Jump to content


Photo

I keep trying different removal methods...


  • Please log in to reply
3 replies to this topic

#1 JBK2

JBK2

    Member

  • New Member
  • Pip
  • 2 posts

Posted 22 June 2004 - 06:23 PM

Here is my log to start:

Logfile of HijackThis v1.97.3
Scan saved at 6:11:11 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\appcv32.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ieol32.exe
C:\Program Files\KMaestro\WTS_KEY.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Joseph Kora\My Documents\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hvuwk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hvuwk.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hvuwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hvuwk.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hvuwk.dll/sp.html#96676
O2 - BHO: (no name) - {B0652369-5121-A435-F727-38BA64793FF8} - C:\WINDOWS\system32\atljj.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [appcv32.exe] C:\WINDOWS\system32\appcv32.exe
O4 - HKLM\..\RunOnce: [apiwg.exe] C:\WINDOWS\apiwg.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7932.6865972222
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab

I have run hijack this, adaware, spybot SD, adaware in safe mode and no luck. Any suggestions?

#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 22 June 2004 - 06:26 PM

Hello, Please download my tool called about:buster from Here


Unzip it to your desktop.

Now start Hijack this and tick the boxes next to these items..


O2 - BHO: (no name) - {B0652369-5121-A435-F727-38BA64793FF8} - C:\WINDOWS\system32\atljj.dll
O4 - HKLM\..\Run: [appcv32.exe] C:\WINDOWS\system32\appcv32.exe
O4 - HKLM\..\RunOnce: [apiwg.exe] C:\WINDOWS\apiwg.exe


Now close ALL windows and hit fix checked.
Do not open internet explorer to come back here until after running my tool.

Start about:buster and hit start. In the first white box input this -
res://hvuwk.dll/index.html#96676

Now hit ok. Restart your computer and post the report and a new Hijack this log.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#3 JBK2

JBK2

    Member

  • New Member
  • Pip
  • 2 posts

Posted 22 June 2004 - 06:35 PM

Happened again, thanks for the quick reply btw.... Here is the reboot log:

Logfile of HijackThis v1.97.3
Scan saved at 6:34:39 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\crfj.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\appcv32.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\KMaestro\WTS_KEY.EXE
C:\Documents and Settings\Joseph Kora\My Documents\Downloads\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {56CDF9C1-56A8-F6F5-D235-2292CC21E897} - C:\WINDOWS\system32\nethe32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [appcv32.exe] C:\WINDOWS\system32\appcv32.exe
O4 - HKLM\..\RunOnce: [ieol32.exe] C:\WINDOWS\system32\ieol32.exe
O4 - HKLM\..\RunOnce: [crsa.exe] C:\WINDOWS\crsa.exe
O4 - HKLM\..\RunOnce: [wincs.exe] C:\WINDOWS\system32\wincs.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7932.6865972222
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab

#4 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 22 June 2004 - 06:39 PM

No it looks like your clean.. But..

O2 - BHO: (no name) - {56CDF9C1-56A8-F6F5-D235-2292CC21E897} - C:\WINDOWS\system32\nethe32.dll


Tick the box next to that and hit fix checked. Then rerun about:buster . In the box put this in res://nethe32.dll
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button