Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log - Help Please


  • This topic is locked This topic is locked
6 replies to this topic

#1 Gordo321

Gordo321

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 05 July 2004 - 06:06 PM

Hello

Well, it finally happened to me! Over the past week I have tried everything I could think of to get rid of my Browser Hijacker.

Could someone offer advice to my problem and how to correct it?

Here is a copy of my HijackThis Log:

Logfile of HijackThis v1.98.0
Scan saved at 6:47:27 PM, on 7/5/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\APIHJ32.EXE
C:\WINDOWS\SYSTEM\NETJN32.EXE
C:\WINDOWS\SYSTEM\APPJV32.EXE
C:\WINDOWS\SYSTEM\D3QM32.EXE
C:\WINDOWS\SYSTEM\APIRH32.EXE
C:\WINDOWS\ATLUJ.EXE
C:\WINDOWS\SYSTEM\NTXC32.EXE
C:\WINDOWS\SYSTEM\SDKQX32.EXE
C:\WINDOWS\APPZH.EXE
C:\WINDOWS\SYSTEM\WINQK.EXE
C:\WINDOWS\D3ZP32.EXE
C:\WINDOWS\CRWZ32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\PASSWORD MANAGER\ACCTMGR.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS XTREME G\AIRPLUS.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\APPZH.EXE
C:\WINDOWS\IEOV.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sympatico.ca/iesearchpane.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ibwor.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ibwor.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ibwor.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ibwor.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ibwor.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ibwor.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0sstwt98.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0sstwt98.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
O2 - BHO: Class - {CB9FE89A-6788-47B8-F958-7988A0FC10DA} - C:\WINDOWS\NETJS32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\Run: [AcctMgr] c:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe
O4 - HKLM\..\RunServices: [APIHJ32.EXE] C:\WINDOWS\SYSTEM\APIHJ32.EXE
O4 - HKLM\..\RunServices: [APPJV32.EXE] C:\WINDOWS\SYSTEM\APPJV32.EXE
O4 - HKLM\..\RunServices: [NETJN32.EXE] C:\WINDOWS\SYSTEM\NETJN32.EXE
O4 - HKLM\..\RunServices: [APIRH32.EXE] C:\WINDOWS\SYSTEM\APIRH32.EXE
O4 - HKLM\..\RunServices: [ATLUJ.EXE] C:\WINDOWS\ATLUJ.EXE
O4 - HKLM\..\RunServices: [D3QM32.EXE] C:\WINDOWS\SYSTEM\D3QM32.EXE
O4 - HKLM\..\RunServices: [APPZH.EXE] C:\WINDOWS\APPZH.EXE
O4 - HKLM\..\RunServices: [SDKQX32.EXE] C:\WINDOWS\SYSTEM\SDKQX32.EXE
O4 - HKLM\..\RunServices: [NTXC32.EXE] C:\WINDOWS\SYSTEM\NTXC32.EXE
O4 - HKLM\..\RunServices: [WINQK.EXE] C:\WINDOWS\SYSTEM\WINQK.EXE
O4 - HKLM\..\RunServices: [CRWZ32.EXE] C:\WINDOWS\CRWZ32.EXE
O4 - HKLM\..\RunServices: [D3ZP32.EXE] C:\WINDOWS\D3ZP32.EXE
O4 - HKLM\..\RunServices: [IEOV.EXE] C:\WINDOWS\IEOV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)


Thanks very much....

