Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack Thid log, please help diagnose


  • Please log in to reply
11 replies to this topic

#1 sbart

sbart

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 21 February 2005 - 05:40 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:27:03 PM, on 2/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\tibs5.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
C:\PROGRA~1\COMMON~1\AOL\110133~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110133~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\sdkvn.exe
C:\WINDOWS\appfj.exe
C:\Documents and Settings\Steve\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vkoao.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vkoao.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vkoao.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vkoao.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vkoao.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vkoao.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vkoao.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://sas.r21.mchsi.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24E085E6-A513-1BB9-B89C-40092BAEC3AE} - C:\WINDOWS\system32\addtm32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\PROGRA~1\Logitech\WINGMA~1\Lwinst.exe -d -l "C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101337622\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [sdkvn.exe] C:\WINDOWS\system32\sdkvn.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\RunOnce: [d3gy32.exe] C:\WINDOWS\d3gy32.exe
O4 - HKLM\..\RunOnce: [nthf.exe] C:\WINDOWS\nthf.exe
O4 - HKLM\..\RunOnce: [appfj.exe] C:\WINDOWS\appfj.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099410756351
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} (SiteBuilderEditor Class) - https://stores.hsprofessional.com/storeadmi...ies/ksbedit.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF) - Unknown owner - C:\WINDOWS\system32\iept32.exe (file missing)

BC AdBot (Login to Remove)

 


#2 sbart

sbart
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 21 February 2005 - 06:08 PM

guess I should mention that running ad-aware find huge amounts of spyware, but after deleting it, it is right back....also have the about:blank problem, and some goofy search engine....

#3 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 AM

Posted 24 February 2005 - 03:41 AM

Greetings sbart
Sorry for the wait.

If you are still in need of assistance, it has been a few days since you last posted your HJT log. Please scan again and post a fresh log here so I may review it.
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals

#4 sbart

sbart
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 24 February 2005 - 12:47 PM

spy subtract results:


Machine=COMPUTER1
Time=Thu Feb 24 11:04:40 2005
Product Version=1, 0, 1, 49
OS Version=Microsoft Windows XP Home Edition (Build 2600)

Internet Explorer/MSN/AOL Cache
Internet Browser History
AOL URL History
Media Player history
RealPlayer History
Windows common dialog recently used file list
Windows Search History
Windows Temp Files
Windows Document History
Windows Run History
Recycle Bin
Start Menu Order/Click History
MS Download Temp Directory
Google Search History
Winzip Recent File List
Adobe Acrobat recent file list
Jasc Paint Shop Pro History
AOL Instant Messenger Recent Users
AOL Instant Messenger Download Folder
Yahoo Messenger User Profiles
Yahoo Messenger Transaction Log
Cookies
Started Scanning
Programs in Memory
Finished Scanning
--------------------------------- SpySubtract session started ---------------------------------
Machine=COMPUTER1
Time=Thu Feb 24 11:32:11 2005
Product Version=1, 0, 1, 49
OS Version=Microsoft Windows XP Home Edition (Build 2600)

Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Found 'atwola.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Scanning is stopping...
Scanning is stopping...
--------------------------------- SpySubtract session started ---------------------------------
Machine=COMPUTER1
Time=Thu Feb 24 11:34:57 2005
Product Version=1, 0, 1, 49
OS Version=Microsoft Windows XP Home Edition (Build 2600)

Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Found 'atwola.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Scanning is stopping...
Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Found 'atwola.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Internet URL Shortcuts
Files and Directories
Found 'qjnodi.dat' in 'C:\WINDOWS'
Found 'hxelh.txt' in 'C:\WINDOWS\system32'
Finished Scanning

#5 sbart

sbart
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 24 February 2005 - 01:01 PM

The latest HJT results:

