cannot remove res://syhmw.dll


4 replies to this topic

#1 nyback


Posted 29 July 2004 - 02:47 PM

I have tried to remove this one but to no avail. Is there anyone who can help out?
This is the first time I give a real try on something like this. I have tried to use all the remover tools including AboutBuster. I tried Regmon to trace who is writing, but it seems it won't write in the registry while I have Regmon running :-(
With Filemon I could see a lot of activity from winlogon.exe. I tried Security Task Manager from a hint in another post and it showed a lot of red on winlogon.exe. I tried to shut down winlogon.exe but then Windows rebooted immediately.

HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 21:57:18, on 2004-07-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\3Com\Launcher.exe
C:\Program Files\AirXpert Tri-Mode Dualband G\AirPro.exe
C:\Program Files\3Com\Bluetooth\BTCM.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program Files\Tele2\Tele2Internet mobil\autoupdate_srv.exe
C:\Program Files\Common Files\3Com\AllWirelessLansService.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\labl\Desktop\HijackThis.exe
C:\WINDOWS\System32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\syhmw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://syhmw.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://syhmw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\syhmw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://syhmw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\syhmw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {94B07238-5DA7-46C7-3E9F-22E42CC1710A} - C:\WINDOWS\netqe.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Office Lang] lesse.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] monsvc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunServices: [Microsoft Office Lang] lesse.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] monsvc.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] monsvc.exe
O4 - HKCU\..\Run: [Microsoft Office Lang] lesse.exe
O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O4 - Global Startup: AirXpert Configuration Utility.lnk = ?
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Program Files\3Com\Bluetooth\BTCM.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Tele2Internet mobil Update Agent.lnk = C:\Program Files\Tele2\Tele2Internet mobil\autoupdate_srv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Skapa mobilfavorit (HKLM)
O9 - Extra 'Tools' menuitem: Skapa mobilfavorit... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8196.5154166667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scanexett.se
O17 - HKLM\Software\..\Telephony: DomainName = scanexett.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scanexett.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scanexett.se

FindnFix log:


»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q823353-Q832894-Q831167
The type of the file system is NTFS.
C: is not dirty.


»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
»»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/29)»»»»»»»»»»»»»»»»

»»»*»»»*Use at your own risk!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........

»»»»» (*3*) »»»»»........

unknown/hidden files...

»»»»» (*4*) »»»»».........
Sniffing..........

»»»»»(*5*)»»»»»

»»»»»(*6*)»»»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...



»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group SCANEXETT\Domain Users.
User is a member of group \Everyone.
User is a member of group LABL\Debugger Users.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group SCANEXETT\Ekonomi.
User is a member of group SCANEXETT\Aerosol Scandinavia.
User is a member of group SCANEXETT\ekonomilocale.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


»»»»»»Backups created...»»»»»»
9:43pm up 0 days, 1:12

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-29-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-29-2004 winkey.reg
*Temp backups...

»»Performing string scan....

---------- WIN.TXT
--------------
--------------
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value entry was NOT found!


Edited by nyback, 29 July 2004 - 03:31 PM.


#2 mmxx66


Posted 29 July 2004 - 03:39 PM

Hello nyback, FindnFix is for another kind of infection.

Please download About:Buster and unzip it to your desktop. Don't run it yet.
Save HijackThis in its own folder, like C:\HJT.
How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use Ad-Aware. Don't use it yet.
1. You already have Ad-Aware installed. Make sure it's up to date. Just open Ad-Aware and click on *Check for Updates Now* and then *Connect*. It will find a new reference file. Click *OK* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You should now see Reference File #: 01R334 24.07.2004 or higher listed.

2. Print out these instructions so you have them handy, as most of the steps need to be done in safe mode and you may not be able to go online.

3. Next, go to Start->Run and type "Services.msc" (without quotes), then hit OK.
Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows. This service is installed by the malware. If this service is not listed, go ahead with the next step.

4. Reboot to Safe Mode
How to start the computer in
Safe mode


5. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

6. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\syhmw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://syhmw.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://syhmw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\syhmw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://syhmw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\syhmw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm
O2 - BHO: (no name) - {94B07238-5DA7-46C7-3E9F-22E42CC1710A} - C:\WINDOWS\netqe.dll
O4 - HKLM\..\Run: [Microsoft Office Lang] lesse.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] monsvc.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\RunServices: [Microsoft Office Lang] lesse.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] monsvc.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] monsvc.exe
O4 - HKCU\..\Run: [Microsoft Office Lang] lesse.exe
O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe


Go to Add/Remove Programs in the Control Panel and uninstall:
WindowsSA if present.


7. Delete the following files if present.
C:\WINDOWS\netqe.dll
C:\WINDOWS\system32\syhmw.dll

Find (f3) and delete these files:
lesse.exe
monsvc.exe
Svchosts.exe


Delete this folder:
C:\Program Files\WindowsSA


8. Double-click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


11. Reboot to normal mode, scan again with Hijack This and post a new log here.

12. Finally, do an online scan HERE. Let it remove any infected files found.

Replace Deleted Files
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

Post a fresh HijackThis log and the AboutBuster report back here please.
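
The triage above is done by eye: the helper picks out the R0/R1 pages served from a res:// DLL, the Run-key entries that name a bare executable, the RunServices persistence and the unnamed BHO in C:\WINDOWS. The script below is an added example (not code from this thread, from HijackThis or from About:Buster) that applies the same rules to a HijackThis log and also extracts the res:// DLL names, so two logs can be compared to see the variant returning under a fresh random name. The sample log is a constructed subset of the first log posted above; the rules themselves are assumptions modelled on the helper's choices, so the "hijack" and "review" labels are heuristics, not verdicts.

```python
"""Triage a HijackThis log for the CoolWebSearch-style indicators the helper
flagged by hand in this thread: IE pages served from a res:// DLL, autostart
entries naming a bare executable, RunServices persistence, and unnamed BHOs
outside Program Files.  Added example for this page; not part of HijackThis,
About:Buster or anyone's post.  The rules are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the first HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\syhmw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://syhmw.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {94B07238-5DA7-46C7-3E9F-22E42CC1710A} - C:\WINDOWS\netqe.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Office Lang] lesse.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft Update Machine] monsvc.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RES_DLL = re.compile(r"res://(?:.*[\\/])?(\w+\.dll)/", re.IGNORECASE)
RUN_KEY = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
EXE_TOKEN = re.compile(r"(.*?\.(?:exe|dll|com|bat|cmd|scr))(?=\s|,|$)", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^(?:%systemroot%|%windir%|[a-z]:\\windows)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "hijack": matches what the helper removed; "review": weaker heuristic
    reason: str
    line: str


def _executable(cmd: str) -> str:
    """Program a Run-key command line launches: unwrap quotes, keep an unquoted
    path with spaces up to its extension, and look through rundll32 to the DLL."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        m = EXE_TOKEN.match(cmd)
        exe = m[1] if m else cmd.partition(" ")[0]
        rest = cmd[len(exe):]
    if exe.lower() == "rundll32.exe":
        return rest.strip().split(",")[0]
    return exe


def _is_unqualified(exe: str) -> bool:
    # No drive, separator or environment variable: Windows resolves the name
    # through its search path, which is how lesse.exe/monsvc.exe stay vague.
    return not re.search(r"[\\/:%]", exe)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if sec in ("R0", "R1"):
            value = body.partition(" = ")[2]
            dll = RES_DLL.search(value)
            if dll:
                findings.append(Finding(sec, "hijack", f"IE page served from res:// DLL {dll[1]}", raw))
            elif value.lower().startswith("http"):
                findings.append(Finding(sec, "review", f"IE page points at external site {value}", raw))
        elif sec == "O4" and (rm := RUN_KEY.match(body)):
            exe = _executable(rm["cmd"])
            where = f"{rm['hive']}\\..\\{rm['key']} [{rm['name']}]"
            if _is_unqualified(exe):
                findings.append(Finding(sec, "hijack", f"{where} launches bare executable {exe}", raw))
            elif rm["name"].lower().startswith(("microsoft", "windows")) and not WINDOWS_DIR.match(exe):
                findings.append(Finding(sec, "review", f"{where} borrows a Microsoft/Windows name but runs {exe}", raw))
            elif rm["key"].lower() == "runservices":
                findings.append(Finding(sec, "review", f"{where}: RunServices is a Windows 9x-era key, odd on XP", raw))
        elif sec == "O2" and (bm := BHO.match(body)):
            if bm["name"] == "(no name)" and "\\program files\\" not in bm["path"].lower():
                findings.append(Finding(sec, "review", f"unnamed BHO outside Program Files: {bm['path']}", raw))
    return findings


def hijack_dlls(log_text: str) -> set[str]:
    """DLLs serving res:// pages.  Diffing two logs shows the variant coming
    back under a fresh random name (syhmw.dll in one log, jjhqu.dll in the next)."""
    return {m[1].lower() for m in RES_DLL.finditer(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print("res:// DLLs:", sorted(hijack_dlls(SAMPLE_LOG)))
```

Against the constructed sample this reproduces the helper's list: the two res:// pages, the three bare executables (lesse.exe, monsvc.exe, Svchosts.exe) and, as "review", quick-searcher.com, netqe.dll and the "Windows SA" entry; the Acrobat BHO, the quoted Symantec path, the rundll32 NvCpl entry and the %SystemRoot% entry pass. The unqualified-executable rule is the useful one in this thread: everything the helper removed from the Run keys was a bare name, and every legitimate entry carried a full path.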

#3 nyback


Posted 29 July 2004 - 06:31 PM

Thanks for the quick reply. I am sitting here in the middle of the night trying to solve this.
OK, I followed the instructions. But after rebooting and running HijackThis again I got it all back again, but with other DLL names. And I can't run Trend's virus scan to the end. I get bluescreens and a reboot before it's finished. But it does not report anything as far as it gets, and I had been running it before I posted this request, when it removed some alchemy a virus and things.

Some logs:


About:Buster in safe mode:

-- Scan 1 --------
About:Buster Version 1.5
Main Service Key Not Found!
Removed! : C:\WINDOWS\guexu.dat
Removed! : C:\WINDOWS\System32\frmbz.dat
Removed! : C:\WINDOWS\System32\hpfps.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.5
Main Service Key Not Found!
Attempted Clean Of Temp folder.
Pages Reset... Done!

About:Buster after coming back to normal mode:

-- Scan 1 --------
About:Buster Version 1.5
Main Service Key Not Found!
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.5
Main Service Key Not Found!
Attempted Clean Of Temp folder.
Pages Reset... Done!


HijackThis after returning to normal mode:

Logfile of HijackThis v1.97.7
Scan saved at 00:11:36, on 2004-07-30
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\3Com\Launcher.exe
C:\Program Files\AirXpert Tri-Mode Dualband G\AirPro.exe
C:\Program Files\3Com\Bluetooth\BTCM.exe
C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program Files\Tele2\Tele2Internet mobil\autoupdate_srv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\Program Files\Common Files\3Com\AllWirelessLansService.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
C:\fix_spyware\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jjhqu.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jjhqu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jjhqu.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jjhqu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] monsvc.exe
O4 - HKCU\..\Run: [Microsoft Office Lang] lesse.exe
O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O4 - Global Startup: AirXpert Configuration Utility.lnk = ?
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Program Files\3Com\Bluetooth\BTCM.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Tele2Internet mobil Update Agent.lnk = C:\Program Files\Tele2\Tele2Internet mobil\autoupdate_srv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Skapa mobilfavorit (HKLM)
O9 - Extra 'Tools' menuitem: Skapa mobilfavorit... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8196.5154166667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scanexett.se
O17 - HKLM\Software\..\Telephony: DomainName = scanexett.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scanexett.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scanexett.se

Some comments: I could not find any of the files you mentioned, even though I remember deleting netqe.dll before. One strange thing: if I run cacls.exe syhmw.dll in a command prompt it responds with an ACL list, but I cannot see the file in any way (I have turned on all options in Explorer, and I also tried to see it in the command prompt).


Any further help is greatly appreciated. Even if it means going through the whole procedure again...

/Andreas Nyback
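
What Andreas describes with cacls.exe is a cross-view discrepancy: a direct lookup of the path (cacls opening the file) succeeds while directory enumeration (Explorer, dir) never returns the name. The two go through different code paths, so a component filtering enumeration shows up as the two views disagreeing. The script below is an added example, not code from this thread or from any tool named in it; it compares a directory listing against a direct stat of each candidate name, and the demo constructs the scenario offline with an empty stand-in file named after the DLL from the log and a deliberately filtering lister standing in for whatever hid syhmw.dll.

```python
"""Cross-view check for a file that answers to a direct path lookup but is
missing from a directory listing, the symptom in the post above (cacls
returns an ACL for syhmw.dll while Explorer and dir show nothing).  Added
example; not part of any tool named in this thread.  Enumeration and direct
open are separate code paths, so something filtering one of them shows up
as disagreement between the two views."""
import os
import tempfile
from typing import Callable, Dict, Iterable, List, Tuple

Views = Dict[str, Tuple[bool, bool]]  # name -> (seen in listing, reachable by stat)


def cross_view(directory: str, candidates: Iterable[str],
               lister: Callable[[str], List[str]] = os.listdir) -> Views:
    """Compare the listing view with a direct stat of each candidate name.
    os.listdir returns hidden and system files too, so a name that stats but
    is absent from the listing is not explained by file attributes.
    `lister` is injectable so the hiding behaviour can be simulated offline."""
    listed = {name.lower() for name in lister(directory)}
    views: Views = {}
    for name in candidates:
        try:
            os.stat(os.path.join(directory, name))
            reachable = True
        except FileNotFoundError:
            reachable = False
        views[name] = (name.lower() in listed, reachable)
    return views


def hidden_from_listing(views: Views) -> List[str]:
    """Names reachable by direct lookup yet filtered out of enumeration."""
    return sorted(n for n, (seen, reachable) in views.items() if reachable and not seen)


def demo() -> List[str]:
    """Constructed scenario: an empty stand-in file carrying the DLL name from
    the thread, an absent name, and a lister that drops the stand-in the way
    the poster's directory views dropped syhmw.dll."""
    target = "syhmw.dll"
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, target), "wb").close()

        def filtering_listdir(path: str) -> List[str]:
            return [n for n in os.listdir(path) if n.lower() != target]

        honest = cross_view(d, [target, "absent.dll"])
        filtered = cross_view(d, [target, "absent.dll"], lister=filtering_listdir)
        assert honest[target] == (True, True) and honest["absent.dll"] == (False, False)
        return hidden_from_listing(filtered)


if __name__ == "__main__":
    print("hidden from listing:", demo())  # ['syhmw.dll']
```

On a real machine the candidate list comes from the HijackThis log (the res:// DLL names, probed in C:\WINDOWS\system32, and the bare Run-key executables), with the default os.listdir as the lister. Disagreement is strong evidence that something is filtering enumeration; agreement is weak, because a component that also intercepts the direct lookup defeats the check from inside the running session, which is where Andreas's Filemon observation of winlogon.exe activity points. Confirm from a boot in which the hijacker's components are not running.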

#4 mmxx66


Posted 29 July 2004 - 07:11 PM

OK. Do not reboot.

Download CWShredder, install it, run it and click Fix.

CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jjhqu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jjhqu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jjhqu.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jjhqu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm
O4 - HKCU\..\Run: [Microsoft Update Machine] monsvc.exe
O4 - HKCU\..\Run: [Microsoft Office Lang] lesse.exe
O4 - HKCU\..\Run: [Windows Registers] Svchosts.exe


Delete this file:
C:\WINDOWS\system32\jjhqu.dll

Find these files they should be located in
C:\WINDOWS\system32\
monsvc.exe
lesse.exe
Svchosts.exe


You may need to show hidden files to delete them. How to show all hidden and system files

Double-click AboutBuster.exe, run the program twice, and save both logs.
Scan with Ad-Aware and let it remove any bad files found.

Post a new HijackThis log and both About:Buster logs.

#5 mmxx66


Posted 29 July 2004 - 07:11 PM

Your version of HijackThis is outdated. Please download version 1.98.0 from either of the following links:
LINK 1
or
LINK 2



