hijack log & browser, help please


9 replies to this topic

#1 glenn2003

glenn2003

    Member

  • Full Member
  • Pip
  • 24 posts

Posted 15 June 2004 - 04:15 PM

Logfile of HijackThis v1.97.7
Scan saved at 2:45:26 AM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\netzg.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wincz32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\chrismiz2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ggjkl.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ggjkl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ggjkl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
O2 - BHO: (no name) - {E3C75ADD-28CA-1552-C53A-CB5117FD483C} - C:\WINDOWS\winei.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [netzg.exe] C:\WINDOWS\netzg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

My internet is going much slower, and I can't play any videos or audios on my computer anymore, whether I'm trying to access it from my files or the net; it just pops up a box that says "windows cannot find..........". My browser used to be blank, but now it has this "Home Search" page whenever I open Internet Explorer. The link is:
res://ggjkl.dll/index.html#96676

If anyone can please help me fix this, I'd appreciate it so much.

#2 Taz71498

Taz71498

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 225 posts

Posted 15 June 2004 - 07:56 PM

Hello glenn2003,

Download CWShredder. Click on Update, then close all browsers, and then click on Fix, not Scan.

Next, download Spybot S&D. Check for updates first, download ALL updates and do a scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" button.

Reboot the computer.

Run Hijackthis again with all browsers closed and check these items and then click on Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ggjkl.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ggjkl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ggjkl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676


Reboot and post a new log here.

#3 glenn2003

Posted 15 June 2004 - 09:38 PM

Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 4:46:40 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\netzg.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\javabn32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chrismiz2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ggjkl.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ggjkl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ggjkl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
O2 - BHO: (no name) - {E3C75ADD-28CA-1552-C53A-CB5117FD483C} - C:\WINDOWS\winei.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [netzg.exe] C:\WINDOWS\netzg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

I did all those things but it still doesn't work; when I open my IE, the page res://ggjkl.dll/index.html#96676 comes back again. By the way, I don't have an antivirus, and I'm on Windows XP. I heard antivirus and adware isn't helping a lot of people with this problem. Just wanted to mention that. Thank you for helping me, hope you can still help me with my situation. Still stuck here.

Edited by glenn2003, 15 June 2004 - 09:51 PM.


#4 Taz71498

Posted 16 June 2004 - 04:33 PM

Hello glenn2003,

Download this file from
http://downloads.sub....org/dllfix.exe

The file when downloaded will be dllfix.exe
Double-click or open the self-extracting file. It will ask for installation and change location. Please keep it on the Desktop.

Navigate to the folder with the contents of the file. You will see there are two more folders inside and two BAT files.

Run start.bat

Run Option 1 for the report.
Once the search is complete a ".txt" file should pop up with the name "Output.txt". Keep it and post it here.

#5 glenn2003

Posted 16 June 2004 - 11:30 PM

After downloading and installing, I clicked on dllfix folder on my desktop, it opens up a box that has the icons

"programs",
"direct text documents 1kb",
"emerg MS-DOS Batch File 1kb",
"second MS-DOS Batch File 9 KB",
"start MS-DOS Batch File 11 KB."

Then I clicked on "start MS-DOS Batch File 11 KB" and then I clicked on "1" which is the "Run Find-All" option and I got this below:

--==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Wed 06/16/2004
11:17 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (20A2:AE46) - FS:NTFS clusters:4k
Total: 14 994 649 088 [14G] - Free: 8 497 860 608 [7.9G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q810847;Q813951;Q822925;Q330994;Q832894;Q837009;Q831167;



Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
If not file is listed than Dllfix may not Help.
in this case please post the contents of Windows.txt to the appinit
entry can be checked. You will find it in the dllfix folder after findall completes.


Scanning for main Hijacker:


Dllfix must have the Hijackerfiles in system32 to fix properly.
If there are no protocal keys text/html and text/plain
then dllfix may not work. This fix targets this type Hijack Entry.
that keeps reoccuring with different filenames.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
= res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{469875BB-BC3F-507E-B350-021484557DB4}]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

*Security settings for 'Windows' key:

If error than registry may need to be restored from option 4.

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




:unsure: What do I do now?

Edited by glenn2003, 17 June 2004 - 04:29 AM.


#6 Taz71498

Posted 17 June 2004 - 04:44 PM

Hello,

Let's try this:

Reboot the computer into safe mode

Run HJT again with all browsers closed and check these items and then click on Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ggjkl.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ggjkl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ggjkl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676

O2 - BHO: (no name) - {E3C75ADD-28CA-1552-C53A-CB5117FD483C} - C:\WINDOWS\winei.dll

O4 - HKLM\..\Run: [netzg.exe] C:\WINDOWS\netzg.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

Reboot and run HJT again and post a new log here.

By the way, even though an antivirus won't fix this problem, you should still have one. There are many free ones out there. I personally use:

http://www.grisoft.c...s_dwnl_free.php

#7 Vulcano

Vulcano

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 17 June 2004 - 05:02 PM

You probably got this:
http://www.spywarein...?showtopic=7447

Right?

#8 glenn2003

Posted 17 June 2004 - 07:20 PM

Logfile of HijackThis v1.97.7
Scan saved at 2:11:00 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sysre.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\sdkde32.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chrismiz2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fuldq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fuldq.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fuldq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fuldq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fuldq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fuldq.dll/sp.html#96676
O2 - BHO: (no name) - {FC8DC405-692D-5DCB-A8CC-66E86CC45311} - C:\WINDOWS\system32\sysif.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [sdkde32.exe] C:\WINDOWS\system32\sdkde32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [ipuc32.exe] C:\WINDOWS\system32\ipuc32.exe
O4 - HKLM\..\RunOnce: [sdkzx32.exe] C:\WINDOWS\sdkzx32.exe
O4 - HKLM\..\RunOnce: [netdh.exe] C:\WINDOWS\netdh.exe
O4 - HKLM\..\RunOnce: [javajs32.exe] C:\WINDOWS\system32\javajs32.exe
O4 - HKLM\..\RunOnce: [javafz.exe] C:\WINDOWS\system32\javafz.exe
O4 - HKLM\..\RunOnce: [sdkrn32.exe] C:\WINDOWS\system32\sdkrn32.exe
O4 - HKLM\..\RunOnce: [netba.exe] C:\WINDOWS\netba.exe
O4 - HKLM\..\RunOnce: [netev32.exe] C:\WINDOWS\system32\netev32.exe
O4 - HKLM\..\RunOnce: [iewr.exe] C:\WINDOWS\iewr.exe
O4 - HKLM\..\RunOnce: [d3jy.exe] C:\WINDOWS\system32\d3jy.exe
O4 - HKLM\..\RunOnce: [netrm32.exe] C:\WINDOWS\netrm32.exe
O4 - HKLM\..\RunOnce: [d3wz32.exe] C:\WINDOWS\system32\d3wz32.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

Taz, I did all that and it still doesn't help. It comes back the same way again. Vulcano posted a link:
http://www.spywarein...?showtopic=7447 that relates to a lot of my problems.

Please respond and tell me what I should do next.

#9 Taz71498

Posted 17 June 2004 - 07:41 PM

Hello,

Let's start here:

1. Open My Computer
2. Right click on your hard drive that you wish to clean (C drive, for example)
3. In the context menu that opens, select properties
4. Under the general tab you should select Disk Cleanup
5. Windows will scan your drive which will take a few seconds/minutes
6. A box will display the various files you can remove. Here are some safe examples:

Temporary Internet Files
Recycle Bin
Temporary Files

7. Click OK and windows will comply.

Next, delete the contents of the "temp" folder and completely delete the cache folders by doing this:

Open Internet Explorer. Then click on TOOLS in the top toolbar. Click on "Internet Options..." from the drop-down menu.
A new smaller window will display. Under the "General" tab, in the middle, are 3 buttons.
Click the Delete Cookies button - then a small warning box pops up. Click OK.
Click the Delete Files button - a small warning box pops up. Check the box for "Delete all offline content" and click OK.
Then on the same General tab, click Clear History, then click OK.

Reboot the computer into safe mode

Make sure you can view all hidden files and folders

Run HijackThis again and check these entries and then click on Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fuldq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fuldq.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fuldq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fuldq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fuldq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fuldq.dll/sp.html#96676

O2 - BHO: (no name) - {FC8DC405-692D-5DCB-A8CC-66E86CC45311} - C:\WINDOWS\system32\sysif.dll

O4 - HKLM\..\Run: [sdkde32.exe] C:\WINDOWS\system32\sdkde32.exe
O4 - HKLM\..\RunOnce: [ipuc32.exe] C:\WINDOWS\system32\ipuc32.exe
O4 - HKLM\..\RunOnce: [sdkzx32.exe] C:\WINDOWS\sdkzx32.exe
O4 - HKLM\..\RunOnce: [netdh.exe] C:\WINDOWS\netdh.exe
O4 - HKLM\..\RunOnce: [javajs32.exe] C:\WINDOWS\system32\javajs32.exe
O4 - HKLM\..\RunOnce: [javafz.exe] C:\WINDOWS\system32\javafz.exe
O4 - HKLM\..\RunOnce: [sdkrn32.exe] C:\WINDOWS\system32\sdkrn32.exe
O4 - HKLM\..\RunOnce: [netba.exe] C:\WINDOWS\netba.exe
O4 - HKLM\..\RunOnce: [netev32.exe] C:\WINDOWS\system32\netev32.exe
O4 - HKLM\..\RunOnce: [iewr.exe] C:\WINDOWS\iewr.exe
O4 - HKLM\..\RunOnce: [d3jy.exe] C:\WINDOWS\system32\d3jy.exe
O4 - HKLM\..\RunOnce: [netrm32.exe] C:\WINDOWS\netrm32.exe
O4 - HKLM\..\RunOnce: [d3wz32.exe] C:\WINDOWS\system32\d3wz32.exe


Find and delete these files/folders:

C:\WINDOWS\system32\sdkde32.exe
C:\WINDOWS\system32\ipuc32.exe
C:\WINDOWS\sdkzx32.exe
C:\WINDOWS\netdh.exe
C:\WINDOWS\system32\javajs32.exe
C:\WINDOWS\system32\javafz.exe
C:\WINDOWS\system32\sdkrn32.exe
C:\WINDOWS\netba.exe
C:\WINDOWS\system32\netev32.exe
C:\WINDOWS\iewr.exe
C:\WINDOWS\system32\d3jy.exe
C:\WINDOWS\netrm32.exe
C:\WINDOWS\system32\d3wz32.exe

Reboot.

Download Ad-aware.
Check for updates first and then set these settings and then scan:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

After that, please post a new HJT log. Let's see what happens.

#10 glenn2003

Posted 18 June 2004 - 10:29 PM

I did everything you told me, and when I ran HijackThis, the following log came out:

Logfile of HijackThis v1.97.7
Scan saved at 5:22:16 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sysre.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\sdkde32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Documents and Settings\chrismiz2\Desktop\HijackThis.exe

O2 - BHO: (no name) - {8C57E8AD-9376-E315-A81F-1A17FC9316DA} - C:\WINDOWS\javazu32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [sdkde32.exe] C:\WINDOWS\system32\sdkde32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [atlot.exe] C:\WINDOWS\system32\atlot.exe
O4 - HKLM\..\RunOnce: [winij.exe] C:\WINDOWS\winij.exe
O4 - HKLM\..\RunOnce: [javadd.exe] C:\WINDOWS\javadd.exe
O4 - HKLM\..\RunOnce: [netvh.exe] C:\WINDOWS\netvh.exe
O4 - HKLM\..\RunOnce: [systg32.exe] C:\WINDOWS\system32\systg32.exe
O4 - HKLM\..\RunOnce: [sdkzd.exe] C:\WINDOWS\system32\sdkzd.exe
O4 - HKLM\..\RunOnce: [winzd32.exe] C:\WINDOWS\system32\winzd32.exe
O4 - HKLM\..\RunOnce: [ntww32.exe] C:\WINDOWS\ntww32.exe
O4 - HKLM\..\RunOnce: [sdksj32.exe] C:\WINDOWS\sdksj32.exe

But when I open my browser, the "home search" page comes out again, and then I do a hijackthis again and I end up getting this log again:

Logfile of HijackThis v1.97.7
Scan saved at 5:26:35 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sysre.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\sdkde32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chrismiz2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dwweu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dwweu.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dwweu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dwweu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dwweu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dwweu.dll/sp.html#96676
O2 - BHO: (no name) - {8C57E8AD-9376-E315-A81F-1A17FC9316DA} - C:\WINDOWS\javazu32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [sdkde32.exe] C:\WINDOWS\system32\sdkde32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [atlot.exe] C:\WINDOWS\system32\atlot.exe
O4 - HKLM\..\RunOnce: [winij.exe] C:\WINDOWS\winij.exe
O4 - HKLM\..\RunOnce: [javadd.exe] C:\WINDOWS\javadd.exe
O4 - HKLM\..\RunOnce: [netvh.exe] C:\WINDOWS\netvh.exe
O4 - HKLM\..\RunOnce: [systg32.exe] C:\WINDOWS\system32\systg32.exe
O4 - HKLM\..\RunOnce: [sdkzd.exe] C:\WINDOWS\system32\sdkzd.exe
O4 - HKLM\..\RunOnce: [winzd32.exe] C:\WINDOWS\system32\winzd32.exe
O4 - HKLM\..\RunOnce: [ntww32.exe] C:\WINDOWS\ntww32.exe
O4 - HKLM\..\RunOnce: [sdksj32.exe] C:\WINDOWS\sdksj32.exe
O4 - HKLM\..\RunOnce: [netha.exe] C:\WINDOWS\netha.exe

It always comes back, help.
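
An added example, not part of any post in this thread: a short Python parser for HijackThis R0/R1, O2 and O4 lines, run over excerpts of the logs posted on 15, 17 and 18 June, that separates entries which stay the same across scans from entries whose names differ in every scan. The function names and category labels are this example's own.

```python
import re

# Excerpts copied from the three HijackThis logs posted in this thread.
LOG_15 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ggjkl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ggjkl.dll/sp.html#96676
O2 - BHO: (no name) - {E3C75ADD-28CA-1552-C53A-CB5117FD483C} - C:\WINDOWS\winei.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [netzg.exe] C:\WINDOWS\netzg.exe
"""
LOG_17 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fuldq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fuldq.dll/sp.html#96676
O2 - BHO: (no name) - {FC8DC405-692D-5DCB-A8CC-66E86CC45311} - C:\WINDOWS\system32\sysif.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [sdkde32.exe] C:\WINDOWS\system32\sdkde32.exe
O4 - HKLM\..\RunOnce: [ipuc32.exe] C:\WINDOWS\system32\ipuc32.exe
"""
LOG_18 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dwweu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dwweu.dll/sp.html#96676
O2 - BHO: (no name) - {8C57E8AD-9376-E315-A81F-1A17FC9316DA} - C:\WINDOWS\javazu32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [sdkde32.exe] C:\WINDOWS\system32\sdkde32.exe
O4 - HKLM\..\RunOnce: [atlot.exe] C:\WINDOWS\system32\atlot.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# DLL named in a res:// URL, with or without a full path in front of it.
RES_URL = re.compile(r"res://(?:.*\\)?(?P<dll>[^\\/]+\.dll)/", re.I)
BHO = re.compile(r"^BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN = re.compile(r"^(?P<key>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse(log):
    """Collect res:// DLLs (R0/R1), BHOs (O2) and autoruns (O4) from one log."""
    out = {"res_dlls": set(), "bhos": set(), "autoruns": set()}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m["code"], m["body"]
        if code in ("R0", "R1"):
            r = RES_URL.search(body)
            if r:
                out["res_dlls"].add(r["dll"].lower())
        elif code == "O2":
            b = BHO.match(body)
            if b:
                out["bhos"].add((b["clsid"].upper(), b["path"]))
        elif code == "O4":
            a = RUN.match(body)
            if a:
                out["autoruns"].add((a["key"], a["name"], a["cmd"]))
    return out


def stable(logs, category):
    """Values present in every scan."""
    return set.intersection(*(parse(log)[category] for log in logs))


def rotated(logs, category):
    """Values present in some scans but not in all of them."""
    sets = [parse(log)[category] for log in logs]
    return set.union(*sets) - set.intersection(*sets)


if __name__ == "__main__":
    scans = [LOG_15, LOG_17, LOG_18]
    for cat in ("res_dlls", "bhos", "autoruns"):
        print(cat, "stable:", sorted(stable(scans, cat)))
        print(cat, "rotated:", sorted(rotated(scans, cat)))
```

On these excerpts the res:// DLL and the BHO CLSID differ in all three scans, so a fix list built from one log no longer matches the entries in the next.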



