res://bujyt.dll/index.html Need Help Please


3 replies to this topic

#1 spidey


Posted 22 June 2004 - 03:30 PM

First, thank you helpers for your time! This is a great forum.

I have the new dreaded CWS variant...got it last Friday, June 18.

I have tried the following:

Panda Active Scan
Ad Aware
Trojanhunter
CWShredder

http://www.spywarein...?showtopic=4817

And have not been able to fix it.

Thanks so much for your assistance! :D

Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 3:28:53 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\alg.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\NILaunch.exe
C:\Windows\system32\atlgy32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\jetsuite\JETSTAT.EXE
C:\Niprint\NIPRINT3.EXE
C:\Program Files\BHODemon\BHODemon.exe
C:\Niprint\NAUDP3.DRV
c:\jetsuite\JSFMAN.EXE
C:\Windows\adddt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\system32\bujyt.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bujyt.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bujyt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\system32\bujyt.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bujyt.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\system32\bujyt.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.compaq.com...PT/0409/bF7.asp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EF4B1BBF-9691-E915-81F6-F75B7DD313AA} - C:\Windows\ieuy32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Net-It Launcher] C:\Windows\System32\NILaunch.exe
O4 - HKLM\..\Run: [atlgy32.exe] C:\Windows\system32\atlgy32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\RunOnce: [ipkb.exe] C:\Windows\system32\ipkb.exe
O4 - HKLM\..\RunOnce: [iewi32.exe] C:\Windows\iewi32.exe
O4 - HKLM\..\RunOnce: [apptk32.exe] C:\Windows\system32\apptk32.exe
O4 - HKLM\..\RunOnce: [d3ut.exe] C:\Windows\d3ut.exe
O4 - HKLM\..\RunOnce: [d3bg.exe] C:\Windows\d3bg.exe
O4 - HKLM\..\RunOnce: [netao32.exe] C:\Windows\system32\netao32.exe
O4 - HKLM\..\RunOnce: [ntuf32.exe] C:\Windows\ntuf32.exe
O4 - HKLM\..\RunOnce: [sdkva32.exe] C:\Windows\system32\sdkva32.exe
O4 - HKLM\..\RunOnce: [ntqi.exe] C:\Windows\system32\ntqi.exe
O4 - HKLM\..\RunOnce: [ipcn.exe] C:\Windows\system32\ipcn.exe
O4 - HKLM\..\RunOnce: [adddt.exe] C:\Windows\adddt.exe
O4 - HKLM\..\RunOnce: [addgk.exe] C:\Windows\system32\addgk.exe
O4 - HKLM\..\RunOnce: [atlfl32.exe] C:\Windows\atlfl32.exe
O4 - HKLM\..\RunOnce: [mszr32.exe] C:\Windows\mszr32.exe
O4 - HKLM\..\RunOnce: [javacy32.exe] C:\Windows\system32\javacy32.exe
O4 - HKLM\..\RunOnce: [d3xs.exe] C:\Windows\d3xs.exe
O4 - HKLM\..\RunOnce: [addbz32.exe] C:\Windows\system32\addbz32.exe
O4 - HKLM\..\RunOnce: [d3ph.exe] C:\Windows\d3ph.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NIPrint.LNK = C:\Niprint\NIPRINT3.EXE
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://streak.fimc.n...va/cfs31235.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4FDF3696-5078-4952-868C-CEEB9683B8C4} (DownloadFile Control) - http://10.175.4.225/...ownloadFile.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0)) - http://10.175.4.225/cab/Live.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7853.3072916667
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} (RPBX(v6.0)) - http://10.175.4.225/cab/RPB.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8DC57C9-4781-4463-A7FB-DDA8BD06A7FF}: NameServer = 66.38.0.240,66.38.0.241
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE6C0D41-3D0D-4A4D-9242-93F223103766}: NameServer = 66.38.0.240,66.38.1.240
O17 - HKLM\System\CS1\Services\Tcpip\..\{A8DC57C9-4781-4463-A7FB-DDA8BD06A7FF}: NameServer = 66.38.0.240,66.38.0.241

#2 Autodad


Posted 25 June 2004 - 10:27 PM

Hi spidey,

You need to have HJT in a permanent folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
This will allow backups to be made and saved by HijackThis in case something goes wrong.
Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.



Please download About:Buster by RubbeR DuckY from

http://www.atribune....AboutBuster.zip

Then Unzip it to your desktop. Do not run it yet.

Print these directions or paste them into a text document as you will be running with your internet explorer closed.

Restarting internet explorer may cause a reinfection.


Please Open Hijackthis, click Scan, then put a check next to the following entries:

O2 - BHO: (no name) - {EF4B1BBF-9691-E915-81F6-F75B7DD313AA} - C:\Windows\ieuy32.dll

O4 - HKLM\..\Run: [atlgy32.exe] C:\Windows\system32\atlgy32.exe

O4 - HKLM\..\RunOnce: [ipkb.exe] C:\Windows\system32\ipkb.exe
O4 - HKLM\..\RunOnce: [iewi32.exe] C:\Windows\iewi32.exe
O4 - HKLM\..\RunOnce: [apptk32.exe] C:\Windows\system32\apptk32.exe
O4 - HKLM\..\RunOnce: [d3ut.exe] C:\Windows\d3ut.exe
O4 - HKLM\..\RunOnce: [d3bg.exe] C:\Windows\d3bg.exe
O4 - HKLM\..\RunOnce: [netao32.exe] C:\Windows\system32\netao32.exe
O4 - HKLM\..\RunOnce: [ntuf32.exe] C:\Windows\ntuf32.exe
O4 - HKLM\..\RunOnce: [sdkva32.exe] C:\Windows\system32\sdkva32.exe
O4 - HKLM\..\RunOnce: [ntqi.exe] C:\Windows\system32\ntqi.exe
O4 - HKLM\..\RunOnce: [ipcn.exe] C:\Windows\system32\ipcn.exe
O4 - HKLM\..\RunOnce: [adddt.exe] C:\Windows\adddt.exe
O4 - HKLM\..\RunOnce: [addgk.exe] C:\Windows\system32\addgk.exe
O4 - HKLM\..\RunOnce: [atlfl32.exe] C:\Windows\atlfl32.exe
O4 - HKLM\..\RunOnce: [mszr32.exe] C:\Windows\mszr32.exe
O4 - HKLM\..\RunOnce: [javacy32.exe] C:\Windows\system32\javacy32.exe
O4 - HKLM\..\RunOnce: [d3xs.exe] C:\Windows\d3xs.exe
O4 - HKLM\..\RunOnce: [addbz32.exe] C:\Windows\system32\addbz32.exe
O4 - HKLM\..\RunOnce: [d3ph.exe] C:\Windows\d3ph.exe


Then, Close all open Windows and Browsers (have only HJT open) and click "Fix Checked".


Now start up About:Buster.

Hit ok on the first prompt and then hit start.

Next hit ok.

Wait till the scan completes and copy the report and save it somewhere.

Rerun About:Buster to make sure everything was deleted.

Then restart your computer.

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with a report.
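The entries Autodad picks out of spidey's log share three patterns: IE start/search pages pointing at a `res://` resource inside a dropped DLL, an unnamed BHO sitting directly in C:\Windows, and Run/RunOnce entries whose name is just the file name of an executable dropped in C:\Windows or system32. The script below is an added example (not code from the thread, HijackThis or About:Buster) that encodes those three heuristics as a log triage; the sample lines are copied from the two logs in this thread and the heuristics are assumptions drawn from this thread, not a general malware signature.

```python
import ntpath
import re

# Constructed sample: lines copied from the two HijackThis logs in this thread,
# mixing entries Autodad told spidey to fix with legitimate ones left alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\system32\bujyt.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bujyt.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EF4B1BBF-9691-E915-81F6-F75B7DD313AA} - C:\Windows\ieuy32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [atlgy32.exe] C:\Windows\system32\atlgy32.exe
O4 - HKLM\..\RunOnce: [d3ut.exe] C:\Windows\d3ut.exe
"""

WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
R_LINE = re.compile(r"^R[01] - .+ = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - HK[LC][MU]\\\.\.\\Run\w*: \[(?P<name>.+?)\] (?P<cmd>.+)$")


def in_windows_dir(path: str) -> bool:
    """True when the file sits directly in C:\\Windows or C:\\Windows\\system32 (any case)."""
    return ntpath.dirname(path).lower() in WINDOWS_DIRS


def exe_path(cmd: str) -> str:
    """Pull the executable out of an O4 command line ("quoted" or bare, trailing args dropped)."""
    m = re.match(r'^"?(?P<path>.+?\.[A-Za-z]{3})"?', cmd)
    return m.group("path") if m else cmd


def triage(log_text: str) -> list:
    """Return (line, reason) pairs for entries matching the three patterns from this thread."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := R_LINE.match(line)) and m.group("value").lower().startswith("res://"):
            findings.append((line, "IE start/search page points into a local DLL resource (CWS-style hijack)"))
        elif (m := O2_LINE.match(line)) and m.group("name") == "(no name)" and in_windows_dir(m.group("path")):
            findings.append((line, "unnamed BHO loaded from the Windows directory"))
        elif m := O4_LINE.match(line):
            path = exe_path(m.group("cmd"))
            if m.group("name").lower() == ntpath.basename(path).lower() and in_windows_dir(path):
                findings.append((line, "autorun named after its own file, dropped in the Windows directory"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"FLAG  {reason}\n      {line}")
```

Run against spidey's second log, the same function returns nothing, which is the check behind "do I look clean?".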

#3 spidey


Posted 26 June 2004 - 10:17 AM

:D :D :D Autodad (and all you helpers):

THANK YOU! So far, so good. I did everything you asked and I **think** I got it (with your assistance)...I had to run About:Buster twice to get it all...but I think it is clean at this point. Crossing my fingers! :lol: Here is the HJT log...do I look clean? :deal:

Logfile of HijackThis v1.97.7
Scan saved at 10:12:19 AM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\alg.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Windows\System32\NILaunch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\jetsuite\JETSTAT.EXE
C:\Niprint\NIPRINT3.EXE
C:\Niprint\NAUDP3.DRV
C:\Program Files\BHODemon\BHODemon.exe
c:\jetsuite\JSFMAN.EXE
C:\HJT\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.compaq.com...PT/0409/bF7.asp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\Windows\System32\NILaunch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NIPrint.LNK = C:\Niprint\NIPRINT3.EXE
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://streak.fimc.n...va/cfs31235.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8162.3773958333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8DC57C9-4781-4463-A7FB-DDA8BD06A7FF}: NameServer = 66.38.0.240,66.38.0.241
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE6C0D41-3D0D-4A4D-9242-93F223103766}: NameServer = 66.38.0.240,66.38.1.240
O17 - HKLM\System\CS1\Services\Tcpip\..\{A8DC57C9-4781-4463-A7FB-DDA8BD06A7FF}: NameServer = 66.38.0.240,66.38.0.241

#4 Autodad


Posted 26 June 2004 - 08:16 PM

Great job spidey!

You're welcome.
Looks good. Let us know if you have any concerns.

Here is some free protection you should consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check for updates occasionally.

And also see So how did I get infected in the first place?
