• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
spidey

res://bujyt.dll/index.html Need Help Please

4 posts in this topic

First, thank you helpers for your time! This is a great forum.

 

I have the new dreaded CWS variant...got it last Friday, June 18.

 

I have tried the following:

 

Panda Active Scan

Ad Aware

Trojanhunter

CWShredder

 

http://www.spywareinfoforum.com/index.php?showtopic=4817

 

And have not been able to fix it.

 

Thanks so much for your assistance! :D

 

Here is my log:

 

Logfile of HijackThis v1.97.7

Scan saved at 3:28:53 PM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\spoolsv.exe

C:\Windows\System32\alg.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

c:\jetsuite\jsdaemon.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

C:\Windows\Explorer.EXE

C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Compaq\EAB\EabServr.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Windows\System32\NILaunch.exe

C:\Windows\system32\atlgy32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\jetsuite\JETSTAT.EXE

C:\Niprint\NIPRINT3.EXE

C:\Program Files\BHODemon\BHODemon.exe

C:\Niprint\NAUDP3.DRV

c:\jetsuite\JSFMAN.EXE

C:\Windows\adddt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\hjt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\system32\bujyt.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bujyt.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bujyt.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\system32\bujyt.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bujyt.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\system32\bujyt.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.compaq.com/2Q00CPT/0409/bF7.asp

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {EF4B1BBF-9691-E915-81F6-F75B7DD313AA} - C:\Windows\ieuy32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\compaq\cpqsetup\cpqset.exe

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Net-It Launcher] C:\Windows\System32\NILaunch.exe

O4 - HKLM\..\Run: [atlgy32.exe] C:\Windows\system32\atlgy32.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKLM\..\RunOnce: [ipkb.exe] C:\Windows\system32\ipkb.exe

O4 - HKLM\..\RunOnce: [iewi32.exe] C:\Windows\iewi32.exe

O4 - HKLM\..\RunOnce: [apptk32.exe] C:\Windows\system32\apptk32.exe

O4 - HKLM\..\RunOnce: [d3ut.exe] C:\Windows\d3ut.exe

O4 - HKLM\..\RunOnce: [d3bg.exe] C:\Windows\d3bg.exe

O4 - HKLM\..\RunOnce: [netao32.exe] C:\Windows\system32\netao32.exe

O4 - HKLM\..\RunOnce: [ntuf32.exe] C:\Windows\ntuf32.exe

O4 - HKLM\..\RunOnce: [sdkva32.exe] C:\Windows\system32\sdkva32.exe

O4 - HKLM\..\RunOnce: [ntqi.exe] C:\Windows\system32\ntqi.exe

O4 - HKLM\..\RunOnce: [ipcn.exe] C:\Windows\system32\ipcn.exe

O4 - HKLM\..\RunOnce: [adddt.exe] C:\Windows\adddt.exe

O4 - HKLM\..\RunOnce: [addgk.exe] C:\Windows\system32\addgk.exe

O4 - HKLM\..\RunOnce: [atlfl32.exe] C:\Windows\atlfl32.exe

O4 - HKLM\..\RunOnce: [mszr32.exe] C:\Windows\mszr32.exe

O4 - HKLM\..\RunOnce: [javacy32.exe] C:\Windows\system32\javacy32.exe

O4 - HKLM\..\RunOnce: [d3xs.exe] C:\Windows\d3xs.exe

O4 - HKLM\..\RunOnce: [addbz32.exe] C:\Windows\system32\addbz32.exe

O4 - HKLM\..\RunOnce: [d3ph.exe] C:\Windows\d3ph.exe

O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe

O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NIPrint.LNK = C:\Niprint\NIPRINT3.EXE

O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://streak.fimc.net:8000/Java/cfs31235.cab

O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4FDF3696-5078-4952-868C-CEEB9683B8C4} (DownloadFile Control) - http://10.175.4.225/cab/DownloadFile.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0)) - http://10.175.4.225/cab/Live.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7853.3072916667

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} (RPBX(v6.0)) - http://10.175.4.225/cab/RPB.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A8DC57C9-4781-4463-A7FB-DDA8BD06A7FF}: NameServer = 66.38.0.240,66.38.0.241

O17 - HKLM\System\CCS\Services\Tcpip\..\{AE6C0D41-3D0D-4A4D-9242-93F223103766}: NameServer = 66.38.0.240,66.38.1.240

O17 - HKLM\System\CS1\Services\Tcpip\..\{A8DC57C9-4781-4463-A7FB-DDA8BD06A7FF}: NameServer = 66.38.0.240,66.38.0.241

Share this post


Link to post
Share on other sites

Hi spidey,

 

You need to have HJT in a Permanent folder.

Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

This will allow backups to be made and saved By hijackthis in case something goes wrong

Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

 

 

 

Please download About:Buster by RubbeR DuckY from

 

http://www.atribune.org/downloads/AboutBuster.zip

 

Then Unzip it to your desktop. Do not run it yet.

