I'm seriously gonna kill myself if I can't fix this


5 replies to this topic

#1 chrisgaltieri

chrisgaltieri

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 15 June 2004 - 02:07 AM

Hey there,

I feel a bit intrusive posting my problem and log file on here, kinda like going to see the Godfather for help. But I'm so desperate I'll try anyway.

My problem probably started as most others' did, in a rage of closing popups and 'Click ok to enlarge penis' popups I've probably accidentally (yes accidentally) clicked ok, and bob's your uncle gotten this shite installed on my computer... I'm an Information Systems student at the University of Melbourne Australia and still with my vast computer knowledge (lol, just joking) still cannot figure a way to remove this shit.. Every time IE runs it changes the startup/search pages etc etc.. and after manually deleting the .dll files and registry entries it still fires back up and reinstalls it all.. I've tried every spyware program under the sun: Ad-aware, Spybot, CWShredder, the 'Fix it' function of HijackThis etc etc to no avail.. Here's my log and I'd be very appreciative if someone could help me...


Logfile of HijackThis v1.97.7
Scan saved at 4:44:23 PM, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\mySQL\bin\mysqld-nt.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiy.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
D:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINDOWS\System32\JupitCo.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\System32\ucjoxa.exe
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\sdkcv.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\WorkPad\hotsync.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\WINDOWS\msagent\AgentSvr.exe
D:\Program Files\eMule\emule.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pqkyz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pqkyz.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pqkyz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pqkyz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pqkyz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pqkyz.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AAF322C0-53A3-24FC-C5E6-B062F9D982F9} - C:\WINDOWS\mfcma32.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [WpsRePsw] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [PaperPort PTD] d:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [BAFO USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [rhxdslutzs] C:\WINDOWS\System32\ucjoxa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [sdkcv.exe] C:\WINDOWS\system32\sdkcv.exe
O4 - HKCU\..\Run: [netmsg] C:\WINDOWS\System32\netmsg.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = D:\WorkPad\hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...T=1074316605099
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7896.2041550926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

--Chris Galtieri
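
Added example (not part of the original post): a minimal Python triage of a HijackThis log like the one above. It groups the IE start/search page settings that point into a local DLL through res:// and lists the Run-key autostart entries for manual review; listing an entry is not a verdict on it. The function names and the about:blank sample line are made up for the example.

```python
import re
from collections import defaultdict

# A few lines in the shape of the log above; the about:blank line is constructed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pqkyz.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pqkyz.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [netmsg] C:\WINDOWS\System32\netmsg.exe
"""

# "R<n> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^R[0-3] - (HK\w+)\\[^,]+,(.+?) = (.*)$")
# DLL named in a res:// URL, with or without a directory in front of it
RES_DLL = re.compile(r"^res://(?:.*[\\/])?([^\\/]+\.dll)/", re.I)
# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run\w*: \[(.+?)\] (.*)$")


def ie_res_hijacks(log):
    """Map each DLL to the IE page settings that point into it via res://."""
    found = defaultdict(list)
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        hive, name, data = m.groups()
        dll = RES_DLL.match(data)
        if dll:
            found[dll.group(1).lower()].append(f"{hive}:{name}")
    return dict(found)


def run_entries(log):
    """List (hive, value name, command) for every Run-key autostart entry."""
    out = []
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            out.append(m.groups())
    return out


if __name__ == "__main__":
    for dll, settings in ie_res_hijacks(SAMPLE_LOG).items():
        print(f"{dll}: {', '.join(settings)}")
    for hive, name, cmd in run_entries(SAMPLE_LOG):
        print(f"review autostart {hive} [{name}] -> {cmd}")
```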

#2 chrisgaltieri

Posted 15 June 2004 - 02:11 AM

Oh, I just read another topic down the list and it seems we all have exactly the same bloody problems... I also have the Installer for Office popup every time I try and run an office application... :wtf:

#3 chrisgaltieri

Posted 15 June 2004 - 04:30 AM

Ha!

It seems I've fixed the problem and cleaned everything up - for now...

I booted in safe mode, then deleted all the files from the 'temporary internet files' directory and 'temp' folders (all located in Local Settings), then used HijackThis to fix the lines with res://C:\WINDOWS\pqkyz.dll/sp.html#96676... yes you've all seen them... and then just checked in regedit to make sure there were no more traces of some bullshit start/search pages that I didn't want.

The other thing I did was delete the suspect .dll files in c:\windows... I don't think this step is necessary because all they contain is the html for the webpages it loads (encrypted of course)... but I got satisfaction from deleting them nonetheless..

I then rebooted in normal mode and hey presto when I ran IE, everything was all good. It's also a good idea before rebooting (while still in safe mode) to run Ad-aware from Lavasoft to get rid of other shitty spyware while the temp internet files and cookies are all disposed of.. It's the best program by far.

Hopefully that may help a few of you waiting for responses from the moderators here at this website... They do a great job even though it seems I didn't need to bother them in the first place... It's not often you find people on the net willing to help ordinary people like me out with frustrating, annoying problems like this.

I just want to make it clear that people shouldn't just go around deleting .dll's as they see fit... Make sure you know exactly what each does before you think about deleting them.

I don't claim to have any great knowledge on the whole spyware front, so I wouldn't suggest posting any questions about how I got that to work, but hey I hope this information helps at least some of you in my situation.

Cheers,
Chris Galtieri

PS: I wish I could have 5 minutes with the bastards that make this shit.. I would see to it that they walk away very bruised and battered... oh the satisfaction :rofl:

#4 chrisgaltieri

Posted 15 June 2004 - 05:18 AM

ARRRRRRGHHHH!!!

Great, it's stuffed again... God this is frustrating.. can anyone help?

It seems that we all have very similar problems here.. surely there is a basic plan of action to follow?

#5 chrisgaltieri

Posted 15 June 2004 - 07:23 PM

bump......PLEASE!

#6 chrisgaltieri

Posted 16 June 2004 - 06:34 AM

All fixed - no need for help anymore - in fact posted my own help here:

http://www.spywarein...?showtopic=7281



