[Judge]Snake

IE Hijacker

14 posts in this topic

I've tried just about everything to remove this trojan, but nothing works. I've used every suggested spyware remover like Spybot and AdAware and run various AVG, Norton and TrojanHunter scans, but no matter what viruses or other files that seem to be associated with this thing, it always comes back. It changes my homepage to this, do not click on it because it will most likely infect you too.

DO NOT CLICK ON THE FOLLOWING LINK, IT IS THE HOMEPAGE OF THIS TROJAN

res://jaciw.dll/index.html#96676 <--Do not go here

This is the site that seems to be distributing the trojan and makes itself my homepage. Even when using StartPage Guard it comes back. I also deleted the file jaciw.dll from my computer, but it comes back. I am typing this from Mozilla Firefox, but after IE got hijacked my comp seems to be getting slower due to this trojan. Please if anyone has any information on this thing or has any idea how to remove it please post here, I would greatly appreciate the help. Thanks a lot all you anti-spyware people for making these forums. Right now I feel like finding out where every hacker lives, breaking down their front doors and walloping them with a baseball bat and throwing their comps out onto the freeway :techsupport:


Didn't think to just copy the actual text here lol, sorry, here's the log file

 

__________________________________________________

 

Logfile of HijackThis v1.97.7

Scan saved at 9:29:19 PM, on 6/20/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\d3co.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\TrojanHunter 3.6\THGuard.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\atlvo32.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

E:\Nicks_Docs\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jaciw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

O2 - BHO: (no name) - {E2817FD0-C114-2AD1-D02A-7F3FC36547E7} - C:\WINDOWS\msyh.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.6\THGuard.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

O4 - HKLM\..\Run: [atlvo32.exe] C:\WINDOWS\atlvo32.exe

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\RunOnce: [d3aj32.exe] C:\WINDOWS\d3aj32.exe

O4 - HKLM\..\RunOnce: [d3co.exe] C:\WINDOWS\system32\d3co.exe

O4 - HKLM\..\RunOnce: [addfx32.exe] C:\WINDOWS\system32\addfx32.exe

O4 - HKLM\..\RunOnce: [netpp32.exe] C:\WINDOWS\system32\netpp32.exe

O4 - HKLM\..\RunOnce: [ntoz32.exe] C:\WINDOWS\ntoz32.exe

O4 - HKLM\..\RunOnce: [apiij32.exe] C:\WINDOWS\system32\apiij32.exe

O4 - HKLM\..\RunOnce: [javabg.exe] C:\WINDOWS\javabg.exe

O4 - HKLM\..\RunOnce: [ntxh.exe] C:\WINDOWS\ntxh.exe

O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINDOWS\d3km32.exe

O4 - HKLM\..\RunOnce: [appmq32.exe] C:\WINDOWS\appmq32.exe

O4 - HKLM\..\RunOnce: [addul.exe] C:\WINDOWS\addul.exe

O4 - HKLM\..\RunOnce: [mfcij32.exe] C:\WINDOWS\mfcij32.exe

O4 - HKLM\..\RunOnce: [sdkrw32.exe] C:\WINDOWS\sdkrw32.exe

O4 - HKLM\..\RunOnce: [ipwp.exe] C:\WINDOWS\system32\ipwp.exe

O4 - HKLM\..\RunOnce: [d3ee32.exe] C:\WINDOWS\system32\d3ee32.exe

O4 - HKLM\..\RunOnce: [netgn.exe] C:\WINDOWS\netgn.exe

O4 - HKLM\..\RunOnce: [netfp32.exe] C:\WINDOWS\netfp32.exe

O4 - HKLM\..\RunOnce: [sdkoe.exe] C:\WINDOWS\system32\sdkoe.exe

O4 - HKLM\..\RunOnce: [msda.exe] C:\WINDOWS\system32\msda.exe

O4 - HKLM\..\RunOnce: [d3ou.exe] C:\WINDOWS\system32\d3ou.exe

O4 - HKLM\..\RunOnce: [ntqv32.exe] C:\WINDOWS\system32\ntqv32.exe

O4 - HKLM\..\RunOnce: [sysht.exe] C:\WINDOWS\system32\sysht.exe

O4 - HKLM\..\RunOnce: [syssz32.exe] C:\WINDOWS\syssz32.exe

O4 - HKLM\..\RunOnce: [ieme32.exe] C:\WINDOWS\ieme32.exe

O4 - HKLM\..\RunOnce: [javaqa.exe] C:\WINDOWS\javaqa.exe

O4 - HKLM\..\RunOnce: [ieoi.exe] C:\WINDOWS\system32\ieoi.exe

O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\system32\apiuf.exe

O4 - HKLM\..\RunOnce: [iept.exe] C:\WINDOWS\system32\iept.exe

O4 - HKLM\..\RunOnce: [nthb32.exe] C:\WINDOWS\system32\nthb32.exe

O4 - HKLM\..\RunOnce: [appik.exe] C:\WINDOWS\appik.exe

O4 - HKLM\..\RunOnce: [iewq.exe] C:\WINDOWS\iewq.exe

O4 - HKLM\..\RunOnce: [ntxz32.exe] C:\WINDOWS\system32\ntxz32.exe

O4 - HKLM\..\RunOnce: [atlub.exe] C:\WINDOWS\atlub.exe

O4 - HKLM\..\RunOnce: [iexu32.exe] C:\WINDOWS\system32\iexu32.exe

O4 - HKLM\..\RunOnce: [ntbm.exe] C:\WINDOWS\system32\ntbm.exe

O4 - HKLM\..\RunOnce: [addyl32.exe] C:\WINDOWS\addyl32.exe

O4 - HKLM\..\RunOnce: [addkq.exe] C:\WINDOWS\addkq.exe

O4 - HKLM\..\RunOnce: [atlud32.exe] C:\WINDOWS\atlud32.exe

O4 - HKLM\..\RunOnce: [iepq32.exe] C:\WINDOWS\system32\iepq32.exe

O4 - HKLM\..\RunOnce: [javayd32.exe] C:\WINDOWS\system32\javayd32.exe

O4 - HKLM\..\RunOnce: [netxp32.exe] C:\WINDOWS\system32\netxp32.exe

O4 - HKLM\..\RunOnce: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe

O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\atlkt32.exe

O4 - HKLM\..\RunOnce: [d3vh32.exe] C:\WINDOWS\system32\d3vh32.exe

O4 - HKLM\..\RunOnce: [javacl.exe] C:\WINDOWS\system32\javacl.exe

O4 - HKLM\..\RunOnce: [nttw32.exe] C:\WINDOWS\nttw32.exe

O4 - HKLM\..\RunOnce: [apirm.exe] C:\WINDOWS\apirm.exe

O4 - HKLM\..\RunOnce: [d3jc32.exe] C:\WINDOWS\system32\d3jc32.exe

O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\system32\netmy32.exe

O4 - HKLM\..\RunOnce: [javarr.exe] C:\WINDOWS\system32\javarr.exe

O4 - HKLM\..\RunOnce: [mszc.exe] C:\WINDOWS\mszc.exe

O4 - HKLM\..\RunOnce: [sdkqt.exe] C:\WINDOWS\system32\sdkqt.exe

O4 - HKLM\..\RunOnce: [d3fh32.exe] C:\WINDOWS\d3fh32.exe

O4 - HKLM\..\RunOnce: [iesl.exe] C:\WINDOWS\system32\iesl.exe

O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\apisa32.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...wpoint/awp.html

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11ac1fb4dfee271aa904/...ip/RdxIE601.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.4947916667

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Ok, you have several issues.. and one of them is a newer CWS hijack with no known FOR SURE fix.. but our experts are working hard at getting one. While I ask around and figure out how to help you clean the hijack.. please do this in the meantime:

 

You have many issues

 

 

Run this uninstaller:

 

http://www.newdotnet.com/#remove

 

 

Download and install Ad-aware found here: http://www.lavasoftusa.com/support/download/

After installing you need to download all updates for it. Use the Globe Icon in the program, and "Connect" to download latest Reference-file. Please update it before you scan with it then fix all it finds.

Now do the following:

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

 

Press "Scan Now"

 

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

 

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys. Click 'Next' again

Right-click in that pane and choose "select all"

 

If it finds "bad" files and registry keys, press "Next" again

It will ask you whether you'd like to remove all checked items. Click OK.

 

Finally, close Ad-Aware, and reboot.

That ought to get rid of most of your spyware.

 

Go to Start > All Programs > Accessories > System Tools > Disk Cleanup and clean everything...

Go to start >Run and paste this in:

%Userprofile%\Local Settings\Temp folder

It will open your temp folder.

Go to the toolbar>Edit>Select All

Then go back to File>Delete

 

Then get an online virus scan here: http://housecall.trendmicro.com/ Please select the Autoclean option when prompted.

or here: http://www.pandasoftware.com/activescan/

 

Go here and get one of the free trials of an Anti Trojan and scan for Trojans.

http://www.wilders.org/anti_trojans.htm

 

 

After This, Reboot and Post a Fresh HijackThis log.

And we'll take it from there =)


Did everything except a trojan hunter scan which I will do tomorrow. Only thing that didn't work was the online virus scan *I used AVG instead* and the temp folder thing, where I got this message after I copied and pasted it in start->run 'Windows cannot find 'C:\Documents'.' It then continued to tell me how to search for filenames, but that was the main part of the message. After the scan tomorrow I will put up a log as fast as I can, should be around 2-3 pm Pacific.


Here's the latest log

 

Logfile of HijackThis v1.97.7

Scan saved at 3:59:23 PM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\d3co.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\TrojanHunter 3.6\THGuard.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

E:\Nicks_Docs\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jaciw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

O2 - BHO: (no name) - {E2817FD0-C114-2AD1-D02A-7F3FC36547E7} - C:\WINDOWS\msyh.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.6\THGuard.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

O4 - HKLM\..\Run: [atlvo32.exe] C:\WINDOWS\atlvo32.exe

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\RunOnce: [d3aj32.exe] C:\WINDOWS\d3aj32.exe

O4 - HKLM\..\RunOnce: [d3co.exe] C:\WINDOWS\system32\d3co.exe

O4 - HKLM\..\RunOnce: [addfx32.exe] C:\WINDOWS\system32\addfx32.exe

O4 - HKLM\..\RunOnce: [netpp32.exe] C:\WINDOWS\system32\netpp32.exe

O4 - HKLM\..\RunOnce: [ntoz32.exe] C:\WINDOWS\ntoz32.exe

O4 - HKLM\..\RunOnce: [apiij32.exe] C:\WINDOWS\system32\apiij32.exe

O4 - HKLM\..\RunOnce: [javabg.exe] C:\WINDOWS\javabg.exe

O4 - HKLM\..\RunOnce: [ntxh.exe] C:\WINDOWS\ntxh.exe

O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINDOWS\d3km32.exe

O4 - HKLM\..\RunOnce: [appmq32.exe] C:\WINDOWS\appmq32.exe

O4 - HKLM\..\RunOnce: [addul.exe] C:\WINDOWS\addul.exe

O4 - HKLM\..\RunOnce: [mfcij32.exe] C:\WINDOWS\mfcij32.exe

O4 - HKLM\..\RunOnce: [sdkrw32.exe] C:\WINDOWS\sdkrw32.exe

O4 - HKLM\..\RunOnce: [ipwp.exe] C:\WINDOWS\system32\ipwp.exe

O4 - HKLM\..\RunOnce: [d3ee32.exe] C:\WINDOWS\system32\d3ee32.exe

O4 - HKLM\..\RunOnce: [netgn.exe] C:\WINDOWS\netgn.exe

O4 - HKLM\..\RunOnce: [netfp32.exe] C:\WINDOWS\netfp32.exe

O4 - HKLM\..\RunOnce: [sdkoe.exe] C:\WINDOWS\system32\sdkoe.exe

O4 - HKLM\..\RunOnce: [msda.exe] C:\WINDOWS\system32\msda.exe

O4 - HKLM\..\RunOnce: [d3ou.exe] C:\WINDOWS\system32\d3ou.exe

O4 - HKLM\..\RunOnce: [ntqv32.exe] C:\WINDOWS\system32\ntqv32.exe

O4 - HKLM\..\RunOnce: [sysht.exe] C:\WINDOWS\system32\sysht.exe

O4 - HKLM\..\RunOnce: [syssz32.exe] C:\WINDOWS\syssz32.exe

O4 - HKLM\..\RunOnce: [ieme32.exe] C:\WINDOWS\ieme32.exe

O4 - HKLM\..\RunOnce: [javaqa.exe] C:\WINDOWS\javaqa.exe

O4 - HKLM\..\RunOnce: [ieoi.exe] C:\WINDOWS\system32\ieoi.exe

O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\system32\apiuf.exe

O4 - HKLM\..\RunOnce: [iept.exe] C:\WINDOWS\system32\iept.exe

O4 - HKLM\..\RunOnce: [nthb32.exe] C:\WINDOWS\system32\nthb32.exe

O4 - HKLM\..\RunOnce: [appik.exe] C:\WINDOWS\appik.exe

O4 - HKLM\..\RunOnce: [iewq.exe] C:\WINDOWS\iewq.exe

O4 - HKLM\..\RunOnce: [ntxz32.exe] C:\WINDOWS\system32\ntxz32.exe

O4 - HKLM\..\RunOnce: [atlub.exe] C:\WINDOWS\atlub.exe

O4 - HKLM\..\RunOnce: [iexu32.exe] C:\WINDOWS\system32\iexu32.exe

O4 - HKLM\..\RunOnce: [ntbm.exe] C:\WINDOWS\system32\ntbm.exe

O4 - HKLM\..\RunOnce: [addyl32.exe] C:\WINDOWS\addyl32.exe

O4 - HKLM\..\RunOnce: [addkq.exe] C:\WINDOWS\addkq.exe

O4 - HKLM\..\RunOnce: [atlud32.exe] C:\WINDOWS\atlud32.exe

O4 - HKLM\..\RunOnce: [iepq32.exe] C:\WINDOWS\system32\iepq32.exe

O4 - HKLM\..\RunOnce: [javayd32.exe] C:\WINDOWS\system32\javayd32.exe

O4 - HKLM\..\RunOnce: [netxp32.exe] C:\WINDOWS\system32\netxp32.exe

O4 - HKLM\..\RunOnce: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe

O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\atlkt32.exe

O4 - HKLM\..\RunOnce: [d3vh32.exe] C:\WINDOWS\system32\d3vh32.exe

O4 - HKLM\..\RunOnce: [javacl.exe] C:\WINDOWS\system32\javacl.exe

O4 - HKLM\..\RunOnce: [nttw32.exe] C:\WINDOWS\nttw32.exe

O4 - HKLM\..\RunOnce: [apirm.exe] C:\WINDOWS\apirm.exe

O4 - HKLM\..\RunOnce: [d3jc32.exe] C:\WINDOWS\system32\d3jc32.exe

O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\system32\netmy32.exe

O4 - HKLM\..\RunOnce: [javarr.exe] C:\WINDOWS\system32\javarr.exe

O4 - HKLM\..\RunOnce: [mszc.exe] C:\WINDOWS\mszc.exe

O4 - HKLM\..\RunOnce: [sdkqt.exe] C:\WINDOWS\system32\sdkqt.exe

O4 - HKLM\..\RunOnce: [d3fh32.exe] C:\WINDOWS\d3fh32.exe

O4 - HKLM\..\RunOnce: [iesl.exe] C:\WINDOWS\system32\iesl.exe

O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\apisa32.exe

O4 - HKLM\..\RunOnce: [appxm32.exe] C:\WINDOWS\appxm32.exe

O4 - HKLM\..\RunOnce: [netep32.exe] C:\WINDOWS\netep32.exe

O4 - HKLM\..\RunOnce: [msng.exe] C:\WINDOWS\msng.exe

O4 - HKLM\..\RunOnce: [mfcie32.exe] C:\WINDOWS\mfcie32.exe

O4 - HKLM\..\RunOnce: [javago.exe] C:\WINDOWS\system32\javago.exe

O4 - HKLM\..\RunOnce: [javagl.exe] C:\WINDOWS\javagl.exe

O4 - HKLM\..\RunOnce: [crbl32.exe] C:\WINDOWS\system32\crbl32.exe

O4 - HKLM\..\RunOnce: [ipvd32.exe] C:\WINDOWS\system32\ipvd32.exe

O4 - HKLM\..\RunOnce: [appmv.exe] C:\WINDOWS\appmv.exe

O4 - HKLM\..\RunOnce: [ntof.exe] C:\WINDOWS\ntof.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet5_20.dll' missing

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...wpoint/awp.html

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11ac1fb4dfee271aa904/...ip/RdxIE601.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.4947916667

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


I don't know how to fix your hijack problem.. to be honest and it's a relatively new infection that is spreading. But someone else will be along to help you with that. For now please follow these steps.

 

Have hijackthis fix these entries:

 

O4 - HKLM\..\Run: [atlvo32.exe] C:\WINDOWS\atlvo32.exe

O4 - HKLM\..\RunOnce: [d3aj32.exe] C:\WINDOWS\d3aj32.exe

O4 - HKLM\..\RunOnce: [d3co.exe] C:\WINDOWS\system32\d3co.exe

O4 - HKLM\..\RunOnce: [addfx32.exe] C:\WINDOWS\system32\addfx32.exe

O4 - HKLM\..\RunOnce: [netpp32.exe] C:\WINDOWS\system32\netpp32.exe

O4 - HKLM\..\RunOnce: [ntoz32.exe] C:\WINDOWS\ntoz32.exe

O4 - HKLM\..\RunOnce: [apiij32.exe] C:\WINDOWS\system32\apiij32.exe

O4 - HKLM\..\RunOnce: [javabg.exe] C:\WINDOWS\javabg.exe

O4 - HKLM\..\RunOnce: [ntxh.exe] C:\WINDOWS\ntxh.exe

O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINDOWS\d3km32.exe

O4 - HKLM\..\RunOnce: [appmq32.exe] C:\WINDOWS\appmq32.exe

O4 - HKLM\..\RunOnce: [addul.exe] C:\WINDOWS\addul.exe

O4 - HKLM\..\RunOnce: [mfcij32.exe] C:\WINDOWS\mfcij32.exe

O4 - HKLM\..\RunOnce: [sdkrw32.exe] C:\WINDOWS\sdkrw32.exe

O4 - HKLM\..\RunOnce: [ipwp.exe] C:\WINDOWS\system32\ipwp.exe

O4 - HKLM\..\RunOnce: [d3ee32.exe] C:\WINDOWS\system32\d3ee32.exe

O4 - HKLM\..\RunOnce: [netgn.exe] C:\WINDOWS\netgn.exe

O4 - HKLM\..\RunOnce: [netfp32.exe] C:\WINDOWS\netfp32.exe

O4 - HKLM\..\RunOnce: [sdkoe.exe] C:\WINDOWS\system32\sdkoe.exe

O4 - HKLM\..\RunOnce: [msda.exe] C:\WINDOWS\system32\msda.exe

O4 - HKLM\..\RunOnce: [d3ou.exe] C:\WINDOWS\system32\d3ou.exe

O4 - HKLM\..\RunOnce: [ntqv32.exe] C:\WINDOWS\system32\ntqv32.exe

O4 - HKLM\..\RunOnce: [sysht.exe] C:\WINDOWS\system32\sysht.exe

O4 - HKLM\..\RunOnce: [syssz32.exe] C:\WINDOWS\syssz32.exe

O4 - HKLM\..\RunOnce: [ieme32.exe] C:\WINDOWS\ieme32.exe

O4 - HKLM\..\RunOnce: [javaqa.exe] C:\WINDOWS\javaqa.exe

O4 - HKLM\..\RunOnce: [ieoi.exe] C:\WINDOWS\system32\ieoi.exe

O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\system32\apiuf.exe

O4 - HKLM\..\RunOnce: [iept.exe] C:\WINDOWS\system32\iept.exe

O4 - HKLM\..\RunOnce: [nthb32.exe] C:\WINDOWS\system32\nthb32.exe

O4 - HKLM\..\RunOnce: [appik.exe] C:\WINDOWS\appik.exe

O4 - HKLM\..\RunOnce: [iewq.exe] C:\WINDOWS\iewq.exe

O4 - HKLM\..\RunOnce: [ntxz32.exe] C:\WINDOWS\system32\ntxz32.exe

O4 - HKLM\..\RunOnce: [atlub.exe] C:\WINDOWS\atlub.exe

O4 - HKLM\..\RunOnce: [iexu32.exe] C:\WINDOWS\system32\iexu32.exe

O4 - HKLM\..\RunOnce: [ntbm.exe] C:\WINDOWS\system32\ntbm.exe

O4 - HKLM\..\RunOnce: [addyl32.exe] C:\WINDOWS\addyl32.exe

O4 - HKLM\..\RunOnce: [addkq.exe] C:\WINDOWS\addkq.exe

O4 - HKLM\..\RunOnce: [atlud32.exe] C:\WINDOWS\atlud32.exe

O4 - HKLM\..\RunOnce: [iepq32.exe] C:\WINDOWS\system32\iepq32.exe

O4 - HKLM\..\RunOnce: [javayd32.exe] C:\WINDOWS\system32\javayd32.exe

O4 - HKLM\..\RunOnce: [netxp32.exe] C:\WINDOWS\system32\netxp32.exe

O4 - HKLM\..\RunOnce: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe

O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\atlkt32.exe

O4 - HKLM\..\RunOnce: [d3vh32.exe] C:\WINDOWS\system32\d3vh32.exe

O4 - HKLM\..\RunOnce: [javacl.exe] C:\WINDOWS\system32\javacl.exe

O4 - HKLM\..\RunOnce: [nttw32.exe] C:\WINDOWS\nttw32.exe

O4 - HKLM\..\RunOnce: [apirm.exe] C:\WINDOWS\apirm.exe

O4 - HKLM\..\RunOnce: [d3jc32.exe] C:\WINDOWS\system32\d3jc32.exe

O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\system32\netmy32.exe

O4 - HKLM\..\RunOnce: [javarr.exe] C:\WINDOWS\system32\javarr.exe

O4 - HKLM\..\RunOnce: [mszc.exe] C:\WINDOWS\mszc.exe

O4 - HKLM\..\RunOnce: [sdkqt.exe] C:\WINDOWS\system32\sdkqt.exe

O4 - HKLM\..\RunOnce: [d3fh32.exe] C:\WINDOWS\d3fh32.exe

O4 - HKLM\..\RunOnce: [iesl.exe] C:\WINDOWS\system32\iesl.exe

O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\apisa32.exe

O4 - HKLM\..\RunOnce: [appxm32.exe] C:\WINDOWS\appxm32.exe

O4 - HKLM\..\RunOnce: [netep32.exe] C:\WINDOWS\netep32.exe

O4 - HKLM\..\RunOnce: [msng.exe] C:\WINDOWS\msng.exe

O4 - HKLM\..\RunOnce: [mfcie32.exe] C:\WINDOWS\mfcie32.exe

O4 - HKLM\..\RunOnce: [javago.exe] C:\WINDOWS\system32\javago.exe

O4 - HKLM\..\RunOnce: [javagl.exe] C:\WINDOWS\javagl.exe

O4 - HKLM\..\RunOnce: [crbl32.exe] C:\WINDOWS\system32\crbl32.exe

O4 - HKLM\..\RunOnce: [ipvd32.exe] C:\WINDOWS\system32\ipvd32.exe

O4 - HKLM\..\RunOnce: [appmv.exe] C:\WINDOWS\appmv.exe

O4 - HKLM\..\RunOnce: [ntof.exe] C:\WINDOWS\ntof.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11ac1fb4dfee271aa904/...ip/RdxIE601.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe

 

 

Set hidden files or folders to show HERE'S HOW

 

 

Reboot your PC in safe mode: HERE'S HOW

 

While in safe mode please delete these files or folders:

 

C:\WINDOWS\atlvo32.exe

 

C:\WINDOWS\d3aj32.exe

C:\WINDOWS\system32\d3co.exe

C:\WINDOWS\system32\addfx32.exe

C:\WINDOWS\system32\netpp32.exe

C:\WINDOWS\ntoz32.exe

C:\WINDOWS\system32\apiij32.exe

C:\WINDOWS\javabg.exe

C:\WINDOWS\ntxh.exe

C:\WINDOWS\d3km32.exe

C:\WINDOWS\appmq32.exe

C:\WINDOWS\addul.exe

C:\WINDOWS\mfcij32.exe

C:\WINDOWS\sdkrw32.exe

C:\WINDOWS\system32\ipwp.exe

C:\WINDOWS\system32\d3ee32.exe

C:\WINDOWS\netgn.exe

C:\WINDOWS\netfp32.exe

C:\WINDOWS\system32\sdkoe.exe

C:\WINDOWS\system32\msda.exe

C:\WINDOWS\system32\d3ou.exe

C:\WINDOWS\system32\ntqv32.exe

C:\WINDOWS\system32\sysht.exe

C:\WINDOWS\syssz32.exe

C:\WINDOWS\ieme32.exe

C:\WINDOWS\javaqa.exe

C:\WINDOWS\system32\ieoi.exe

C:\WINDOWS\system32\apiuf.exe

C:\WINDOWS\system32\iept.exe

C:\WINDOWS\system32\nthb32.exe

C:\WINDOWS\appik.exe

C:\WINDOWS\iewq.exe

C:\WINDOWS\system32\ntxz32.exe

C:\WINDOWS\atlub.exe

C:\WINDOWS\system32\iexu32.exe

C:\WINDOWS\system32\ntbm.exe

C:\WINDOWS\addyl32.exe

C:\WINDOWS\addkq.exe

C:\WINDOWS\atlud32.exe

C:\WINDOWS\system32\iepq32.exe

C:\WINDOWS\system32\javayd32.exe

C:\WINDOWS\system32\netxp32.exe

C:\WINDOWS\system32\atlnw32.exe

C:\WINDOWS\atlkt32.exe

C:\WINDOWS\system32\d3vh32.exe

C:\WINDOWS\system32\javacl.exe

C:\WINDOWS\nttw32.exe

C:\WINDOWS\apirm.exe

C:\WINDOWS\system32\d3jc32.exe

C:\WINDOWS\system32\netmy32.exe

C:\WINDOWS\system32\javarr.exe

C:\WINDOWS\mszc.exe

C:\WINDOWS\system32\sdkqt.exe

C:\WINDOWS\d3fh32.exe

C:\WINDOWS\system32\iesl.exe

C:\WINDOWS\apisa32.exe

C:\WINDOWS\appxm32.exe

C:\WINDOWS\netep32.exe

C:\WINDOWS\msng.exe

C:\WINDOWS\mfcie32.exe

C:\WINDOWS\system32\javago.exe

C:\WINDOWS\javagl.exe

C:\WINDOWS\system32\crbl32.exe

C:\WINDOWS\system32\ipvd32.exe

C:\WINDOWS\appmv.exe

C:\WINDOWS\ntof.exe

Reboot normally now and:

Go here and get one of the free trials of an Anti Trojan and scan for Trojans.

http://www.wilders.org/anti_trojans.htm

After this, reboot and post a fresh HijackThis log.

And we'll take it from there =)

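A small checker, added here as an example and not taken from any post in this thread, that applies the tells visible in the logs above to HijackThis 1.97-format lines: a start or search page pointing at a res:// DLL resource, an unnamed BHO, Run/RunOnce entries whose label is just the file name (as in [mszc.exe]), and the broken LSP line. The sample lines are constructed from the posted logs; the reappeared() helper is an assumed way of comparing two successive logs to see what came back under a new name.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v1.97 line format, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.fileplanet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676
O2 - BHO: (no name) - {E2817FD0-C114-2AD1-D02A-7F3FC36547E7} - C:\WINDOWS\msyh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ipuj32.exe] C:\WINDOWS\system32\ipuj32.exe
O4 - HKLM\..\RunOnce: [sdkuc32.exe] C:\WINDOWS\sdkuc32.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet5_20.dll' missing
"""

# R0/R1: a start/search page registry value.  O4: an autorun entry under HKLM/HKCU Run or RunOnce.
R_ENTRY = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")
O4_ENTRY = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")

def classify(line: str) -> Optional[str]:
    """Return why a line matches an indicator seen in this thread, or None if it looks benign."""
    line = line.strip()
    m = R_ENTRY.match(line)
    if m and m.group("value").lower().startswith("res://"):
        # A start/search page served out of a local DLL resource is the hijack this thread is about.
        return "start/search page points at a local DLL resource (res://)"
    if line.startswith("O2 - BHO: (no name)"):
        return "unnamed Browser Helper Object"
    m = O4_ENTRY.match(line)
    if m:
        label, cmd = m.group("label"), m.group("cmd")
        # Last path component of the command, ignoring surrounding quotes and arguments (approximate).
        exe = (cmd.strip('"').split("\\")[-1].split() or [""])[0]
        if label.lower() == exe.lower():
            # Every malware entry in the posted logs uses the bare file name as its label.
            return "autorun label is just the executable name"
        if m.group("key").lower() == "runonce":
            # RunOnce values are consumed at boot; ones that keep showing up are being re-created.
            return "RunOnce entry in a log from a running system (normally consumed at boot)"
    if line.startswith("O10 - Broken Internet access"):
        return "Winsock LSP chain broken (provider file missing)"
    return None

def suspicious_entries(log: str) -> List[Tuple[str, str]]:
    """All (line, reason) pairs in a log that classify() flags."""
    flagged = ((line.strip(), classify(line)) for line in log.splitlines())
    return [(line, reason) for line, reason in flagged if reason]

def reappeared(old_log: str, new_log: str) -> List[Tuple[str, str]]:
    """Flagged lines in the new log that were absent from the old one: the 'comes back under a new name' case."""
    seen = {line for line, _ in suspicious_entries(old_log)}
    return [(line, reason) for line, reason in suspicious_entries(new_log) if line not in seen]
```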

Thanks a lot so far, here is the latest log after doing everything suggested.


Logfile of HijackThis v1.97.7

Scan saved at 2:48:28 PM, on 6/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\d3co.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\TrojanHunter 3.6\THGuard.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\system32\ipuj32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

E:\Nicks_Docs\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fileplanet.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jaciw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

O2 - BHO: (no name) - {E2817FD0-C114-2AD1-D02A-7F3FC36547E7} - C:\WINDOWS\msyh.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.6\THGuard.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [ipuj32.exe] C:\WINDOWS\system32\ipuj32.exe

O4 - HKLM\..\RunOnce: [sdkuc32.exe] C:\WINDOWS\sdkuc32.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet5_20.dll' missing

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...wpoint/awp.html

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.4947916667

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


OK, this is starting to get kind of scary. I will be typing in Notepad or Word, and suddenly it will close, for absolutely no reason at all. It's like someone is watching me type and when I get to something important, they close it or something. It's really weird, please come up with a solution to that hijacker as fast as possible!

Edited by [Judge]Snake


I'm looking for answers... I really am.

I wish I were more skilled with this new infection!


OK, I have a fix I would like to try. Can you please reboot a couple of times, then post a fresh HijackThis log, and I'll post the instructions :)


I finally got this log after my computer received the blue screen of death after rebooting. Finally this morning it seems all I had to do was click through AVG virus prompts to get to the desktop. Really weird, here's the log.


Logfile of HijackThis v1.97.7

Scan saved at 10:57:57 AM, on 7/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\TrojanHunter 3.6\THGuard.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe

E:\Winamp\Winampa.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

E:\Nicks_Docs\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.fileplanet.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaciw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jaciw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jaciw.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

O2 - BHO: (no name) - {E2817FD0-C114-2AD1-D02A-7F3FC36547E7} - C:\WINDOWS\msyh.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll (file missing)

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.6\THGuard.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [ipuj32.exe] C:\WINDOWS\system32\ipuj32.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"

O4 - HKLM\..\Run: [WinampAgent] "E:\Winamp\Winampa.exe"

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet5_20.dll' missing

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...wpoint/awp.html

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.4947916667

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
