Browser hijack and popups
5 replies to this topic

#1 Pickett
Member (Full Member, 5 posts)

Posted 30 July 2004 - 05:14 AM

Hi,
I think my browser has been hacked as the homepage has changed to something and I keep getting popups etc.

Here is a full scan from Ad-Aware using the best custom settings, and a HijackThis log.

Thanks for your help


AdAware log:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on  :30 July 2004 09:47:07
Created with Ad-aware Personal, free for private use.
Using reference-file :01R324 22.06.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R324 22.06.2004
Internal build : 256
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\reflist.ref
Total size : 1265402 Bytes
Signature data size : 1244925 Bytes
Reference data size : 20413 Bytes
Signatures total : 27677
Target categories : 10
Target families : 506

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:54 %
Total physical memory:523760 kb
Available physical memory:279460 kb
Total page file size:1280844 kb
Available on page file:1044964 kb
Total virtual memory:2097024 kb
Available virtual memory:2051276 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


30-07-2004 09:47:07 - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
    FilePath          : \SystemRoot\System32\
    ThreadCreationTime : 30-07-2004 08:01:55
    BasePriority      : Normal


#:2 [winlogon.exe]
    FilePath          : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 30-07-2004 08:01:58
    BasePriority      : High


#:3 [services.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 30-07-2004 08:01:59
    BasePriority      : Normal
    FileSize          : 99 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName      : services.exe
    OriginalFilename  : services.exe
    ProductName        : Microsoft
    Created on        : 29/08/2002 12:00:00
    Last accessed      : 30/07/2004 08:01:59
    Last modified      : 29/08/2002 12:00:00

#:4 [lsass.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 30-07-2004 08:01:59
    BasePriority      : Normal
    FileSize          : 11 KB
    FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion    : 5.1.2600.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName      : lsass.exe
    OriginalFilename  : lsass.exe
    ProductName        : Microsoft
    Created on        : 29/08/2002 12:00:00
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 29/08/2002 12:00:00

#:5 [svchost.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 30-07-2004 08:01:59
    BasePriority      : Normal
    FileSize          : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    OriginalFilename  : svchost.exe
    ProductName        : Microsoft
    Created on        : 29/08/2002 12:00:00
    Last accessed      : 30/07/2004 08:02:31
    Last modified      : 29/08/2002 12:00:00

#:6 [svchost.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 30-07-2004 08:01:59
    BasePriority      : Normal
    FileSize          : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    OriginalFilename  : svchost.exe
    ProductName        : Microsoft
    Created on        : 29/08/2002 12:00:00
    Last accessed      : 30/07/2004 08:02:31
    Last modified      : 29/08/2002 12:00:00

#:7 [spoolsv.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 30-07-2004 08:02:01
    BasePriority      : Normal
    FileSize          : 50 KB
    FileVersion        : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName      : spoolsv.exe
    OriginalFilename  : spoolsv.exe
    ProductName        : Microsoft
    Created on        : 29/08/2002 12:00:00
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 29/08/2002 12:00:00

#:8 [kodakccs.exe]
    FilePath          : C:\WINDOWS\system32\drivers\
    ThreadCreationTime : 30-07-2004 08:02:02
    BasePriority      : Normal
    FileSize          : 276 KB
    FileVersion        : 1.1.4700.0
    ProductVersion    : 4.3.0.0
    Copyright          : Copyright © Eastman Kodak Co. 2000-2003
    CompanyName        : Eastman Kodak Company
    FileDescription    : Kodak DC Ring 3 Conduit (Win32)
    InternalName      : DcFsSvc.exe
    OriginalFilename  : DcFsSvc.exe
    ProductName        : Kodak DC File System Driver (Win32)
    Created on        : 31/03/2003 14:34:14
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 31/03/2003 14:34:14

#:9 [mdm.exe]
    FilePath          : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
    ThreadCreationTime : 30-07-2004 08:02:02
    BasePriority      : Normal
    FileSize          : 328 KB
    FileVersion        : 7.10.3077
    ProductVersion    : 7.10.3077
    Copyright          : Copyright
    CompanyName        : Microsoft Corporation
    FileDescription    : Machine Debug Manager
    InternalName      : mdm.exe
    OriginalFilename  : mdm.exe
    ProductName        : Microsoft
    Created on        : 19/03/2003 00:55:56
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 19/03/2003 00:55:56

#:10 [nvsvc32.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 30-07-2004 08:02:02
    BasePriority      : Normal
    FileSize          : 80 KB
    FileVersion        : 6.14.10.5216
    ProductVersion    : 6.14.10.5216
    Copyright          : © NVIDIA Corporation. All rights reserved.
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 52.16
    InternalName      : NVSVC
    OriginalFilename  : nvsvc32.exe
    ProductName        : NVIDIA Driver Helper Service, Version 52.16
    Created on        : 06/10/2003 14:16:00
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 06/10/2003 14:16:00

#:11 [scagent.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 30-07-2004 08:02:02
    BasePriority      : Normal
    FileSize          : 25 KB
    Created on        : 19/06/2004 07:17:51
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 16/07/2004 15:42:03

#:12 [scsiaccess.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 30-07-2004 08:02:02
    BasePriority      : Normal
    FileSize          : 177 KB
    Created on        : 04/02/2003 07:22:30
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 04/02/2003 07:22:30

#:13 [svchost.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 30-07-2004 08:02:02
    BasePriority      : Normal
    FileSize          : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    OriginalFilename  : svchost.exe
    ProductName        : Microsoft
    Created on        : 29/08/2002 12:00:00
    Last accessed      : 30/07/2004 08:02:31
    Last modified      : 29/08/2002 12:00:00

#:14 [vsmon.exe]
    FilePath          : C:\WINDOWS\system32\ZoneLabs\
    ThreadCreationTime : 30-07-2004 08:02:02
    BasePriority      : Normal
    FileSize          : 901 KB
    FileVersion        : 3.7.202
    ProductVersion    : 3.7.202
    Copyright          : Copyright 
    CompanyName        : Zone Labs Inc.
    FileDescription    : TrueVector Service
    InternalName      : vsmon
    OriginalFilename  : vsmon.exe
    ProductName        : TrueVector Service
    Created on        : 21/08/2003 10:52:37
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 14/07/2003 12:04:38

#:15 [mspmspsv.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 30-07-2004 08:02:03
    BasePriority      : Normal
    FileSize          : 52 KB
    FileVersion        : 7.01.00.3055
    ProductVersion    : 7.01.00.3055
    Copyright          : Copyright © Microsoft Corp. 1981-2000
    CompanyName        : Microsoft Corporation
    FileDescription    : WMDM PMSP Service
    InternalName      : MSPMSPSV.EXE
    OriginalFilename  : MSPMSPSV.EXE
    ProductName        : Microsoft ® DRM
    Created on        : 01/05/2001 17:06:22
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 01/05/2001 17:06:22

#:16 [appff.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 30-07-2004 08:02:03
    BasePriority      : Normal
    FileSize          : 9 KB
    Created on        : 22/07/2004 08:43:38
    Last accessed      : 30/07/2004 08:02:03
    Last modified      : 22/07/2004 08:43:38

#:17 [explorer.exe]
    FilePath          : C:\WINDOWS\
    ThreadCreationTime : 30-07-2004 08:02:06
    BasePriority      : Normal
    FileSize          : 980 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion    : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName      : explorer
    OriginalFilename  : EXPLORER.EXE
    ProductName        : Microsoft
    Created on        : 29/08/2002 12:00:00
    Last accessed      : 30/07/2004 08:35:48
    Last modified      : 29/08/2002 12:00:00

#:18 [rundll32.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 30-07-2004 08:02:23
    BasePriority      : Normal
    FileSize          : 31 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Run a DLL as an App
    InternalName      : rundll
    OriginalFilename  : RUNDLL.EXE
    ProductName        : Microsoft
    Created on        : 29/08/2002 12:00:00
    Last accessed      : 30/07/2004 08:04:05
    Last modified      : 29/08/2002 12:00:00

#:19 [instan~1.exe]
    FilePath          : C:\PROGRA~1\TEXTBR~1.0\Bin\
    ThreadCreationTime : 30-07-2004 08:02:23
    BasePriority      : Normal
    FileSize          : 36 KB

#:20 [realsched.exe]
    FilePath          : C:\Program Files\Common Files\Real\Update_OB\
    ThreadCreationTime : 30-07-2004 08:02:24
    BasePriority      : Normal
    FileSize          : 148 KB
    FileVersion        : 0.1.0.1622
    ProductVersion    : 0.1.0.1622
    Copyright          : Copyright 
    CompanyName        : RealNetworks, Inc.
    FileDescription    : RealNetworks Scheduler
    InternalName      : schedapp
    OriginalFilename  : realsched.exe
    ProductName        : RealOne Player (32-bit)
    Created on        : 29/01/2004 19:09:03
    Last accessed      : 30/07/2004 08:02:24
    Last modified      : 29/01/2004 19:09:03

#:21 [msgplus.exe]
    FilePath          : C:\Program Files\Messenger Plus! 3\
    ThreadCreationTime : 30-07-2004 08:02:24
    BasePriority      : Normal
    FileSize          : 160 KB
    FileVersion        : 3, 0, 0, 94
    ProductVersion    : 3, 0, 0, 94
    Copyright          : Copyright © 2001-2004
    CompanyName        : Patchou
    FileDescription    : Messenger Plus!
    InternalName      : MsgPlus
    OriginalFilename  : MsgPlus.exe
    ProductName        : Messenger Plus! 3
    Created on        : 16/05/2004 09:00:40
    Last accessed      : 30/07/2004 08:02:25
    Last modified      : 23/06/2004 17:30:54

#:22 [point32.exe]
    FilePath          : C:\Program Files\Microsoft IntelliPoint\
    ThreadCreationTime : 30-07-2004 08:02:24
    BasePriority      : Normal
    FileSize          : 160 KB
    FileVersion        : 5.00.174.0
    ProductVersion    : 5.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Point32.exe
    InternalName      : Point32.exe
    OriginalFilename  : Point32.exe
    ProductName        : Microsoft IntelliPoint
    Created on        : 15/05/2003 23:41:15
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 15/05/2003 23:41:15

#:23 [ntbn.exe]
    FilePath          : C:\WINDOWS\
    ThreadCreationTime : 30-07-2004 08:02:25
    BasePriority      : Normal
    FileSize          : 26 KB
    Created on        : 29/07/2004 22:25:38
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 29/07/2004 22:25:38

#:24 [quickdcf.exe]
    FilePath          : C:\Program Files\FinePixViewer\
    ThreadCreationTime : 30-07-2004 08:02:25
    BasePriority      : Normal
    FileSize          : 196 KB
    FileVersion        : 3, 0, 0, 0
    ProductVersion    : 3, 0, 0, 0
    Copyright          : Copyright 2000-2002 FUJI PHOTO FILM CO.,LTD.
    CompanyName        : FUJI PHOTO FILM CO., LTD.
    FileDescription    : Exif Launcher
    InternalName      : QuickDCF
    OriginalFilename  : QuickDCF.exe
    ProductName        : FinePixViewer
    Created on        : 09/01/2002 20:53:14
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 09/01/2002 20:53:14

#:25 [easyshare.exe]
    FilePath          : C:\Program Files\Kodak\Kodak EasyShare software\bin\
    ThreadCreationTime : 30-07-2004 08:02:26
    BasePriority      : Normal
    FileSize          : 584 KB
    FileVersion        : 2, 0, 2, 225
    ProductVersion    : 3, 0, 0, 221
    Copyright          : Copyright 
    CompanyName        : Eastman Kodak Company
    FileDescription    : Kodak EasyShare software
    InternalName      : EasyShare
    OriginalFilename  : EasyShare.exe
    ProductName        : Kodak EasyShare software
    Created on        : 09/04/2003 05:56:24
    Last accessed      : 30/07/2004 08:01:55
    Last modified      : 09/04/2003 05:56:24

#:26 [backweb-7288971.exe]
    FilePath          : C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\
    ThreadCreationTime : 30-07-2004 08:02:26
    BasePriority      : Normal
    FileSize          : 16 KB
    Created on        : 13/03/2002 04:08:34
    Last accessed      : 30/07/2004 08:02:26
    Last modified      : 13/03/2002 04:08:34

#:27 [wkcalrem.exe]
    FilePath          : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
    ThreadCreationTime : 30-07-2004 08:02:26
    BasePriority      : Normal
    FileSize          : 52 KB
    FileVersion        : 5.00.1928.1
    ProductVersion    : 5.00.1928.1
    CompanyName        : Microsoft
    FileDescription    : Microsoft
    InternalName      : WkCalRem
    OriginalFilename  : WKCALREM.EXE
    ProductName        : Microsoft
    Created on        : 05/09/1999 05:23:00
    Last accessed      : 30/07/2004 08:02:26
    Last modified      : 05/09/1999 05:23:00

#:28 [zonealarm.exe]
    FilePath          : C:\Program Files\Zone Labs\ZoneAlarm\
    ThreadCreationTime : 30-07-2004 08:02:26
    BasePriority      : Normal
    FileSize          : 609 KB
    FileVersion        : 3.7.202
    ProductVersion    : 3.7.202
    Copyright          : Copyright 
    CompanyName        : Zone Labs Inc.
    FileDescription    : ZoneAlarm
    InternalName      : zonealarm
    OriginalFilename  : zonealarm.exe
    ProductName        : ZoneAlarm
    Created on        : 25/05/2003 11:30:57
    Last accessed      : 30/07/2004 08:02:26
    Last modified      : 14/07/2003 12:05:40

#:29 [msnmsgr.exe]
    FilePath          : C:\Program Files\MSN Messenger\
    ThreadCreationTime : 30-07-2004 08:02:33
    BasePriority      : Normal
    FileSize          : 4768 KB
    FileVersion        : 6.2.0137
    ProductVersion    : Version 6.2
    Copyright          : Copyright © Microsoft Corporation 1997-2004
    CompanyName        : Microsoft Corporation
    FileDescription    : MSN Messenger
    InternalName      : msnmsgr
    OriginalFilename  : msnmsgr.exe
    ProductName        : MSN Messenger
    Created on        : 28/05/2004 14:22:04
    Last accessed      : 30/07/2004 08:43:27
    Last modified      : 28/05/2004 14:22:04

#:30 [wuauclt.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 30-07-2004 08:03:12
    BasePriority      : Normal
    FileSize          : 145 KB
    FileVersion        : 5.4.3790.20 built by: lab04_n
    ProductVersion    : 5.4.3790.20
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Update AutoUpdate Client
    InternalName      : wuauclt.exe
    OriginalFilename  : wuauclt.exe
    ProductName        : Microsoft
    Created on        : 24/02/2003 11:59:42
    Last accessed      : 30/07/2004 08:01:57
    Last modified      : 31/01/2004 00:40:14

#:31 [ad-aware.exe]
    FilePath          : C:\PROGRA~1\Lavasoft\AD-AWA~1\
    ThreadCreationTime : 30-07-2004 08:43:40
    BasePriority      : Normal
    FileSize          : 668 KB
    FileVersion        : 6.0.1.181
    ProductVersion    : 6.0.0.0
    Copyright          : Copyright 
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-aware 6 core application
    InternalName      : Ad-aware.exe
    OriginalFilename  : Ad-aware.exe
    ProductName        : Lavasoft Ad-aware Plus
    Created on        : 29/04/2004 22:27:44
    Last accessed      : 30/07/2004 08:22:44
    Last modified      : 12/07/2003 20:00:20

#:32 [iexplore.exe]
    FilePath          : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 30-07-2004 08:43:43
    BasePriority      : Normal
    FileSize          : 89 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion    : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName      : iexplore
    OriginalFilename  : IEXPLORE.EXE
    ProductName        : Microsoft
    Created on        : 24/02/2003 12:01:19
    Last accessed      : 30/07/2004 08:43:43
    Last modified      : 29/08/2002 12:00:00

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
    Type              : RegData
    Data              : "res://wwnsv.dll/index.html#28129"
    Category          : Data Miner
    Comment            : Possible browser hijack attempt
    Rootkey            : HKEY_CURRENT_USER
    Object            : Software\Microsoft\Internet Explorer\Main
    Value              : Start Page
    Data              : "res://wwnsv.dll/index.html#28129"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
    Type              : RegData
    Data              : "res://wwnsv.dll/index.html#28129"
    Category          : Data Miner
    Comment            : Possible browser hijack attempt
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : Software\Microsoft\Internet Explorer\Main
    Value              : Start Page
    Data              : "res://wwnsv.dll/index.html#28129"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html

Possible Browser Hijack attempt Object recognized!
    Type              : RegData
    Data              : "res://wwnsv.dll/index.html#28129"
    Category          : Data Miner
    Comment            : Possible browser hijack attempt
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : Software\Microsoft\Internet Explorer\Main
    Value              : Default_Page_URL
    Data              : "res://wwnsv.dll/index.html#28129"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 3


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
    Type              : File
    Data              : family@atdmt[1].txt
    Category          : Data Miner
    Comment            :
    Object            : C:\Documents and Settings\Family\Cookies\

    Created on        : 30/07/2004 07:02:20
    Last accessed      : 30/07/2004 08:36:28
    Last modified      : 30/07/2004 08:36:28



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 4


10:00:26 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:13:18:468
Objects scanned :221987
Objects identified :4
Objects ignored :0
New objects :4


HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 11:14:15, on 30/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\appff.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\ntbn.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wwnsv.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wwnsv.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wwnsv.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wwnsv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wwnsv.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wwnsv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FD6F55F3-10E8-D4AB-3EDD-34285F1DFA2E} - C:\WINDOWS\apphp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ntbn.exe] C:\WINDOWS\ntbn.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [appff.exe] C:\WINDOWS\system32\appff.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\a.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.c...ex/launcher.ocx
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {55B058C8-62DA-11D4-B4AD-B91DC3D8A423} (LightsOut Control) - http://www.simonbrad...t/LightsOut.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop...p/PCPitStop.CAB


Thanks again

#2 mmxx66
The SWI drummer (Retired Staff, 4,412 posts)

Posted 31 July 2004 - 05:57 PM

Hello, please download About:Buster and unzip it to your desktop. Don't run it yet.

How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use Adaware. Don't use it yet.
1. You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference file. Click *OK* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You should now see Reference File # : 01R333 18.07.2004 or higher listed.

2. Print out these instructions so you have them handy, as most of the steps need to be done in Safe Mode and you may not be able to go online.

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

4. Reboot to Safe Mode
How to start the computer in Safe mode


5. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

6. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wwnsv.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wwnsv.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wwnsv.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wwnsv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wwnsv.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wwnsv.dll/sp.html#28129
O2 - BHO: (no name) - {FD6F55F3-10E8-D4AB-3EDD-34285F1DFA2E} - C:\WINDOWS\apphp.dll
O4 - HKLM\..\Run: [ntbn.exe] C:\WINDOWS\ntbn.exe
O4 - HKLM\..\RunOnce: [appff.exe] C:\WINDOWS\system32\appff.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\a.exe


7. Delete the following files if present.
C:\WINDOWS\wwnsv.dll
C:\WINDOWS\apphp.dll
C:\WINDOWS\ntbn.exe
C:\WINDOWS\system32\appff.exe
C:\Program Files\Internet Explorer\a.exe



8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:


Temporary Files
Temporary Internet Files
Recycle Bin


11. Reboot to normal mode, scan again with Hijack This and post a new log here.

12. Finally, do an online scan HERE. Let it remove any infected files found.

Replace Deleted Files
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
Go to Internet Options/Security/Internet, press 'Default Level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.
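The fixes above all key off the same handful of log patterns: IE start/search pages pointing at a res:// DLL, a nameless BHO loaded from the Windows folder, Run/RunOnce entries launching a bare executable from C:\WINDOWS, and an O16 entry installed from a local file:// path. The following triage script is an added example, not part of this thread or of HijackThis; it parses HijackThis log lines with those heuristics and lists the file paths they reference, using lines taken from the log posted above as its sample input.

```python
"""Heuristic triage of HijackThis log lines for the CWS about:blank
pattern discussed in this thread (added example, not from the thread)."""
import re

# R0/R1 entries whose value is a res:// URL into a DLL (start/search page hijack).
RES_HIJACK = re.compile(r"^R[01] - .* = res://", re.IGNORECASE)
# O2 BHO with no name, loaded directly from the Windows folder.
NAMELESS_BHO = re.compile(
    r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - (?P<path>C:\\WINDOWS\\[^\\]+\.dll)$",
    re.IGNORECASE,
)
# O4 Run/RunOnce whose target is an unquoted executable sitting directly in
# C:\WINDOWS or C:\WINDOWS\system32 with no arguments (the random-name droppers).
SUSPICIOUS_RUN = re.compile(
    r"^O4 - HKLM\\\.\.\\Run(?:Once)?: \[[^\]]+\] "
    r"(?P<path>C:\\WINDOWS\\(?:system32\\)?[A-Za-z0-9]+\.exe)$",
    re.IGNORECASE,
)
# O16 DPF (Downloaded Program Files) entry installed from a local file:// URL.
LOCAL_DPF = re.compile(r"^O16 - DPF: .* - file://(?P<path>.+)$", re.IGNORECASE)


def triage(log_text):
    """Return (reason, line) pairs for lines matching a hijack heuristic.

    These are indicators to review by hand, not a verdict: the rules are
    tuned to the entries seen in this thread and will not catch variants."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if RES_HIJACK.match(line):
            findings.append(("res:// start/search page hijack", line))
        elif NAMELESS_BHO.match(line):
            findings.append(("nameless BHO in Windows folder", line))
        elif SUSPICIOUS_RUN.match(line):
            findings.append(("autorun of bare executable in Windows folder", line))
        elif LOCAL_DPF.match(line):
            findings.append(("ActiveX control installed from local file", line))
    return findings


def referenced_files(findings):
    """Extract the file paths named by the flagged lines (the 'delete these
    files if present' list). A res:// URL that names only a bare DLL is
    reported as that bare name rather than guessed into a folder."""
    paths = set()
    for _reason, line in findings:
        m = re.search(r"res://(?P<path>[^/]+\.dll)/", line, re.IGNORECASE)
        if m is None:
            m = NAMELESS_BHO.match(line) or SUSPICIOUS_RUN.match(line) or LOCAL_DPF.match(line)
        if m is not None:
            paths.add(m.group("path"))
    return sorted(paths)


# Constructed sample: lines copied from the log posted in this thread, plus
# benign entries (proxy override, Google toolbar BHO, NeroCheck, Flash) that
# the heuristics must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wwnsv.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wwnsv.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {FD6F55F3-10E8-D4AB-3EDD-34285F1DFA2E} - C:\WINDOWS\apphp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ntbn.exe] C:\WINDOWS\ntbn.exe
O4 - HKLM\..\RunOnce: [appff.exe] C:\WINDOWS\system32\appff.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\a.exe
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, line in found:
        print(f"[{reason}] {line}")
    print("Files referenced by flagged entries:")
    for path in referenced_files(found):
        print("  " + path)
```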

#3 Pickett
Member (Full Member, 5 posts)

Posted 01 August 2004 - 02:31 PM

Thanks for the reply.

I followed all your instructions however:
"Network Security Service" was not in Services.msc

I also couldn't find the following:

04 - HKLM\..\Run: [ntbn.exe] C:\WINDOWS\ntbn.exe
016 - DPF: {1000000-100-000-1000-000000000000} - file://C:\Program Files\Internet Explorer\a.exe

C:\WINDOWS\ntbn.exe

---------------------------------------

After following the instructions and rebooting etc, I scanned with HijackThis. Here is my new log.

Logfile of HijackThis v1.97.7
Scan saved at 20:25:31, on 01/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\javayj.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\appxu32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbzdx.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jbzdx.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jbzdx.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbzdx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jbzdx.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jbzdx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {49E3B74E-F05D-BC3E-9CB7-A196605EC6A6} - C:\WINDOWS\system32\crgb32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [appxu32.exe] C:\WINDOWS\appxu32.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [ielt32.exe] C:\WINDOWS\ielt32.exe
O4 - HKLM\..\RunOnce: [d3cm32.exe] C:\WINDOWS\d3cm32.exe
O4 - HKLM\..\RunOnce: [mfcbl.exe] C:\WINDOWS\mfcbl.exe
O4 - HKLM\..\RunOnce: [winzy.exe] C:\WINDOWS\winzy.exe
O4 - HKLM\..\RunOnce: [crmq.exe] C:\WINDOWS\crmq.exe
O4 - HKLM\..\RunOnce: [mfcgy32.exe] C:\WINDOWS\mfcgy32.exe
O4 - HKLM\..\RunOnce: [netfx.exe] C:\WINDOWS\netfx.exe
O4 - HKLM\..\RunOnce: [addqn.exe] C:\WINDOWS\addqn.exe
O4 - HKLM\..\RunOnce: [mspi.exe] C:\WINDOWS\system32\mspi.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.c...ex/launcher.ocx
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {55B058C8-62DA-11D4-B4AD-B91DC3D8A423} (LightsOut Control) - http://www.simonbrad...t/LightsOut.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop...p/PCPitStop.CAB


I still get the problems when I open IE.

If you want my about:buster logs then let me know.

Thanks for your help

#4 mmxx66
The SWI drummer (Retired Staff, 4,412 posts)

Posted 02 August 2004 - 03:49 PM

Your version of Hijack this is outdated. Please download version 1.98.0 from either of the following links:
LINK 1
or
LINK 2
And post a new log
And please don't quote the logs

Edited by mmxx66, 02 August 2004 - 03:56 PM.


#5 Pickett
Member (Full Member, 5 posts)

Posted 02 August 2004 - 03:54 PM

OK, sorry about the quote thing.
Here is my latest log:

Logfile of HijackThis v1.98.1
Scan saved at 21:53:41, on 02/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\javayj.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ntei32.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zrtlo.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zrtlo.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zrtlo.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E09A367-5B7D-66F4-0E18-4FBCCE2A8EB3} - C:\WINDOWS\crzf32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ntei32.exe] C:\WINDOWS\system32\ntei32.exe
O4 - HKLM\..\RunOnce: [ielt32.exe] C:\WINDOWS\ielt32.exe
O4 - HKLM\..\RunOnce: [d3cm32.exe] C:\WINDOWS\d3cm32.exe
O4 - HKLM\..\RunOnce: [mfcbl.exe] C:\WINDOWS\mfcbl.exe
O4 - HKLM\..\RunOnce: [winzy.exe] C:\WINDOWS\winzy.exe
O4 - HKLM\..\RunOnce: [crmq.exe] C:\WINDOWS\crmq.exe
O4 - HKLM\..\RunOnce: [mfcgy32.exe] C:\WINDOWS\mfcgy32.exe
O4 - HKLM\..\RunOnce: [netfx.exe] C:\WINDOWS\netfx.exe
O4 - HKLM\..\RunOnce: [addqn.exe] C:\WINDOWS\addqn.exe
O4 - HKLM\..\RunOnce: [mspi.exe] C:\WINDOWS\system32\mspi.exe
O4 - HKLM\..\RunOnce: [atlml32.exe] C:\WINDOWS\atlml32.exe
O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\system32\crqc.exe
O4 - HKLM\..\RunOnce: [apipr32.exe] C:\WINDOWS\system32\apipr32.exe
O4 - HKLM\..\RunOnce: [javavf32.exe] C:\WINDOWS\system32\javavf32.exe
O4 - HKLM\..\RunOnce: [atlje.exe] C:\WINDOWS\atlje.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro...usecall_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.c...ex/launcher.ocx
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {55B058C8-62DA-11D4-B4AD-B91DC3D8A423} (LightsOut Control) - http://www.simonbrad...t/LightsOut.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop...p/PCPitStop.CAB
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - (no file)

#6 mmxx66
The SWI drummer (Retired Staff, 4,412 posts)

Posted 02 August 2004 - 05:00 PM

Do not reboot
Right click on the task bar, go to Task Manager, and in the Processes tab stop these processes:
javayj.exe
ntei32.exe


CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zrtlo.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zrtlo.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zrtlo.dll/index.html#28129
O2 - BHO: (no name) - {1E09A367-5B7D-66F4-0E18-4FBCCE2A8EB3} - C:\WINDOWS\crzf32.dll
O4 - HKLM\..\Run: [ntei32.exe] C:\WINDOWS\system32\ntei32.exe
O4 - HKLM\..\RunOnce: [ielt32.exe] C:\WINDOWS\ielt32.exe
O4 - HKLM\..\RunOnce: [d3cm32.exe] C:\WINDOWS\d3cm32.exe
O4 - HKLM\..\RunOnce: [mfcbl.exe] C:\WINDOWS\mfcbl.exe
O4 - HKLM\..\RunOnce: [winzy.exe] C:\WINDOWS\winzy.exe
O4 - HKLM\..\RunOnce: [crmq.exe] C:\WINDOWS\crmq.exe
O4 - HKLM\..\RunOnce: [mfcgy32.exe] C:\WINDOWS\mfcgy32.exe
O4 - HKLM\..\RunOnce: [netfx.exe] C:\WINDOWS\netfx.exe
O4 - HKLM\..\RunOnce: [addqn.exe] C:\WINDOWS\addqn.exe
O4 - HKLM\..\RunOnce: [mspi.exe] C:\WINDOWS\system32\mspi.exe
O4 - HKLM\..\RunOnce: [atlml32.exe] C:\WINDOWS\atlml32.exe
O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\system32\crqc.exe
O4 - HKLM\..\RunOnce: [apipr32.exe] C:\WINDOWS\system32\apipr32.exe
O4 - HKLM\..\RunOnce: [javavf32.exe] C:\WINDOWS\system32\javavf32.exe
O4 - HKLM\..\RunOnce: [atlje.exe] C:\WINDOWS\atlje.exe


Delete these files:
C:\WINDOWS\system32\zrtlo.dll
C:\WINDOWS\crzf32.dll
C:\WINDOWS\javayj.exe
C:\WINDOWS\system32\ntei32.exe
C:\WINDOWS\ielt32.exe
C:\WINDOWS\d3cm32.exe
C:\WINDOWS\mfcbl.exe
C:\WINDOWS\winzy.exe
C:\WINDOWS\crmq.exe
C:\WINDOWS\mfcgy32.exe
C:\WINDOWS\netfx.exe
C:\WINDOWS\addqn.exe
C:\WINDOWS\system32\mspi.exe
C:\WINDOWS\atlml32.exe
C:\WINDOWS\system32\crqc.exe
C:\WINDOWS\system32\apipr32.exe
C:\WINDOWS\system32\javavf32.exe
C:\WINDOWS\atlje.exe

Double click AboutBuster.exe, run the program twice, save both logs.
Scan with Adaware and let it remove any bad files found.

Post a new HijackThis log and the About:Buster logs



