MyTechSupport.ca :: Your Computer Technical Resource Headquarters!

Author Topic: Spyware/Adware infestation hijackthis log  (Read 4723 times)
axaday
« on: August 03, 2004, 12:17:46 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: XP

I am doing long overdue maintenance on my parents' computers. I have an old CWShredder that won't update, Spyhunter, HijackThis, and LSPFix at my disposal. Between the 3 computers, I have deleted over 1000 files that Spyhunter wanted off and I have run scandisks and defrags like crazy.

Here is the Hijackthis log for the first of 3 computers.  A search thing keeps appearing back in the log.  Periodically, an error pops up to tell me that mfcql.exe isn't a good image.  Additionally, at startup, kbdla886h.exe, ntmsevt321o.exe, winnls834r.exe, and shellstyle579p.exe all have errors and quit.  I understand that it is their job to keep this sort of thing from happening, so I guess the virus has attacked them.  Here's my log.

Logfile of HijackThis v1.97.7
Scan saved at 7:04:10 PM, on 8/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\ntmu32.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\BTV\btv.exe
C:\WINDOWS\system32\mfcql.exe
C:\documents and settings\albert\local settings\temp\ZrhFK.exe
C:\WINDOWS\System32\IEHost35.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\mcc.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\MProcessor\mprocessor.exe
C:\WINDOWS\System32\mf3astore.exe
C:\WINDOWS\System32\shellstyle579p.exe
C:\WINDOWS\System32\Npk0kVMy.exe
C:\Program Files\Creative\VoIP Blaster\VoipDial.exe
C:\WINDOWS\System32\IpjB.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Albert\Desktop\Spyware Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {93757B32-DCC3-5C75-4010-8C148E619B58} - C:\WINDOWS\system32\sdkwb.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [win32clf] C:\Documents and Settings\Albert\win32clf\win32clf.exe
O4 - HKLM\..\Run: [BTV] C:\Program Files\BTV\btv.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\breg.exe"
O4 - HKLM\..\Run: [mfcql.exe] C:\WINDOWS\system32\mfcql.exe
O4 - HKLM\..\Run: [ZrhFK] C:\documents and settings\albert\local settings\temp\ZrhFK.exe
O4 - HKLM\..\Run: [3AN2JT642BWARQ] C:\WINDOWS\System32\FhuJr5.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost35.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Albert\LOCALS~1\Temp\app62.tmp
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [AutoLoaderrF0d1MIUULaa] "C:\WINDOWS\System32\fhuxpand.exe"
O4 - HKLM\..\Run: [rsrX32V] fhuxpand.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [aB07RSZ4P] mf3astore.exe
O4 - HKCU\..\Run: [icwphbk799e.exe] "C:\WINDOWS\System32\icwphbk799e.exe"
O4 - HKCU\..\Run: [kbdla886h.exe] "C:\WINDOWS\System32\kbdla886h.exe"
O4 - HKCU\..\Run: [ntmsevt321o.exe] "C:\WINDOWS\System32\ntmsevt321o.exe"
O4 - HKCU\..\Run: [winnls834r.exe] "C:\WINDOWS\System32\winnls834r.exe"
O4 - HKCU\..\Run: [shellstyle579p.exe] "C:\WINDOWS\System32\shellstyle579p.exe"
O4 - HKLM\..\RunOnce: [ntmu32.exe] C:\WINDOWS\ntmu32.exe
O4 - HKLM\..\RunOnce: [ipgt32.exe] C:\WINDOWS\ipgt32.exe
O4 - HKLM\..\RunOnce: [ipbb.exe] C:\WINDOWS\ipbb.exe
O4 - Global Startup: Creative VoIP Blaster Dialer.lnk = C:\Program Files\Creative\VoIP Blaster\VoipDial.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37903.0329166667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab

benditup
« Reply #1 on: August 03, 2004, 12:48:21 AM »

First off, you are running an old version of HijackThis
Open hijackthis----Click Config----Misc Tools---Check for update
If it won't update-----delete your copy and redownload
download from
HERE or HERE

You have many issues in your log
After you have updated hijackthis

I would uninstall Spyhunter, you can see why from this link
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Weatherbug has the spyware stamp on it too...
I would shut it down in Task manager and remove it in Add/Remove Programs---Optional, but I would get rid of it.......
You can find a spywarefree one later....

Pay attention to this entry in your log
O4 - HKLM\..\Run: [3AN2JT642BWARQ] C:\WINDOWS\System32\FhuJr5.exe
Related to Peper Trojan
Download the uninstaller
http://downloads.subratam.org/PeperFix.exe

Disconnect from the NET-----With only hijackthis open FIX CHECKED just that entry for now
Run the Peper uninstaller
RESTART your computer and run the uninstaller again, just to make sure it is gone

You should also do an Online Virus Scan,
At Housecall's---set it to Autoclean
http://housecall.trendmicro.com/
and/or do one here at Panda's
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
If you need a free AV solution later, we can find you one
I know of 2 that I use, but you only need to run one on a computer

Download the free version of Ad-Aware
Important---after installation---CHECK FOR UPDATES
Set these additional options for a custom scan
click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

RESTART your computer and post back with a fresh hijackthis log

« Last Edit: August 03, 2004, 12:49:45 AM by benditup »

axaday
« Reply #2 on: August 03, 2004, 02:09:35 AM »

Thanks!

Is Ad-Aware a program I can use ongoing or will it expire soon?

Peper found lots of stuff.  But that O4 file didn't show up in Hijackthis so I didn't delete it.  My browser collapsed several times in a row while trying to use housecall, but Panda got 11 files cleaned.  Ad-Aware got rid of 284 files.  When I restarted, those 4 files still had to shut down.  Here's the new log:
Logfile of HijackThis v1.98.0
Scan saved at 8:59:54 PM, on 8/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\ntmu32.exe
C:\WINDOWS\system32\ntbf32.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Documents and Settings\Albert\win32clf\win32clf.exe
C:\documents and settings\albert\local settings\temp\ZrhFK.exe
C:\WINDOWS\System32\IEHost35.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\WINDOWS\System32\mcc.exe
C:\Program Files\MProcessor\mprocessor.exe
C:\WINDOWS\System32\mf3astore.exe
C:\WINDOWS\System32\kbdla886h.exe
C:\Documents and Settings\Albert\Desktop\Spyware Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pandasoftware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5F536490-B339-D031-1643-3DD3B48171F4} - C:\WINDOWS\system32\ntbf32.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [win32clf] C:\Documents and Settings\Albert\win32clf\win32clf.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\breg.exe"
O4 - HKLM\..\Run: [ZrhFK] C:\documents and settings\albert\local settings\temp\ZrhFK.exe
O4 - HKLM\..\Run: [3AN2JT642BWARQ] C:\WINDOWS\System32\ZkqXS9u0.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost35.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Albert\LOCALS~1\Temp\app62.tmp
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [AutoLoaderrF0d1MIUULaa] "C:\WINDOWS\System32\fhuxpand.exe"
O4 - HKLM\..\Run: [rsrX32V] fhuxpand.exe
O4 - HKLM\..\Run: [sdkwb.exe] C:\WINDOWS\system32\sdkwb.exe
O4 - HKLM\..\Run: [ntbf32.exe] C:\WINDOWS\system32\ntbf32.exe
O4 - HKLM\..\Run: [BTV] C:\Program Files\BTV\btv.exe
O4 - HKLM\..\RunOnce: [ntmu32.exe] C:\WINDOWS\ntmu32.exe
O4 - HKLM\..\RunOnce: [ipgt32.exe] C:\WINDOWS\ipgt32.exe
O4 - HKLM\..\RunOnce: [ipbb.exe] C:\WINDOWS\ipbb.exe
O4 - HKLM\..\RunOnce: [iefc.exe] C:\WINDOWS\system32\iefc.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [aB07RSZ4P] mf3astore.exe
O4 - HKCU\..\Run: [icwphbk799e.exe] "C:\WINDOWS\System32\icwphbk799e.exe"
O4 - HKCU\..\Run: [kbdla886h.exe] "C:\WINDOWS\System32\kbdla886h.exe"
O4 - HKCU\..\Run: [ntmsevt321o.exe] "C:\WINDOWS\System32\ntmsevt321o.exe"
O4 - HKCU\..\Run: [winnls834r.exe] "C:\WINDOWS\System32\winnls834r.exe"
O4 - HKCU\..\Run: [shellstyle579p.exe] "C:\WINDOWS\System32\shellstyle579p.exe"
O4 - Global Startup: Creative VoIP Blaster Dialer.lnk = C:\Program Files\Creative\VoIP Blaster\VoipDial.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {BC8C3AA8-425B-40C4-9F5D-E44DB68CBBAD} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab

benditup
« Reply #3 on: August 03, 2004, 03:17:09 AM »

You may want to print this out because a lot of it you must remain offline for....

Go ahead and hold on to AD-Aware---Check for updates once a week
Perform a smart system scan
But we're not through with your log yet

You look like you may have an infection that about:buster can rid you of---Download and unzip to desktop About:buster
http://downloads.subratam.org/AboutBuster.zip
CHECK FOR UPDATES--don't run it yet
But let's try some manual cleanup

Set Windows to Show Hidden Files and Folders

I'm quite sure that all these files are bad or unknown, just want to make sure
Navigate to them----right click on them--properties--version
Find what they are related to
Could you submit them to Kaspersky's for a free virus scan
http://www.kaspersky.com/scanforvirus
Simply use the Browse button to navigate to the file
Right click on it-----Select---Submit

C:\Documents and Settings\Albert\win32clf\win32clf.exe <--quite sure it's a virus or leftover from virus
C:\WINDOWS\System32\ZkqXS9u0.exe <--this file
C:\WINDOWS\System32\fhuxpand.exe
C:\WINDOWS\ntmu32.exe
C:\WINDOWS\ipgt32.exe
C:\WINDOWS\ipbb.exe
C:\WINDOWS\system32\iefc.exe
C:\WINDOWS\System32\icwphbk799e.exe
C:\WINDOWS\System32\kbdla886h.exe
C:\WINDOWS\System32\ntmsevt321o.exe
C:\WINDOWS\System32\winnls834r.exe
C:\WINDOWS\System32\shellstyle579p.exe

You may not find them, carry on with the rest of the instructions

Disconnect completely from the Internet

Enter your Task Manager (hold down the CTRL+SHIFT keys and tap ESC)
End process on these
ntmu32.exe
ntbf32.exe
win32clf.exe
ZrhFK.exe
IEHost35.exe
pcsvc.exe
mcc.exe
mprocessor.exe
mf3astore.exe
kbdla886h.exe

Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [win32clf] C:\Documents and Settings\Albert\win32clf\win32clf.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\breg.exe"
O4 - HKLM\..\Run: [ZrhFK] C:\documents and settings\albert\local settings\temp\ZrhFK.exe
O4 - HKLM\..\Run: [3AN2JT642BWARQ] C:\WINDOWS\System32\ZkqXS9u0.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost35.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Albert\LOCALS~1\Temp\app62.tmp
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [AutoLoaderrF0d1MIUULaa] "C:\WINDOWS\System32\fhuxpand.exe"
O4 - HKLM\..\Run: [rsrX32V] fhuxpand.exe
O4 - HKLM\..\Run: [sdkwb.exe] C:\WINDOWS\system32\sdkwb.exe
O4 - HKLM\..\Run: [ntbf32.exe] C:\WINDOWS\system32\ntbf32.exe
O4 - HKLM\..\Run: [BTV] C:\Program Files\BTV\btv.exe
O4 - HKLM\..\RunOnce: [ntmu32.exe] C:\WINDOWS\ntmu32.exe
O4 - HKLM\..\RunOnce: [ipgt32.exe] C:\WINDOWS\ipgt32.exe
O4 - HKLM\..\RunOnce: [ipbb.exe] C:\WINDOWS\ipbb.exe
O4 - HKLM\..\RunOnce: [iefc.exe] C:\WINDOWS\system32\iefc.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [aB07RSZ4P] mf3astore.exe
O4 - HKCU\..\Run: [icwphbk799e.exe] "C:\WINDOWS\System32\icwphbk799e.exe"
O4 - HKCU\..\Run: [kbdla886h.exe] "C:\WINDOWS\System32\kbdla886h.exe"
O4 - HKCU\..\Run: [ntmsevt321o.exe] "C:\WINDOWS\System32\ntmsevt321o.exe"
O4 - HKCU\..\Run: [winnls834r.exe] "C:\WINDOWS\System32\winnls834r.exe"
O4 - HKCU\..\Run: [shellstyle579p.exe] "C:\WINDOWS\System32\shellstyle579p.exe"
O2 - BHO: (no name) - {5F536490-B339-D031-1643-3DD3B48171F4} - C:\WINDOWS\system32\ntbf32.dll

O9 - Extra button: (no name) - {BC8C3AA8-425B-40C4-9F5D-E44DB68CBBAD} - (no file) (HKCU)

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

After you have fix checked and have closed HijackThis
Run the Peperfix one more time
NEXT run the About:buster fix---copy and paste the log to Notepad

RESTART your Computer in SAFE MODE

Find and delete these files and folders if they exist, and exact name
FILES
C:\Program Files\Common Files\Java\breg.exe <--this file
C:\WINDOWS\System32\SearchBar.htm
C:\WINDOWS\System32\ZkqXS9u0.exe
C:\WINDOWS\System32\IEHost35.exe
C:\WINDOWS\System32\mcc.exe
C:\WINDOWS\System32\fhuxpand.exe
C:\WINDOWS\system32\sdkwb.exe
C:\WINDOWS\system32\ntbf32.exe
C:\WINDOWS\ntmu32.exe
C:\WINDOWS\ipgt32.exe
C:\WINDOWS\ipbb.exe
C:\WINDOWS\system32\iefc.exe
C:\WINDOWS\System32\icwphbk799e.exe
C:\WINDOWS\System32\kbdla886h.exe
C:\WINDOWS\System32\ntmsevt321o.exe
C:\WINDOWS\System32\winnls834r.exe
C:\WINDOWS\System32\shellstyle579p.exe

C:\documents and settings\albert\local settings\temp\ZrhFK.exe
C:\documents and settings\albert\local settings\temp\app62.tmp
Or delete the whole contents of the TEMP folder

FOLDERS
C:\Program Files\BTV  <--this folder
C:\Program Files\\MProcessor <--this folder
C:\WINDOWS\system32\pcs <--this folder
C:\Documents and Settings\Albert\win32clf <--this folder

I hope we got it all :)

While still in safe mode run About:buster again, save the log

Restart back in normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back with a Fresh hijackthis log and about:buster logs
« Last Edit: August 03, 2004, 03:46:55 AM by benditup »

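The by-eye triage done in the reply above (autostarts launched from a temp folder, bare file names, random-looking value names, and comparing one scan against the next) as an added Python example; this is not code from the thread or from HijackThis. The log fragments are constructed from entries quoted in this thread, and the flagging rules are assumptions meant for triage, not verdicts.

```python
import re
from dataclasses import dataclass

# A HijackThis entry line: section tag (R0-R3, O1-O23) then " - " then the body.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 registry autostart: hive, key (Run/RunOnce/...), [value name], command.
O4_REG = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First token ending in an executable-like extension; unquoted paths may contain spaces.
EXE_PATH = re.compile(r"^(?P<path>.+?\.(?:exe|dll|tmp|com|scr))(?:\s|$)", re.IGNORECASE)

@dataclass(frozen=True)
class Entry:
    section: str
    body: str

def parse_log(text):
    """Return the R*/O* entries of a HijackThis log, skipping header and process list."""
    out = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            out.append(Entry(m.group("section"), m.group("body")))
    return out

def command_path(cmd):
    """Extract the executable path from an O4 command line, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_PATH.match(cmd)
    return m.group("path") if m else cmd

def triage_o4(entry):
    """Heuristic reasons (triage hints, not verdicts) an O4 autostart deserves a look."""
    reasons = []
    m = O4_REG.match(entry.body) if entry.section == "O4" else None
    if not m:
        return reasons
    name, path = m.group("name"), command_path(m.group("cmd"))
    low = path.lower()
    if "\\temp\\" in low or low.endswith(".tmp"):
        reasons.append("runs from a temp directory")
    if "\\" not in path:
        reasons.append("unqualified file name (resolved via PATH search)")
    if name.lower() == low.rsplit("\\", 1)[-1]:
        reasons.append("value name is just the file name")
    if name and sum(c.isdigit() for c in name) / len(name) >= 0.2:
        reasons.append("digit-heavy, random-looking value name")
    if "(file missing)" in entry.body or "(no file)" in entry.body:
        reasons.append("target no longer exists (orphaned entry)")
    return reasons

def o4_by_name(text):
    """Map O4 value name -> command line for one scan."""
    out = {}
    for e in parse_log(text):
        m = O4_REG.match(e.body) if e.section == "O4" else None
        if m:
            out[m.group("name")] = m.group("cmd")
    return out

def diff_logs(before, after):
    """Split O4 autostarts into removed / persisted / new between two scans."""
    b = {e for e in parse_log(before) if e.section == "O4"}
    a = {e for e in parse_log(after) if e.section == "O4"}
    return {"removed": sorted(e.body for e in b - a),
            "persisted": sorted(e.body for e in a & b),
            "new": sorted(e.body for e in a - b)}

def reseeded(before, after):
    """Value names kept across scans while the command changed: a dropper rewriting itself."""
    b, a = o4_by_name(before), o4_by_name(after)
    return {n: (b[n], a[n]) for n in b if n in a and b[n] != a[n]}

# Constructed sample input: a handful of entries taken from the two logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [mfcql.exe] C:\WINDOWS\system32\mfcql.exe
O4 - HKLM\..\Run: [ZrhFK] C:\documents and settings\albert\local settings\temp\ZrhFK.exe
O4 - HKLM\..\Run: [3AN2JT642BWARQ] C:\WINDOWS\System32\FhuJr5.exe
O4 - HKLM\..\Run: [rsrX32V] fhuxpand.exe
O4 - HKCU\..\Run: [aB07RSZ4P] mf3astore.exe
"""
LOG_AFTER = r"""Logfile of HijackThis v1.98.0
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [ZrhFK] C:\documents and settings\albert\local settings\temp\ZrhFK.exe
O4 - HKLM\..\Run: [3AN2JT642BWARQ] C:\WINDOWS\System32\ZkqXS9u0.exe
O4 - HKLM\..\Run: [rsrX32V] fhuxpand.exe
O4 - HKLM\..\Run: [ntbf32.exe] C:\WINDOWS\system32\ntbf32.exe
"""

if __name__ == "__main__":
    for e in parse_log(LOG_AFTER):
        print(e.body, "->", "; ".join(triage_o4(e)) or "no flags")
    print("re-seeded:", reseeded(LOG_BEFORE, LOG_AFTER))
```

reseeded() picks out value names that survive a cleanup while their file name changes (3AN2JT642BWARQ went from FhuJr5.exe to ZkqXS9u0.exe between the two logs), which is the sign of a component still running and re-dropping itself, and is why the instructions kill the processes and stay offline before fixing entries.
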
axaday
« Reply #4 on: August 03, 2004, 04:35:47 AM »

Whatever you changed when you edited, I probably didn't do it.

Here are the About:Buster reports

#1
-- Scan 1 --------
About:Buster Version 2.0
Deleted Service Key Successfully!
Removed! : C:\WINDOWS\afzchm.dat
Removed! : C:\WINDOWS\ampok.dat
Removed! : C:\WINDOWS\d3ql.dll
Removed! : C:\WINDOWS\flvgj.dat
Removed! : C:\WINDOWS\frfuk.dat
Removed! : C:\WINDOWS\gondv.dat
Removed! : C:\WINDOWS\hmhzi.dat
Removed! : C:\WINDOWS\ipbb.exe
Removed! : C:\WINDOWS\ipgt32.exe
Removed! : C:\WINDOWS\isltt.dat
Removed! : C:\WINDOWS\ixntl.dll
Removed! : C:\WINDOWS\jsxjrb.dat
Removed! : C:\WINDOWS\kfpsc.dat
Removed! : C:\WINDOWS\lgrmq.dat
Removed! : C:\WINDOWS\ljnmr.dat
Error Removing! : C:\WINDOWS\ntmu32.exe
Removed! : C:\WINDOWS\realtime.exe
Removed! : C:\WINDOWS\sbmpjk.dat
Removed! : C:\WINDOWS\sdkmn.dll
Error Removing! : C:\WINDOWS\sfesdv.dat
Removed! : C:\WINDOWS\srxak.dat
Error Removing! : C:\WINDOWS\srxakw.dat
Removed! : C:\WINDOWS\sysupd.exe
Removed! : C:\WINDOWS\tixoy.dat
Removed! : C:\WINDOWS\vwzot.dat
Removed! : C:\WINDOWS\xzkhs.dat
Error Removing! : C:\WINDOWS\yvrodq.dat
Removed! : C:\WINDOWS\zxfgx.dat
Removed! : C:\WINDOWS\System32\addfe.dll
Removed! : C:\WINDOWS\System32\appjl.exe
Removed! : C:\WINDOWS\System32\iefc.exe
Removed! : C:\WINDOWS\System32\kkjyf.dat
Removed! : C:\WINDOWS\System32\mkgbi.dat
Removed! : C:\WINDOWS\System32\mywhb.dat
Removed! : C:\WINDOWS\System32\oihbi.dat
Removed! : C:\WINDOWS\System32\ojjlu.dat
Removed! : C:\WINDOWS\System32\orgjx.dat
Removed! : C:\WINDOWS\System32\pitwr.dat
Removed! : C:\WINDOWS\System32\romdx.dat
Removed! : C:\WINDOWS\System32\sdklt.dll
Removed! : C:\WINDOWS\System32\sdkwb.dll
Removed! : C:\WINDOWS\System32\ubcrb.dat
Removed! : C:\WINDOWS\System32\uzkjr.dat
Removed! : C:\WINDOWS\System32\vfasr.dat
Removed! : C:\WINDOWS\System32\xoegk.dat
Removed! : C:\WINDOWS\System32\zvlty.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.0
Error Removing! : C:\WINDOWS\ntmu32.exe
Error Removing! : C:\WINDOWS\sfesdv.dat
Removed! : C:\WINDOWS\srxakw.dat
Removed! : C:\WINDOWS\yvrodq.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

#2
-- Scan 1 --------
About:Buster Version 2.0
Removed! : C:\WINDOWS\sfesdv.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.0
Attempted Clean Of Temp folder.
Pages Reset... Done!

And the new Hijack
Logfile of HijackThis v1.98.0
Scan saved at 11:30:41 PM, on 8/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\sdklt.exe
C:\Documents and Settings\Albert\Desktop\Spyware Tools\HijackThis.exe

O2 - BHO: (no name) - {93757B32-DCC3-5C75-4010-8C148E619B58} - C:\WINDOWS\system32\sdkwb.dll (file missing)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sdklt.exe] C:\WINDOWS\system32\sdklt.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Creative VoIP Blaster Dialer.lnk = C:\Program Files\Creative\VoIP Blaster\VoipDial.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
Thanks for all your help (so far?)

benditup
« Reply #5 on: August 03, 2004, 04:49:02 AM »

Hee Hee, sorry about the Edit
I had this
"Find and delete these files and folders"
I changed it to this
"Find and delete these files and folders if they exist, and exact name"

Can you do me another favor, I see this in your log
Do you know what it's related to?
Run it through Kaspersky's AV
O4 - HKLM\..\Run: [sdklt.exe] C:\WINDOWS\system32\sdklt.exe <-file

I don't know much about this one
O4 - Global Startup: Creative VoIP Blaster Dialer.lnk = C:\Program Files\Creative\VoIP Blaster\VoipDial.exe
It doesn't look bad, just curious if it's needed on startup

We will want to clean out your Restore Points after we're done, let me know about that file

One more thing
Copy the contents of the 'QUOTE' box to Notepad, and save as GetServices.vbs (make sure you save as type: 'all files' )

Doubleclick GetServices.vbs, and it will produce a list of all active services on your computer; please post that list in your reply.

If you have script blocking installed, you will get a warning when you try to run the script. Please allow it to run. It is only collecting information.

quote:
' Collect the distinct process IDs hosting every service that is not stopped,
' then list, per process, the services it hosts together with their image paths.
Set objIdDictionary = CreateObject("Scripting.Dictionary")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where State <> 'Stopped'")
For Each objService in colServices
    ' Dictionary keys must be unique, so add a PID only the first time it is seen
    If Not objIdDictionary.Exists(objService.ProcessID) Then
        objIdDictionary.Add objService.ProcessID, objService.ProcessID
    End If
Next
colProcessIDs = objIdDictionary.Items
For i = 0 to objIdDictionary.Count - 1
    ' Second query: every service sharing this PID (several share one svchost.exe)
    Set colServices = objWMIService.ExecQuery _
        ("Select * from Win32_Service Where ProcessID = '" & _
        colProcessIDs(i) & "'")
    For Each objService in colServices
        msg = msg & vbcrlf & " " & UCase(objService.DisplayName) & ":" & " " & objService.Name & vbcrlf & objService.PathName & vbcrlf
    Next
Next
' Write the report to Active.txt in the current directory and open it in the default viewer
Dim fso, Services, Wshshell
Set Wshshell = Wscript.CreateObject("Wscript.Shell")
Set fso = Wscript.CreateObject("Scripting.FileSystemObject")
Set Services = fso.CreateTextFile("Active.txt", true)
Services.Write "These are the Current Active Services:"
Services.WriteLine
Services.Write msg
Services.Close
Wshshell.Run "Active.txt"
Post the contents of the Active.txt file

Are you willing to get a free AV installed on your computer, I would
I'll supply links once we have you clean.....

axaday
« Reply #6 on: August 03, 2004, 05:00:15 AM »

As a matter of fact, that sdklt thing is still causing problems and I was about to ask you about it when I saw your reply. Various errors come up saying that file is a "bad image". And Kaspersky agrees.

VoIP is voice over IP. I suppose it doesn't have to come on at startup, but my dad uses it a lot and this is his computer.


These are the Current Active Services:

 WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

 COMPUTER BROWSER: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

 CRYPTOGRAPHIC SERVICES: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

 DHCP CLIENT: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

 LOGICAL DISK MANAGER: dmserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

 ERROR REPORTING SERVICE: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

 COM+ EVENT SYSTEM: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

 FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

 HELP AND SUPPORT: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

 SERVER: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

 WORKSTATION: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

 MESSENGER: Messenger
C:\WINDOWS\System32\svchost.exe -k netsvcs

 NETWORK CONNECTIONS: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

 NETWORK LOCATION AWARENESS (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

 REMOTE ACCESS CONNECTION MANAGER: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

 TASK SCHEDULER: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

 SECONDARY LOGON: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

 SYSTEM EVENT NOTIFICATION: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

 SHELL HARDWARE DETECTION: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

 SYSTEM RESTORE SERVICE: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs

 TELEPHONY: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

 TERMINAL SERVICES: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs

 THEMES: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

 DISTRIBUTED LINK TRACKING CLIENT: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

 UPLOAD MANAGER: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs

 WINDOWS TIME: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

 WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

 AUTOMATIC UPDATES: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

 WIRELESS ZERO CONFIGURATION: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

 CREATIVE SERVICE FOR CDROM ACCESS: Creative Service for CDROM Access
C:\WINDOWS\System32\CTsvcCDA.exe

 CRYPKEY LICENSE: Crypkey License
crypserv.exe

 DNS CLIENT: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

 EVENT LOG: Eventlog
C:\WINDOWS\system32\services.exe

 PLUG AND PLAY: PlugPlay
C:\WINDOWS\system32\services.exe

 TCP/IP NETBIOS HELPER: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

 REMOTE REGISTRY: RemoteRegistry
C:\WINDOWS\system32\svchost.exe -k LocalService

 SSDP DISCOVERY SERVICE: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

 WEBCLIENT: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

 NVIDIA DISPLAY DRIVER SERVICE: NVSvc
C:\WINDOWS\System32\nvsvc32.exe

 IPSEC SERVICES: PolicyAgent
C:\WINDOWS\System32\lsass.exe

 PROTECTED STORAGE: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

 SECURITY ACCOUNTS MANAGER: SamSs
C:\WINDOWS\system32\lsass.exe

 REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

 PRINT SPOOLER: Spooler
C:\WINDOWS\system32\spoolsv.exe

 WINDOWS IMAGE ACQUISITION (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc

 WMDM PMSP SERVICE: WMDM PMSP Service
C:\WINDOWS\System32\MsPMSPSv.exe
Logged
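A defender's first pass over a listing like the one above, as an added example in Python that is not part of the thread or of benditup's VBScript: it parses the Active.txt format the script writes (uppercased display name, service name, then the command line) and flags services whose binary is referenced by a bare file name, lives in a Temp directory, or sits outside the usual system directories. The sample text is constructed, the trusted directory list and the heuristics are assumptions, and the "exupd" entry is invented to show the Temp case.

```python
import re
from typing import Dict, List

# Constructed sample in the same layout the WMI script writes to Active.txt.
# "exupd" is an invented service, included only to exercise the Temp check.
SAMPLE_ACTIVE_TXT = """These are the Current Active Services:

 WINDOWS AUDIO: AudioSrv
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs

 CRYPKEY LICENSE: Crypkey License
crypserv.exe

 NVIDIA DISPLAY DRIVER SERVICE: NVSvc
C:\\WINDOWS\\System32\\nvsvc32.exe

 EXAMPLE UPDATER: exupd
C:\\DOCUME~1\\Albert\\LOCALS~1\\Temp\\exupd.exe -svc
"""

# Where a stock XP service binary is expected to live (assumption, adjust per machine).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\", "c:\\program files\\")
HEADER_RE = re.compile(r"^\s*(?P<display>.+?):\s*(?P<name>.+?)\s*$")

def parse_active_txt(text: str) -> List[Dict[str, str]]:
    """Turn the report into records of display name, service name and command line."""
    records = []
    lines = [l for l in text.splitlines() if l.strip()]
    for header, cmd in zip(lines[1::2], lines[2::2]):   # skip the title, then take pairs
        m = HEADER_RE.match(header)
        if m:
            records.append({"display": m["display"].strip(),
                            "name": m["name"].strip(), "command": cmd.strip()})
    return records

def triage_services(text: str) -> Dict[str, str]:
    """Map service name -> reason, for every entry that deserves a closer look."""
    flagged = {}
    for rec in parse_active_txt(text):
        # Drop arguments such as svchost's "-k netsvcs" to get the executable alone.
        exe = rec["command"].split(" -")[0].strip('"').lower()
        if "\\" not in exe:
            # A bare name is resolved through the search path, so the service control
            # manager starts whichever binary of that name it finds first.
            flagged[rec["name"]] = "unqualified path: " + exe
        elif "\\temp\\" in exe:
            flagged[rec["name"]] = "runs from a Temp directory: " + exe
        elif not exe.startswith(TRUSTED_DIRS):
            flagged[rec["name"]] = "runs outside the usual system directories: " + exe
    return flagged
```

Against the listing posted above, only the Crypkey entry would be reported, because its path is a bare file name.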

 
benditup
« Reply #7 on: August 03, 2004, 05:16:12 AM »

I thought it looked bad, axaday

Open your task manager and end process on this
sdklt.exe

Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

O2 - BHO: (no name) - {93757B32-DCC3-5C75-4010-8C148E619B58} - C:\WINDOWS\system32\sdkwb.dll (file missing)
O4 - HKLM\..\Run: [sdklt.exe] C:\WINDOWS\system32\sdklt.exe

Restart your computer into safe mode and delete that file
C:\WINDOWS\system32\sdklt.exe

While still in safe mode run about:buster again, let's make sure we got it all

Here's what I would do axaday,
Go to AVG antivirus and download the free version---I like free
Here's a link
http://free.grisoft.com/freeweb.php/doc/2/
Give them a valid email address, not webbased such as hotmail
Make sure you get the free version and not the trial version

After installation----make sure you check for updates

With the infections you had you will want to disable system restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

RESTART your computer in Safe Mode and do a full virus scan
You should also do a DiskCleanup
START--RUN---type in "cleanmgr"
Restart back in normal mode
If you would like to supply another hijackthis log and about:buster logs, I would like to see them...
I have a couple other free apps. you may find interesting
Best of all they don't run in the background.....
Do the above first, let me know how everything is running
Logged

 
axaday
« Reply #8 on: August 03, 2004, 06:12:01 AM »

Thanks

My parents went to bed so I came home.  I'll go over and resume work tomorrow morning.
Logged

 
axaday
« Reply #9 on: August 03, 2004, 03:00:47 PM »

Buster logs
-- Scan 1 --------
About:Buster Version 2.0
Removed! : C:\WINDOWS\fudkh.dat
Removed! : C:\WINDOWS\hrmin.dat
Removed! : C:\WINDOWS\jdyzg.dat
Removed! : C:\WINDOWS\rtfdm.dat
Removed! : C:\WINDOWS\tduju.dat
Removed! : C:\WINDOWS\System32\ilhcm.dat
Removed! : C:\WINDOWS\System32\prutk.dat
Removed! : C:\WINDOWS\System32\vpbhz.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.0
Attempted Clean Of Temp folder.
Pages Reset... Done!


I couldn't install the AV because it couldn't find shell.dll.  But other than that the computer seems to be running fine.

Let me post this and then run another Hijack This.

Logged

 
axaday
« Reply #10 on: August 03, 2004, 03:02:04 PM »

Logfile of HijackThis v1.98.0
Scan saved at 9:59:43 AM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\VoIP Blaster\VoipDial.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Albert\Desktop\avg6732fu_free.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Albert\Desktop\Spyware Tools\HijackThis.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Creative VoIP Blaster Dialer.lnk = C:\Program Files\Creative\VoIP Blaster\VoipDial.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab

Logged

 
axaday
« Reply #11 on: August 03, 2004, 07:31:48 PM »

Something is still there.  It changed my start page to a search page.  And I see searchbar in this new hijack this.


Logfile of HijackThis v1.98.0
Scan saved at 2:28:23 PM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\VoIP Blaster\VoipDial.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Albert\Desktop\avg6732fu_free.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Albert\Desktop\Spyware Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Albert\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Albert\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Albert\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Albert\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Albert\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Albert\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {59DEF70F-21B5-4E23-AB07-BA87D0CABD38} - C:\WINDOWS\System32\imlc.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Creative VoIP Blaster Dialer.lnk = C:\Program Files\Creative\VoIP Blaster\VoipDial.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O18 - Filter: text/html - {591E2358-32B3-438A-86CF-028499224C99} - C:\WINDOWS\System32\imlc.dll
O18 - Filter: text/plain - {591E2358-32B3-438A-86CF-028499224C99} - C:\WINDOWS\System32\imlc.dll

Logged
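The entries that changed between the two logs above (R1 search settings pointing at sp.html in Temp, an unnamed O2 BHO, and O18 text/html and text/plain filters backed by the same DLL) are the kind of thing a triage script can pick out automatically. This is an added Python example, not part of the thread or of HijackThis itself; the sample lines are constructed from the log format shown, and the three heuristics are assumptions drawn from what this thread treats as the hijack.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample lines in HijackThis 1.98 format, modelled on the log above.
SAMPLE_HJT_LOG = """R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = file://C:\\DOCUME~1\\Albert\\LOCALS~1\\Temp\\sp.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {59DEF70F-21B5-4E23-AB07-BA87D0CABD38} - C:\\WINDOWS\\System32\\imlc.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\MSMSGS.EXE
O18 - Filter: text/html - {591E2358-32B3-438A-86CF-028499224C99} - C:\\WINDOWS\\System32\\imlc.dll
O18 - Filter: text/plain - {591E2358-32B3-438A-86CF-028499224C99} - C:\\WINDOWS\\System32\\imlc.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs, ignoring non-entry lines."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["section"], m["body"]))
    return out

def triage_hjt(text: str) -> Dict[str, List[str]]:
    """Group suspicious entries by reason; entries matching no heuristic are left alone."""
    findings: Dict[str, List[str]] = {}
    dll_refs: Dict[str, Set[str]] = {}          # module path -> sections that load it
    for section, body in parse_hjt(text):
        low = body.lower()
        if section in ("R0", "R1") and "= file://" in low and "\\temp\\" in low:
            findings.setdefault("browser setting points to a local file in Temp", []).append(body)
        elif section == "O2" and ("(no name)" in low or "(file missing)" in low):
            findings.setdefault("unnamed or missing BHO", []).append(body)
        elif section == "O18" and low.startswith("filter: text/"):
            findings.setdefault("MIME filter installed for text content", []).append(body)
        if section in ("O2", "O18"):
            # The module path is the last " - " separated field of these entries.
            module = body.rsplit(" - ", 1)[-1].strip().lower()
            dll_refs.setdefault(module, set()).add(section)
    # One DLL registered both as a BHO and as a MIME filter is the strongest signal here.
    for module, sections in dll_refs.items():
        if {"O2", "O18"} <= sections:
            findings.setdefault("same DLL registered as BHO and MIME filter", []).append(module)
    return findings
```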

 
benditup
« Reply #12 on: August 03, 2004, 10:24:40 PM »

I want to see if you have a hidden installer

Open up Notepad (START, run, enter NOTEPAD in the BOX and hit OK).
Copy the CONTENTS of the Quote box to notepad
Now in Notepad select file, save as and enter in the filename box "Appinit.bat" (Use the quotes too) and save it on the desktop.

quote:
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
chkntfs c: > windows.txt
type windows1.hiv >> windows.txt


Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Upload windows.txt in your next reply----Insert file attachment

What OS are you using? XP Pro or Home
If you're not sure go to Start----Run---type in "WINVER" without quotes
Logged

 
axaday
« Reply #13 on: August 03, 2004, 10:40:37 PM »

XP Professional

I have tried several times to use the file attachment and it keeps telling me I need to login, but I've logged in several times and it forgets me as soon as I am logged in.
Logged

 
benditup
« Reply #14 on: August 03, 2004, 10:46:42 PM »

Go ahead and copy and paste it in a reply then.....
Gotta step out, check up on you in a bit
Logged

 