Jump to content


Photo

Browser Problems and Pop Ups


  • Please log in to reply
7 replies to this topic

#1 Pudgie

Pudgie

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 20 June 2004 - 04:54 PM

I'm having problems with some unwanted pop-up ads, as well as a prob with Internet explorer where I can't change my homepage to anything but: res://yller.dll/index.html#96676. I've run adaware and Spybot, but these problems still remain. Any help at all would be greatly appreciated.

Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 1:31:26 AM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\sdkrz.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\javadk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Mike's Junk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yller.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yller.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yller.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yller.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yller.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yller.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8A8F47B1-61ED-1CBB-2DB3-D81BFA6E22BF} - C:\WINDOWS\sysog.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [javadk.exe] C:\WINDOWS\system32\javadk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKLM\..\RunOnce: [sdkrz.exe] C:\WINDOWS\system32\sdkrz.exe
O4 - HKLM\..\RunOnce: [d3ds32.exe] C:\WINDOWS\system32\d3ds32.exe
O4 - HKLM\..\RunOnce: [netal.exe] C:\WINDOWS\system32\netal.exe
O4 - HKLM\..\RunOnce: [addlc.exe] C:\WINDOWS\system32\addlc.exe
O4 - HKLM\..\RunOnce: [winrv32.exe] C:\WINDOWS\system32\winrv32.exe
O4 - HKLM\..\RunOnce: [mfcne.exe] C:\WINDOWS\mfcne.exe
O4 - HKLM\..\RunOnce: [atlka32.exe] C:\WINDOWS\system32\atlka32.exe
O4 - HKLM\..\RunOnce: [atlgl.exe] C:\WINDOWS\atlgl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 The Spie

The Spie

    Member

  • Retired Staff - Helper
  • Pip
  • 68 posts

Posted 20 June 2004 - 05:23 PM

Pudgie:

Start up HijackThis! again and put a check mark next to the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yller.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yller.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yller.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yller.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yller.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yller.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8A8F47B1-61ED-1CBB-2DB3-D81BFA6E22BF} - C:\WINDOWS\sysog.dll
O4 - HKLM\..\RunOnce: [sdkrz.exe] C:\WINDOWS\system32\sdkrz.exe
O4 - HKLM\..\RunOnce: [d3ds32.exe] C:\WINDOWS\system32\d3ds32.exe
O4 - HKLM\..\RunOnce: [netal.exe] C:\WINDOWS\system32\netal.exe
O4 - HKLM\..\RunOnce: [addlc.exe] C:\WINDOWS\system32\addlc.exe
O4 - HKLM\..\RunOnce: [winrv32.exe] C:\WINDOWS\system32\winrv32.exe
O4 - HKLM\..\RunOnce: [mfcne.exe] C:\WINDOWS\mfcne.exe
O4 - HKLM\..\RunOnce: [atlka32.exe] C:\WINDOWS\system32\atlka32.exe
O4 - HKLM\..\RunOnce: [atlgl.exe] C:\WINDOWS\atlgl.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab


The following item is optional to be checked. It's not necessary and only eats up system resources:

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Once you've checked those items, click on "Fix Checked". Then, reboot and delete the following files if present:

C:\WINDOWS\system32\sdkrz.exe
C:\WINDOWS\system32\d3ds32.exe
C:\WINDOWS\system32\netal.exe
C:\WINDOWS\system32\addlc.exe
C:\WINDOWS\system32\winrv32.exe
C:\WINDOWS\mfcne.exe
C:\WINDOWS\system32\atlka32.exe
C:\WINDOWS\atlgl.exe
C:\WINDOWS\sysog.dll
C:\install.cab


Once you've finished that, post a follow-up HijackThis! log to this thread so we can see if anything else is cropping up.

Also, you're currently running Acrobat Reader 5. This version is known to have security difficulties. Go to http://www.adobe.com and download Acrobat Reader 6.02, which is the latest version.