 

Print these directions or paste them into a text document as you will be running with your internet explorer closed.

 

Restarting internet explorer may cause a reinfection.

 

 

Please Open Hijackthis, click Scan, then put a check next to the following entries:

 

O2 - BHO: (no name) - {EF4B1BBF-9691-E915-81F6-F75B7DD313AA} - C:\Windows\ieuy32.dll

 

O4 - HKLM\..\Run: [atlgy32.exe] C:\Windows\system32\atlgy32.exe

 

O4 - HKLM\..\RunOnce: [ipkb.exe] C:\Windows\system32\ipkb.exe

O4 - HKLM\..\RunOnce: [iewi32.exe] C:\Windows\iewi32.exe

O4 - HKLM\..\RunOnce: [apptk32.exe] C:\Windows\system32\apptk32.exe

O4 - HKLM\..\RunOnce: [d3ut.exe] C:\Windows\d3ut.exe

O4 - HKLM\..\RunOnce: [d3bg.exe] C:\Windows\d3bg.exe

O4 - HKLM\..\RunOnce: [netao32.exe] C:\Windows\system32\netao32.exe

O4 - HKLM\..\RunOnce: [ntuf32.exe] C:\Windows\ntuf32.exe

O4 - HKLM\..\RunOnce: [sdkva32.exe] C:\Windows\system32\sdkva32.exe

O4 - HKLM\..\RunOnce: [ntqi.exe] C:\Windows\system32\ntqi.exe

O4 - HKLM\..\RunOnce: [ipcn.exe] C:\Windows\system32\ipcn.exe

O4 - HKLM\..\RunOnce: [adddt.exe] C:\Windows\adddt.exe

O4 - HKLM\..\RunOnce: [addgk.exe] C:\Windows\system32\addgk.exe

O4 - HKLM\..\RunOnce: [atlfl32.exe] C:\Windows\atlfl32.exe

O4 - HKLM\..\RunOnce: [mszr32.exe] C:\Windows\mszr32.exe

O4 - HKLM\..\RunOnce: [javacy32.exe] C:\Windows\system32\javacy32.exe

O4 - HKLM\..\RunOnce: [d3xs.exe] C:\Windows\d3xs.exe

O4 - HKLM\..\RunOnce: [addbz32.exe] C:\Windows\system32\addbz32.exe

O4 - HKLM\..\RunOnce: [d3ph.exe] C:\Windows\d3ph.exe

 

 

Then, Close all open Windows and Browsers (have only HJT open) and click "Fix Checked".

 

 

Now startup About:Buster.

 

Hit ok on the first prompt and then hit start.

 

Next hit ok.

 

Wait till the scan completes and copy the report and save it somewhere.

 

Rerun About:Buster to make sure everything was deleted.

 

Then restart your computer.

 

It is now safe to reopen Internet explorer. Please post a new hijack this log along with a report.

Share this post


Link to post
Share on other sites

:D:D:D Autodad (and all you helpers):

 

THANK YOU! So far, so good. I did everthing thing you asked and I **think** I got it (with your assistance)...I had to run About:Buster twice to get it all...but I think it is clean at this point. Crossing my fingers! :lol: Here is the HJT log...do I look clean? :deal:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:12:19 AM, on 6/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\spoolsv.exe

C:\Windows\System32\alg.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

c:\jetsuite\jsdaemon.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe

C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Compaq\EAB\EabServr.exe

C:\Windows\System32\NILaunch.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\jetsuite\JETSTAT.EXE

C:\Niprint\NIPRINT3.EXE

C:\Niprint\NAUDP3.DRV

C:\Program Files\BHODemon\BHODemon.exe

c:\jetsuite\JSFMAN.EXE

C:\HJT\hjt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.compaq.com/2Q00CPT/0409/bF7.asp

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\compaq\cpqsetup\cpqset.exe

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe

O4 - HKLM\..\Run: [Net-It Launcher] C:\Windows\System32\NILaunch.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe

O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NIPrint.LNK = C:\Niprint\NIPRINT3.EXE

O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://streak.fimc.net:8000/Java/cfs31235.cab

O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8162.3773958333

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A8DC57C9-4781-4463-A7FB-DDA8BD06A7FF}: NameServer = 66.38.0.240,66.38.0.241

O17 - HKLM\System\CCS\Services\Tcpip\..\{AE6C0D41-3D0D-4A4D-9242-93F223103766}: NameServer = 66.38.0.240,66.38.1.240

O17 - HKLM\System\CS1\Services\Tcpip\..\{A8DC57C9-4781-4463-A7FB-DDA8BD06A7FF}: NameServer = 66.38.0.240,66.38.0.241

Share this post


Link to post
Share on other sites

Great job spidey!

 

You're Welcome.

Looks good. Let us know if you have any concerns.

 

Here is some free protection you should consider:

Download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies.

 

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

 

Check for updates occaisionally.

 

And also see So how did I get infected in the first place?

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0