I really need some help....thank you in advance


Logfile of HijackThis v1.99.1
Scan saved at 11:59:00 AM, on 2/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\netaw32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\sdkvn.exe
C:\WINDOWS\System32\Bavqej.exe
C:\PROGRA~1\COMMON~1\AOL\110133~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110133~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSPS~1.EXE
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Documents and Settings\Steve\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://sas.r21.mchsi.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C78BA420-2354-CF49-9103-FA0AC2A41B6C} - C:\WINDOWS\addpg32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\PROGRA~1\Logitech\WINGMA~1\Lwinst.exe -d -l "C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101337622\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [sdkvn.exe] C:\WINDOWS\system32\sdkvn.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Bavqej.exe
O4 - HKLM\..\Run: [qnsi34S] dfsusr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AutoLoader704y1QcRLdPW] "C:\WINDOWS\System32\dfsusr.exe" /HideUninstall
O4 - HKLM\..\RunOnce: [netaw32.exe] C:\WINDOWS\netaw32.exe
O4 - HKCU\..\Run: [bC3sRQeFW] desshare.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Mw4ERON9Q] desshare.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099410756351
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} (SiteBuilderEditor Class) - https://stores.hsprofessional.com/storeadmi...ies/ksbedit.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF) - Unknown owner - C:\WINDOWS\system32\iept32.exe (file missing)

#6 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 AM

Posted 24 February 2005 - 07:03 PM

Thank you sbart. Looking it over and will be back with you soon.
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals

#7 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 AM

Posted 25 February 2005 - 02:02 AM

Thank you for your patience sbart

Your copy of HijackThis is living in a temporary folder. We will be cleaning out that folder later. Before moving on to the instructions below, please create a new folder, c:\programs\HJT, or the like and move your copy of HijackThis to the new folder.

- Please download AboutBuster HERE

Unzip it to your desktop, but DO NOT run it until instructed to do so.

- Configure to show hidden files and folders
*Close all programs so that you are at your desktop.
*Double-click on the My Computer icon.
*Select the Tools menu and click Folder Options.
*After the new window appears select the View tab.
*Put a checkmark in the checkbox labeled Display the contents of system folders.
*Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
*Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
*Remove the checkmark from the checkbox labeled Hide protected operating system files.
*Press the Apply button and then the OK button.

- Click Start>Run
*Type Services.msc then click Ok
*Scroll down and find the service called 'Remote Procedure Call (RPC) Helper'
*Double-click on it.
*Click the Stop button
*Click on properties and under the General Tab, change the Startup Type to Disabled.
*Click Apply then Ok and close any open windows.

- You will want to print the following instructions as we will be in Safe Mode and unable to access the Internet and refer to this page.

- Reboot to Safe Mode
*As the computer is starting up, but before Windows starts to load, hit the F8 Key continously and choose Safe Mode from the menu that will appear

- Scan with Hijack and place a check mark for these entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\raiyn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C78BA420-2354-CF49-9103-FA0AC2A41B6C} - C:\WINDOWS\addpg32.dll
O4 - HKLM\..\Run: [sdkvn.exe] C:\WINDOWS\system32\sdkvn.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Bavqej.exe
O4 - HKLM\..\Run: [qnsi34S] dfsusr.exe
O4 - HKLM\..\Run: [AutoLoader704y1QcRLdPW] "C:\WINDOWS\System32\dfsusr.exe" /HideUninstall
O4 - HKLM\..\RunOnce: [netaw32.exe] C:\WINDOWS\netaw32.exe
O4 - HKCU\..\Run: [bC3sRQeFW] desshare.exe
O4 - HKCU\..\Run: [Mw4ERON9Q] desshare.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} (SiteBuilderEditor Class) - https://stores.hsprofessional.com/storeadmi...ies/ksbedit.cab
O23 - Service: Remote Procedure Call (RPC) Helper (%AF) - Unknown owner - C:\WINDOWS\system32\iept32.exe (file missing)

With ALL other Windows CLOSED, click 'Fix checked'


