
Please help.


This topic is locked
7 replies to this topic

#1 pygmy

Posted 02 March 2005 - 05:11 PM

I have been hijacked, trojanized, attacked by viruses and whatever else lurks out there.
Seriously, would you please diagnose my HJT log?
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 3:51:27 PM, on 3/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ADDRW32.EXE
C:\WINDOWS\SYSTEM\APIXZ.EXE
C:\WINDOWS\SYSTEM\ADDHH.EXE
C:\WINDOWS\SYSTEM\SDKOH.EXE
C:\WINDOWS\SYSTEM\SDKTA32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\IELW32.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS\COMPONENTS\QBAGENT\QBDAGENT.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PARTNERS\BUSBOY.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\APIXZ.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\ADDRW32.EXE
C:\PROGRAM FILES\PARTNERS\BBPART11.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACRORD32.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACRORD32.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACRORD32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {07F4D6C6-5773-A150-C674-8A79572066F8} - C:\WINDOWS\SYSTEM\MSLH32.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QBCD Autorun] M:\autorun.exe restart QB_SEQUENCE first
O4 - HKLM\..\Run: [agpart] C:\Program Files\Partners\AGPART11.EXE
O4 - HKLM\..\Run: [IELW32.EXE] C:\WINDOWS\IELW32.EXE
O4 - HKLM\..\RunServices: [NETAC32.EXE] C:\WINDOWS\NETAC32.EXE
O4 - HKLM\..\RunServices: [NTSA32.EXE] C:\WINDOWS\NTSA32.EXE
O4 - HKLM\..\RunServices: [SYSCT32.EXE] C:\WINDOWS\SYSCT32.EXE
O4 - HKLM\..\RunServices: [SDKCL32.EXE] C:\WINDOWS\SDKCL32.EXE
O4 - HKLM\..\RunServices: [APIZJ32.EXE] C:\WINDOWS\APIZJ32.EXE
O4 - HKLM\..\RunServices: [MSGV32.EXE] C:\WINDOWS\MSGV32.EXE
O4 - HKLM\..\RunServices: [IERK32.EXE] C:\WINDOWS\IERK32.EXE
O4 - HKLM\..\RunServices: [D3AA32.EXE] C:\WINDOWS\D3AA32.EXE
O4 - HKLM\..\RunServices: [MSXZ.EXE] C:\WINDOWS\MSXZ.EXE
O4 - HKLM\..\RunServices: [ATLCH32.EXE] C:\WINDOWS\ATLCH32.EXE
O4 - HKLM\..\RunServices: [JAVAQS.EXE] C:\WINDOWS\JAVAQS.EXE
O4 - HKLM\..\RunServices: [ATLBF.EXE] C:\WINDOWS\ATLBF.EXE
O4 - HKLM\..\RunServices: [D3ZH32.EXE] C:\WINDOWS\D3ZH32.EXE
O4 - HKLM\..\RunServices: [D3PJ32.EXE] C:\WINDOWS\D3PJ32.EXE
O4 - HKLM\..\RunServices: [SYSQK.EXE] C:\WINDOWS\SYSQK.EXE
O4 - HKLM\..\RunServices: [IEYH32.EXE] C:\WINDOWS\IEYH32.EXE
O4 - HKLM\..\RunServices: [JAVADP.EXE] C:\WINDOWS\JAVADP.EXE
O4 - HKLM\..\RunServices: [D3AT32.EXE] C:\WINDOWS\D3AT32.EXE
O4 - HKLM\..\RunServices: [CRYW32.EXE] C:\WINDOWS\CRYW32.EXE
O4 - HKLM\..\RunServices: [SDKTA32.EXE] C:\WINDOWS\SYSTEM\SDKTA32.EXE
O4 - HKLM\..\RunServices: [SDKOH.EXE] C:\WINDOWS\SYSTEM\SDKOH.EXE
O4 - HKLM\..\RunServices: [APIXZ.EXE] C:\WINDOWS\SYSTEM\APIXZ.EXE
O4 - HKLM\..\RunServices: [ADDRW32.EXE] C:\WINDOWS\ADDRW32.EXE
O4 - HKLM\..\RunServices: [ADDHH.EXE] C:\WINDOWS\SYSTEM\ADDHH.EXE
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab


#2 QuietFusion

Posted 03 March 2005 - 03:23 AM

Hi,

First make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html


Now download the following: About:Buster, CWShredder, Ad-aware, & Spybot.
  • Updating Ad-aware:
    Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
  • Updating Spybot:
    Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'
Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log

Now reboot into safe mode (press F8 during reboot, select Safe Mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank bug on your system.

Run Hijackthis and place a check next to the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cmiso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {07F4D6C6-5773-A150-C674-8A79572066F8} - C:\WINDOWS\SYSTEM\MSLH32.DLL
O4 - HKLM\..\Run: [IELW32.EXE] C:\WINDOWS\IELW32.EXE
O4 - HKLM\..\RunServices: [NETAC32.EXE] C:\WINDOWS\NETAC32.EXE
O4 - HKLM\..\RunServices: [NTSA32.EXE] C:\WINDOWS\NTSA32.EXE
O4 - HKLM\..\RunServices: [SYSCT32.EXE] C:\WINDOWS\SYSCT32.EXE
O4 - HKLM\..\RunServices: [SDKCL32.EXE] C:\WINDOWS\SDKCL32.EXE
O4 - HKLM\..\RunServices: [APIZJ32.EXE] C:\WINDOWS\APIZJ32.EXE
O4 - HKLM\..\RunServices: [MSGV32.EXE] C:\WINDOWS\MSGV32.EXE
O4 - HKLM\..\RunServices: [IERK32.EXE] C:\WINDOWS\IERK32.EXE
O4 - HKLM\..\RunServices: [D3AA32.EXE] C:\WINDOWS\D3AA32.EXE
O4 - HKLM\..\RunServices: [MSXZ.EXE] C:\WINDOWS\MSXZ.EXE
O4 - HKLM\..\RunServices: [ATLCH32.EXE] C:\WINDOWS\ATLCH32.EXE
O4 - HKLM\..\RunServices: [JAVAQS.EXE] C:\WINDOWS\JAVAQS.EXE
O4 - HKLM\..\RunServices: [ATLBF.EXE] C:\WINDOWS\ATLBF.EXE
O4 - HKLM\..\RunServices: [D3ZH32.EXE] C:\WINDOWS\D3ZH32.EXE
O4 - HKLM\..\RunServices: [D3PJ32.EXE] C:\WINDOWS\D3PJ32.EXE
O4 - HKLM\..\RunServices: [SYSQK.EXE] C:\WINDOWS\SYSQK.EXE
O4 - HKLM\..\RunServices: [IEYH32.EXE] C:\WINDOWS\IEYH32.EXE
O4 - HKLM\..\RunServices: [JAVADP.EXE] C:\WINDOWS\JAVADP.EXE
O4 - HKLM\..\RunServices: [D3AT32.EXE] C:\WINDOWS\D3AT32.EXE
O4 - HKLM\..\RunServices: [CRYW32.EXE] C:\WINDOWS\CRYW32.EXE
O4 - HKLM\..\RunServices: [SDKTA32.EXE] C:\WINDOWS\SYSTEM\SDKTA32.EXE
O4 - HKLM\..\RunServices: [SDKOH.EXE] C:\WINDOWS\SYSTEM\SDKOH.EXE
O4 - HKLM\..\RunServices: [APIXZ.EXE] C:\WINDOWS\SYSTEM\APIXZ.EXE
O4 - HKLM\..\RunServices: [ADDRW32.EXE] C:\WINDOWS\ADDRW32.EXE
O4 - HKLM\..\RunServices: [ADDHH.EXE] C:\WINDOWS\SYSTEM\ADDHH.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

and click fix.

Remain in safe mode for the next part of the removal.

- Unzip the About:Buster Program to your desktop > Double-Click the Folder > Double-Click About:Buster > Click 'OK' > Click 'Start' >

now the program will start to run, it will take a few minutes, once the program is complete go ahead and run the program again.

- Double-Click CWShredder and click 'Fix'
  • Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
  • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
    check: "Unload recognized processes during scanning."
  • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
    Check: "Let Windows remove files in use at next reboot."
Press 'Proceed'

Press 'Start'
  • Select option 'Use Custom scanning options'
  • Click 'Activate in-depth scan'
  • Press 'Select drives\folders to scan' Select the active partition which is usually C:
Click 'Customize'
  • Make sure the following are all are Checked:
  • 'Scan Within Archives'
  • 'Scan Active Processes'
  • 'Scan Registry'
  • 'Deep Scan Registry'
  • 'Scan My IE Favorites For Banned URLs'
  • 'Scan My Hosts File'
Click 'Proceed'
  • Now press "Next" to let Ad-aware scan your drives.
  • Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
  • Now Click 'Next' and Finally Click 'OK'
Close Out Ad-aware

Open Spybot.
  • Click 'Search & Destroy'
  • Click 'Check for problems' (the program will now search your HDD)
  • Make sure all findings are checked and click 'Fix Selected Problems'
Close SpyBot!

Now Delete the following Files and Folders,

Files:
C:\WINDOWS\IELW32.EXE
C:\WINDOWS\NETAC32.EXE
C:\WINDOWS\NTSA32.EXE
C:\WINDOWS\SYSCT32.EXE
C:\WINDOWS\SDKCL32.EXE
C:\WINDOWS\APIZJ32.EXE
C:\WINDOWS\MSGV32.EXE
C:\WINDOWS\IERK32.EXE
C:\WINDOWS\D3AA32.EXE
C:\WINDOWS\MSXZ.EXE
C:\WINDOWS\ATLCH32.EXE
C:\WINDOWS\JAVAQS.EXE
C:\WINDOWS\ATLBF.EXE
C:\WINDOWS\D3ZH32.EXE
C:\WINDOWS\D3PJ32.EXE
C:\WINDOWS\SYSQK.EXE
C:\WINDOWS\IEYH32.EXE
C:\WINDOWS\JAVADP.EXE
C:\WINDOWS\D3AT32.EXE
C:\WINDOWS\CRYW32.EXE
C:\WINDOWS\SYSTEM\SDKTA32.EXE
C:\WINDOWS\SYSTEM\SDKOH.EXE
C:\WINDOWS\SYSTEM\APIXZ.EXE
C:\WINDOWS\ADDRW32.EXE
C:\WINDOWS\SYSTEM\ADDHH.EXE
C:\WINDOWS\cmiso.dll

Folders:

Now click Start > go to Run > type cleanmgr and hit Enter > Click 'OK' > Click 'OK' > Exit out of the program.

Reboot back into normal mode and post a fresh Hijackthis log in your thread.
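The diagnosis above boils down to a handful of patterns in the log: R0/R1 values redirected into an HTML resource inside a local DLL (res://C:\WINDOWS\<name>.dll/sp.html), a Default_Page_URL forced to about:blank, a missing URLSearchHook, an O2 BHO with no friendly name ("Class") loaded from C:\WINDOWS\SYSTEM, O4 Run/RunServices entries whose value name is just the file name of a random-looking executable dropped in the Windows directory, and O15 Trusted Zone additions. The script below is an added example, not part of this thread and not a BleepingComputer or HijackThis tool: it applies those patterns to HijackThis log lines and produces the same kind of fix list and file-deletion list QuietFusion wrote by hand. The sample lines are copied from the logs in this thread (including the renamed nazmx.dll from the later relapse, which the res:// rule still catches); the "value name equals file name" and "BHO named only Class" heuristics are assumptions drawn from this particular log, not documented HijackThis rules.

```python
"""Triage heuristics for a HijackThis 1.99 log (CWS about:blank hijack).
Added example; not a HijackThis or BleepingComputer component."""
import ntpath
import re
from dataclasses import dataclass

# Every HijackThis entry looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [X] C:\X.EXE"
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# IE search/start value redirected into an HTML resource inside a DLL on the local disk
RES_DLL = re.compile(r"res://(?P<path>[A-Za-z]:\\[^/]+?\.dll)/", re.IGNORECASE)
# O2 body: "BHO: <friendly name> - {CLSID} - <dll path>"
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O4 body: "HKLM\..\RunServices: [<value name>] <command>"
AUTORUN = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run[A-Za-z]*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
TRUSTED = re.compile(r"^Trusted Zone: (?P<domain>\S+)")

# Win9x/ME system directories where the dropper in this thread placed its files (assumption)
SYSTEM_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    artifact: str  # file path to delete, domain to remove, or "" if registry-only
    line: str


def triage(lines):
    """Return the log lines a helper would tell the poster to check and 'fix'."""
    findings = []
    for raw in lines:
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            hit = RES_DLL.search(body)
            if hit:
                findings.append(Finding(sec, "IE search/start value points into a local DLL (CWS about:blank)", hit.group("path"), raw))
            elif body.endswith("= about:blank"):
                findings.append(Finding(sec, "default page forced to about:blank", "", raw))
        elif sec == "R3" and body == "Default URLSearchHook is missing":
            findings.append(Finding(sec, "URLSearchHook removed by the hijacker; let HijackThis restore it", "", raw))
        elif sec == "O2":
            hit = BHO.match(body)
            if hit and hit.group("name") == "Class" and ntpath.dirname(hit.group("path")).upper() in SYSTEM_DIRS:
                findings.append(Finding(sec, "BHO with no friendly name loaded from the system directory", hit.group("path"), raw))
        elif sec == "O4":
            hit = AUTORUN.match(body)
            if hit:
                cmd = hit.group("cmd")
                # Heuristic from this log: the value name is literally the file name, and the
                # file sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM (legit entries such as
                # [SystemTray] SysTray.Exe or [avast!] ashServ.exe do not match)
                if hit.group("name").upper() == ntpath.basename(cmd).upper() and ntpath.dirname(cmd).upper() in SYSTEM_DIRS:
                    findings.append(Finding(sec, f"{hit.group('key')} entry named after its own file in the Windows directory", cmd, raw))
        elif sec == "O15":
            hit = TRUSTED.match(body)
            if hit:
                findings.append(Finding(sec, "site added to the IE Trusted Zone (relaxed security settings)", hit.group("domain"), raw))
    return findings


def removal_list(findings):
    """Unique on-disk files the findings point at, i.e. the 'Files:' list for safe mode."""
    return sorted({f.artifact for f in findings if f.artifact.upper().startswith("C:\\")})


# Lines copied from the logs posted in this thread (a subset, used as sample input)
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cmiso.dll/sp.html#28129",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nazmx.dll/sp.html#28129",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL",
    r"O2 - BHO: Class - {07F4D6C6-5773-A150-C674-8A79572066F8} - C:\WINDOWS\SYSTEM\MSLH32.DLL",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [IELW32.EXE] C:\WINDOWS\IELW32.EXE",
    r"O4 - HKLM\..\RunServices: [NETAC32.EXE] C:\WINDOWS\NETAC32.EXE",
    r"O4 - HKLM\..\RunServices: [SDKTA32.EXE] C:\WINDOWS\SYSTEM\SDKTA32.EXE",
    r"O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O15 - Trusted Zone: *.awmdabest.com",
    r"O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("Place a check next to the following and click Fix:")
    for f in found:
        print(f"  {f.line}    <- {f.reason}")
    print("Files:")
    for path in removal_list(found):
        print(f"  {path}")
```

Matching on the res:// shape rather than on a DLL name is what makes the check survive the variant in the later log, where cmiso.dll had become nazmx.dll; the O4 rule likewise ignores the random file names and keys on where the file lives and how the autostart value is named.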

#3 pygmy

Posted 03 March 2005 - 02:55 PM

Thanks,
I did everything per your instructions except for the
O2 - BHO: Class - (07FD6C6-5773-A150-C674-8A79572066F8) - C:\WINDOWS\SYSTEM\MSLH32.DLL, which was not on the scan, and I only had 9 of the files to delete.
Here is the latest scan.
Logfile of HijackThis v1.99.1
Scan saved at 1:37:11 PM, on 3/3/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS\COMPONENTS\QBAGENT\QBDAGENT.EXE
C:\PROGRAM FILES\PARTNERS\BUSBOY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PARTNERS\BBPART11.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {1C96E95D-4D34-92CA-758A-78A6CAC650C4} - C:\WINDOWS\SYSTEM\WINPS32.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QBCD Autorun] M:\autorun.exe restart QB_SEQUENCE first
O4 - HKLM\..\Run: [agpart] C:\Program Files\Partners\AGPART11.EXE
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

#4 QuietFusion

Posted 03 March 2005 - 04:44 PM

Run Hijackthis and place a check next to the following.

O2 - BHO: Class - {1C96E95D-4D34-92CA-758A-78A6CAC650C4} - C:\WINDOWS\SYSTEM\WINPS32.DLL

close all your internet explorer browsers and click fix.


Now to remove the pesky O15 line

Download this file to your desktop. http://www.mvps.org/winhelp2002/DelDomains.inf

Close all your Internet Browsers

Right-click on the deldomains.inf file and select 'Install'


Once complete post a fresh Hijackthis log.

#5 pygmy

Posted 04 March 2005 - 08:42 AM

Looks like about blank has crept back in.
Where do we go from here? Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:40:58 AM, on 3/4/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS\COMPONENTS\QBAGENT\QBDAGENT.EXE
C:\PROGRAM FILES\PARTNERS\BUSBOY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PARTNERS\BBPART11.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QBCD Autorun] M:\autorun.exe restart QB_SEQUENCE first
O4 - HKLM\..\Run: [agpart] C:\Program Files\Partners\AGPART11.EXE
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

#6 QuietFusion

Posted 04 March 2005 - 04:06 PM

Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log

Now reboot into safe mode (press F8 during reboot, select Safe Mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank bug on your system.

Run Hijackthis and place a check next to the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nazmx.dll/sp.html#28129
R3 - Default URLSearchHook is missing

and click fix.

Remain in safe mode for the next part of the removal.

- Unzip the About:Buster Program to your desktop > Double-Click the Folder > Double-Click About:Buster > Click 'OK' > Click 'Start' >

now the program will start to run, it will take a few minutes, once the program is complete go ahead and run the program again.

- Double-Click CWShredder and click 'Fix'
  • Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
  • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
    check: "Unload recognized processes during scanning."
  • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
    Check: "Let Windows remove files in use at next reboot."
Press 'Proceed'

Press 'Start'
  • Select option 'Use Custom scanning options'
  • Click 'Activate in-depth scan'
  • Press 'Select drives\folders to scan' Select the active partition which is usually C:
Click 'Customize'
  • Make sure the following are all are Checked:
  • 'Scan Within Archives'
  • 'Scan Active Processes'
  • 'Scan Registry'
  • 'Deep Scan Registry'
  • 'Scan My IE Favorites For Banned URLs'
  • 'Scan My Hosts File'
Click 'Proceed'
  • Now press "Next" to let Ad-aware scan your drives.
  • Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
  • Now Click 'Next' and Finally Click 'OK'
Close Out Ad-aware

Open Spybot.
  • Click 'Search & Destroy'
  • Click 'Check for problems' (the program will now search your HDD)
  • Make sure all findings are checked and click 'Fix Selected Problems'
Close SpyBot!

Now Delete the following Files and Folders,

Files:
C:\WINDOWS\nazmx.dll

Reboot back into normal mode and post a fresh Hijackthis log in your thread.

#7 pygmy

Posted 04 March 2005 - 06:14 PM

It really looks good this time. THANKS QuietFusion.
I will continue to run Spybot, Ad-Aware SE, and Avast.
Is Sygate a good firewall, as I am not running one now?

Logfile of HijackThis v1.99.1
Scan saved at 5:11:36 PM, on 3/4/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS\COMPONENTS\QBAGENT\QBDAGENT.EXE
C:\PROGRAM FILES\PARTNERS\BUSBOY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PARTNERS\BBPART11.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QBCD Autorun] M:\autorun.exe restart QB_SEQUENCE first
O4 - HKLM\..\Run: [agpart] C:\Program Files\Partners\AGPART11.EXE
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

#8 QuietFusion

Posted 05 March 2005 - 05:03 AM

That looks good. I am going to lock your thread. If you have any problems in the future, please PM a moderator and request that your thread be re-opened.

To prevent the hijackers from taking over your system, increase the level of security on your system. Don't allow the hijackers to take you over!! Review these articles to increase the level of security.

http://www.computercops.biz/postt7736.html
http://www.markusjansson.net/eienbid.html