#3 Pudgie

Pudgie

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 20 June 2004 - 07:27 PM

Follow up HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 6:24:34 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\d3dq.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\javadk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Mike's Junk\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4A96451-1267-F9BE-9815-0D77174094D4} - C:\WINDOWS\system32\atlbq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [javadk.exe] C:\WINDOWS\system32\javadk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKLM\..\RunOnce: [d3dq.exe] C:\WINDOWS\system32\d3dq.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Thanks for the help and responding so quickly.

#4 The Spie

The Spie

    Member

  • Retired Staff - Helper
  • Pip
  • 68 posts

Posted 20 June 2004 - 08:21 PM

Okay, we've killed most of the dummy files. We have one more thing to eliminate.

Run HijackThis! again. Check the following entries:

O2 - BHO: (no name) - {F4A96451-1267-F9BE-9815-0D77174094D4} - C:\WINDOWS\system32\atlbq.dll
O4 - HKLM\..\RunOnce: [d3dq.exe] C:\WINDOWS\system32\d3dq.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML


Close all browser windows and click "Fix Checked". Let HijackThis! do its work again, then reboot.

After rebooting, delete the following files:

C:\WINDOWS\system32\atlbq.dll
C:\WINDOWS\system32\d3dq.exe


Then, reboot again and post another HijackThis! log to this thread. Hopefully this will clear things up.

#5 Pudgie

Pudgie

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 20 June 2004 - 11:23 PM

Follow up log:

Logfile of HijackThis v1.97.7
Scan saved at 10:19:19 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\ntww.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\javadk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Mike's Junk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hdtij.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hdtij.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hdtij.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hdtij.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hdtij.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hdtij.dll/sp.html#96676
O2 - BHO: (no name) - {2B1E8955-A81B-6BFC-BC93-68F46EB9E806} - C:\WINDOWS\system32\javabf32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [javadk.exe] C:\WINDOWS\system32\javadk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKLM\..\RunOnce: [ntww.exe] C:\WINDOWS\system32\ntww.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

The problem with my internets homepage being unchangable seems to have returned and when I rebooted windows gave me an error message saying it couldn't locate d3dq.exe and that I could search for it manually with the search function, but I know it's not there because I just deleted it. It hasn't seemed to cause any problems other then that message though.

Thanks again for the help.

#6 The Spie

The Spie

    Member

  • Retired Staff - Helper
  • Pip
  • 68 posts

Posted 21 June 2004 - 03:25 PM

Okay, it's mutating, so let's see if we can kill it once and for all before it gets too crazy. Run HijackThis! again and check the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hdtij.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hdtij.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hdtij.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hdtij.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hdtij.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hdtij.dll/sp.html#96676
O2 - BHO: (no name) - {2B1E8955-A81B-6BFC-BC93-68F46EB9E806} - C:\WINDOWS\system32\javabf32.dll
O4 - HKLM\..\Run: [javadk.exe] C:\WINDOWS\system32\javadk.exe
O4 - HKLM\..\RunOnce: [ntww.exe] C:\WINDOWS\system32\ntww.exe


Then, do a Control-Alt-Delete and kill the process named "ntww.exe". Delete the following two files:

C:\WINDOWS\system32\javadk.exe
C:\WINDOWS\system32\ntww.exe


After that, close all browser windows and all open programs except for HijackThis! and click on "Fix Checked". After that, reboot. Hopefully this'll get rid of it.

#7 Pudgie

Pudgie

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 21 June 2004 - 09:33 PM

Logfile of HijackThis v1.97.7
Scan saved at 8:31:24 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Mike's Junk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Alright, hopfully everything looks good this time. :D

#8 The Spie

The Spie

    Member

  • Retired Staff - Helper
  • Pip
  • 68 posts

Posted 24 June 2004 - 03:47 PM

Looks clean to me. We finally got rid of it. Nice work, Pudgie.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button