IE Hijacker


13 replies to this topic

#1 [Judge]Snake

[Judge]Snake

    Member

  • Full Member
  • 9 posts

Posted 20 June 2004 - 05:22 PM

I've tried just about everything to remove this trojan, but nothing works. I've used every suggested spyware remover like Spybot and AdAware and run various AVG, Norton and TrojanHunter scans, but no matter what viruses or other files that seem to be associated with this thing, it always comes back. It changes my homepage to this, do not click on it because it will most likely infect you too.

DO NOT CLICK ON THE FOLLOWING LINK, IT IS THE HOMEPAGE OF THIS TROJAN


res://jaciw.dll/index.html#96676 <--Do not go here

This is the site that seems to be distributing the trojan and makes itself my homepage. Even when using StartPage Guard it comes back. I also deleted the file jaciw.dll from my computer, but it comes back. I am typing this from Mozilla Firefox, but after IE got hijacked my comp seems to be getting slower due to this trojan. Please if anyone has any information on this thing or has any idea how to remove it please post here, I would greatly appreciate the help. Thanks a lot all you anti-spyware people for making these forums. Right now I feel like finding out where every hacker lives, breaking down their front doors and walloping them with a baseball bat and throwing their comps out onto the freeway :techsupport:

#2 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • 282 posts

Posted 20 June 2004 - 07:56 PM

We need an entire hijackthis log, please.
FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, please don't PM me your hijack logs. I would rather you post them and PM me if you wish for me to look at them. A PM with a hijack log will get ignored!

#3 [Judge]Snake

[Judge]Snake

    Member

  • Full Member
  • 9 posts

Posted 20 June 2004 - 11:42 PM

I hope this link works

http://www.msnusers....ments/snakeslog

#4 [Judge]Snake

[Judge]Snake

    Member

  • Full Member
  • 9 posts

Posted 21 June 2004 - 02:16 AM

Didn't think to just copy the actual text here lol, sorry, here's the log file

__________________________________________________

Logfile of HijackThis v1.97.7
Scan saved at 9:29:19 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\d3co.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\TrojanHunter 3.6\THGuard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\atlvo32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Nicks_Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jaciw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
O2 - BHO: (no name) - {E2817FD0-C114-2AD1-D02A-7F3FC36547E7} - C:\WINDOWS\msyh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.6\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [atlvo32.exe] C:\WINDOWS\atlvo32.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\RunOnce: [d3aj32.exe] C:\WINDOWS\d3aj32.exe
O4 - HKLM\..\RunOnce: [d3co.exe] C:\WINDOWS\system32\d3co.exe
O4 - HKLM\..\RunOnce: [addfx32.exe] C:\WINDOWS\system32\addfx32.exe
O4 - HKLM\..\RunOnce: [netpp32.exe] C:\WINDOWS\system32\netpp32.exe
O4 - HKLM\..\RunOnce: [ntoz32.exe] C:\WINDOWS\ntoz32.exe
O4 - HKLM\..\RunOnce: [apiij32.exe] C:\WINDOWS\system32\apiij32.exe
O4 - HKLM\..\RunOnce: [javabg.exe] C:\WINDOWS\javabg.exe
O4 - HKLM\..\RunOnce: [ntxh.exe] C:\WINDOWS\ntxh.exe
O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINDOWS\d3km32.exe
O4 - HKLM\..\RunOnce: [appmq32.exe] C:\WINDOWS\appmq32.exe
O4 - HKLM\..\RunOnce: [addul.exe] C:\WINDOWS\addul.exe
O4 - HKLM\..\RunOnce: [mfcij32.exe] C:\WINDOWS\mfcij32.exe
O4 - HKLM\..\RunOnce: [sdkrw32.exe] C:\WINDOWS\sdkrw32.exe
O4 - HKLM\..\RunOnce: [ipwp.exe] C:\WINDOWS\system32\ipwp.exe
O4 - HKLM\..\RunOnce: [d3ee32.exe] C:\WINDOWS\system32\d3ee32.exe
O4 - HKLM\..\RunOnce: [netgn.exe] C:\WINDOWS\netgn.exe
O4 - HKLM\..\RunOnce: [netfp32.exe] C:\WINDOWS\netfp32.exe
O4 - HKLM\..\RunOnce: [sdkoe.exe] C:\WINDOWS\system32\sdkoe.exe
O4 - HKLM\..\RunOnce: [msda.exe] C:\WINDOWS\system32\msda.exe
O4 - HKLM\..\RunOnce: [d3ou.exe] C:\WINDOWS\system32\d3ou.exe
O4 - HKLM\..\RunOnce: [ntqv32.exe] C:\WINDOWS\system32\ntqv32.exe
O4 - HKLM\..\RunOnce: [sysht.exe] C:\WINDOWS\system32\sysht.exe
O4 - HKLM\..\RunOnce: [syssz32.exe] C:\WINDOWS\syssz32.exe
O4 - HKLM\..\RunOnce: [ieme32.exe] C:\WINDOWS\ieme32.exe
O4 - HKLM\..\RunOnce: [javaqa.exe] C:\WINDOWS\javaqa.exe
O4 - HKLM\..\RunOnce: [ieoi.exe] C:\WINDOWS\system32\ieoi.exe
O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\system32\apiuf.exe
O4 - HKLM\..\RunOnce: [iept.exe] C:\WINDOWS\system32\iept.exe
O4 - HKLM\..\RunOnce: [nthb32.exe] C:\WINDOWS\system32\nthb32.exe
O4 - HKLM\..\RunOnce: [appik.exe] C:\WINDOWS\appik.exe
O4 - HKLM\..\RunOnce: [iewq.exe] C:\WINDOWS\iewq.exe
O4 - HKLM\..\RunOnce: [ntxz32.exe] C:\WINDOWS\system32\ntxz32.exe
O4 - HKLM\..\RunOnce: [atlub.exe] C:\WINDOWS\atlub.exe
O4 - HKLM\..\RunOnce: [iexu32.exe] C:\WINDOWS\system32\iexu32.exe
O4 - HKLM\..\RunOnce: [ntbm.exe] C:\WINDOWS\system32\ntbm.exe
O4 - HKLM\..\RunOnce: [addyl32.exe] C:\WINDOWS\addyl32.exe
O4 - HKLM\..\RunOnce: [addkq.exe] C:\WINDOWS\addkq.exe
O4 - HKLM\..\RunOnce: [atlud32.exe] C:\WINDOWS\atlud32.exe
O4 - HKLM\..\RunOnce: [iepq32.exe] C:\WINDOWS\system32\iepq32.exe
O4 - HKLM\..\RunOnce: [javayd32.exe] C:\WINDOWS\system32\javayd32.exe
O4 - HKLM\..\RunOnce: [netxp32.exe] C:\WINDOWS\system32\netxp32.exe
O4 - HKLM\..\RunOnce: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe
O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\atlkt32.exe
O4 - HKLM\..\RunOnce: [d3vh32.exe] C:\WINDOWS\system32\d3vh32.exe
O4 - HKLM\..\RunOnce: [javacl.exe] C:\WINDOWS\system32\javacl.exe
O4 - HKLM\..\RunOnce: [nttw32.exe] C:\WINDOWS\nttw32.exe
O4 - HKLM\..\RunOnce: [apirm.exe] C:\WINDOWS\apirm.exe
O4 - HKLM\..\RunOnce: [d3jc32.exe] C:\WINDOWS\system32\d3jc32.exe
O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\system32\netmy32.exe
O4 - HKLM\..\RunOnce: [javarr.exe] C:\WINDOWS\system32\javarr.exe
O4 - HKLM\..\RunOnce: [mszc.exe] C:\WINDOWS\mszc.exe
O4 - HKLM\..\RunOnce: [sdkqt.exe] C:\WINDOWS\system32\sdkqt.exe
O4 - HKLM\..\RunOnce: [d3fh32.exe] C:\WINDOWS\d3fh32.exe
O4 - HKLM\..\RunOnce: [iesl.exe] C:\WINDOWS\system32\iesl.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\apisa32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...wpoint/awp.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...llInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8006.4947916667
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#5 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • 282 posts

Posted 21 June 2004 - 08:04 PM

Ok, you have several issues.. and one of them is a newer CWS hijack with no known FOR SURE fix.. but our experts are working hard at getting one. While I ask around and figure out how to help you clean the hijack.. please do this in the meantime:

You have many issues


Run this uninstaller:

http://www.newdotnet.com/#remove


Download and install Ad-aware found here: http://www.lavasoftu...pport/download/
After installing you need to download all updates for it. Use the Globe Icon in the program, and "Connect" to download latest Reference-file. Please update it before you scan with it then fix all it finds.
Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.
That ought to get rid of most of your spyware.

Go to START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > DISK CLEANUP and clean everything...
Go to start >Run and paste this in:
%Userprofile%\Local Settings\Temp folder
It will open your temp folder.
Go to the toolbar>Edit>Select All
Then go back to File>Delete

Then get an online virus scan here: http://housecall.trendmicro.com/ Please select the Autoclean option when prompted.
or here: http://www.pandasoft...com/activescan/

Go here and get one of the free trials of an Anti Trojan and scan for Trojans.
http://www.wilders.o...nti_trojans.htm


After This, Reboot and Post a Fresh HijackThis log.
And we'll take it from there =)
FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, please don't PM me your hijack logs. I would rather you post them and PM me if you wish for me to look at them. A PM with a hijack log will get ignored!

#6 [Judge]Snake

[Judge]Snake

    Member

  • Full Member
  • 9 posts

Posted 22 June 2004 - 02:23 AM

Did everything except a trojan hunter scan which I will do tomorrow. Only thing that didn't work was the online virus scan *I used AVG instead* and the temp folder thing, where I got this message after I copied and pasted it in start->run 'Windows cannot find 'C:\Documents'.' It then continued to tell me how to search for filenames, but that was the main part of the message. After the scan tomorrow I will put up a log as fast as I can, should be around 2-3 pm Pacific.

#7 [Judge]Snake

[Judge]Snake

    Member

  • Full Member
  • 9 posts

Posted 22 June 2004 - 05:59 PM

Here's the latest log

Logfile of HijackThis v1.97.7
Scan saved at 3:59:23 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\d3co.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\TrojanHunter 3.6\THGuard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Nicks_Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jaciw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
O2 - BHO: (no name) - {E2817FD0-C114-2AD1-D02A-7F3FC36547E7} - C:\WINDOWS\msyh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.6\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [atlvo32.exe] C:\WINDOWS\atlvo32.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [d3aj32.exe] C:\WINDOWS\d3aj32.exe
O4 - HKLM\..\RunOnce: [d3co.exe] C:\WINDOWS\system32\d3co.exe
O4 - HKLM\..\RunOnce: [addfx32.exe] C:\WINDOWS\system32\addfx32.exe
O4 - HKLM\..\RunOnce: [netpp32.exe] C:\WINDOWS\system32\netpp32.exe
O4 - HKLM\..\RunOnce: [ntoz32.exe] C:\WINDOWS\ntoz32.exe
O4 - HKLM\..\RunOnce: [apiij32.exe] C:\WINDOWS\system32\apiij32.exe
O4 - HKLM\..\RunOnce: [javabg.exe] C:\WINDOWS\javabg.exe
O4 - HKLM\..\RunOnce: [ntxh.exe] C:\WINDOWS\ntxh.exe
O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINDOWS\d3km32.exe
O4 - HKLM\..\RunOnce: [appmq32.exe] C:\WINDOWS\appmq32.exe
O4 - HKLM\..\RunOnce: [addul.exe] C:\WINDOWS\addul.exe
O4 - HKLM\..\RunOnce: [mfcij32.exe] C:\WINDOWS\mfcij32.exe
O4 - HKLM\..\RunOnce: [sdkrw32.exe] C:\WINDOWS\sdkrw32.exe
O4 - HKLM\..\RunOnce: [ipwp.exe] C:\WINDOWS\system32\ipwp.exe
O4 - HKLM\..\RunOnce: [d3ee32.exe] C:\WINDOWS\system32\d3ee32.exe
O4 - HKLM\..\RunOnce: [netgn.exe] C:\WINDOWS\netgn.exe
O4 - HKLM\..\RunOnce: [netfp32.exe] C:\WINDOWS\netfp32.exe
O4 - HKLM\..\RunOnce: [sdkoe.exe] C:\WINDOWS\system32\sdkoe.exe
O4 - HKLM\..\RunOnce: [msda.exe] C:\WINDOWS\system32\msda.exe
O4 - HKLM\..\RunOnce: [d3ou.exe] C:\WINDOWS\system32\d3ou.exe
O4 - HKLM\..\RunOnce: [ntqv32.exe] C:\WINDOWS\system32\ntqv32.exe
O4 - HKLM\..\RunOnce: [sysht.exe] C:\WINDOWS\system32\sysht.exe
O4 - HKLM\..\RunOnce: [syssz32.exe] C:\WINDOWS\syssz32.exe
O4 - HKLM\..\RunOnce: [ieme32.exe] C:\WINDOWS\ieme32.exe
O4 - HKLM\..\RunOnce: [javaqa.exe] C:\WINDOWS\javaqa.exe
O4 - HKLM\..\RunOnce: [ieoi.exe] C:\WINDOWS\system32\ieoi.exe
O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\system32\apiuf.exe
O4 - HKLM\..\RunOnce: [iept.exe] C:\WINDOWS\system32\iept.exe
O4 - HKLM\..\RunOnce: [nthb32.exe] C:\WINDOWS\system32\nthb32.exe
O4 - HKLM\..\RunOnce: [appik.exe] C:\WINDOWS\appik.exe
O4 - HKLM\..\RunOnce: [iewq.exe] C:\WINDOWS\iewq.exe
O4 - HKLM\..\RunOnce: [ntxz32.exe] C:\WINDOWS\system32\ntxz32.exe
O4 - HKLM\..\RunOnce: [atlub.exe] C:\WINDOWS\atlub.exe
O4 - HKLM\..\RunOnce: [iexu32.exe] C:\WINDOWS\system32\iexu32.exe
O4 - HKLM\..\RunOnce: [ntbm.exe] C:\WINDOWS\system32\ntbm.exe
O4 - HKLM\..\RunOnce: [addyl32.exe] C:\WINDOWS\addyl32.exe
O4 - HKLM\..\RunOnce: [addkq.exe] C:\WINDOWS\addkq.exe
O4 - HKLM\..\RunOnce: [atlud32.exe] C:\WINDOWS\atlud32.exe
O4 - HKLM\..\RunOnce: [iepq32.exe] C:\WINDOWS\system32\iepq32.exe
O4 - HKLM\..\RunOnce: [javayd32.exe] C:\WINDOWS\system32\javayd32.exe
O4 - HKLM\..\RunOnce: [netxp32.exe] C:\WINDOWS\system32\netxp32.exe
O4 - HKLM\..\RunOnce: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe
O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\atlkt32.exe
O4 - HKLM\..\RunOnce: [d3vh32.exe] C:\WINDOWS\system32\d3vh32.exe
O4 - HKLM\..\RunOnce: [javacl.exe] C:\WINDOWS\system32\javacl.exe
O4 - HKLM\..\RunOnce: [nttw32.exe] C:\WINDOWS\nttw32.exe
O4 - HKLM\..\RunOnce: [apirm.exe] C:\WINDOWS\apirm.exe
O4 - HKLM\..\RunOnce: [d3jc32.exe] C:\WINDOWS\system32\d3jc32.exe
O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\system32\netmy32.exe
O4 - HKLM\..\RunOnce: [javarr.exe] C:\WINDOWS\system32\javarr.exe
O4 - HKLM\..\RunOnce: [mszc.exe] C:\WINDOWS\mszc.exe
O4 - HKLM\..\RunOnce: [sdkqt.exe] C:\WINDOWS\system32\sdkqt.exe
O4 - HKLM\..\RunOnce: [d3fh32.exe] C:\WINDOWS\d3fh32.exe
O4 - HKLM\..\RunOnce: [iesl.exe] C:\WINDOWS\system32\iesl.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\apisa32.exe
O4 - HKLM\..\RunOnce: [appxm32.exe] C:\WINDOWS\appxm32.exe
O4 - HKLM\..\RunOnce: [netep32.exe] C:\WINDOWS\netep32.exe
O4 - HKLM\..\RunOnce: [msng.exe] C:\WINDOWS\msng.exe
O4 - HKLM\..\RunOnce: [mfcie32.exe] C:\WINDOWS\mfcie32.exe
O4 - HKLM\..\RunOnce: [javago.exe] C:\WINDOWS\system32\javago.exe
O4 - HKLM\..\RunOnce: [javagl.exe] C:\WINDOWS\javagl.exe
O4 - HKLM\..\RunOnce: [crbl32.exe] C:\WINDOWS\system32\crbl32.exe
O4 - HKLM\..\RunOnce: [ipvd32.exe] C:\WINDOWS\system32\ipvd32.exe
O4 - HKLM\..\RunOnce: [appmv.exe] C:\WINDOWS\appmv.exe
O4 - HKLM\..\RunOnce: [ntof.exe] C:\WINDOWS\ntof.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet5_20.dll' missing
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...wpoint/awp.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...llInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8006.4947916667
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#8 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • 282 posts

Posted 26 June 2004 - 05:50 PM

I don't know how to fix your hijack problem.. to be honest and it's a relatively new infection that is spreading. But someone else will be along to help you with that. For now please follow these steps.

Have hijackthis fix these entries:

O4 - HKLM\..\Run: [atlvo32.exe] C:\WINDOWS\atlvo32.exe
O4 - HKLM\..\RunOnce: [d3aj32.exe] C:\WINDOWS\d3aj32.exe
O4 - HKLM\..\RunOnce: [d3co.exe] C:\WINDOWS\system32\d3co.exe
O4 - HKLM\..\RunOnce: [addfx32.exe] C:\WINDOWS\system32\addfx32.exe
O4 - HKLM\..\RunOnce: [netpp32.exe] C:\WINDOWS\system32\netpp32.exe
O4 - HKLM\..\RunOnce: [ntoz32.exe] C:\WINDOWS\ntoz32.exe
O4 - HKLM\..\RunOnce: [apiij32.exe] C:\WINDOWS\system32\apiij32.exe
O4 - HKLM\..\RunOnce: [javabg.exe] C:\WINDOWS\javabg.exe
O4 - HKLM\..\RunOnce: [ntxh.exe] C:\WINDOWS\ntxh.exe
O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINDOWS\d3km32.exe
O4 - HKLM\..\RunOnce: [appmq32.exe] C:\WINDOWS\appmq32.exe
O4 - HKLM\..\RunOnce: [addul.exe] C:\WINDOWS\addul.exe
O4 - HKLM\..\RunOnce: [mfcij32.exe] C:\WINDOWS\mfcij32.exe
O4 - HKLM\..\RunOnce: [sdkrw32.exe] C:\WINDOWS\sdkrw32.exe
O4 - HKLM\..\RunOnce: [ipwp.exe] C:\WINDOWS\system32\ipwp.exe
O4 - HKLM\..\RunOnce: [d3ee32.exe] C:\WINDOWS\system32\d3ee32.exe
O4 - HKLM\..\RunOnce: [netgn.exe] C:\WINDOWS\netgn.exe
O4 - HKLM\..\RunOnce: [netfp32.exe] C:\WINDOWS\netfp32.exe
O4 - HKLM\..\RunOnce: [sdkoe.exe] C:\WINDOWS\system32\sdkoe.exe
O4 - HKLM\..\RunOnce: [msda.exe] C:\WINDOWS\system32\msda.exe
O4 - HKLM\..\RunOnce: [d3ou.exe] C:\WINDOWS\system32\d3ou.exe
O4 - HKLM\..\RunOnce: [ntqv32.exe] C:\WINDOWS\system32\ntqv32.exe
O4 - HKLM\..\RunOnce: [sysht.exe] C:\WINDOWS\system32\sysht.exe
O4 - HKLM\..\RunOnce: [syssz32.exe] C:\WINDOWS\syssz32.exe
O4 - HKLM\..\RunOnce: [ieme32.exe] C:\WINDOWS\ieme32.exe
O4 - HKLM\..\RunOnce: [javaqa.exe] C:\WINDOWS\javaqa.exe
O4 - HKLM\..\RunOnce: [ieoi.exe] C:\WINDOWS\system32\ieoi.exe
O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\system32\apiuf.exe
O4 - HKLM\..\RunOnce: [iept.exe] C:\WINDOWS\system32\iept.exe
O4 - HKLM\..\RunOnce: [nthb32.exe] C:\WINDOWS\system32\nthb32.exe
O4 - HKLM\..\RunOnce: [appik.exe] C:\WINDOWS\appik.exe
O4 - HKLM\..\RunOnce: [iewq.exe] C:\WINDOWS\iewq.exe
O4 - HKLM\..\RunOnce: [ntxz32.exe] C:\WINDOWS\system32\ntxz32.exe
O4 - HKLM\..\RunOnce: [atlub.exe] C:\WINDOWS\atlub.exe
O4 - HKLM\..\RunOnce: [iexu32.exe] C:\WINDOWS\system32\iexu32.exe
O4 - HKLM\..\RunOnce: [ntbm.exe] C:\WINDOWS\system32\ntbm.exe
O4 - HKLM\..\RunOnce: [addyl32.exe] C:\WINDOWS\addyl32.exe
O4 - HKLM\..\RunOnce: [addkq.exe] C:\WINDOWS\addkq.exe
O4 - HKLM\..\RunOnce: [atlud32.exe] C:\WINDOWS\atlud32.exe
O4 - HKLM\..\RunOnce: [iepq32.exe] C:\WINDOWS\system32\iepq32.exe
O4 - HKLM\..\RunOnce: [javayd32.exe] C:\WINDOWS\system32\javayd32.exe
O4 - HKLM\..\RunOnce: [netxp32.exe] C:\WINDOWS\system32\netxp32.exe
O4 - HKLM\..\RunOnce: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe
O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\atlkt32.exe
O4 - HKLM\..\RunOnce: [d3vh32.exe] C:\WINDOWS\system32\d3vh32.exe
O4 - HKLM\..\RunOnce: [javacl.exe] C:\WINDOWS\system32\javacl.exe
O4 - HKLM\..\RunOnce: [nttw32.exe] C:\WINDOWS\nttw32.exe
O4 - HKLM\..\RunOnce: [apirm.exe] C:\WINDOWS\apirm.exe
O4 - HKLM\..\RunOnce: [d3jc32.exe] C:\WINDOWS\system32\d3jc32.exe
O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\system32\netmy32.exe
O4 - HKLM\..\RunOnce: [javarr.exe] C:\WINDOWS\system32\javarr.exe
O4 - HKLM\..\RunOnce: [mszc.exe] C:\WINDOWS\mszc.exe
O4 - HKLM\..\RunOnce: [sdkqt.exe] C:\WINDOWS\system32\sdkqt.exe
O4 - HKLM\..\RunOnce: [d3fh32.exe] C:\WINDOWS\d3fh32.exe
O4 - HKLM\..\RunOnce: [iesl.exe] C:\WINDOWS\system32\iesl.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\apisa32.exe
O4 - HKLM\..\RunOnce: [appxm32.exe] C:\WINDOWS\appxm32.exe
O4 - HKLM\..\RunOnce: [netep32.exe] C:\WINDOWS\netep32.exe
O4 - HKLM\..\RunOnce: [msng.exe] C:\WINDOWS\msng.exe
O4 - HKLM\..\RunOnce: [mfcie32.exe] C:\WINDOWS\mfcie32.exe
O4 - HKLM\..\RunOnce: [javago.exe] C:\WINDOWS\system32\javago.exe
O4 - HKLM\..\RunOnce: [javagl.exe] C:\WINDOWS\javagl.exe
O4 - HKLM\..\RunOnce: [crbl32.exe] C:\WINDOWS\system32\crbl32.exe
O4 - HKLM\..\RunOnce: [ipvd32.exe] C:\WINDOWS\system32\ipvd32.exe
O4 - HKLM\..\RunOnce: [appmv.exe] C:\WINDOWS\appmv.exe
O4 - HKLM\..\RunOnce: [ntof.exe] C:\WINDOWS\ntof.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...llInstaller.exe


Set hidden files or folders to show HERE'S HOW


Reboot your PC in safe mode: HERE'S HOW

While in safe mode please delete these files or folders:

C:\WINDOWS\atlvo32.exe

C:\WINDOWS\d3aj32.exe
C:\WINDOWS\system32\d3co.exe
C:\WINDOWS\system32\addfx32.exe
C:\WINDOWS\system32\netpp32.exe
C:\WINDOWS\ntoz32.exe
C:\WINDOWS\system32\apiij32.exe
C:\WINDOWS\javabg.exe
C:\WINDOWS\ntxh.exe
C:\WINDOWS\d3km32.exe
C:\WINDOWS\appmq32.exe
C:\WINDOWS\addul.exe
C:\WINDOWS\mfcij32.exe
C:\WINDOWS\sdkrw32.exe
C:\WINDOWS\system32\ipwp.exe
C:\WINDOWS\system32\d3ee32.exe
C:\WINDOWS\netgn.exe
C:\WINDOWS\netfp32.exe
C:\WINDOWS\system32\sdkoe.exe
C:\WINDOWS\system32\msda.exe
C:\WINDOWS\system32\d3ou.exe
C:\WINDOWS\system32\ntqv32.exe
C:\WINDOWS\system32\sysht.exe
C:\WINDOWS\syssz32.exe
C:\WINDOWS\ieme32.exe
C:\WINDOWS\javaqa.exe
C:\WINDOWS\system32\ieoi.exe
C:\WINDOWS\system32\apiuf.exe
C:\WINDOWS\system32\iept.exe
C:\WINDOWS\system32\nthb32.exe
C:\WINDOWS\appik.exe
C:\WINDOWS\iewq.exe
C:\WINDOWS\system32\ntxz32.exe
C:\WINDOWS\atlub.exe
C:\WINDOWS\system32\iexu32.exe
C:\WINDOWS\system32\ntbm.exe
C:\WINDOWS\addyl32.exe
C:\WINDOWS\addkq.exe
C:\WINDOWS\atlud32.exe
C:\WINDOWS\system32\iepq32.exe
C:\WINDOWS\system32\javayd32.exe
C:\WINDOWS\system32\netxp32.exe
C:\WINDOWS\system32\atlnw32.exe
C:\WINDOWS\atlkt32.exe
C:\WINDOWS\system32\d3vh32.exe
C:\WINDOWS\system32\javacl.exe
C:\WINDOWS\nttw32.exe
C:\WINDOWS\apirm.exe
C:\WINDOWS\system32\d3jc32.exe
C:\WINDOWS\system32\netmy32.exe
C:\WINDOWS\system32\javarr.exe
C:\WINDOWS\mszc.exe
C:\WINDOWS\system32\sdkqt.exe
C:\WINDOWS\d3fh32.exe
C:\WINDOWS\system32\iesl.exe
C:\WINDOWS\apisa32.exe
C:\WINDOWS\appxm32.exe
C:\WINDOWS\netep32.exe
C:\WINDOWS\msng.exe
C:\WINDOWS\mfcie32.exe
C:\WINDOWS\system32\javago.exe
C:\WINDOWS\javagl.exe
C:\WINDOWS\system32\crbl32.exe
C:\WINDOWS\system32\ipvd32.exe
C:\WINDOWS\appmv.exe
C:\WINDOWS\ntof.exe

Reboot normally now and:

Go here and get one of the free trials of an anti-trojan and scan for Trojans.
http://www.wilders.o...nti_trojans.htm

After this, reboot and post a fresh HijackThis log.
And we'll take it from there =)
FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, please don't PM me your hijack logs. I would rather you post them and PM me if you wish for me to look at them. A PM with a hijack log will get ignored!
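The procedure above (show hidden files, boot to safe mode, delete the dropped files, rescan, post a fresh log) depends on reading the HijackThis log by eye. As an added example, not part of this thread and not HijackThis' own code, here is a small Python triage script that applies the same reading rules to log lines: it flags R0/R1 entries whose start or search page is a res:// URL inside a DLL, an O2 BHO with no name, O4 Run/RunOnce entries whose executable sits in the Windows directory and matches the random-name pattern of the files listed above, and the broken O10 LSP entry. The name pattern is a heuristic I derived from the file names in this thread, not a vendor signature, and the sample log lines are constructed from entries posted here.

```python
import re
from dataclasses import dataclass

# Heuristic derived from the file names listed in this thread: a short system-sounding
# prefix, two random letters, an optional "32", then ".exe". It is an assumption for
# triage, not a signature; every hit still needs a human look.
DROPPED_NAME = re.compile(
    r"^(api|app|atl|add|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys)[a-z]{2}(32)?\.exe$",
    re.IGNORECASE,
)
# The files in the thread all live directly in %WINDIR% or %WINDIR%\system32.
WINDOWS_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")

# HKLM/HKCU ...\Run, \RunOnce, \RunServices entries: capture the command line.
O4_ENTRY = re.compile(r"HK(?:LM|CU)\\\.\.\\(?:Run|RunOnce|RunServices)\w*: \[[^\]]*\] (.+)$")


@dataclass
class Finding:
    section: str  # HijackThis section tag such as "R0" or "O4"
    reason: str
    line: str


def split_windows_path(path):
    """Return (directory with trailing backslash, file name), both lower-cased."""
    path = path.strip().strip('"').lower()
    head, _, name = path.rpartition("\\")
    return (head + "\\" if head else ""), name


def looks_like_dropped_exe(path):
    directory, name = split_windows_path(path)
    return directory in WINDOWS_DIRS and DROPPED_NAME.match(name) is not None


def first_exe(command):
    """Pull the launched executable out of an O4 command line, quoted or not."""
    m = re.match(r'\s*"?(.*?\.exe)"?', command, re.IGNORECASE)
    return m.group(1) if m else None


def triage_line(line):
    """Return a Finding for a suspicious HijackThis line, else None."""
    line = line.rstrip()
    m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and "res://" in body.lower():
        return Finding(section, "IE start/search page served from a res:// resource inside a DLL", line)
    if section == "O2" and body.startswith("BHO: (no name)"):
        return Finding(section, "unnamed Browser Helper Object", line)
    if section == "O4":
        em = O4_ENTRY.match(body)
        if em:
            exe = first_exe(em.group(1))
            if exe and looks_like_dropped_exe(exe):
                return Finding(section, "randomly named executable in the Windows directory", line)
    if section == "O10" and "Broken Internet access" in body:
        return Finding(section, "Winsock LSP chain references a missing provider DLL", line)
    return None


def triage(log_text):
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample, modelled on lines posted in this thread (not a real log file).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fileplanet.com
O2 - BHO: (no name) - {E2817FD0-C114-2AD1-D02A-7F3FC36547E7} - C:\WINDOWS\msyh.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ipuj32.exe] C:\WINDOWS\system32\ipuj32.exe
O4 - HKLM\..\RunOnce: [sdkuc32.exe] C:\WINDOWS\sdkuc32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet5_20.dll' missing
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run as-is it prints six findings from the constructed sample; on a real log, paste the log text in place of SAMPLE_LOG. A hit is a lead to check, not a verdict: legitimate programs such as NeroCheck.exe and the AVG entries pass through untouched here, but a different hijacker variant will use a different naming scheme and the prefix list would need to be re-derived from the new log.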

#9 [Judge]Snake

    Member

  • Full Member
  • 9 posts

Posted 27 June 2004 - 04:49 PM

Thanks a lot so far, here is the latest log after doing everything suggested

Logfile of HijackThis v1.97.7
Scan saved at 2:48:28 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\d3co.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\TrojanHunter 3.6\THGuard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\ipuj32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
E:\Nicks_Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fileplanet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jaciw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
O2 - BHO: (no name) - {E2817FD0-C114-2AD1-D02A-7F3FC36547E7} - C:\WINDOWS\msyh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.6\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ipuj32.exe] C:\WINDOWS\system32\ipuj32.exe
O4 - HKLM\..\RunOnce: [sdkuc32.exe] C:\WINDOWS\sdkuc32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet5_20.dll' missing
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...wpoint/awp.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8006.4947916667
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#10 [Judge]Snake

    Member

  • Full Member
  • 9 posts

Posted 30 June 2004 - 03:22 PM

Ok, this is starting to get kind of scary. I will be typing in Notepad or Word, and suddenly it will close, for absolutely no reason at all. It's like someone is watching me type and when I get to something important, they close it or something. It's really weird, please come up with a solution to that hijacker as fast as possible!

Edited by [Judge]Snake, 30 June 2004 - 03:22 PM.


#11 irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • 282 posts

Posted 01 July 2004 - 10:18 PM

I'm looking for answers... I really am.
I wish I were more skilled with this new infection!

#12 irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • 282 posts

Posted 02 July 2004 - 12:19 AM

Ok, I have a fix I would like to try... can you please reboot a couple of times, then post a fresh HijackThis log and I'll post the instructions :)

#13 [Judge]Snake

    Member

  • Full Member
  • 9 posts

Posted 04 July 2004 - 10:46 PM

Ok, I will do so tomorrow, thank you for the effort :)

#14 [Judge]Snake

    Member

  • Full Member
  • 9 posts

Posted 06 July 2004 - 12:59 PM

I finally got this log after my computer received the blue screen of death after rebooting. Finally this morning it seems all I had to do was click through AVG virus prompts to get to the desktop. Really weird, here's the log

Logfile of HijackThis v1.97.7
Scan saved at 10:57:57 AM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\TrojanHunter 3.6\THGuard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
E:\Winamp\Winampa.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Nicks_Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.fileplanet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jaciw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
O2 - BHO: (no name) - {E2817FD0-C114-2AD1-D02A-7F3FC36547E7} - C:\WINDOWS\msyh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.6\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ipuj32.exe] C:\WINDOWS\system32\ipuj32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] "E:\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet5_20.dll' missing
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...wpoint/awp.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8006.4947916667
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



