MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Author Topic: downloader-yk trojan  (Read 3545 times)
anfieldroadend
« on: May 18, 2005, 03:38:04 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows XP


Sorry about this, but I'm a bit of a computer novice, and I know that a lot of people have had trouble with the Downloader-yk trojan, but I could not understand all the threads on how to remove it.

I have an antivirus program, McAfee, running and it's telling me that I have a downloader-yk trojan. It cleans them, but they keep coming and the problem is not resolved.

My IE also defaults to an about:blank homepage and I sometimes get annoying pop-ups, "only the best".

Please help. I could not work out what HijackThis logs were. I really need someone to talk me through it.

regards,
matt

anfieldroadend
« Reply #1 on: May 18, 2005, 07:36:32 PM »

For the attention of anybody who might understand, such as Geekgirl.

Here's my HijackThis log with regards to my downloader-yk trojan problem.

Please advise on what to do next, thanks.

Logfile of HijackThis v1.99.1
Scan saved at 20:27:43, on 18/05/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\AOL 9.0\waol.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Adobe\Adobe GoLive CS\ControlPanel\VersionCueTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\sysxr.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC04.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdot.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9A65FF84-5F62-35FE-18D6-0C43F27B7AEB} - C:\WINDOWS\system32\netxj.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe GoLive CS\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [sysxr.exe] C:\WINDOWS\sysxr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00479032-0C21-4738-9CBE-44838D58BF95}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{00479032-0C21-4738-9CBE-44838D58BF95}: NameServer = 205.188.146.145
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe GoLive CS\service\VersionCue.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Geekgirl
« Reply #2 on: May 19, 2005, 09:13:46 PM »

It is essential to keep your computer's operating system and programs in top condition. That means keeping up with applying patches, hotfixes and service packs. Make sure that your Operating System and Internet Explorer are up-to-date by visiting the Windows Update Site and downloading all of the Critical Updates and Service Packs.

Please go get your updates, then post a fresh log.
Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
anfieldroadend
« Reply #3 on: May 20, 2005, 08:56:26 AM »

I have been trying to keep up to date, but I have not been able to download Service Pack 2 in the past. I'll try again. Thanks for your help, and I'll get back to you soon.
Geekgirl
« Reply #4 on: May 20, 2005, 12:05:52 PM »

You need SP1 first.

Here's a link for SP1:

http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.mspx
anfieldroadend
« Reply #5 on: May 20, 2005, 09:23:52 PM »

Hi, I downloaded SP1 and installed that. I then went to install SP2; however, it seems to stop half way through. It begins updating my system by inspecting my configuration, archives my current files and updates my files, but while it is backing up files it seems to get jammed on file OEM32.INF. I've checked the Task Manager and that says the programme is still running, but nothing happens for hours... Because it does not back up the files, the installation does not complete. Any ideas? Thanks again for your help.
anfieldroadend
« Reply #6 on: May 20, 2005, 09:27:32 PM »

By the way, here are some of the results from the scans I did with Microsoft's beta programme.

Spyware Scan Details
Start Date: 19/05/2005 20:30:31
End Date: 19/05/2005 20:45:50
Total Time: 15 mins 19 secs

Detected Threats

Unclassified.Spyware.65 Spyware
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected files detected
c:\windows\iptj32.exe

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce iptj32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce iptj32.exe

Possible Browser Hijack Browser Modifier
Details: This spyware threat changes Web browser settings, such as the homepage, without adequate consent.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Detected Spyware Cookies
No spyware cookies were found during this scan.

Spyware Scan Details
Start Date: 19/05/2005 21:01:00
End Date: 19/05/2005 21:35:57
Total Time: 34 mins 57 secs

Detected Threats

Unclassified.Spyware.65 Spyware
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected files detected
c:\windows\system32\netmc.exe
c:\windows\msqj32.exe

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce netmc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce netmc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce netmc.exe

Detected Spyware Cookies
No spyware cookies were found during this scan.

Spyware Scan Details
Start Date: 19/05/2005 21:41:20
End Date: 19/05/2005 22:19:49
Total Time: 38 mins 29 secs

Detected Threats

Unclassified.Spyware.65 Spyware
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected files detected
c:\windows\system32\sysxm32.exe
c:\windows\d3oh32.exe

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce sysxm32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce sysxm32.exe

Possible Browser Hijack Browser Modifier
Details: This spyware threat changes Web browser settings, such as the homepage, without adequate consent.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Detected Spyware Cookies
No spyware cookies were found during this scan.
Geekgirl
« Reply #7 on: May 21, 2005, 05:36:39 PM »

Let's get started on this log.

Download / Install / Update / and Run:
Ad-Aware SE. Check for any updates before running it.
Get the plug-in for fixing VX2 variants. You can download it at this SITE.
To run this tool, install to the hard drive, then open Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Scan your PC with one of these free online scanners:
Panda ActiveScan
RAV AntiVirus
Housecall. Be sure to put a check in the box beside AutoClean.

Download AboutBuster and unzip it to a folder on your Desktop. Do not run it yet!

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. You will use this later.

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one (you must kill them one at a time).

C:\WINDOWS\sysxr.exe

C:\Program Files\hp center\137903\Program\BackWeb-137903.exe <-----Backweb Removal - This is very widely used among corporations like Kodak, WD and HP. The original intention of this program is to easily keep your applications updated without you having to do anything. The down side to this is that many variants are floating around and some collect information about you. I suggest doing all updates yourself and removing this application!

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdot.net
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {9A65FF84-5F62-35FE-18D6-0C43F27B7AEB} - C:\WINDOWS\system32\netxj.dll

O4 - HKLM\..\Run: [sysxr.exe] C:\WINDOWS\sysxr.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

If you do not recognize these, fix these as well. They are ActiveX items that allow external code to be run on your computer. If you change your mind later, you will be asked to reinstall them if you visit those websites again.

O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab

Do you know the IP or Domain '205.188.146.145'? If not, fix this entry.

O17 - HKLM\System\CCS\Services\Tcpip\..\{00479032-0C21-4738-9CBE-44838D58BF95}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{00479032-0C21-4738-9CBE-44838D58BF95}: NameServer = 205.188.146.145

Please remember to close all other windows, including browsers, then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\sysxr.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\jzzvw.dll
C:\WINDOWS\system32\netxj.dll

Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan; choose Yes.

Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.
Empty your Recycle Bin.

Reboot your system in normal mode.

Please post a fresh Hijack This log so that we can check if your system is clean.



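The moderator's triage of the log in Reply #1 and Reply #7 follows a small set of rules: IE start and search settings that point at a res:// page inside a local DLL or at about:blank, a missing default URLSearchHook, a BHO registered with no descriptive name, an autostart executable dropped straight into the Windows folder, every O16 ActiveX download, and any O17 NameServer override that the owner cannot vouch for. The script below is an added example, not part of HijackThis or of the forum posts, that applies those rules to HijackThis-style log lines. The section names and heuristics are my own reading of the thread; the sample lines are copied from the log posted above, and the `expected_hosts` allowlist is an assumption (empty by default, so every remote start page is listed for review).

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the entries from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jzzvw.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9A65FF84-5F62-35FE-18D6-0C43F27B7AEB} - C:\WINDOWS\system32\netxj.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [sysxr.exe] C:\WINDOWS\sysxr.exe
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7/McUpdatePortal.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00479032-0C21-4738-9CBE-44838D58BF95}: NameServer = 205.188.146.145
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "R1 - <body>" / "O4 - <body>"; process lists and headers do not match.
ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in .exe inside an O4 command line.
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
# Executable placed directly in the Windows folder (not system32 or a subfolder).
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    body: str
    reason: str


def parse_entries(text: str) -> list[tuple[str, str]]:
    """Return (section, body) for every Rn/On entry line in the log text."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def _value(body: str) -> str:
    """Right-hand side of a 'key = value' entry, or '' when there is none."""
    return body.split(" = ", 1)[1].strip() if " = " in body else ""


def triage(entries, expected_hosts=frozenset()) -> list[Finding]:
    """Apply the thread's triage rules; expected_hosts is the owner's own start-page allowlist."""
    findings = []
    for section, body in entries:
        value = _value(body)
        lower = value.lower()
        if section in ("R0", "R1"):
            if lower.startswith("res://"):
                findings.append(Finding(section, body, "IE start/search setting points into a local DLL resource"))
            elif lower == "about:blank":
                findings.append(Finding(section, body, "home page forced to about:blank"))
            elif lower.startswith(("http://", "https://")):
                host = urlparse(value).hostname or ""
                if host not in expected_hosts:
                    findings.append(Finding(section, body, f"start/search URL host not on the expected list: {host}"))
        elif section == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(section, body, "default URLSearchHook has been removed"))
        elif section == "O2":
            # Body layout: "BHO: <name> - {CLSID} - <dll path>"
            name = body.removeprefix("BHO: ").split(" - ", 1)[0].strip()
            if name in ("", "Class", "(no name)"):
                findings.append(Finding(section, body, "BHO registered without a descriptive name"))
        elif section == "O4":
            m = EXE_PATH.search(body)
            if m and WINDOWS_ROOT_EXE.match(m.group(1)):
                findings.append(Finding(section, body, "autostart executable placed directly in the Windows folder"))
        elif section == "O16":
            findings.append(Finding(section, body, "ActiveX download (DPF); remove unless the site is recognised"))
        elif section == "O17" and "NameServer" in body:
            findings.append(Finding(section, body, f"DNS server overridden to {value}; confirm it belongs to your ISP"))
    return findings


def triage_text(text: str, expected_hosts=frozenset()) -> list[Finding]:
    return triage(parse_entries(text), expected_hosts)


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.body}")
```

Run it against a saved log with `triage_text(open("hijackthis.log").read(), expected_hosts={"your.homepage.example"})`; everything not flagged still deserves a glance, since the rules only encode what this thread discussed.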
anfieldroadend
« Reply #8 on: May 22, 2005, 10:32:26 PM »

Dear Geekgirl,

Thanks for your help. I ran through your post step by step but have encountered some problems.
Firstly, when I got to the finish, rebooted my system and then tried to submit another HJT log, I had problems.

After reboot, the Windows toolbar at the bottom of the screen had no Start icon in the left-hand corner. I could not bring it in from the left to shorten it, and no changes to screen size made a difference.

I accessed my HJT programme, though, through 'My Computer' and ran the scan; however, I could not access the log. I kept getting this message: the application has failed to start because the application configuration is incorrect. Reinstalling this application may fix the problem.

It doesn't.

Also, at start-up I get an error message from McAfee saying some components of McAfee Security Centre are missing or may not have been installed properly. Please reinstall McAfee Security Centre.

...and IE tries to launch itself at start-up even though I do not try to go online.

Also, file backweb_137903.exe_tobedeleted comes up in an error message looking for a programme to run it...

Can you help?
Geekgirl
« Reply #9 on: May 23, 2005, 01:10:14 PM »

I'm not exactly sure what happened. You can try System Restore to go back to the point where it booted and ran correctly, and we can start over.

Nothing we removed would have caused this except the BackWeb item; you can take it out of msconfig because it is trying to run at boot.
anfieldroadend
« Reply #10 on: May 23, 2005, 05:17:06 PM »

I did a System Restore, but the only problem was my System Restore tool was not on, so it made no difference. Any ideas what to do next? Also, I've found my computer won't run various programmes such as Adobe Photoshop. Also, when I try to click, for example, my browser window down to the toolbar, nothing appears but the window disappears.

I thought that I could get around not having a Start button and use the Windows key, but a strange window pops up listing AOL 9.0, Windows Catalog, Windows Update and WinZip!?!?!?!?!? Weird!

It's not your usual menu at all.

Also, the look of the computer looks like it's running in basic mode with no icons etc.
Geekgirl
« Reply #11 on: May 23, 2005, 05:29:10 PM »

Try a repair installation. Put your XP disc in and click Install; it will detect an O.S. and give you a repair option.
anfieldroadend
« Reply #12 on: May 23, 2005, 05:44:12 PM »

I never had an XP disc. It was already on the computer and it installed after I set the computer up.
Geekgirl
« Reply #13 on: May 23, 2005, 06:09:05 PM »

Do you have a friend that has an XP disc? As long as you use your valid key code (which should be on the outside of your computer case), it will work.
anfieldroadend
« Reply #14 on: May 23, 2005, 06:13:51 PM »

I can see the sticker with the valid key code, but I don't know anyone with a disk. I'm not making this easy, am I!??!?!?!?