Hijacked to res://C:\WINDOWS\pqqkq.dll/


11 replies to this topic

#1 wgs426 (Full Member, 7 posts)

Posted 24 June 2004 - 10:06 PM

I found that my system's been hijacked. I read the pinned article and downloaded all the latest versions of AdAware, etc. I booted to Safe Mode and ran the latest AdAware, Spybot and HJT and when I restarted, everything looked fine. IE opened normally to my default start page. The second time I open IE I'm redirected and HJT shows the errors. HJT has no R0 or R1 listings when I first rebooted, but the log below shows the errors. The file pqqkq.dll is the same after every repair.

Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:57:37 PM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\ggviewer67-84.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\WINDOWS\atlee32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\mshx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pqqkq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pqqkq.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pqqkq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pqqkq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pqqkq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pqqkq.dll/sp.html#96676
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
O2 - BHO: (no name) - {62005B4B-CE95-80CF-E5CD-802CCE4029E7} - C:\WINDOWS\mssi.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [atlee32.exe] C:\WINDOWS\atlee32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\RunOnce: [mshx.exe] C:\WINDOWS\mshx.exe
O4 - HKLM\..\RunOnce: [winem32.exe] C:\WINDOWS\system32\winem32.exe
O4 - HKLM\..\RunOnce: [atlff.exe] C:\WINDOWS\system32\atlff.exe
O4 - HKLM\..\RunOnce: [apifr.exe] C:\WINDOWS\apifr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: WRAL DESKTOP WEATHER.lnk = C:\Program Files\WRAL DESKTOP WEATHER\TrueWeather.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com.../gigexagent.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2000i\AcDcToday.ocx
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7522.5502893519
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft...hy/clearadj.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2000i\AcPreview.ocx

#2 wgs426 (Full Member, 7 posts)

Posted 09 July 2004 - 06:06 AM

It's been several weeks and no help. In the meantime I've continued to run AdAware, both real time and in safe mode, with no effect. Even though multiple files are removed at each scan, I continue to be infected, but unfortunately I don't know what else to remove. Please help. My current log is posted below.

Logfile of HijackThis v1.97.7
Scan saved at 7:02:09 AM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\ggviewer67-84.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\mfcwa32.exe
C:\WINDOWS\system32\javaqy32.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://clueo.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://clueo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://clueo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
O2 - BHO: (no name) - {5B81957C-668C-8DEE-B1F0-B56CE783D0E2} - C:\WINDOWS\netin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [mfcwa32.exe] C:\WINDOWS\mfcwa32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\RunOnce: [javaqy32.exe] C:\WINDOWS\system32\javaqy32.exe
O4 - HKLM\..\RunOnce: [sdkop32.exe] C:\WINDOWS\sdkop32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: WRAL DESKTOP WEATHER.lnk = C:\Program Files\WRAL DESKTOP WEATHER\TrueWeather.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com.../gigexagent.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2000i\AcDcToday.ocx
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7522.5502893519
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft...hy/clearadj.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2000i\AcPreview.ocx

#3 skipsters (Full Member, 3 posts)

Posted 09 July 2004 - 07:28 AM

Hi

I would say the entries in red look fishy from your log. If you don't know what they are doing or which apps they are attributed to, then they could be the culprit:

O4 - HKLM\..\Run: [mfcwa32.exe] C:\WINDOWS\mfcwa32.exe
O4 - HKLM\..\RunOnce: [sdkop32.exe] C:\WINDOWS\sdkop32.exe
O4 - HKLM\..\Run: [atlee32.exe] C:\WINDOWS\atlee32.exe
O4 - HKLM\..\RunOnce: [mshx.exe] C:\WINDOWS\mshx.exe
O4 - HKLM\..\RunOnce: [atlff.exe] C:\WINDOWS\system32\atlff.exe
O4 - HKLM\..\RunOnce: [apifr.exe] C:\WINDOWS\apifr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\mfcwa32.exe
O4 - Global Startup: WRAL DESKTOP WEATHER.lnk = C:\Program Files\WRAL DESKTOP WEATHER\TrueWeather.exe
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com.../gigexagent.dll


and obviously:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://clueo.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://clueo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://clueo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
O2 - BHO: (no name) - {5B81957C-668C-8DEE-B1F0-B56CE783D0E2} - C:\WINDOWS\netin.dll


I recently solved a similar homepage hijacker by doing the following. If the above files are not known to you, then try the below:

1. Stopped the spyware services in taskmgr. Searched for and deleted the service registry keys I stopped in taskmgr.
3. Searched for and deleted the files that were to run at startup that I deemed as spyware, from the results of the EXAM DIF comparison with a clean machine.
4. Ran HijackThis to delete the rogue Browser Helper Object and to see if any new strange files appeared.
5. Deleted internet files, cleared history, and got rid of downloaded internet objects.
6. Changed default home page to www.googe.com

Also rerun the log so you can have the entries below:
Enumerating Windows NT/2000/XP services

Hope this helps

#4 Marikita (Malware Intern, Retired Staff - Helper, 1,822 posts)

Posted 09 July 2004 - 10:04 AM

Hello wgs426

Please disregard Skipsters' advice; it may not solve your problem.

This is what you do instead:
Download About:Buster (created by Rubber Ducky) and unzip it to your desktop. Start it, hit OK, Start, and OK again to start the scan. It will generate a log. Post that log along with a new HijackThis log here.
Everything is inconsequential, from a cosmological perspective.

#5 wgs426 (Full Member, 7 posts)

Posted 09 July 2004 - 11:32 AM

Thanks Marikita. I've already run About:Buster both live and in Safe Mode. I will try again later tonight and will post the logs as soon as I can.

#6 wgs426 (Full Member, 7 posts)

Posted 09 July 2004 - 08:26 PM

About:Buster Version 1.24
Removed! : C:\WINDOWS\apegr.dat
Removed! : C:\WINDOWS\bsoce.dat
Removed! : C:\WINDOWS\sdkop32.exe
Removed! : C:\WINDOWS\tulow.dat
Removed! : C:\WINDOWS\System32\javaqy32.exe
Removed! : C:\WINDOWS\System32\sbgmt.dat
Removed! : C:\WINDOWS\System32\tnrig.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

========================

Logfile of HijackThis v1.97.7
Scan saved at 9:22:04 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\ggviewer67-84.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\mfcwa32.exe
C:\WINDOWS\system32\javaqy32.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://clueo.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://clueo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://clueo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [mfcwa32.exe] C:\WINDOWS\mfcwa32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\RunOnce: [javaqy32.exe] C:\WINDOWS\system32\javaqy32.exe
O4 - HKLM\..\RunOnce: [sdkop32.exe] C:\WINDOWS\sdkop32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: WRAL DESKTOP WEATHER.lnk = C:\Program Files\WRAL DESKTOP WEATHER\TrueWeather.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2000i\AcDcToday.ocx
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7522.5502893519
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft...hy/clearadj.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2000i\AcPreview.ocx

#7 Marikita (Malware Intern, Retired Staff - Helper, 1,822 posts)

Posted 10 July 2004 - 10:45 PM

Hello

Reboot to Safe Mode.
Turn on Task Manager and stop the following running processes if present:
C:\WINDOWS\mfcwa32.exe
C:\WINDOWS\system32\javaqy32.exe
and run About:Buster again.

After that, configure your Windows Explorer to enable viewing of hidden files.
How to?
http://www.xtra.co.n...1916458,00.html


Run HijackThis and fix the following entries if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://clueo.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://clueo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://clueo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676

O4 - HKLM\..\Run: [mfcwa32.exe] C:\WINDOWS\mfcwa32.exe
O4 - HKLM\..\RunOnce: [javaqy32.exe] C:\WINDOWS\system32\javaqy32.exe
O4 - HKLM\..\RunOnce: [sdkop32.exe] C:\WINDOWS\sdkop32.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Go to Windows Explorer and delete the following files if present:

C:\WINDOWS\system32\clueo.dll
C:\WINDOWS\mfcwa32.exe
C:\WINDOWS\system32\javaqy32.exe
C:\WINDOWS\sdkop32.exe

Reboot your computer and post a fresh HijackThis log here.
Everything is inconsequential, from a cosmological perspective.
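An added triage example (my code, not from any poster or tool in this thread): it parses the R0/R1, O2 and O4 lines from constructed excerpts shaped like the logs above, flags the res:// start/search pages, the nameless BHO and the self-named loader entries in Run/RunOnce that the fix list above targets, and diffs two logs to show the file names rotating between cleanups. The loader heuristic (value name equal to the file name, file sitting directly in WINDOWS or System32) is an assumption drawn from this thread's logs, not a general rule.

```python
"""Triage helper for HijackThis logs, written around this thread: it flags
the res:// start/search-page hijack, nameless BHOs and the self-named
loader entries in Run/RunOnce, then diffs two logs to show names rotating."""
import re

# Constructed excerpts in the shape of the thread's logs (entry lines only).
LOG_JUNE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pqqkq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pqqkq.dll/index.html#96676
O2 - BHO: (no name) - {62005B4B-CE95-80CF-E5CD-802CCE4029E7} - C:\WINDOWS\mssi.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [atlee32.exe] C:\WINDOWS\atlee32.exe
O4 - HKLM\..\RunOnce: [mshx.exe] C:\WINDOWS\mshx.exe
O4 - HKLM\..\RunOnce: [atlff.exe] C:\WINDOWS\system32\atlff.exe
"""
LOG_JULY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clueo.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://clueo.dll/index.html#96676
O2 - BHO: (no name) - {5B81957C-668C-8DEE-B1F0-B56CE783D0E2} - C:\WINDOWS\netin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [mfcwa32.exe] C:\WINDOWS\mfcwa32.exe
O4 - HKLM\..\RunOnce: [javaqy32.exe] C:\WINDOWS\system32\javaqy32.exe
"""

# R0/R1 lines whose value is a res:// URL; captures the DLL the pages live in.
RES_RE = re.compile(
    r"^R[01] - (HK\w+)\\.*?,([\w ]+) = res://(?:[^/]*\\)?([^\\/]+\.dll)/", re.I)
# O2 BHO lines: display name, CLSID, DLL path.
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-F-]+)\} - (.+)$", re.I)
# O4 Run/RunOnce lines: hive, key, value name, command.
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$", re.I)
# Folders the hijacker dropped its loaders into in this thread (assumption).
WINDIRS = {r"c:\windows", r"c:\windows\system32"}


def _exe_path(cmd):
    """Pull the executable path out of a Run value, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return the suspicious entries of one log, all lower-cased."""
    res_dlls, bhos, loaders = set(), [], set()
    for line in log_text.splitlines():
        if (m := RES_RE.match(line)):
            res_dlls.add(m.group(3).lower())
        elif (m := BHO_RE.match(line)):
            if m.group(1).strip().lower() == "(no name)":
                bhos.append(m.group(3).lower())
        elif (m := RUN_RE.match(line)):
            name = m.group(3).strip().lower()
            path = _exe_path(m.group(4)).lower()
            folder, _, base = path.rpartition("\\")
            # Pattern seen in this thread: value name is just the file name
            # and the file sits directly in WINDOWS or System32.
            if base == name and folder in WINDIRS:
                loaders.add(path)
    return {"res_dlls": res_dlls, "nameless_bhos": bhos, "loaders": loaders}


def compare(before, after):
    """Diff two triage results: what rotated between successive logs."""
    return {
        "dll_changed": before["res_dlls"] != after["res_dlls"],
        "loaders_gone": before["loaders"] - after["loaders"],
        "loaders_new": after["loaders"] - before["loaders"],
        "still_hijacked": bool(after["res_dlls"]),
    }


if __name__ == "__main__":
    june, july = triage(LOG_JUNE), triage(LOG_JULY)
    for label, t in (("June", june), ("July", july)):
        print(label, sorted(t["res_dlls"]), t["nameless_bhos"],
              sorted(t["loaders"]))
    # Same hijack, new names: the loaders must go in the same pass as the DLL.
    print(compare(june, july))
```

A non-empty `loaders_new` alongside `still_hijacked` is the signature of the reinstall loop the poster describes: cleaning only the file named in the last log leaves the RunOnce loader to drop a fresh DLL under a new name.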

#8 wgs426 (Full Member, 7 posts)

Posted 11 July 2004 - 05:53 PM

Followed your advice with no problem other than the fact that most of the files you wanted deleted did not show up in Explorer. The latest HJT log is below. Thanks very much for your help - this seems to be a very persistent bug.

Logfile of HijackThis v1.97.7
Scan saved at 6:50:24 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Google\ggviewer67-84.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\mfcwa32.exe
C:\WINDOWS\system32\netqr32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rirtg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rirtg.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rirtg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rirtg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rirtg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rirtg.dll/sp.html#96676
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DCDD3EBB-0CE4-4125-DF54-E86A5E591D07} - C:\WINDOWS\winve32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\RunOnce: [netmh32.exe] C:\WINDOWS\netmh32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: WRAL DESKTOP WEATHER.lnk = C:\Program Files\WRAL DESKTOP WEATHER\TrueWeather.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2000i\AcDcToday.ocx
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7522.5502893519
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft...hy/clearadj.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2000i\AcPreview.ocx

#9 wgs426 (Member, Full Member, 7 posts)

Posted 13 July 2004 - 08:17 PM

Had to reboot system due to a power outage. Thought I ought to post updated logs. Hope someone out there is listening. This bug is still with me even though I continue to run updated versions of AdAware, AboutBuster, etc. Thanks.

About:Buster Version 1.24
Removed! : C:\WINDOWS\rijbj.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

======================================

Logfile of HijackThis v1.97.7
Scan saved at 9:11:37 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\apphz32.exe
C:\Program Files\Google\ggviewer67-84.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\syssu32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rijbj.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rijbj.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rijbj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rijbj.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rijbj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rijbj.dll/sp.html#96676
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D7595883-DFA2-3BDB-61CA-458C65127F0F} - C:\WINDOWS\system32\addsh32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [syssu32.exe] C:\WINDOWS\system32\syssu32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\RunOnce: [apphz32.exe] C:\WINDOWS\system32\apphz32.exe
O4 - HKLM\..\RunOnce: [ieeb.exe] C:\WINDOWS\system32\ieeb.exe
O4 - HKLM\..\RunOnce: [iptz32.exe] C:\WINDOWS\iptz32.exe
O4 - HKLM\..\RunOnce: [syslb.exe] C:\WINDOWS\syslb.exe
O4 - HKLM\..\RunOnce: [netda.exe] C:\WINDOWS\system32\netda.exe
O4 - HKLM\..\RunOnce: [netcc32.exe] C:\WINDOWS\system32\netcc32.exe
O4 - HKLM\..\RunOnce: [winrs.exe] C:\WINDOWS\winrs.exe
O4 - HKLM\..\RunOnce: [iejw32.exe] C:\WINDOWS\system32\iejw32.exe
O4 - HKLM\..\RunOnce: [msym.exe] C:\WINDOWS\msym.exe
O4 - HKLM\..\RunOnce: [addmj32.exe] C:\WINDOWS\system32\addmj32.exe
O4 - HKLM\..\RunOnce: [wineo32.exe] C:\WINDOWS\wineo32.exe
O4 - HKLM\..\RunOnce: [mfcmz.exe] C:\WINDOWS\mfcmz.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: WRAL DESKTOP WEATHER.lnk = C:\Program Files\WRAL DESKTOP WEATHER\TrueWeather.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2000i\AcDcToday.ocx
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7522.5502893519
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft...hy/clearadj.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2000i\AcPreview.ocx

#10 Marikita (Malware Intern, Retired Staff - Helper, 1,822 posts)

Posted 15 July 2004 - 10:29 PM

Let's try this solution by CalamityJane

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.


Make sure your PC is configured to show hidden files

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"



Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.



Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam


Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rijbj.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rijbj.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rijbj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rijbj.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rijbj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rijbj.dll/sp.html#96676

O2 - BHO: (no name) - {D7595883-DFA2-3BDB-61CA-458C65127F0F} - C:\WINDOWS\system32\addsh32.dll


O4 - HKLM\..\Run: [syssu32.exe] C:\WINDOWS\system32\syssu32.exe
O4 - HKLM\..\RunOnce: [apphz32.exe] C:\WINDOWS\system32\apphz32.exe
O4 - HKLM\..\RunOnce: [ieeb.exe] C:\WINDOWS\system32\ieeb.exe
O4 - HKLM\..\RunOnce: [iptz32.exe] C:\WINDOWS\iptz32.exe
O4 - HKLM\..\RunOnce: [syslb.exe] C:\WINDOWS\syslb.exe
O4 - HKLM\..\RunOnce: [netda.exe] C:\WINDOWS\system32\netda.exe
O4 - HKLM\..\RunOnce: [netcc32.exe] C:\WINDOWS\system32\netcc32.exe
O4 - HKLM\..\RunOnce: [winrs.exe] C:\WINDOWS\winrs.exe
O4 - HKLM\..\RunOnce: [iejw32.exe] C:\WINDOWS\system32\iejw32.exe
O4 - HKLM\..\RunOnce: [msym.exe] C:\WINDOWS\msym.exe
O4 - HKLM\..\RunOnce: [addmj32.exe] C:\WINDOWS\system32\addmj32.exe
O4 - HKLM\..\RunOnce: [wineo32.exe] C:\WINDOWS\wineo32.exe
O4 - HKLM\..\RunOnce: [mfcmz.exe] C:\WINDOWS\mfcmz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Go to Windows Explorer and delete the following files if present

C:\WINDOWS\system32\apphz32.exe
C:\WINDOWS\system32\syssu32.exe
C:\WINDOWS\rijbj.dll
C:\WINDOWS\system32\ieeb.exe
C:\WINDOWS\iptz32.exe
C:\WINDOWS\syslb.exe
C:\WINDOWS\system32\netda.exe
C:\WINDOWS\system32\netcc32.exe
C:\WINDOWS\winrs.exe
C:\WINDOWS\system32\iejw32.exe
C:\WINDOWS\msym.exe
C:\WINDOWS\system32\addmj32.exe
C:\WINDOWS\wineo32.exe
C:\WINDOWS\mfcmz.exe


Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

Scan with Adaware and let it remove any bad files found


Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin



Reboot to normal mode, scan again with Hijack This and post a new log here.

Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
Everything is inconsequential, from a cosmological perspective.
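
The triage the helper did by hand above, as an added example that is not part of this thread or of HijackThis: a small Python script that reads HJT-format log lines and flags the three patterns fixed in the post (IE pages redirected to a res:// DLL, a nameless BHO under C:\WINDOWS, and Run/RunOnce values named after their own executable in C:\WINDOWS or system32), then lists the files those entries point at. All function and variable names are mine, and the sample log is constructed from the log formats posted in this thread.

```python
"""Flag browser-hijack entries in a HijackThis (v1.9x-format) log.

Added example for this thread; not code from HijackThis or the forum.
The heuristics are the ones the helper applied by hand to the logs above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rijbj.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rijbj.dll/index.html#96676
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D7595883-DFA2-3BDB-61CA-458C65127F0F} - C:\WINDOWS\system32\addsh32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [syssu32.exe] C:\WINDOWS\system32\syssu32.exe
O4 - HKLM\..\RunOnce: [iptz32.exe] C:\WINDOWS\iptz32.exe
O4 - HKLM\..\RunOnce: [netda.exe] C:\WINDOWS\system32\netda.exe
"""

RE_R = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.+)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<subkey>RunOnce|Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# res://<dll>/<page>: an IE start/search page served out of a DLL's resources
RE_RES_DLL = re.compile(r"^res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)

# Directories every malicious file in this thread was dropped into.
WINDIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class Finding:
    line: str
    reason: str
    path: Optional[str]  # absolute path of the file behind the entry, if the line gives one


def _parent(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def analyse(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_R.match(line)
        if m:
            r = RE_RES_DLL.match(m["value"])
            if r:  # Start/Search/Default page pointing into a DLL resource
                dll = r["dll"]
                findings.append(Finding(line, "IE page redirected to res:// inside a DLL",
                                        dll if ":" in dll else None))
            continue
        m = RE_O2.match(line)
        if m and m["name"] == "(no name)" and _parent(m["path"]) in WINDIRS:
            findings.append(Finding(line, "nameless BHO loaded from the Windows directory", m["path"]))
            continue
        m = RE_O4.match(line)
        if m:
            cmd = m["cmd"].strip('"')
            # The malicious Run/RunOnce values here were named after their own
            # executable and dropped straight into C:\WINDOWS or system32;
            # legitimate entries carry a descriptive name like [ccApp].
            if m["name"].lower() == _basename(cmd).lower() and _parent(cmd) in WINDIRS:
                findings.append(Finding(line, f"{m['subkey']} value named after its own executable in the Windows directory", cmd))
    return findings


def files_to_delete(findings: List[Finding]) -> List[str]:
    """Unique absolute paths behind the flagged entries, in log order."""
    out: List[str] = []
    for f in findings:
        if f.path and f.path.lower() not in (p.lower() for p in out):
            out.append(f.path)
    return out


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"[{f.reason}] {f.line}")
    print("\nFiles to delete in Safe Mode:")
    for p in files_to_delete(found):
        print("  " + p)
```

The R0 entry names only `rijbj.dll` with no directory, so the script takes the absolute path from the matching R1 entry; as in the thread, the same DLL is rewritten with a new random name after each partial cleanup, so the list has to be regenerated from a fresh log each time.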

#11 wgs426 (Member, Full Member, 7 posts)

Posted 16 July 2004 - 05:51 PM

You guys may have just gotten it this time. Boy, this was really tough to get rid of. I've opened IE several times and my start page continues to stay as I set it. Here are my logs for your review. Thanks again for the help - your assistance has been invaluable. GREAT JOB!!!!

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\System32\zohxa.dat
Removed! : C:\WINDOWS\System32\zrtvh.dat
Removed! : C:\WINDOWS\System32\zylur.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)

==================================

Logfile of HijackThis v1.97.7
Scan saved at 6:45:55 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\crbt.exe
C:\Program Files\Google\ggviewer67-84.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\HJT\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\5s6btdne.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\RunOnce: [crbt.exe] C:\WINDOWS\system32\crbt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: WRAL DESKTOP WEATHER.lnk = C:\Program Files\WRAL DESKTOP WEATHER\TrueWeather.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2000i\AcDcToday.ocx
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7522.5502893519
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft...hy/clearadj.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2000i\AcPreview.ocx

#12 Marikita

    Malware Intern

  • Retired Staff - Helper
  • 1,822 posts

Posted 17 July 2004 - 12:29 PM

Nice =) We seem to have hit the motherlode.

Just do this one final thing and you'll be clean.

Reboot to Safe Mode,
Run HijackThis and fix this entry:
O4 - HKLM\..\RunOnce: [crbt.exe] C:\WINDOWS\system32\crbt.exe

Go to Windows Explorer and delete the same file, C:\WINDOWS\system32\crbt.exe,
if present.

After this your computer should be clean. However, this bug has a tendency to come back; if it does, send me a personal message and post your HijackThis log in a new topic.

These are the steps you can take to prevent further infection:

Update the latest security patches for Windows.
These can be accessed by going to http://v4.windowsupdate.microsoft.com/ and following the prompts.

A firewall also helps to prevent further intrusion.
You can try this, it's free:
http://www.zonelabs....lid=zadb_zadown

Update your antivirus periodically also; virus programmers simply have too much time on their hands, and they thus spend their useless lives devising new methods of compromising your right to privacy and screwing up your system.

I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the Recycle Bin by right-clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

For further protection, this is what you can do:

Download Spybot S&D from
http://www.tomcoyote.org/SPYBOT.

It would be advisable to run Spybot and AdAware periodically.

Everything is inconsequential, from a cosmological perspective.
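As an added example, not from the thread and not HijackThis's or the helper's own code: a small Python parser for the O4 (registry Run / startup folder) lines of a HijackThis 1.97 log that flags the kinds of entries the helper has the poster fix. The sample lines are copied from the log above; the three heuristics it applies (a RunOnce value, a bare filename with no path, and a four- or five-letter lowercase name under the Windows directory, like crbt.exe and the .dat names in the removal log) are my assumptions about what deserves a second look, not rules stated in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: O4 lines in HijackThis 1.97 format copied from the log
# posted in this thread, plus one O2 line to show that non-O4 lines are skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [crbt.exe] C:\WINDOWS\system32\crbt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
"""

# "O4 - HKLM\..\Run: [ValueName] command line"
REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# "O4 - Global Startup: Name.lnk = command line"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.*?) = (.*)$")
# Executable part of a command line: either a quoted path, or an unquoted one
# running up to the first PE-style extension (unquoted paths may contain spaces,
# so splitting on whitespace would cut "C:\Program Files\..." in half).
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|ocx|com|scr))(?=\s|$)', re.IGNORECASE)


@dataclass
class Entry:
    hive: str      # "HKLM", "HKCU" or "Startup"
    key: str       # "Run", "RunOnce", ... or "Global Startup"
    name: str      # registry value name or .lnk name
    command: str   # full command line as HijackThis printed it
    path: str      # executable part of the command line (quotes stripped)


def executable_of(command: str) -> str:
    command = command.strip()
    m = EXE_RE.match(command)
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0] if command else ""


def parse_o4(text: str) -> list[Entry]:
    """Parse every O4 line of a HijackThis log; other line types are ignored."""
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := REG_RE.match(line):
            hive, key, name, cmd = m.groups()
            entries.append(Entry(hive, key, name, cmd, executable_of(cmd)))
        elif m := STARTUP_RE.match(line):
            name, cmd = m.groups()
            entries.append(Entry("Startup", "Global Startup", name, cmd, executable_of(cmd)))
    return entries


def reasons_for(e: Entry) -> list[str]:
    """Heuristic review flags (assumptions of this example, not HijackThis rules)."""
    reasons = []
    if e.key.lower() == "runonce":
        # A RunOnce value is deleted by Windows once it has run, so one that is
        # still present after reboots is being re-created by something.
        reasons.append("RunOnce value: should vanish after one boot, so persistence means it is being re-added")
    if "\\" not in e.path:
        reasons.append("bare filename: located through the search path rather than a fixed directory")
    stem = e.path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\windows\\" in e.path.lower() and re.fullmatch(r"[a-z]{4,5}", stem):
        reasons.append("short random-looking name in the Windows directory")
    return reasons


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, list[str]]]:
    """Return only the entries that have at least one review flag."""
    return [(e, r) for e in entries if (r := reasons_for(e))]


if __name__ == "__main__":
    for entry, why in flag_entries(parse_o4(SAMPLE_LOG)):
        print(f"{entry.hive}\\{entry.key} [{entry.name}] -> {entry.path}")
        for reason in why:
            print(f"    - {reason}")
```

On the sample above this prints the EssSpkPhone entry (bare filename) and the crbt.exe entry (RunOnce plus a four-letter name in system32); the Norton, Messenger and Acrobat lines pass. A flag is a reason to look the file up, not a verdict: essspk.exe here is a legitimate speakerphone driver, so the output is a short list to check, in the same spirit as a helper reading a posted log.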