Gordo321

BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:03 AM

Posted 05 July 2004 - 07:19 PM

Please do the following:

Press control-alt-delete and end the following tasks:

C:\WINDOWS\SYSTEM\APIHJ32.EXE
C:\WINDOWS\SYSTEM\NETJN32.EXE
C:\WINDOWS\SYSTEM\APPJV32.EXE
C:\WINDOWS\SYSTEM\D3QM32.EXE
C:\WINDOWS\SYSTEM\APIRH32.EXE
C:\WINDOWS\ATLUJ.EXE
C:\WINDOWS\SYSTEM\NTXC32.EXE
C:\WINDOWS\SYSTEM\SDKQX32.EXE
C:\WINDOWS\APPZH.EXE
C:\WINDOWS\SYSTEM\WINQK.EXE
C:\WINDOWS\D3ZP32.EXE
C:\WINDOWS\CRWZ32.EXE
C:\WINDOWS\APPZH.EXE
C:\WINDOWS\IEOV.EXE

Then fix the following entries with hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ibwor.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ibwor.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ibwor.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ibwor.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ibwor.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ibwor.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
O2 - BHO: Class - {CB9FE89A-6788-47B8-F958-7988A0FC10DA} - C:\WINDOWS\NETJS32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\RunServices: [APIHJ32.EXE] C:\WINDOWS\SYSTEM\APIHJ32.EXE
O4 - HKLM\..\RunServices: [APPJV32.EXE] C:\WINDOWS\SYSTEM\APPJV32.EXE
O4 - HKLM\..\RunServices: [NETJN32.EXE] C:\WINDOWS\SYSTEM\NETJN32.EXE
O4 - HKLM\..\RunServices: [APIRH32.EXE] C:\WINDOWS\SYSTEM\APIRH32.EXE
O4 - HKLM\..\RunServices: [ATLUJ.EXE] C:\WINDOWS\ATLUJ.EXE
O4 - HKLM\..\RunServices: [D3QM32.EXE] C:\WINDOWS\SYSTEM\D3QM32.EXE
O4 - HKLM\..\RunServices: [APPZH.EXE] C:\WINDOWS\APPZH.EXE
O4 - HKLM\..\RunServices: [SDKQX32.EXE] C:\WINDOWS\SYSTEM\SDKQX32.EXE
O4 - HKLM\..\RunServices: [NTXC32.EXE] C:\WINDOWS\SYSTEM\NTXC32.EXE
O4 - HKLM\..\RunServices: [WINQK.EXE] C:\WINDOWS\SYSTEM\WINQK.EXE
O4 - HKLM\..\RunServices: [CRWZ32.EXE] C:\WINDOWS\CRWZ32.EXE
O4 - HKLM\..\RunServices: [D3ZP32.EXE] C:\WINDOWS\D3ZP32.EXE
O4 - HKLM\..\RunServices: [IEOV.EXE] C:\WINDOWS\IEOV.EXE
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

Then reboot into safe mode and delete the following files:

C:\WINDOWS\ibwor.dll
C:\WINDOWS\NETJS32.DLL
C:\WINDOWS\SYSTEM\APIHJ32.EXE
C:\WINDOWS\SYSTEM\NETJN32.EXE
C:\WINDOWS\SYSTEM\APPJV32.EXE
C:\WINDOWS\SYSTEM\D3QM32.EXE
C:\WINDOWS\SYSTEM\APIRH32.EXE
C:\WINDOWS\ATLUJ.EXE
C:\WINDOWS\SYSTEM\NTXC32.EXE
C:\WINDOWS\SYSTEM\SDKQX32.EXE
C:\WINDOWS\APPZH.EXE
C:\WINDOWS\SYSTEM\WINQK.EXE
C:\WINDOWS\D3ZP32.EXE
C:\WINDOWS\CRWZ32.EXE
C:\WINDOWS\APPZH.EXE
C:\WINDOWS\IEOV.EXE

Reboot into normal mode and Restore files deleted by this malware.
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
Then post a post a new log

#3 Gordo321

Gordo321
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 05 July 2004 - 09:55 PM

Grinler,

Thanks for your quick response.

I completed the tasks that you suggested with two exceptions, downloading SDHelper.dll and checking for my control.exe (I was unable to log on to spywareinfo.com for some reason).