- Delete the following files and/or folders listed in bold
C:\WINDOWS\netaw32.exe<-----this file
C:\WINDOWS\system32\sdkvn.exe<-----this file
C:\WINDOWS\System32\tibs5.exe<-----this file
C:\WINDOWS\System32\Bavqej.exe<-----this file
C:\WINDOWS\System32\dfsusr.exe<-----this file
C:\WINDOWS\system32\iept32.exe<-----this file
C:\WINDOWS\System32\desshare.exe<-----this file

- Run AboutBuster.
*Click "OK" at the prompt with instructions.
*Click "Update" and then "Check For Update"
*If any updates exist please download them by clicking "Download Update".
*Click Start and then OK to allow AboutBuster to scan. If prompted to shutdown Explorer, click Yes.
*Let the program run and complete. If you are asked to do a second scan, click 'yes'.
*When completed, click 'Save Log'
*Exit AboutBuster.

- Scan with Adaware SE (Be sure to check for the latest updates)
*Let it remove anything it finds.

- Clean out temporary and TIF files.
*Go to Start>Run
*Type cleanmgr
*Be sure these selections are checked
-Temporary Files
-Temporary Internet Files
-Recycle Bin
*Click OK

- REBOOT

Please run this free on-line scan HERE to clean up what might be left.

- REBOOT

- Please post
*AboutBuster log
*Fresh HijackThis log
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals

#8 sbart

sbart
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 25 February 2005 - 11:39 AM

Indrid, Thanks for the help, we are making progress.

I am unable to use Aboutbuster...I have d/l it from several sites, but I always get "the file is corrupt or missing , pls d/l again"

some of the files you asked me to delete, I did not find, they are below:

C:Windows\System32\tibs5.exe
\dfsusr.exe
\iept32.exe
\desshare.exe

Both ad aware and housecall found files and deleted them, but they return if I run them again. Housecall calls them trojan files.

here is the latest HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:28 AM, on 2/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
C:\PROGRA~1\COMMON~1\AOL\110133~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110133~1\EE\AOLServiceHost.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://sas.r21.mchsi.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\PROGRA~1\Logitech\WINGMA~1\Lwinst.exe -d -l "C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101337622\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Bavqej.exe
O4 - HKLM\..\Run: [qnsi34S] dfsusr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099410756351
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thank you for the help...oh also, something else....my 2nd (drive D) hard drive has become unreadable and unaccessable...there is not much on this drive and I would not mind formatting it as I don't think there is any irreplaceable info there...could this be where the little bugger lives??


Thanks much !

#9 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 AM

Posted 25 February 2005 - 05:51 PM

Right click on the attached file AboutBuster.txt
Choose 'save target as'
Save it to your desktop
Rename the AboutBuster.txt to AboutBuster.zip
Unzip it
Double click on AboutBuster.exe
If the program does execute, immediately exit and then let me know.

Attached Files


Edited by Indrid_Cold, 25 February 2005 - 06:01 PM.

Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals

#10 sbart

sbart
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 25 February 2005 - 09:54 PM

NOPE....same thing "the database is corrupt or missing, please d/l again"

HOWEVER...adaware se finds nothing...spysubtract finds nothing....and housecall finds nothing...all behaves like it is clean...except my "D" harddrive which I am formatting now.....really nothing but games on it anyway...perhaps the drive is bad or a gremlin lives there....

thanks for all the help....still worried about the AboutBuster tho...

#11 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 AM

Posted 28 February 2005 - 02:03 AM

Sorry for the interruption.
Just saw your last post. I will be back with you soon.
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals

#12 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 AM

Posted 01 March 2005 - 12:59 AM

Thank you for your patience sbart.

the database is corrupt or missing, please d/l again

Much different error message then what you previously quoted.

the file is corrupt or missing , pls d/l again"


Are you extracting the files or first double clicking on the file AboutBuster.exe from the directory your zip program is giving you? You MUST extract ALL files before running the program.

Please give me a fresh log.
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users