Another One's Been Hijacked!


This topic is locked.
10 replies to this topic

#1 myalias (New Member, 6 posts)

Posted 10 August 2004 - 09:52 AM

Below is the log from hijackthis. Thanks!


Logfile of HijackThis v1.97.7
Scan saved at 11:47:27 AM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sysas32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\addkv32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pamela\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhidf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yhidf.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yhidf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhidf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yhidf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yhidf.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E0C6D820-8362-D0D4-A3D2-7D77A7FCA0D9} - C:\WINDOWS\crag.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [addkv32.exe] C:\WINDOWS\addkv32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [sysas32.exe] C:\WINDOWS\system32\sysas32.exe
O4 - HKLM\..\RunOnce: [ipfl32.exe] C:\WINDOWS\system32\ipfl32.exe
O4 - HKLM\..\RunOnce: [msjj32.exe] C:\WINDOWS\msjj32.exe
O4 - HKLM\..\RunOnce: [mfcto.exe] C:\WINDOWS\system32\mfcto.exe
O4 - HKLM\..\RunOnce: [javayt.exe] C:\WINDOWS\javayt.exe
O4 - HKLM\..\RunOnce: [atlfv.exe] C:\WINDOWS\atlfv.exe
O4 - HKLM\..\RunOnce: [mssv.exe] C:\WINDOWS\system32\mssv.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yaho...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



#2 MrCharlie (SuperMember, Malware Team, 2,949 posts)

Posted 10 August 2004 - 05:40 PM

Please read through the instructions before you start (you may want to print this out).

Please note that every time you reboot your computer there's a good chance that the file names may have changed.
The link below will help ID them:
http://www.pchell.co...lythebest.shtml

Please download and unzip AboutBuster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, then close the box. Don't run it yet.
Current reference list # is 14


You may also find TheKillBox helpful for deleting and ending task on files to be deleted.
To end task on a file that's running, use the drop-down arrow in the lower right corner of the program and the button to the left of it.


1. Please download and install AD-Aware.
Check here on how to set up and use it - please make sure you update it first.

2. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service" (it may also be listed as Remote Procedure Call (RPC) Helper or Workstation NetLogon Service)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows. If you don't find this service listed, go ahead with the next steps.

3. Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and uncheck "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigha...ds/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

4. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

addkv32.exe
sysas32.exe
ipfl32.exe
msjj32.exe
mfcto.exe
javayt.exe
atlfv.exe
mssv.exe


If you find the files, click on them, and then click End Process => Exit the Task Manager.


5. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhidf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yhidf.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yhidf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhidf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yhidf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yhidf.dll/sp.html#96676
O2 - BHO: (no name) - {E0C6D820-8362-D0D4-A3D2-7D77A7FCA0D9} - C:\WINDOWS\crag.dll
O4 - HKLM\..\Run: [addkv32.exe] C:\WINDOWS\addkv32.exe
O4 - HKLM\..\RunOnce: [sysas32.exe] C:\WINDOWS\system32\sysas32.exe
O4 - HKLM\..\RunOnce: [ipfl32.exe] C:\WINDOWS\system32\ipfl32.exe
O4 - HKLM\..\RunOnce: [msjj32.exe] C:\WINDOWS\msjj32.exe
O4 - HKLM\..\RunOnce: [mfcto.exe] C:\WINDOWS\system32\mfcto.exe
O4 - HKLM\..\RunOnce: [javayt.exe] C:\WINDOWS\javayt.exe
O4 - HKLM\..\RunOnce: [atlfv.exe] C:\WINDOWS\atlfv.exe
O4 - HKLM\..\RunOnce: [mssv.exe] C:\WINDOWS\system32\mssv.exe



6. Delete the following files if present:


C:\WINDOWS\crag.dll
C:\WINDOWS\addkv32.exe
C:\WINDOWS\msjj32.exe
C:\WINDOWS\javayt.exe
C:\WINDOWS\atlfv.exe
C:\WINDOWS\system32\mssv.exe
C:\WINDOWS\system32\yhidf.dll
C:\WINDOWS\system32\sysas32.exe
C:\WINDOWS\system32\mfcto.exe
C:\WINDOWS\system32\ipfl32.exe

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

7. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

8. Scan with AdAware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

10. Click here http://www.davehigha...s/cwsuninst.zip to download cwsuninst.zip.
Extract cwsuninst.reg from the zip file and save it to the desktop.
When done, double-click the cwsuninst.reg and when asked to merge say yes.

11. Download the Hoster from here http://members.aol.c...dbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

12. Download and run this online virus scan:
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean"

12a. Download CW-Shredder to your desktop and run it from there.
Hit the Fix button and let it run and fix what it finds; make sure you have all browser windows closed.


13. Reboot to normal mode and post a fresh HJT log. MrC
PLEASE USE THE NEW VERSION OF HJT 1.98.2
HJT new version 1.98.2
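
The triage MrCharlie does by eye in the post above (pick out the res:// start and search pages, the unnamed BHO sitting in the Windows root, and the Run/RunOnce entries named after random executables in C:\WINDOWS or System32) can be written down as rules and run over a log. The following is an added example and is not code from this thread, from HijackThis or from the What the Tech staff: the sample lines are copied from the log in post #1, while the prefix list, the directory set and the rule thresholds are the author's assumptions drawn from the names that appear in this thread.

```python
"""Triage a HijackThis log for CoolWebSearch / about:blank hijacker entries.

Added example, not code from the forum post or from HijackThis. Rules:
  * an IE start/search page whose value is a res:// page inside a DLL;
  * a BHO with "(no name)" loaded straight from the Windows directory;
  * a Run/RunOnce entry in the Windows root or System32 whose label is just
    the file name, or whose stem looks like <system prefix><letters>[32].
The prefix list and directory set are assumptions based on this thread.
"""
import re

# Assumption: default C: install, as in the posted logs (compared lower-cased).
WIN_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Assumption: prefixes seen on the random names in this thread's logs
# (addkv32, sysas32, ipfl32, msjj32, mfcto, javayt, atlfv, mssv, netjj ...).
CWS_PREFIXES = ("add", "api", "app", "atl", "d3", "ie", "ip", "java",
                "mfc", "ms", "net", "sdk", "sys", "win")
RANDOM_STEM = re.compile(r"^(?:%s)[a-z]{2,5}(?:32)?$" % "|".join(CWS_PREFIXES))

R_LINE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.+)$")
O4_LINE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run(?:Once)?): \[(.+?)\] (.+)$")
RES_DLL = re.compile(r"^res://(.+?\.dll)", re.I)
EXE_PATH = re.compile(r'^"?(.+?\.exe)"?', re.I)

# Constructed sample: a subset of the HJT v1.97.7 log in post #1 above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhidf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yhidf.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E0C6D820-8362-D0D4-A3D2-7D77A7FCA0D9} - C:\WINDOWS\crag.dll
O4 - HKLM\..\Run: [addkv32.exe] C:\WINDOWS\addkv32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\RunOnce: [sysas32.exe] C:\WINDOWS\system32\sysas32.exe
O4 - HKLM\..\RunOnce: [javayt.exe] C:\WINDOWS\javayt.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
"""


def _parent_dir(path: str) -> str:
    path = path.strip('"').lower()
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def _in_windows_dir(path: str) -> bool:
    """True when the file sits directly in the Windows root or System32."""
    return _parent_dir(path) in WIN_DIRS


def _basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1]


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspicious HJT line: {line, file, reason}."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            dll = RES_DLL.match(m.group(3))
            if dll:
                findings.append({"line": line, "file": dll.group(1),
                                 "reason": "IE page/search URL is a res:// page inside a DLL"})
            continue
        m = O2_LINE.match(line)
        if m:
            name, path = m.group(1), m.group(3)
            if name == "(no name)" and _in_windows_dir(path):
                findings.append({"line": line, "file": path,
                                 "reason": "unnamed BHO loaded from the Windows directory"})
            continue
        m = O4_LINE.match(line)
        if m:
            key, label, target = m.groups()
            exe = EXE_PATH.match(target)
            path = exe.group(1) if exe else target
            if not _in_windows_dir(path):
                continue          # vendor software under Program Files is left alone
            reasons = []
            if label.lower() == _basename(path).lower():
                reasons.append("Run entry label is just the file name")
            if RANDOM_STEM.match(_basename(path).lower().rsplit(".", 1)[0]):
                reasons.append("random-looking file name with a system-like prefix")
            if reasons:
                findings.append({"line": line, "file": path,
                                 "reason": "%s: %s" % (key, "; ".join(reasons))})
    return findings


def files_to_delete(findings: list[dict]) -> list[str]:
    """Distinct file paths behind the flagged entries (the step 6 list)."""
    return sorted({f["file"] for f in findings}, key=str.lower)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-60s %s" % (f["reason"], f["file"]))
    print("delete:", files_to_delete(triage(SAMPLE_LOG)))
```

The stem pattern on its own is weak (winlogon would match it), which is why it is only applied to autostart entries that already sit in the Windows root or System32 and is paired with the label-equals-file-name check. On the later logs in this thread the res:// and label rules still catch njevp.dll, syssc.dll and netjj.exe even though the prefix list does not know those stems, which is the same reason MrCharlie re-reads each fresh log rather than relying on the previous file names.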


#3 myalias (New Member, 6 posts)

Posted 13 August 2004 - 08:08 AM

Hi. I followed all of the steps of the script that was sent. However, the running of AboutBuster did not complete because it errored out with the following message:

Last bad data stream found: N
Currently Scanning File: C:\WINDOWCOMSETUP.LOG
Run-time error '13': Type Mismatch

I did continue with the rest of the steps and have posted the latest hijackthis log. The problem still exists but with different filenames. Do I need another version of AboutBuster or something else?

#4 myalias (New Member, 6 posts)

Posted 13 August 2004 - 08:09 AM

Sorry, here is the latest hijackthis log:


Logfile of HijackThis v1.98.2
Scan saved at 10:01:30 AM, on 8/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\netjj.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\appdv32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Pamela\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\njevp.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\njevp.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\njevp.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\njevp.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\njevp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\njevp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\njevp.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\njevp.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\njevp.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\njevp.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30CF258B-877E-D68F-75DB-04254FA4477D} - C:\WINDOWS\syssc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [netjj.exe] C:\WINDOWS\system32\netjj.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#5 MrCharlie (SuperMember, Malware Team, 2,949 posts)

Posted 13 August 2004 - 01:41 PM

There's a new version of AboutBuster out; I don't know if you used it. The new version is 3 and the current reference list # is 15.
Here's the link:
http://malwarebytes....AboutBuster.zip

You can also try running it in safe mode.

These are all the bad ones in this scan; have HJT fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\njevp.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\njevp.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\njevp.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\njevp.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\njevp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\njevp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\njevp.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\njevp.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\njevp.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\njevp.dll/sp.html#96676
O2 - BHO: (no name) - {30CF258B-877E-D68F-75DB-04254FA4477D} - C:\WINDOWS\syssc.dll
O4 - HKLM\..\Run: [netjj.exe] C:\WINDOWS\system32\netjj.exe

then delete these files:


C:\WINDOWS\njevp.dll
C:\WINDOWS\syssc.dll
C:\WINDOWS\system32\netjj.exe

Now run AboutBuster and then run AdAware again.

Reboot and let me know. MrC

Edited by MrCharlie, 13 August 2004 - 02:07 PM.


#6 myalias (New Member, 6 posts)

Posted 13 August 2004 - 08:07 PM

I downloaded the new version of About Buster and that one worked fine (log below). I followed all of the other steps again and all seemed to run ok. However, after rebooting and opening IE again, the same problem came up but with different file names. Ugh!!!

Here is the AboutBuster log:

Scanned at: 9:14:20 PM on: 8/13/2004


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 5 Random Key Entries
Deleted 1 Service Keys Successfully!
Removed! : C:\WINDOWS\agtyyt.dat
Removed! : C:\WINDOWS\apico32.dll
Removed! : C:\WINDOWS\apipi.dll
Removed! : C:\WINDOWS\apivp32.dll
Removed! : C:\WINDOWS\aqlwtl.dat
Removed! : C:\WINDOWS\atlzs.dll
Removed! : C:\WINDOWS\bftngp.dat
Removed! : C:\WINDOWS\bhwhp.dat
Removed! : C:\WINDOWS\bhwhp.dll
Removed! : C:\WINDOWS\bkfljv.dat
Removed! : C:\WINDOWS\bolcql.dat
Removed! : C:\WINDOWS\bvryyj.dat
Removed! : C:\WINDOWS\bzbpl.dat
Removed! : C:\WINDOWS\cagkjc.dat
Removed! : C:\WINDOWS\cidjbw.dat
Removed! : C:\WINDOWS\cmjnrv.dat
Removed! : C:\WINDOWS\cuqgoz.dat
Removed! : C:\WINDOWS\cyjvkp.dat
Removed! : C:\WINDOWS\czmlph.dat
Removed! : C:\WINDOWS\d3iq32.exe
Removed! : C:\WINDOWS\d3lg.dll
Removed! : C:\WINDOWS\derdo.dat
Removed! : C:\WINDOWS\dfdbge.dat
Removed! : C:\WINDOWS\dkvdu.dat
Removed! : C:\WINDOWS\dkvdu.dll
Removed! : C:\WINDOWS\dnxxuq.dat
Removed! : C:\WINDOWS\drnoho.dat
Removed! : C:\WINDOWS\dslvhv.dat
Removed! : C:\WINDOWS\dxegv.dat
Removed! : C:\WINDOWS\ekwaco.dat
Removed! : C:\WINDOWS\elvyn.dat
Removed! : C:\WINDOWS\elvyn.dll
Removed! : C:\WINDOWS\etyixl.dat
Removed! : C:\WINDOWS\evwstc.dat
Removed! : C:\WINDOWS\fejesr.dat
Removed! : C:\WINDOWS\fhhtwe.dat
Removed! : C:\WINDOWS\fmdeey.dat
Removed! : C:\WINDOWS\frzwdd.dat
Removed! : C:\WINDOWS\fyqthx.dat
Removed! : C:\WINDOWS\geytlq.dat
Removed! : C:\WINDOWS\gfudq.dll
Removed! : C:\WINDOWS\ghtoko.dat
Removed! : C:\WINDOWS\gjdieo.dat
Removed! : C:\WINDOWS\gkspjk.dat
Removed! : C:\WINDOWS\hdwppz.dat
Removed! : C:\WINDOWS\hhbsfy.dat
Removed! : C:\WINDOWS\hhrpgx.dat
Removed! : C:\WINDOWS\hnjev.dat
Removed! : C:\WINDOWS\hsnmtb.dat
Removed! : C:\WINDOWS\ieitms.dat
Removed! : C:\WINDOWS\ifbgby.dat
Removed! : C:\WINDOWS\ihbinx.dat
Removed! : C:\WINDOWS\ijegbh.dat
Removed! : C:\WINDOWS\isdlfu.dat
Removed! : C:\WINDOWS\izojf.dat
Removed! : C:\WINDOWS\javaxl32.dll
Removed! : C:\WINDOWS\jbcfx.dat
Removed! : C:\WINDOWS\josvbo.dat
Removed! : C:\WINDOWS\jsdhm.dll
Removed! : C:\WINDOWS\judzk.dat
Removed! : C:\WINDOWS\kfmfgo.dat
Removed! : C:\WINDOWS\kfqbm.dll
Removed! : C:\WINDOWS\kixekg.dat
Removed! : C:\WINDOWS\kqwvu.dat
Removed! : C:\WINDOWS\ldexv.dat
Removed! : C:\WINDOWS\leiptc.dat
Removed! : C:\WINDOWS\lkhizv.dat
Removed! : C:\WINDOWS\lkilzy.dat
Removed! : C:\WINDOWS\lkytj.dat
Removed! : C:\WINDOWS\lkytj.dll
Removed! : C:\WINDOWS\lpfbl.dat
Removed! : C:\WINDOWS\lpfbl.dll
Removed! : C:\WINDOWS\lptozi.dat
Removed! : C:\WINDOWS\mdvvip.dat
Removed! : C:\WINDOWS\mfcjw.dll
Removed! : C:\WINDOWS\mhamgj.dat
Removed! : C:\WINDOWS\mnremc.dat
Removed! : C:\WINDOWS\mqwbbu.dat
Removed! : C:\WINDOWS\msmkto.dat
Removed! : C:\WINDOWS\mtsyxm.dat
Removed! : C:\WINDOWS\mxkrjc.dat
Removed! : C:\WINDOWS\nggtfj.dat
Removed! : C:\WINDOWS\nrvmd.dat
Removed! : C:\WINDOWS\ntyz32.dll
Removed! : C:\WINDOWS\n_cuqgoz.dat
Removed! : C:\WINDOWS\n_elvyne.dat
Removed! : C:\WINDOWS\n_fwnuik.dat
Removed! : C:\WINDOWS\n_lptozi.dat
Removed! : C:\WINDOWS\n_mzyijl.dat
Removed! : C:\WINDOWS\n_swwsbi.dat
Removed! : C:\WINDOWS\n_xqpefs.dat
Removed! : C:\WINDOWS\oahllc.dat
Removed! : C:\WINDOWS\ofadh.dat
Removed! : C:\WINDOWS\ojcowj.dat
Removed! : C:\WINDOWS\opqpcw.dat
Removed! : C:\WINDOWS\ovrlsq.dat
Removed! : C:\WINDOWS\pbesur.dat
Removed! : C:\WINDOWS\pcejct.dat
Removed! : C:\WINDOWS\pdhoie.dat
Removed! : C:\WINDOWS\pdziyj.dat
Removed! : C:\WINDOWS\qaqvz.dat
Removed! : C:\WINDOWS\qgzkuk.dat
Removed! : C:\WINDOWS\repghx.dat
Removed! : C:\WINDOWS\rofffg.dat
Removed! : C:\WINDOWS\ryiosj.dat
Removed! : C:\WINDOWS\sdkni.dll
Removed! : C:\WINDOWS\sdkuu.exe
Removed! : C:\WINDOWS\svcbpn.dat
Removed! : C:\WINDOWS\syskl.dll
Removed! : C:\WINDOWS\tjdecq.dat
Removed! : C:\WINDOWS\tyuybt.dat
Removed! : C:\WINDOWS\udhnwy.dat
Removed! : C:\WINDOWS\utqexd.dat
Removed! : C:\WINDOWS\uzpst.dat
Removed! : C:\WINDOWS\vgajje.dat
Removed! : C:\WINDOWS\vpropd.dat
Removed! : C:\WINDOWS\winni.dll
Removed! : C:\WINDOWS\winpd32.dll
Removed! : C:\WINDOWS\winyz.dll
Removed! : C:\WINDOWS\wjurf.dat
Removed! : C:\WINDOWS\wpowlj.dat
Removed! : C:\WINDOWS\wvbzds.dat
Removed! : C:\WINDOWS\xajkkj.dat
Removed! : C:\WINDOWS\xapul.dat
Removed! : C:\WINDOWS\xckqvz.dat
Removed! : C:\WINDOWS\xqpefs.dat
Removed! : C:\WINDOWS\xxtzfc.dat
Removed! : C:\WINDOWS\xzfyo.dat
Removed! : C:\WINDOWS\ycyuj.dll
Removed! : C:\WINDOWS\ytvwv.dat
Removed! : C:\WINDOWS\ytvwv.dll
Removed! : C:\WINDOWS\yyhji.dat
Removed! : C:\WINDOWS\yyuwpy.dat
Removed! : C:\WINDOWS\zbevsj.dat
Removed! : C:\WINDOWS\zmnudc.dat
Removed! : C:\WINDOWS\znxman.dat
Removed! : C:\WINDOWS\zrmmt.dll
Removed! : C:\WINDOWS\zviblm.dat
Removed! : C:\WINDOWS\zxaoat.dat
Removed! : C:\WINDOWS\System32\agomi.dat
Removed! : C:\WINDOWS\System32\appdo32.exe
Error Removing! : C:\WINDOWS\System32\appdv32.exe
Removed! : C:\WINDOWS\System32\ckhjv.dat
Removed! : C:\WINDOWS\System32\crcg32.dll
Removed! : C:\WINDOWS\System32\cyjvk.dat
Removed! : C:\WINDOWS\System32\d3db32.dll
Removed! : C:\WINDOWS\System32\d3sg32.exe
Removed! : C:\WINDOWS\System32\ipfl32.exe
Removed! : C:\WINDOWS\System32\jgrbk.dat
Removed! : C:\WINDOWS\System32\jsiiu.dat
Removed! : C:\WINDOWS\System32\kjjxf.dll
Removed! : C:\WINDOWS\System32\krqbj.dat
Removed! : C:\WINDOWS\System32\kuqhh.dat
Removed! : C:\WINDOWS\System32\ltpqs.dat
Removed! : C:\WINDOWS\System32\mdctc.dat
Removed! : C:\WINDOWS\System32\mfcto.exe
Removed! : C:\WINDOWS\System32\mssv.exe
Removed! : C:\WINDOWS\System32\okaon.dll
Removed! : C:\WINDOWS\System32\opqmq.dll
Removed! : C:\WINDOWS\System32\pilbp.dat
Removed! : C:\WINDOWS\System32\pqtzc.dat
Removed! : C:\WINDOWS\System32\pqtzc.dll
Removed! : C:\WINDOWS\System32\pxffr.dat
Removed! : C:\WINDOWS\System32\qacgk.dat
Removed! : C:\WINDOWS\System32\qcxea.dat
Removed! : C:\WINDOWS\System32\qmjxo.dat
Removed! : C:\WINDOWS\System32\sdkba.exe
Removed! : C:\WINDOWS\System32\sysas32.exe
Removed! : C:\WINDOWS\System32\tfnsv.dll
Removed! : C:\WINDOWS\System32\vijag.dat
Removed! : C:\WINDOWS\System32\vijag.dll
Removed! : C:\WINDOWS\System32\wuhti.dat
Removed! : C:\WINDOWS\System32\xssaz.dat
Removed! : C:\WINDOWS\System32\yhidf.dat
Removed! : C:\WINDOWS\System32\yhidf.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 4 Random Key Entries
Error Removing! : C:\WINDOWS\System32\appdv32.exe
Error Removing! : C:\WINDOWS\System32\netjv.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!




Here is the latest HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 10:00:47 PM, on 8/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\netjv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\appdv32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Pamela\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DF3AE97-927A-A988-F257-18F61D1C5ABA} - C:\WINDOWS\system32\ieub32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [netjv.exe] C:\WINDOWS\system32\netjv.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#7 myalias (New Member, 6 posts)

Posted 13 August 2004 - 08:11 PM

Here is the HijackThis log immediately after opening IE (the previous one was generated before opening IE).

Logfile of HijackThis v1.98.2
Scan saved at 10:08:49 PM, on 8/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\netjv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\appdv32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Pamela\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\fhpez.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\system32\fhpez.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\fhpez.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DF3AE97-927A-A988-F257-18F61D1C5ABA} - C:\WINDOWS\system32\ieub32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [netjv.exe] C:\WINDOWS\system32\netjv.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#8 MrCharlie (SuperMember, Malware Team, 2,949 posts)

Posted 14 August 2004 - 05:56 AM

This is a nasty hijacker, but we'll get it. Just be patient; it may take several steps.

In the AboutBuster log I see it couldn't delete these:

C:\WINDOWS\System32\appdv32.exe
C:\WINDOWS\System32\netjv.exe

Use TheKillBox and see if you can delete them.
Here's a link to the full version of the KillBox if needed:
http://www.downloads...org/KillBox.zip

Reboot into safe mode and have HJT fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\fhpez.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\system32\fhpez.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\fhpez.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
O2 - BHO: (no name) - {3DF3AE97-927A-A988-F257-18F61D1C5ABA} - C:\WINDOWS\system32\ieub32.dll
O4 - HKLM\..\Run: [netjv.exe] C:\WINDOWS\system32\netjv.exe

Delete these files:

C:\WINDOWS\system32\fhpez.dll
C:\WINDOWS\system32\ieub32.dll
C:\WINDOWS\system32\netjv.exe <--if it's still there

Run AboutBuster in safe mode, twice with a reboot in between.
Then in normal mode, with a reboot in between.

Reboot and let's see how it is, and post a fresh HJT log. MrC

Edited by MrCharlie, 14 August 2004 - 06:09 AM.
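The triage MrCharlie does by eye in the post above, written out as an added example (this is not code from the thread, from HijackThis or from any of the tools mentioned): a small Python script that parses HijackThis-format lines and flags the three patterns that mark this infection in the logs posted here: IE start/search pages redirected to a res:// resource inside a local DLL, a Browser Helper Object with no registered name loading from system32, and a Run value named after a system32 executable. The sample lines are a constructed subset of the thread's log; the allowlist of self-named Run values is an assumption and would need extending for a real machine. The rules are heuristics to guide a manual review, not a signature.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.9x log format, modelled on the lines posted
# in this thread. It is not the complete log, just enough to exercise each rule.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fhpez.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\fhpez.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DF3AE97-927A-A988-F257-18F61D1C5ABA} - C:\WINDOWS\system32\ieub32.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [netjv.exe] C:\WINDOWS\system32\netjv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed allowlist (hypothetical, deliberately short): Windows components whose
# Run value is legitimately named after the executable itself.
KNOWN_SELF_NAMED_RUN = {"ctfmon.exe"}

R_LINE = re.compile(r"^(R[013]) - (.+?) = (.*)$")
RES_DLL = re.compile(r"^res://(.+?\.dll)", re.I)
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - \{([0-9A-Fa-f-]+)\} - (.+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")
EXE_PATH = re.compile(r'^"?(.+?\.exe)', re.I)
SYSTEM32 = re.compile(r"^[A-Z]:\\WINDOWS\\system32\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str   # which heuristic fired
    path: str   # file on disk that the entry loads
    line: str   # the log line to have HijackThis fix


def triage(log_text: str) -> list[Finding]:
    """Apply three heuristics to HijackThis log text and return the hits."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            # Rule 1: IE start/search pages pointing at a res:// resource inside a
            # local DLL. Legitimate values are http:// URLs; res:// into system32
            # is the CWS-style hijack seen in this thread.
            if d := RES_DLL.match(m.group(3)):
                findings.append(Finding("res-hijack", d.group(1), line))
        elif m := O2_LINE.match(line):
            # Rule 2: a Browser Helper Object with no registered name that loads
            # from system32. Vendors name their BHOs; droppers usually do not.
            name, _clsid, dll = m.groups()
            if name.strip() == "(no name)" and SYSTEM32.match(dll):
                findings.append(Finding("nameless-bho", dll, line))
        elif m := O4_LINE.match(line):
            # Rule 3: a Run value whose name is just the exe filename, launching
            # a file from system32 that is not a known Windows component.
            _hive, _key, value_name, command = m.groups()
            if p := EXE_PATH.match(command):
                exe = p.group(1)
                base = exe.rsplit("\\", 1)[-1].lower()
                if (value_name.lower() == base and SYSTEM32.match(exe)
                        and base not in KNOWN_SELF_NAMED_RUN):
                    findings.append(Finding("self-named-run", exe, line))
    return findings


def files_to_delete(findings: list[Finding]) -> list[str]:
    """Distinct on-disk files behind the flagged entries, for the deletion step."""
    return sorted({f.path for f in findings}, key=str.lower)


def lines_to_fix(findings: list[Finding]) -> list[str]:
    """Log lines to tick in HijackThis, in log order, without duplicates."""
    seen, out = set(), []
    for f in findings:
        if f.line not in seen:
            seen.add(f.line)
            out.append(f.line)
    return out


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    print("Have HijackThis fix:")
    for entry in lines_to_fix(hits):
        print("  " + entry)
    print("Delete (in safe mode, or with KillBox if locked):")
    for path in files_to_delete(hits):
        print("  " + path)
```

Run it against a full saved log by replacing SAMPLE_LOG with the file contents. The Adobe BHO, the dellnet.com ShellNext value and the ctfmon Run entry come through clean, while the three system32 files MrCharlie lists for deletion are exactly the set the script reports; anything it flags on another machine still needs a human to confirm before it is fixed.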


#9 myalias (New Member, 6 posts)

Posted 16 August 2004 - 09:40 AM

IT WORKED!!! :D Thanks so much!

#10 MrCharlie (SuperMember, Malware Team, 2,949 posts)

Posted 16 August 2004 - 06:28 PM

Good!! ;) :thumbup:

Please look at Preventive Maintenance

Thanks, MrC


#11 nellie2 (Slyware Huntress, Authentic Member, 1,311 posts)

Posted 22 August 2004 - 08:52 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
The problem with troubleshooting is that trouble shoots back.

Malware Complaints - Stand Up and Be Counted! ¦ Microsoft MVP - Windows Security ¦ ASAP member since 2004
Nellie2's Blog