Here is a copy of my latest log:

Logfile of HijackThis v1.98.0
Scan saved at 10:52:50 PM, on 7/5/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\NTGR32.EXE
C:\WINDOWS\ADDHV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\PASSWORD MANAGER\ACCTMGR.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS XTREME G\AIRPLUS.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\ADDHV.EXE
C:\WINDOWS\ADDHV.EXE
C:\WINDOWS\ADDHV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\ADDHV.EXE
C:\WINDOWS\ADDHV.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sympatico.ca/iesearchpane.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ddtni.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ddtni.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ddtni.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ddtni.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ddtni.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ddtni.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0sstwt98.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0sstwt98.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Class - {7394CC45-E29E-AC0B-19B4-FA1B376B3209} - C:\WINDOWS\MFCOK.DLL (file missing)
O2 - BHO: Class - {389793A1-16BF-5CDB-995A-72BC57DA44B5} - C:\WINDOWS\CRGW32.DLL
O2 - BHO: Class - {A84D75BC-8D31-F4CC-7312-9A583961CBA9} - C:\WINDOWS\SYSTEM\APILU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\Run: [AcctMgr] c:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe
O4 - HKLM\..\RunServices: [NTGR32.EXE] C:\WINDOWS\SYSTEM\NTGR32.EXE
O4 - HKLM\..\RunServices: [ADDHV.EXE] C:\WINDOWS\ADDHV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)


What now?

Thanks again....Gordo

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:03 AM

Posted 06 July 2004 - 01:19 PM

Press control-alt-delete and end the following tasks:

NTGR32.EXE
ADDHV.EXE

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ddtni.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ddtni.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ddtni.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ddtni.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ddtni.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ddtni.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7394CC45-E29E-AC0B-19B4-FA1B376B3209} - C:\WINDOWS\MFCOK.DLL (file missing)
O2 - BHO: Class - {389793A1-16BF-5CDB-995A-72BC57DA44B5} - C:\WINDOWS\CRGW32.DLL
O2 - BHO: Class - {A84D75BC-8D31-F4CC-7312-9A583961CBA9} - C:\WINDOWS\SYSTEM\APILU.DLL
O4 - HKLM\..\RunServices: [NTGR32.EXE] C:\WINDOWS\SYSTEM\NTGR32.EXE
O4 - HKLM\..\RunServices: [ADDHV.EXE] C:\WINDOWS\ADDHV.EXE
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)


Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\SYSTEM\NTGR32.EXE
C:\WINDOWS\ADDHV.EXE
C:\WINDOWS\SYSTEM\APILU.DLL
C:\WINDOWS\CRGW32.DLL
C:\WINDOWS\ddtni.dll

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore
or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above

Reboot your computer to go back to normal mode and post a new log.

#5 Gordo321

Gordo321
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 13 July 2004 - 03:53 PM

Grinler,

Completed the tasks as you outlined with the exception of Disable System Restore (could not find in Windows 98SE).

Here is my latest log:

Logfile of HijackThis v1.98.0
Scan saved at 4:46:45 PM, on 7/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\PASSWORD MANAGER\ACCTMGR.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS XTREME G\AIRPLUS.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sympatico.ca/iesearchpane.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0sstwt98.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0sstwt98.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\Run: [AcctMgr] c:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)


Where to from here?

Regards,

Gordo

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:03 AM

Posted 13 July 2004 - 11:05 PM

Nowhere, because you are all clean.. Great job!!!

Now that you are clean, please follow this simple step and use the following programs:

Visit http://www.windowsupdate.com regularly. This will ensure that you have the latest patches for your operating system installed. If there are new updates to install, install all the critical updates, reboot and revisit the site until there are no more critical updates.

I would strongly advise you download and install SpywareBlaster and Spybot (With TeaTimer)

Tutorials and download locations for each programs can be found below. They will help to prevent a lot of future reinfections.

Using SpywareBlaster to protect your web browser

Using Spybot - Search & Destroy to remove Spyware from Your Computer

Glad i was able to help.

#7 Gordo321

Gordo321
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 14 July 2004 - 09:44 AM

Grinler;

Thanks very much for your time end efforts to help me, it is very much appreciated! I will follow your additional advise.

Regards,

Gordo




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users