• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
mike12345

I need help with random 5 digit .exe file

8 posts in this topic

This iteration it is call altfu.exe

If I delete it from windows/system32/ another random 5 digit .exe is produced. here is my hijack this log:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:57:05 PM, on 6/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\mysql\bin\mysqld.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\atlri.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\taskmgr.exe

C:\WINDOWS\system32\atlfu.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\temp\HijackThis.exe

C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uzwkq.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uzwkq.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://uzwkq.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uzwkq.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uzwkq.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uzwkq.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {707F0F71-057B-4AA0-B6C8-47ADC7D5FD34} - C:\WINDOWS\system32\mfctk.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [WinPatrol Plus] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

O4 - HKLM\..\Run: [atlfu.exe] C:\WINDOWS\system32\atlfu.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Edit with XML Spy (HKCU)

O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: JSyn Audio - http://www.softsynth.com/jsyn/plugins/archives/jsynv142.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.archibus.com/CFIDE/classes/CFJava.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://63.118.100.51/main/Install/en/US/CentraDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cyberfm.local

O17 - HKLM\Software\..\Telephony: DomainName = cyberfm.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cyberfm.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cyberfm.local

Share this post


Link to post
Share on other sites

Please download About:Buster by RubbeR DuckY ( thats me lol ) from

 

Here

 

Then Unzip it to your desktop. Do not run it yet. Print these directions or paste them into a text document as you will be running with your internet explorer closed. Restarting internet explorer may cause a reinfection.

 

Please start Hijack this and tick the boxes next to these items.

 

O2 - BHO: (no name) - {707F0F71-057B-4AA0-B6C8-47ADC7D5FD34} - C:\WINDOWS\system32\mfctk.dll

O4 - HKLM\..\Run: [atlfu.exe] C:\WINDOWS\system32\atlfu.exe

 

Then close all windows and hit fix checked. Now startup About:Buster. Hit ok on the first prompt and then hit start. Next hit ok. Wait till the scan completes and copy the report and save it somewhere. Rerun About:Buster to make sure everything was deleted. Then restart your computer.

 

It is now safe to reopen Internet explorer. Please post a new hijack this log along with a report.

Share this post


Link to post
Share on other sites

1) followed your directions, ran Buster 1st time:

 

About:Buster Version 1.21

Error Removing! : C:\WINDOWS\atlri.exe

Removed! : C:\WINDOWS\pihhd.dat

Removed! : C:\WINDOWS\uzwkq.dll

Removed! : C:\WINDOWS\System32\qtnjo.dll

Removed! : C:\WINDOWS\System32\pxubl.dat

Removed! : C:\WINDOWS\System32\qtnjo.dat

Removed! : C:\WINDOWS\System32\rafpy.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

2) removed these from task manager manually. they were in memory: (WinPatrol is blocking them from going in my startup folder)

 

altfu.exe

altri.exe

 

 

3) reran Buster

 

About:Buster Version 1.21

Removed! : C:\WINDOWS\atlri.exe

Removed! : C:\WINDOWS\sysru.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

4) reran again

About:Buster Version 1.21

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

 

5) Rebooted

 

6) HijackThis log

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:32:19 AM, on 6/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\mysql\bin\mysqld.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\TextPad 4\TextPad.exe

C:\Documents and Settings\TimS.CYBERFM\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D317FD4A-8BEC-5C0E-90F8-92A748A8F4B6} - C:\WINDOWS\ieth32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [WinPatrol Plus] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Edit with XML Spy (HKCU)

O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: JSyn Audio - http://www.softsynth.com/jsyn/plugins/archives/jsynv142.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.archibus.com/CFIDE/classes/CFJava.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://63.118.100.51/main/Install/en/US/CentraDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cyberfm.local

O17 - HKLM\Software\..\Telephony: DomainName = cyberfm.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cyberfm.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cyberfm.local

Share this post


Link to post
Share on other sites

ran hijackthis again:

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:44:38 AM, on 6/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\mysql\bin\mysqld.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\TextPad 4\TextPad.exe

C:\Documents and Settings\TimS.CYBERFM\Desktop\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiv32.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qtnjo.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qtnjo.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qtnjo.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qtnjo.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D317FD4A-8BEC-5C0E-90F8-92A748A8F4B6} - C:\WINDOWS\ieth32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [WinPatrol Plus] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Edit with XML Spy (HKCU)

O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: JSyn Audio - http://www.softsynth.com/jsyn/plugins/archives/jsynv142.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.archibus.com/CFIDE/classes/CFJava.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://63.118.100.51/main/Install/en/US/CentraDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cyberfm.local

O17 - HKLM\Software\..\Telephony: DomainName = cyberfm.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cyberfm.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cyberfm.local

Share this post


Link to post
Share on other sites

following up to myself...

 

I reran the instructions from RD, but then also downloaded ad-aware 6.0. The combination of hijacthis, aboutbuser, and ad-ware (which found 8 other things) seemed to take care of this.

 

thx RD

 

Mike

Share this post


Link to post
Share on other sites

Just a little note. (I'm not a helper here or anything so I'll just let you know I'm speaking for myself not for this site) Keep an eye on the outgoing sends from your computer. I had the same problem on my XP machine, and it ended up being the Sasser worm. What it does is exploit a bug in LSASS.EXE to force you to download & execute the worm. Then it sets up an FTP server and randomizes IP addresses until it finds other computers it can exploit. It then forces them to download the file from you. The files it creates for download are four- or five-digit random numbers with the .exe extension.

 

Keep Windows XP fully updated at all times. Microsoft has released an update to patch this security hole.

 

Good luck, and if this sounds like it might be your computer, search for information on W32/Sasser.Worm on Symantec.com.

Share this post


Link to post
Share on other sites

RubbeR DuckY --- Thanks a million! This seems to have worked for me.

 

I ran Hijack, removed one suspicious BHO entry (sysjo.dll) that may or may not have been associated with the malware...I don't know, removed a bunch of HKLM\..\Run entries that I know were associated with this thing (at this point, their names were unfortunately all too familar and recognizable). Then I ran your About:Buster -- it found a couple of dozen additional .dat files that were missed by ad-aware, spybot, and trendmicro.

 

After deleting those I am (cross-fingers) finally clean: at least no problems booting, and no more rogue processes created when I start up IE; so unless there are additional time bombs it looks good. No idea how I got this, but it was pretty horrid.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0