appnz32.exe] C:\WINDOWS\system32\appnz32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\xczkpckx.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunOnce: [crih.exe] C:\WINDOWS\crih.exe
O4 - HKLM\..\RunOnce: [javahm.exe] C:\WINDOWS\javahm.exe
O4 - HKLM\..\RunOnce: [msfk32.exe] C:\WINDOWS\msfk32.exe
O4 - HKLM\..\RunOnce: [javahg.exe] C:\WINDOWS\system32\javahg.exe
O4 - HKLM\..\RunOnce: [atlbg32.exe] C:\WINDOWS\atlbg32.exe
O4 - HKLM\..\RunOnce: [msdp.exe] C:\WINDOWS\system32\msdp.exe
O4 - HKLM\..\RunOnce: [appkz.exe] C:\WINDOWS\system32\appkz.exe
O4 - HKLM\..\RunOnce: [addoe32.exe] C:\WINDOWS\system32\addoe32.exe
O4 - HKLM\..\RunOnce: [winlw.exe] C:\WINDOWS\system32\winlw.exe
O4 - HKLM\..\RunOnce: [mfcov32.exe] C:\WINDOWS\system32\mfcov32.exe
O4 - HKLM\..\RunOnce: [wintc.exe] C:\WINDOWS\system32\wintc.exe
O4 - HKLM\..\RunOnce: [atley.exe] C:\WINDOWS\system32\atley.exe
O4 - HKLM\..\RunOnce: [crde.exe] C:\WINDOWS\system32\crde.exe
O4 - HKLM\..\RunOnce: [atlvw32.exe] C:\WINDOWS\atlvw32.exe
O4 - HKLM\..\RunOnce: [addwt.exe] C:\WINDOWS\system32\addwt.exe
O4 - HKLM\..\RunOnce: [appdn.exe] C:\WINDOWS\appdn.exe
O4 - HKLM\..\RunOnce: [iekq32.exe] C:\WINDOWS\system32\iekq32.exe
O4 - HKLM\..\RunOnce: [apigj.exe] C:\WINDOWS\apigj.exe
O4 - HKLM\..\RunOnce: [crqp.exe] C:\WINDOWS\crqp.exe
O4 - HKLM\..\RunOnce: [d3hi32.exe] C:\WINDOWS\d3hi32.exe
O4 - HKLM\..\RunOnce: [sdkax32.exe] C:\WINDOWS\system32\sdkax32.exe
O4 - HKLM\..\RunOnce: [apisx.exe] C:\WINDOWS\apisx.exe
O4 - HKLM\..\RunOnce: [sysap32.exe] C:\WINDOWS\sysap32.exe
O4 - HKLM\..\RunOnce: [addar.exe] C:\WINDOWS\system32\addar.exe
O4 - HKLM\..\RunOnce: [mfczk.exe] C:\WINDOWS\mfczk.exe
O4 - HKLM\..\RunOnce: [ntjz32.exe] C:\WINDOWS\ntjz32.exe
O4 - HKLM\..\RunOnce: [appyp32.exe] C:\WINDOWS\system32\appyp32.exe
O4 - HKLM\..\RunOnce: [ietn.exe] C:\WINDOWS\system32\ietn.exe
O4 - HKLM\..\RunOnce: [msco.exe] C:\WINDOWS\msco.exe
O4 - HKLM\..\RunOnce: [iplt32.exe] C:\WINDOWS\iplt32.exe
O4 - HKLM\..\RunOnce: [sdkpo32.exe] C:\WINDOWS\system32\sdkpo32.exe
O4 - HKLM\..\RunOnce: [appmm32.exe] C:\WINDOWS\system32\appmm32.exe
O4 - HKLM\..\RunOnce: [winsb32.exe] C:\WINDOWS\winsb32.exe
O4 - HKLM\..\RunOnce: [ntlr.exe] C:\WINDOWS\system32\ntlr.exe
O4 - HKLM\..\RunOnce: [javalv32.exe] C:\WINDOWS\javalv32.exe
O4 - HKLM\..\RunOnce: [javasn.exe] C:\WINDOWS\system32\javasn.exe
O4 - HKLM\..\RunOnce: [sysuc32.exe] C:\WINDOWS\system32\sysuc32.exe
O4 - HKLM\..\RunOnce: [appjg.exe] C:\WINDOWS\system32\appjg.exe
O4 - HKLM\..\RunOnce: [apptj.exe] C:\WINDOWS\system32\apptj.exe
O4 - HKLM\..\RunOnce: [ntyo32.exe] C:\WINDOWS\system32\ntyo32.exe
O4 - HKLM\..\RunOnce: [d3ao32.exe] C:\WINDOWS\d3ao32.exe
O4 - HKLM\..\RunOnce: [winym32.exe] C:\WINDOWS\winym32.exe
O4 - HKLM\..\RunOnce: [ipko.exe] C:\WINDOWS\system32\ipko.exe
O4 - HKLM\..\RunOnce: [atldt.exe] C:\WINDOWS\system32\atldt.exe
O4 - HKLM\..\RunOnce: [atlcl.exe] C:\WINDOWS\system32\atlcl.exe
O4 - HKLM\..\RunOnce: [netuo32.exe] C:\WINDOWS\netuo32.exe
O4 - HKLM\..\RunOnce: [mfcqt32.exe] C:\WINDOWS\mfcqt32.exe
O4 - HKLM\..\RunOnce: [winwi.exe] C:\WINDOWS\system32\winwi.exe
O4 - HKLM\..\RunOnce: [javadn.exe] C:\WINDOWS\javadn.exe
O4 - HKLM\..\RunOnce: [ntdh.exe] C:\WINDOWS\ntdh.exe
O4 - HKLM\..\RunOnce: [addnh32.exe] C:\WINDOWS\system32\addnh32.exe
O4 - HKLM\..\RunOnce: [syske32.exe] C:\WINDOWS\system32\syske32.exe
O4 - HKLM\..\RunOnce: [netlh32.exe] C:\WINDOWS\netlh32.exe
O4 - HKLM\..\RunOnce: [sysfo32.exe] C:\WINDOWS\system32\sysfo32.exe
O4 - HKLM\..\RunOnce: [apipu32.exe] C:\WINDOWS\apipu32.exe
O4 - HKLM\..\RunOnce: [mfcpw32.exe] C:\WINDOWS\mfcpw32.exe
O4 - HKLM\..\RunOnce: [appcs.exe] C:\WINDOWS\appcs.exe
O4 - HKLM\..\RunOnce: [netro.exe] C:\WINDOWS\netro.exe
O4 - HKLM\..\RunOnce: [msyq.exe] C:\WINDOWS\msyq.exe
O4 - HKLM\..\RunOnce: [winix.exe] C:\WINDOWS\system32\winix.exe
O4 - HKLM\..\RunOnce: [javahx32.exe] C:\WINDOWS\system32\javahx32.exe
O4 - HKLM\..\RunOnce: [ntvn32.exe] C:\WINDOWS\ntvn32.exe
O4 - HKLM\..\RunOnce: [sdkie32.exe] C:\WINDOWS\system32\sdkie32.exe
O4 - HKLM\..\RunOnce: [iemt32.exe] C:\WINDOWS\iemt32.exe
O4 - HKLM\..\RunOnce: [d3oz32.exe] C:\WINDOWS\d3oz32.exe
O4 - HKLM\..\RunOnce: [javaiw32.exe] C:\WINDOWS\javaiw32.exe
O4 - HKLM\..\RunOnce: [ietm32.exe] C:\WINDOWS\ietm32.exe
O4 - HKLM\..\RunOnce: [addeg32.exe] C:\WINDOWS\system32\addeg32.exe
O4 - HKLM\..\RunOnce: [winrc32.exe] C:\WINDOWS\winrc32.exe
O4 - HKLM\..\RunOnce: [sdkle32.exe] C:\WINDOWS\sdkle32.exe
O4 - HKLM\..\RunOnce: [apimz.exe] C:\WINDOWS\system32\apimz.exe
O4 - HKLM\..\RunOnce: [winax.exe] C:\WINDOWS\winax.exe
O4 - HKLM\..\RunOnce: [ipep.exe] C:\WINDOWS\ipep.exe
O4 - HKLM\..\RunOnce: [addzx32.exe] C:\WINDOWS\system32\addzx32.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunOnce: [apinv32.exe] C:\WINDOWS\apinv32.exe
O4 - HKLM\..\RunOnce: [addhs32.exe] C:\WINDOWS\system32\addhs32.exe
O4 - HKLM\..\RunOnce: [ipvc32.exe] C:\WINDOWS\system32\ipvc32.exe
O4 - HKLM\..\RunOnce: [javabs.exe] C:\WINDOWS\javabs.exe
O4 - HKLM\..\RunOnce: [addao32.exe] C:\WINDOWS\system32\addao32.exe
O4 - HKLM\..\RunOnce: [mfckb32.exe] C:\WINDOWS\system32\mfckb32.exe
O4 - HKLM\..\RunOnce: [atlwh32.exe] C:\WINDOWS\system32\atlwh32.exe
O4 - HKLM\..\RunOnce: [javaiu32.exe] C:\WINDOWS\javaiu32.exe
O4 - HKLM\..\RunOnce: [iebd32.exe] C:\WINDOWS\system32\iebd32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00014\gd-dial.exe -remove
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C2FDAC1-48A7-4DCB-B716-6CC47AFEC434}: NameServer = 66.38.0.240 66.38.0.241
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lbnohl32.dll
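As an added example (not code from the thread, HijackThis or About:Buster), here is a small Python triage script that reads HJT R0/R1 and O4 lines like the ones above and flags what a helper would look for first: start and search pages redirected to a res:// DLL resource, autorun values with no path, an .hta script in Run, and generated-looking names dropped straight into the Windows directory. The heuristics, regexes and sample lines are this example's own assumptions, modelled on the posted log.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; it is not code from HijackThis, About:Buster
or the thread itself. The heuristics are assumptions modelled on the log above.
"""
import re

# Constructed sample in the shape of the posted log (a handful of its lines).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jwvmp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jwvmp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [Syscheck] C:\WINDOWS\Fonts\win.hta
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunOnce: [crih.exe] C:\WINDOWS\crih.exe
O4 - HKLM\..\RunOnce: [javahg.exe] C:\WINDOWS\system32\javahg.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

# R0/R1: "<registry key> = <value>"; O4: "<hive>\..\Run*: [<name>] <command>"
R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.*)$")
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<subkey>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# System-sounding prefix, two random letters, optional "32": the naming shape
# of the RunOnce entries in the log (a heuristic, not a malware signature).
GENERATED_NAME = re.compile(
    r"^(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.exe$", re.I
)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper folder).
WINDIR_FILE = re.compile(r"^C:\\WINDOWS\\(system32\\)?(?P<base>[^\\]+)$", re.I)


def executable_of(cmd):
    """Program part of a Run value: strip surrounding quotes and trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return re.split(r" (?=[-/])", cmd, maxsplit=1)[0]


def triage_line(line):
    """Reasons (possibly none) why one HJT line looks like a hijack indicator."""
    reasons = []
    m = R_LINE.match(line)
    if m:
        if m.group("value").strip().lower().startswith("res://"):
            reasons.append("IE start/search page served from a local DLL resource (res://)")
        return reasons
    m = O4_LINE.match(line)
    if not m:
        return reasons
    exe = executable_of(m.group("cmd"))
    if "\\" not in exe:
        reasons.append("autorun command has no path: a look-alike name resolved via PATH")
    if exe.lower().endswith(".hta"):
        reasons.append("autorun launches an HTML Application (.hta) script")
    w = WINDIR_FILE.match(exe)
    if w and GENERATED_NAME.match(w.group("base")):
        reasons.append("generated-looking executable dropped directly under the Windows directory")
    if reasons and m.group("subkey").lower() == "runonce":
        reasons.append("registered under RunOnce (one-shot autostart; dozens of these is itself abnormal)")
    return reasons


def triage(log_text):
    """Scan a whole HJT log; return [(line, reasons)] for flagged lines only."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line) if line else []
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Running it on the full log above would also flag the bare-name entries (IEXPLORE.EXE, ms32cfg.exe) and every RunOnce line, which is the same list a helper would ask to have fixed.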

#2 RubbeR DuckY (Marcin)

  • Developer
  • 878 posts

Posted 31 July 2004 - 11:49 AM

Grr, let's try this again.

http://www.majorgeek...wnload4289.html

Follow the directions on that page. Well, you know the drill, we went over it 100 times. But this time don't forget to update About:Buster 2.0.

DuckY :ph34r:
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

#3 johnboy

  • Full Member
  • 94 posts

Posted 31 July 2004 - 03:13 PM

Well, here is the 1st buster log.

-- Scan 1 --------
About:Buster Version 2.0
Deleted Service Key Successfully!
Removed! : C:\WINDOWS\abbwlb.dat
Removed! : C:\WINDOWS\addgo.dll
Removed! : C:\WINDOWS\addiu.exe
Removed! : C:\WINDOWS\alchem.exe
Removed! : C:\WINDOWS\annnuv.dat
Removed! : C:\WINDOWS\anrnp.dat
Removed! : C:\WINDOWS\apigj.exe
Removed! : C:\WINDOWS\apihd32.exe
Removed! : C:\WINDOWS\apipu32.exe
Removed! : C:\WINDOWS\apiqp.dll
Removed! : C:\WINDOWS\apird.exe
Removed! : C:\WINDOWS\apisx.exe
Removed! : C:\WINDOWS\appcs.exe
Removed! : C:\WINDOWS\appdn.exe
Removed! : C:\WINDOWS\appgz32.dll
Removed! : C:\WINDOWS\appsr.exe
Removed! : C:\WINDOWS\appti32.dll
Removed! : C:\WINDOWS\appyu32.exe
Removed! : C:\WINDOWS\appzf.dll
Removed! : C:\WINDOWS\atlbg32.exe
Removed! : C:\WINDOWS\atlds.exe
Removed! : C:\WINDOWS\atlou32.exe
Removed! : C:\WINDOWS\atlvw32.exe
Removed! : C:\WINDOWS\azlbq.dat
Removed! : C:\WINDOWS\bpioyc.dat
Removed! : C:\WINDOWS\btjty.dat
Removed! : C:\WINDOWS\cafhx.dat
Removed! : C:\WINDOWS\ckwmc.dat
Removed! : C:\WINDOWS\ckwmc.dll
Removed! : C:\WINDOWS\cnjwt.dll
Removed! : C:\WINDOWS\cqbjj.dll
Removed! : C:\WINDOWS\crby32.dll
Removed! : C:\WINDOWS\crfne.dat
Removed! : C:\WINDOWS\crih.exe
Removed! : C:\WINDOWS\crqp.exe
Removed! : C:\WINDOWS\cruv.exe
Removed! : C:\WINDOWS\cruv.exe.$$$
Removed! : C:\WINDOWS\ctzjgp.dat
Removed! : C:\WINDOWS\cwckr.dat
Removed! : C:\WINDOWS\czgop.dat
Removed! : C:\WINDOWS\d3ao32.exe
Removed! : C:\WINDOWS\d3ep.exe
Removed! : C:\WINDOWS\d3hi32.exe
Removed! : C:\WINDOWS\d3oz32.exe
Removed! : C:\WINDOWS\d3qg.dll
Removed! : C:\WINDOWS\d3ut.dll
Removed! : C:\WINDOWS\d3yt.dll
Removed! : C:\WINDOWS\dbdmp.dll
Removed! : C:\WINDOWS\dedmm.dll
Removed! : C:\WINDOWS\djfvf.dat
Removed! : C:\WINDOWS\dtigj.dll
Removed! : C:\WINDOWS\dxhxwo.dat
Removed! : C:\WINDOWS\eazmrv.dat
Removed! : C:\WINDOWS\ebenge.dat
Removed! : C:\WINDOWS\ejnxs.dll
Removed! : C:\WINDOWS\ejqsj.dll
Removed! : C:\WINDOWS\emzqy.dat
Removed! : C:\WINDOWS\etibdh.dat
Removed! : C:\WINDOWS\etrvo.dat
Removed! : C:\WINDOWS\fdueu.dat
Removed! : C:\WINDOWS\ffdio.dat
Removed! : C:\WINDOWS\ffpcp.dat
Removed! : C:\WINDOWS\fkpkn.dat
Removed! : C:\WINDOWS\fmfns.dat
Removed! : C:\WINDOWS\frjet.dll
Removed! : C:\WINDOWS\fvzps.dll
Removed! : C:\WINDOWS\fxxap.dll
Removed! : C:\WINDOWS\fykumi.dat
Removed! : C:\WINDOWS\fzlrs.dat
Removed! : C:\WINDOWS\gqwaw.dat
Removed! : C:\WINDOWS\hmsuu.dat
Removed! : C:\WINDOWS\hoosu.dll
Removed! : C:\WINDOWS\ibuxy.dat
Removed! : C:\WINDOWS\iegy.dll
Removed! : C:\WINDOWS\iekr.exe
Removed! : C:\WINDOWS\iemt32.exe
Removed! : C:\WINDOWS\iepu.dll
Removed! : C:\WINDOWS\ierl32.dll
Removed! : C:\WINDOWS\ietk.dll
Removed! : C:\WINDOWS\ietm32.exe
Removed! : C:\WINDOWS\ieyr32.dll
Removed! : C:\WINDOWS\ihuja.dat
Removed! : C:\WINDOWS\inwxu.dll
Removed! : C:\WINDOWS\ipeji.dat
Removed! : C:\WINDOWS\ipgg.exe
Removed! : C:\WINDOWS\iplt32.exe
Removed! : C:\WINDOWS\ipot.dll
Removed! : C:\WINDOWS\iprf32.dll
Removed! : C:\WINDOWS\iprx32.dll
Removed! : C:\WINDOWS\iubbw.dat
Removed! : C:\WINDOWS\ivetl.dat
Removed! : C:\WINDOWS\iwdnjw.dat
Removed! : C:\WINDOWS\iwxaqa.dat
Removed! : C:\WINDOWS\javadh.dll
Removed! : C:\WINDOWS\javadn.exe
Removed! : C:\WINDOWS\javafn.exe
Removed! : C:\WINDOWS\javahm.exe
Removed! : C:\WINDOWS\javaiu32.exe
Error Removing! : C:\WINDOWS\javaiw32.exe
Removed! : C:\WINDOWS\javalg.exe
Removed! : C:\WINDOWS\javalv32.exe
Removed! : C:\WINDOWS\jfjkzq.dat
Removed! : C:\WINDOWS\jmcvs.dat
Removed! : C:\WINDOWS\jnxtg.dat
Removed! : C:\WINDOWS\jpcue.dat
Removed! : C:\WINDOWS\keoyl.dat
Removed! : C:\WINDOWS\kexve.dll
Removed! : C:\WINDOWS\kgvgha.dat
Removed! : C:\WINDOWS\khuym.dll
Removed! : C:\WINDOWS\kkqum.dat
Removed! : C:\WINDOWS\ktjedh.dat
Removed! : C:\WINDOWS\kxvbas.dat
Removed! : C:\WINDOWS\kykbk.dll
Removed! : C:\WINDOWS\lfukt.dat
Removed! : C:\WINDOWS\lhlyh.dat
Removed! : C:\WINDOWS\loruq.dat
Removed! : C:\WINDOWS\lsasss.exe
Removed! : C:\WINDOWS\mfcbg32.dll
Removed! : C:\WINDOWS\mfcbz.dll
Removed! : C:\WINDOWS\mfcpw32.exe
Removed! : C:\WINDOWS\mfcqt32.exe
Removed! : C:\WINDOWS\mfcvh.dll
Removed! : C:\WINDOWS\mfcvi32.exe
Removed! : C:\WINDOWS\mfcwf32.dll
Removed! : C:\WINDOWS\mfcyl.dll
Removed! : C:\WINDOWS\mfczk.exe
Removed! : C:\WINDOWS\mfredf.dat
Removed! : C:\WINDOWS\mkiuz.dat
Removed! : C:\WINDOWS\mktzqf.dat
Removed! : C:\WINDOWS\mmrgf.dat
Removed! : C:\WINDOWS\mpufm.dll
Removed! : C:\WINDOWS\mrqlw.dll
Removed! : C:\WINDOWS\msco.exe
Removed! : C:\WINDOWS\mscv.exe
Removed! : C:\WINDOWS\msfk32.exe
Removed! : C:\WINDOWS\msia.exe
Removed! : C:\WINDOWS\msyq.exe
Removed! : C:\WINDOWS\mvsln.dll
Removed! : C:\WINDOWS\mwcqp.dll
Removed! : C:\WINDOWS\nbsir.dll
Removed! : C:\WINDOWS\ndrbz.dll
Removed! : C:\WINDOWS\ndwqv.dat
Removed! : C:\WINDOWS\nejmx.dat
Removed! : C:\WINDOWS\netch.dll
Removed! : C:\WINDOWS\netdm.dll
Removed! : C:\WINDOWS\netfv32.dll
Removed! : C:\WINDOWS\netlh32.exe
Removed! : C:\WINDOWS\netoe32.dll
Removed! : C:\WINDOWS\netow32.exe
Removed! : C:\WINDOWS\netpn32.dll
Removed! : C:\WINDOWS\netrn32.dll
Removed! : C:\WINDOWS\netro.exe
Removed! : C:\WINDOWS\nettl32.exe
Removed! : C:\WINDOWS\netuo32.exe
Removed! : C:\WINDOWS\netwh.exe
Removed! : C:\WINDOWS\npkec.dll
Removed! : C:\WINDOWS\ntcu.dll
Removed! : C:\WINDOWS\ntdh.exe
Removed! : C:\WINDOWS\ntjz32.exe
Removed! : C:\WINDOWS\ntrm32.dll
Removed! : C:\WINDOWS\ntvn32.exe
Removed! : C:\WINDOWS\n_aqgmtj.dat
Removed! : C:\WINDOWS\n_evpwsz.dat
Removed! : C:\WINDOWS\odubf.dll
Removed! : C:\WINDOWS\ogglw.dll
Removed! : C:\WINDOWS\oiylq.dll
Removed! : C:\WINDOWS\oqsth.dat
Removed! : C:\WINDOWS\oyiqe.dll
Removed! : C:\WINDOWS\pedwq.dll
Removed! : C:\WINDOWS\plqup.dll
Removed! : C:\WINDOWS\qfoju.dat
Removed! : C:\WINDOWS\qlzhp.dat
Removed! : C:\WINDOWS\qqukr.dll
Removed! : C:\WINDOWS\quzdf.dll
Removed! : C:\WINDOWS\qvykbf.dat
Removed! : C:\WINDOWS\qybat.dll
Removed! : C:\WINDOWS\rfglq.dat
Removed! : C:\WINDOWS\ridri.dll
Removed! : C:\WINDOWS\rlqkk.dat
Removed! : C:\WINDOWS\rmqdj.dat
Removed! : C:\WINDOWS\rqrkq.dat
Removed! : C:\WINDOWS\rtont.dll
Removed! : C:\WINDOWS\saqsi.dll
Removed! : C:\WINDOWS\sdeaq.dll
Removed! : C:\WINDOWS\sdkcj32.exe
Removed! : C:\WINDOWS\sdkdk32.dll
Removed! : C:\WINDOWS\sdkdy.dll
Removed! : C:\WINDOWS\sdkkc.dll
Removed! : C:\WINDOWS\sdkle32.exe
Removed! : C:\WINDOWS\sdkoq.exe
Removed! : C:\WINDOWS\sdkua.exe
Removed! : C:\WINDOWS\sdkut32.exe
Removed! : C:\WINDOWS\snngk.dat
Removed! : C:\WINDOWS\spdgu.dll
Removed! : C:\WINDOWS\spdin.dll
Removed! : C:\WINDOWS\spqcs.dll
Removed! : C:\WINDOWS\stwgp.dat
Removed! : C:\WINDOWS\sysap32.exe
Removed! : C:\WINDOWS\sysmz32.exe
Removed! : C:\WINDOWS\sysnj.exe
Removed! : C:\WINDOWS\sysra.exe
Removed! : C:\WINDOWS\sytns.dll
Removed! : C:\WINDOWS\tigcg.dll
Removed! : C:\WINDOWS\tilino.dat
Removed! : C:\WINDOWS\tlaib.dat
Removed! : C:\WINDOWS\tnipo.dat
Removed! : C:\WINDOWS\umjyc.dat
Removed! : C:\WINDOWS\uqgrel.dat
Removed! : C:\WINDOWS\uthvdc.dat
Removed! : C:\WINDOWS\vjzjr.dll
Removed! : C:\WINDOWS\vnzrq.dat
Removed! : C:\WINDOWS\vpadt.dat
Removed! : C:\WINDOWS\winlb.dll
Removed! : C:\WINDOWS\winsb32.exe
Removed! : C:\WINDOWS\winym32.exe
Removed! : C:\WINDOWS\wwjrs.dat
Removed! : C:\WINDOWS\xalrg.dll
Removed! : C:\WINDOWS\xbved.dat
Removed! : C:\WINDOWS\xszgi.dat
Removed! : C:\WINDOWS\xumlf.dll
Removed! : C:\WINDOWS\xvwbu.dll
Removed! : C:\WINDOWS\ycrff.dat
Removed! : C:\WINDOWS\ycufev.dat
Removed! : C:\WINDOWS\yjzfw.dat
Removed! : C:\WINDOWS\yoxxw.dll
Removed! : C:\WINDOWS\yrkmfc.dat
Removed! : C:\WINDOWS\yyjoh.dll
Removed! : C:\WINDOWS\zbfly.dll
Removed! : C:\WINDOWS\znpxf.dll
Removed! : C:\WINDOWS\zwvxco.dat
Removed! : C:\WINDOWS\System32\aaaiy.dll
Removed! : C:\WINDOWS\System32\addao32.exe
Removed! : C:\WINDOWS\System32\addar.exe
Removed! : C:\WINDOWS\System32\addgi.exe
Removed! : C:\WINDOWS\System32\addmm32.dll
Removed! : C:\WINDOWS\System32\addnh32.exe
Removed! : C:\WINDOWS\System32\addoe32.exe
Removed! : C:\WINDOWS\System32\addwt.exe
Removed! : C:\WINDOWS\System32\aemiu.dll
Removed! : C:\WINDOWS\System32\agvup.dat
Removed! : C:\WINDOWS\System32\aljaq.dll
Removed! : C:\WINDOWS\System32\apikz.exe
Removed! : C:\WINDOWS\System32\apimz.exe
Removed! : C:\WINDOWS\System32\apiud.dll
Removed! : C:\WINDOWS\System32\apiwa.dll
Removed! : C:\WINDOWS\System32\apixj32.exe
Removed! : C:\WINDOWS\System32\appba.dll
Removed! : C:\WINDOWS\System32\appef32.dll
Removed! : C:\WINDOWS\System32\appfy32.exe
Removed! : C:\WINDOWS\System32\appjg.exe
Removed! : C:\WINDOWS\System32\appkz.exe
Removed! : C:\WINDOWS\System32\appmm32.exe
Removed! : C:\WINDOWS\System32\apptj.exe
Removed! : C:\WINDOWS\System32\appyp32.exe
Removed! : C:\WINDOWS\System32\atlcl.exe
Removed! : C:\WINDOWS\System32\atldt.exe
Removed! : C:\WINDOWS\System32\atley.exe
Removed! : C:\WINDOWS\System32\atlfz.dll
Removed! : C:\WINDOWS\System32\atlgy32.dll
Removed! : C:\WINDOWS\System32\atltv32.dll
Removed! : C:\WINDOWS\System32\atlwh32.exe
Removed! : C:\WINDOWS\System32\avrql.dat
Removed! : C:\WINDOWS\System32\awnze.dat
Removed! : C:\WINDOWS\System32\axrwc.dat
Removed! : C:\WINDOWS\System32\aymsb.dll
Removed! : C:\WINDOWS\System32\bdrav.dll
Removed! : C:\WINDOWS\System32\bffwr.dat
Removed! : C:\WINDOWS\System32\bhnxe.dat
Removed! : C:\WINDOWS\System32\bjqnt.dll
Removed! : C:\WINDOWS\System32\bopfk.dat
Removed! : C:\WINDOWS\System32\bsjks.dat
Removed! : C:\WINDOWS\System32\bxrzq.dll
Removed! : C:\WINDOWS\System32\cmtox.dat
Removed! : C:\WINDOWS\System32\crapg.dat
Removed! : C:\WINDOWS\System32\crde.exe
Removed! : C:\WINDOWS\System32\crie32.dll
Removed! : C:\WINDOWS\System32\crppi.dat
Removed! : C:\WINDOWS\System32\crxs32.exe
Removed! : C:\WINDOWS\System32\cuqto.dll
Removed! : C:\WINDOWS\System32\cxtxr.dat
Removed! : C:\WINDOWS\System32\d3an32.dll
Removed! : C:\WINDOWS\System32\d3fz.dll
Removed! : C:\WINDOWS\System32\d3zw.exe
Removed! : C:\WINDOWS\System32\dafoa.dat
Removed! : C:\WINDOWS\System32\daprt.dat
Removed! : C:\WINDOWS\System32\doomx.dat
Removed! : C:\WINDOWS\System32\doxyr.dll
Removed! : C:\WINDOWS\System32\dyhmu.dat
Removed! : C:\WINDOWS\System32\enysu.dat
Removed! : C:\WINDOWS\System32\fdxkn.dll
Removed! : C:\WINDOWS\System32\fgiaf.dat
Removed! : C:\WINDOWS\System32\fkemu.dll
Removed! : C:\WINDOWS\System32\folez.dat
Removed! : C:\WINDOWS\System32\fpzss.dat
Removed! : C:\WINDOWS\System32\fsjid.dll
Removed! : C:\WINDOWS\System32\fztzo.dat
Removed! : C:\WINDOWS\System32\gpifn.dll
Removed! : C:\WINDOWS\System32\grcdk.dat
Removed! : C:\WINDOWS\System32\hcyht.dat
Removed! : C:\WINDOWS\System32\hinea.dat
Removed! : C:\WINDOWS\System32\hkjcw.dll
Removed! : C:\WINDOWS\System32\hniga.dll
Removed! : C:\WINDOWS\System32\hofmr.dll
Removed! : C:\WINDOWS\System32\hshid.dat
Removed! : C:\WINDOWS\System32\iaobj.dat
Removed! : C:\WINDOWS\System32\iebd32.exe
Removed! : C:\WINDOWS\System32\iekq32.exe
Removed! : C:\WINDOWS\System32\ietn.dll
Removed! : C:\WINDOWS\System32\ietn.exe
Removed! : C:\WINDOWS\System32\igpja.dat
Removed! : C:\WINDOWS\System32\ipko.exe
Removed! : C:\WINDOWS\System32\irqzm.dat
Removed! : C:\WINDOWS\System32\itifz.dat
Removed! : C:\WINDOWS\System32\ittvx.dat
Removed! : C:\WINDOWS\System32\iverk.dat
Removed! : C:\WINDOWS\System32\iwvms.dll
Removed! : C:\WINDOWS\System32\iyizp.dat
Removed! : C:\WINDOWS\System32\jagcr.dll
Removed! : C:\WINDOWS\System32\javaan32.exe
Removed! : C:\WINDOWS\System32\javadc.exe
Removed! : C:\WINDOWS\System32\javadu32.dll
Removed! : C:\WINDOWS\System32\javahg.exe
Removed! : C:\WINDOWS\System32\javahx32.exe
Removed! : C:\WINDOWS\System32\javakj.exe
Removed! : C:\WINDOWS\System32\javaob.exe
Removed! : C:\WINDOWS\System32\javapc32.exe
Removed! : C:\WINDOWS\System32\javasi.dll
Removed! : C:\WINDOWS\System32\javasn.exe
Removed! : C:\WINDOWS\System32\javasr32.dll
Removed! : C:\WINDOWS\System32\javata.dll
Removed! : C:\WINDOWS\System32\javawa.dll
Removed! : C:\WINDOWS\System32\jkfgn.dll
Removed! : C:\WINDOWS\System32\jteqy.dat
Removed! : C:\WINDOWS\System32\jwvmp.dll
Removed! : C:\WINDOWS\System32\kdtgy.dll
Removed! : C:\WINDOWS\System32\kjnix.dll
Removed! : C:\WINDOWS\System32\kligl.dat
Removed! : C:\WINDOWS\System32\knxza.dat
Removed! : C:\WINDOWS\System32\ktvnb.dat
Removed! : C:\WINDOWS\System32\ltruc.dat
Removed! : C:\WINDOWS\System32\lwuyp.dat
Removed! : C:\WINDOWS\System32\matds.dat
Removed! : C:\WINDOWS\System32\mfcgu32.dll
Removed! : C:\WINDOWS\System32\mfckb32.exe
Removed! : C:\WINDOWS\System32\mfcop32.exe
Removed! : C:\WINDOWS\System32\mfcov32.exe
Removed! : C:\WINDOWS\System32\mfcpj.dll
Removed! : C:\WINDOWS\System32\mfctd.dll
Removed! : C:\WINDOWS\System32\mfcvx32.exe
Removed! : C:\WINDOWS\System32\msdp.exe
Removed! : C:\WINDOWS\System32\msff32.dll
Removed! : C:\WINDOWS\System32\msjy.dll
Removed! : C:\WINDOWS\System32\nacbm.dll
Removed! : C:\WINDOWS\System32\ndezf.dll
Removed! : C:\WINDOWS\System32\nehxa.dat
Removed! : C:\WINDOWS\System32\netkx32.exe
Removed! : C:\WINDOWS\System32\netlu32.dll
Removed! : C:\WINDOWS\System32\netvi.dll
Removed! : C:\WINDOWS\System32\netvs32.dll
Removed! : C:\WINDOWS\System32\netyl32.dll
Error Removing! : C:\WINDOWS\System32\netzr.dll
Removed! : C:\WINDOWS\System32\nqlqn.dat
Removed! : C:\WINDOWS\System32\nrygw.dat
Removed! : C:\WINDOWS\System32\nsiec.dat
Removed! : C:\WINDOWS\System32\ntlr.exe
Removed! : C:\WINDOWS\System32\ntws.dll
Removed! : C:\WINDOWS\System32\ntyo32.exe
Removed! : C:\WINDOWS\System32\okuak.dat
Removed! : C:\WINDOWS\System32\olwld.dat
Removed! : C:\WINDOWS\System32\ossuv.dat
Removed! : C:\WINDOWS\System32\otlzv.dat
Removed! : C:\WINDOWS\System32\pamrk.dat
Removed! : C:\WINDOWS\System32\pdkqi.dll
Removed! : C:\WINDOWS\System32\pefbf.dat
Removed! : C:\WINDOWS\System32\qlqke.dat
Removed! : C:\WINDOWS\System32\qqcjo.dll
Removed! : C:\WINDOWS\System32\qxjbz.dll
Removed! : C:\WINDOWS\System32\qzewo.dat
Removed! : C:\WINDOWS\System32\rwkhh.dat
Removed! : C:\WINDOWS\System32\sdkad32.dll
Removed! : C:\WINDOWS\System32\sdkax32.exe
Removed! : C:\WINDOWS\System32\sdkbp32.exe
Removed! : C:\WINDOWS\System32\sdkie32.exe
Removed! : C:\WINDOWS\System32\sdklr.dll
Removed! : C:\WINDOWS\System32\sdkpo32.exe
Removed! : C:\WINDOWS\System32\sgreg.dat
Removed! : C:\WINDOWS\System32\smkbr.dll
Removed! : C:\WINDOWS\System32\sysfo32.exe
Removed! : C:\WINDOWS\System32\syske32.exe
Removed! : C:\WINDOWS\System32\syssu.exe
Removed! : C:\WINDOWS\System32\sysuc32.exe
Removed! : C:\WINDOWS\System32\sysuh.exe
Removed! : C:\WINDOWS\System32\tacjq.dll
Removed! : C:\WINDOWS\System32\tbvlf.dll
Removed! : C:\WINDOWS\System32\tgcax.dat
Removed! : C:\WINDOWS\System32\tgxbm.dat
Removed! : C:\WINDOWS\System32\uruoe.dat
Removed! : C:\WINDOWS\System32\veohw.dll
Removed! : C:\WINDOWS\System32\vlmpf.dat
Removed! : C:\WINDOWS\System32\vuwmw.dat
Removed! : C:\WINDOWS\System32\wfjne.dat
Removed! : C:\WINDOWS\System32\winix.exe
Removed! : C:\WINDOWS\System32\winlw.exe
Removed! : C:\WINDOWS\System32\winlx32.dll
Removed! : C:\WINDOWS\System32\wintc.exe
Removed! : C:\WINDOWS\System32\winvb.exe
Removed! : C:\WINDOWS\System32\winwi.exe
Removed! : C:\WINDOWS\System32\wtfxv.dll
Removed! : C:\WINDOWS\System32\wwatw.dll
Removed! : C:\WINDOWS\System32\xkqvt.dat
Removed! : C:\WINDOWS\System32\xvure.dat
Removed! : C:\WINDOWS\System32\yixov.dll
Removed! : C:\WINDOWS\System32\zfkbs.dll
Removed! : C:\WINDOWS\System32\zphnj.dll
Removed! : C:\WINDOWS\System32\zqkib.dat
Removed! : C:\WINDOWS\System32\zslyo.dat
Removed! : C:\WINDOWS\System32\ztgwj.dat
Removed! : C:\WINDOWS\System32\zyuec.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#4 johnboy

  • Full Member
  • 94 posts

Posted 31 July 2004 - 03:19 PM

Here is the next buster log.

-- Scan 1 --------
About:Buster Version 2.0
Error Removing! : C:\WINDOWS\javaiw32.exe
Removed! : C:\WINDOWS\System32\bopfk.dat
Removed! : C:\WINDOWS\System32\enysu.dat
Removed! : C:\WINDOWS\System32\fpzss.dat
Removed! : C:\WINDOWS\System32\netzr.dll
Removed! : C:\WINDOWS\System32\tbvlf.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.0
Error Removing! : C:\WINDOWS\javaiw32.exe
Removed! : C:\WINDOWS\System32\bopfk.dat
Removed! : C:\WINDOWS\System32\enysu.dat
Removed! : C:\WINDOWS\System32\fpzss.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#5 johnboy

  • Full Member
  • 94 posts

Posted 31 July 2004 - 03:20 PM

and here is the n

Logfile of HijackThis v1.98.0
Scan saved at 3:19:37 PM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\javaiw32.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchosting.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\appnz32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\IEXPLORE.EXE
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\timmy helm\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tbvlf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tbvlf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tbvlf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tbvlf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tbvlf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tbvlf.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9ABD7A72-E3AF-99CC-2DB5-195B9DBD1932} - C:\WINDOWS\system32\apphr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Syscheck] C:\WINDOWS\Fonts\win.hta
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [appnz32.exe] C:\WINDOWS\system32\appnz32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\bnvbhung.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunOnce: [addeg32.exe] C:\WINDOWS\system32\addeg32.exe
O4 - HKLM\..\RunOnce: [winrc32.exe] C:\WINDOWS\winrc32.exe
O4 - HKLM\..\RunOnce: [winax.exe] C:\WINDOWS\winax.exe
O4 - HKLM\..\RunOnce: [ipep.exe] C:\WINDOWS\ipep.exe
O4 - HKLM\..\RunOnce: [addzx32.exe] C:\WINDOWS\system32\addzx32.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunOnce: [apinv32.exe] C:\WINDOWS\apinv32.exe
O4 - HKLM\..\RunOnce: [addhs32.exe] C:\WINDOWS\system32\addhs32.exe
O4 - HKLM\..\RunOnce: [ipvc32.exe] C:\WINDOWS\system32\ipvc32.exe
O4 - HKLM\..\RunOnce: [javabs.exe] C:\WINDOWS\javabs.exe
O4 - HKLM\..\RunOnce: [apibb32.exe] C:\WINDOWS\apibb32.exe
O4 - HKLM\..\RunOnce: [crld.exe] C:\WINDOWS\system32\crld.exe
O4 - HKLM\..\RunOnce: [atllq32.exe] C:\WINDOWS\system32\atllq32.exe
O4 - HKLM\..\RunOnce: [ntpv32.exe] C:\WINDOWS\system32\ntpv32.exe
O4 - HKLM\..\RunOnce: [d3wz.exe] C:\WINDOWS\d3wz.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00014\gd-dial.exe -remove
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C2FDAC1-48A7-4DCB-B716-6CC47AFEC434}: NameServer = 66.38.0.240 66.38.0.241
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lbnohl32.dll

ext hjt log

#6 RubbeR DuckY

    Marcin

  • Developer
  • 878 posts

Posted 31 July 2004 - 03:29 PM

First, end these processes:

appnz32.exe
javaiw32.exe

Then, can you please see if you can find any of these files and send them here? Follow the directions below.

C:\WINDOWS\system32\apphr.dll
C:\WINDOWS\system32\addeg32.exe
C:\WINDOWS\winrc32.exe
C:\WINDOWS\winax.exe
C:\WINDOWS\ipep.exe
C:\WINDOWS\system32\addzx32.exe
C:\WINDOWS\apinv32.exe
C:\WINDOWS\system32\addhs32.exe
C:\WINDOWS\system32\ipvc32.exe
C:\WINDOWS\javabs.exe
C:\WINDOWS\apibb32.exe
C:\WINDOWS\system32\crld.exe
C:\WINDOWS\system32\atllq32.exe
C:\WINDOWS\system32\ntpv32.exe
C:\WINDOWS\d3wz.exe

Create a compressed folder called submit.zip on your desktop. If you find any of the files above, drag them into the compressed folder and then delete them from their original location. After going through all the files, send the compressed folder to the address above. Do not delete the compressed folder just yet.

Note: the files may be hidden, so do this first:
Show hidden files and folders.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#7 johnboy

    Member

  • Full Member
  • 94 posts

Posted 31 July 2004 - 05:31 PM

here is the new hjt log

Logfile of HijackThis v1.98.0
Scan saved at 5:27:20 PM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchosting.exe
C:\WINDOWS\netei32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\appnz32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\IEXPLORE.EXE
C:\WINDOWS\System32\ms32cfg.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\timmy helm\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\swfyq.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://swfyq.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://swfyq.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\swfyq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\swfyq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://swfyq.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CDD86D3D-AA27-ABC8-6C93-9E5DB990A866} - C:\WINDOWS\javagf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Syscheck] C:\WINDOWS\Fonts\win.hta
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [appnz32.exe] C:\WINDOWS\system32\appnz32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\bnvbhung.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunOnce: [netsj32.exe] C:\WINDOWS\netsj32.exe
O4 - HKLM\..\RunOnce: [javate.exe] C:\WINDOWS\javate.exe
O4 - HKLM\..\RunOnce: [ntvz.exe] C:\WINDOWS\ntvz.exe
O4 - HKLM\..\RunOnce: [crcc.exe] C:\WINDOWS\system32\crcc.exe
O4 - HKLM\..\RunOnce: [netei32.exe] C:\WINDOWS\netei32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00014\gd-dial.exe -remove
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C2FDAC1-48A7-4DCB-B716-6CC47AFEC434}: NameServer = 66.38.0.240 66.38.0.241
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lbnohl32.dll

#8 pomp

    Forum Deity

  • Helper
  • 1,163 posts

Posted 01 August 2004 - 12:40 PM

hello

The O21 you have indicates a trojan, so run an online AV scan; it'll probably find much more.

Trendmicro

Click "free online scan" and continue from there to get it started. Don't exit the site while it is scanning or else it'll close.

Check "auto clean" before you start the scan. Try to delete as much as you can; it should delete all of it. When it's done, right-click My Computer > Properties > Restore tab, check the box to disable it, then Apply > OK. Restart the computer. Then go back to the same place and uncheck the box to enable it again, Apply > OK. Then post a new log.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#9 johnboy

    Member

  • Full Member
  • 94 posts

Posted 01 August 2004 - 01:54 PM

here it is

Logfile of HijackThis v1.98.0
Scan saved at 1:52:05 PM, on 8/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sysbz32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchosting.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\appnz32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\IEXPLORE.EXE
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\Documents and Settings\timmy helm\My Documents\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zitqe.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zitqe.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zitqe.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zitqe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zitqe.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zitqe.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {40967C3E-0316-B8F3-7AC2-AC680D6E22D9} - C:\WINDOWS\crzw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Syscheck] C:\WINDOWS\Fonts\win.hta
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [appnz32.exe] C:\WINDOWS\system32\appnz32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\bnvbhung.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunOnce: [sysbz32.exe] C:\WINDOWS\sysbz32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00014\gd-dial.exe -remove
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lbnohl32.dll

#10 pomp

    Forum Deity

  • Helper
  • 1,163 posts

Posted 01 August 2004 - 02:52 PM

Hey, ok, let's try this.

Boot up into safe mode. Have hijackthis fix the following with no browser windows open of course:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zitqe.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zitqe.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zitqe.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zitqe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zitqe.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zitqe.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {40967C3E-0316-B8F3-7AC2-AC680D6E22D9} - C:\WINDOWS\crzw.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lbnohl32.dll

Reboot your computer back into safe mode.

Find and delete:

C:\WINDOWS\crzw.dll

Empty recycling bin.

Boot into normal mode now.

Go here http://download.nai....ert/stinger.exe and download the removal tool to your desktop.

Also go here and download another removal tool to your desktop http://www.sophos.co...rs/sdbotgui.com

Boot into safe mode.

Open up stinger.exe and start the scan; if it finds anything, delete it. When it's done, restart the computer back into safe mode.

Open sdbotgui.com and start the scan with that; if it finds anything, remove everything it finds.

Restart the computer back into safe mode. Right-click My Computer > Properties > Restore tab, check the box to disable restore, then Apply > OK.

Finally, boot back into normal mode and post a new HijackThis log.

Edited by pomp86, 01 August 2004 - 02:53 PM.


#11 johnboy

    Member

  • Full Member
  • 94 posts

Posted 03 August 2004 - 09:54 AM

here is the new 1 after all of the scanning

Logfile of HijackThis v1.98.0
Scan saved at 9:50:48 AM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sysbz32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\appnz32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\Documents and Settings\timmy helm\My Documents\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ddzxa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ddzxa.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ddzxa.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ddzxa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ddzxa.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ddzxa.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7410FF16-07DC-0AB0-315E-D232123E588C} - C:\WINDOWS\system32\javaxm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Syscheck] C:\WINDOWS\Fonts\win.hta
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [appnz32.exe] C:\WINDOWS\system32\appnz32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunOnce: [sysbz32.exe] C:\WINDOWS\sysbz32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00014\gd-dial.exe -remove
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab

#12 pomp

    Forum Deity

  • Helper
  • 1,163 posts

Posted 03 August 2004 - 10:10 AM

hey

Reboot the computer into safe mode. Open up about:buster and update the program first. Make sure the ref file is 6. Then scan with the program: scan twice and save the log file for each scan. Restart the computer back into safe mode.

Have hijackthis fix the following with no browser windows open:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O4 - HKLM\..\Run: [Syscheck] C:\WINDOWS\Fonts\win.hta
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00014\gd-dial.exe -remove
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe

Reboot the computer back into safe mode.

Find and delete the following, if there:

C:\WINDOWS\Fonts\win.hta
C:\WINDOWS\System32\ms32cfg.exe
c:\program files\GlobalDialer
C:\WINDOWS\System32\svchosting.exe

Empty recycling bin. Boot back into normal mode, post both about:buster logs and a new hijackthis log.

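The triage pomp walks through in this post and the one before it (the res:// start-page hijack, the unnamed BHO, the bare-filename O4 autostarts, the O21 entry) written out as a small HijackThis log checker. This is an added example, not HijackThis code and not the helpers' own tooling; the sample lines are taken from the logs in this thread, and the KNOWN_GOOD set is an assumption for illustration.

```python
"""Triage heuristics for HijackThis v1.98 log lines (added example for this thread;
not HijackThis code and not the helpers' tooling). Encodes the reasoning applied to
the logs above: R0/R1 res:// entries, a missing URLSearchHook, "(no name)" BHOs,
O4 autostarts by bare filename or .hta, and O21 SSODL entries."""
import re
from dataclasses import dataclass

# Assumed known-good components that legitimately appear in these sections (illustrative).
KNOWN_GOOD = {"shdocvw.dll", "msdxm.ocx", "webcheck.dll", "stobject.dll"}
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
O4_RE = re.compile(r"^HK(LM|CU)\\\.\.\\Run\w*: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")

@dataclass(frozen=True)
class Finding:
    kind: str      # HijackThis section code, e.g. "O4"
    reason: str    # why the entry should be fixed
    artifact: str  # file the entry names ("" if none); bare names still need resolving on disk
    line: str      # the original log line

def basename(path: str) -> str:
    """Last path component, lower-cased; accepts both backslash and slash separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()

def triage_line(line: str):
    """Return a Finding for a suspicious log line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        r = RES_DLL_RE.search(body)
        if r and basename(r.group("dll")) not in KNOWN_GOOD:
            return Finding(kind, "IE start/search page served from a local DLL via res://", r.group("dll"), line)
    elif kind == "R3" and "URLSearchHook is missing" in body:
        return Finding(kind, "default URLSearchHook removed", "", line)
    elif kind == "O2":
        parts = body.split(" - ")  # "BHO: (no name)", "{CLSID}", path
        if len(parts) >= 3 and "(no name)" in parts[0]:
            return Finding(kind, "unnamed Browser Helper Object", parts[-1], line)
    elif kind == "O4":
        o = O4_RE.match(body)
        if o:
            cmd = o.group("cmd").strip()
            target = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            if "\\" not in target:
                return Finding(kind, "autostart by bare filename, resolved via PATH at logon", target, line)
            if target.lower().endswith(".hta"):
                return Finding(kind, "HTML Application launched from Run", target, line)
    elif kind == "O21":
        path = body.split(" - ")[-1]
        if basename(path) not in KNOWN_GOOD:
            return Finding(kind, "SSODL DLL loaded into Explorer at logon", path, line)
    return None

def triage(log_text: str):
    """All findings for one log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]

def artifacts(findings):
    """Files named by the findings, de-duplicated by basename; a full path beats a bare name."""
    by_name = {}
    for f in findings:
        key = basename(f.artifact) if f.artifact else None
        if key and (key not in by_name or ("\\" in f.artifact and "\\" not in by_name[key])):
            by_name[key] = f.artifact
    return list(by_name.values())

def hijack_dlls(logs):
    """res:// DLL names per successive log; a new name in every log means the DLL is
    being regenerated, so deleting it by name alone will not hold."""
    return [sorted({basename(f.artifact) for f in triage(t) if f.kind in ("R0", "R1")}) for t in logs]

# Constructed sample: a subset of the 1 Aug 2004 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zitqe.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zitqe.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {40967C3E-0316-B8F3-7AC2-AC680D6E22D9} - C:\WINDOWS\crzw.dll
O4 - HKLM\..\Run: [Syscheck] C:\WINDOWS\Fonts\win.hta
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Lbnohl32.dll
"""
# Constructed: the R0 line from the 29 Jul and 31 Jul logs in the thread.
EARLIER_LOGS = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jwvmp.dll/index.html#37049",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://swfyq.dll/index.html#37049",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
    print("files to locate:", artifacts(triage(SAMPLE_LOG)))
    print("res:// DLL per log:", hijack_dlls(EARLIER_LOGS + [SAMPLE_LOG]))
```

Run over the successive logs it also shows why the thread keeps going in circles: the res:// DLL carries a different name in every log (jwvmp, tbvlf, swfyq, zitqe, ddzxa), so something still on the machine regenerates it and removing the DLL by name is not sufficient on its own.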

#13 johnboy

    Member

  • Full Member
  • 94 posts

Posted 04 August 2004 - 06:00 PM

well here is the hjt log

Logfile of HijackThis v1.98.0
Scan saved at 5:46:30 PM, on 8/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sysbz32.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\appnz32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\timmy helm\My Documents\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ddzxa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ddzxa.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7410FF16-07DC-0AB0-315E-D232123E588C} - C:\WINDOWS\system32\javaxm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [appnz32.exe] C:\WINDOWS\system32\appnz32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [sysbz32.exe] C:\WINDOWS\sysbz32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00014\gd-dial.exe -remove
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab