
Hijack this log, please diagnose


1 reply to this topic

#1 chinooktoe

chinooktoe

  • Members
  • 6 posts

Posted 22 March 2005 - 09:39 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:31:57 PM, on 3/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\fptd\ubrqx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\WINDOWS\System32\ltuztrtf.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\yziqxchh.exe
C:\docume~1\sueche~1\locals~1\temp\180ax.exe
C:\WINDOWS\system32\pazvrr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\packager.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\peopleonpage.exe
C:\WINDOWS\system32\rohryirx\lmjt.exe
C:\WINDOWS\System32\fqgnwyg\wdeyj.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.adultwebstuff.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\SZIEBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [p37h37l] nwacr71.exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Makarzy] C:\WINDOWS\nyei.exe
O4 - HKLM\..\Run: [wdeyj] C:\WINDOWS\System32\fqgnwyg\wdeyj.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [ltuztrtf] c:\windows\system32\ltuztrtf.exe
O4 - HKLM\..\Run: [orspba] C:\WINDOWS\System32\ltuztrtf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [qrqqczilcxwykauchcqnbsqmnkzkivs] C:\WINDOWS\yziqxchh.exe
O4 - HKLM\..\Run: [180ax] c:\docume~1\sueche~1\locals~1\temp\180ax.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\pazvrr.exe
O4 - HKLM\..\Run: [tuvoh] c:\windows\tuvoh.exe
O4 - HKLM\..\Run: [kxauwnu] C:\WINDOWS\System32\rkaex\kxauwnu.exe
O4 - HKLM\..\Run: [ubrqx] C:\WINDOWS\System32\fptd\ubrqx.exe
O4 - HKLM\..\Run: [jxgrvp] C:\WINDOWS\system32\nlln\jxgrvp.exe
O4 - HKLM\..\Run: [lmjt] C:\WINDOWS\system32\rohryirx\lmjt.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [Rqoae] C:\WINDOWS\System32\??erinit.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0522.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0522.DLL
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} - http://advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O23 - Service: kxauwnurkaex - Unknown owner - C:\WINDOWS\System32\rkaex\kxauwnu.exe
O23 - Service: lmjtrohryirx - Unknown owner - C:\WINDOWS\system32\rohryirx\lmjt.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: ubrqxfptd - Unknown owner - C:\WINDOWS\System32\fptd\ubrqx.exe (file missing)

Hello, my name is Neil. I have used CW shredder and Avast and Spybot but have not been able to stop something from preventing me from launching Internet Explorer. I can launch Mozilla, but not IE. I appreciate your help if you can. Thanks.



#2 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 23 March 2005 - 06:37 AM

Hi Neil,

You may want to print these instructions, since you're closing your Web Browser.

Download the program Hoster which gives you the ability to restore the default host file back onto your machine. To do so, download the Hoster program and run it. When it opens, click on the Restore Original Hosts button and then exit Hoster.

Download LSPFix from here and unzip it into its own folder.

Disconnect from the Internet and close all Internet Explorer windows. Check the "I know what I'm doing" button and move all instances of aklsp.dll and dolsp.dll from the left panel to the right panel, then click "Finish".

Viewpoint Media Player/Manager is foistware, I recommend you uninstall it from "Add/Remove Programs" in the Windows® Control Panel.
Errorguard is a rogue programme, I recommend uninstalling it in the Add/remove Programs in the Control Panel.


Open Hijackthis, take another scan and place a checkmark next to these entries.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.adultwebstuff.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - (no file)
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [p37h37l] nwacr71.exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [Makarzy] C:\WINDOWS\nyei.exe
O4 - HKLM\..\Run: [wdeyj] C:\WINDOWS\System32\fqgnwyg\wdeyj.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [ltuztrtf] c:\windows\system32\ltuztrtf.exe
O4 - HKLM\..\Run: [orspba] C:\WINDOWS\System32\ltuztrtf.exe
O4 - HKLM\..\Run: [qrqqczilcxwykauchcqnbsqmnkzkivs] C:\WINDOWS\yziqxchh.exe
O4 - HKLM\..\Run: [180ax] c:\docume~1\sueche~1\locals~1\temp\180ax.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\pazvrr.exe
O4 - HKLM\..\Run: [tuvoh] c:\windows\tuvoh.exe
O4 - HKLM\..\Run: [kxauwnu] C:\WINDOWS\System32\rkaex\kxauwnu.exe
O4 - HKLM\..\Run: [ubrqx] C:\WINDOWS\System32\fptd\ubrqx.exe
O4 - HKLM\..\Run: [jxgrvp] C:\WINDOWS\system32\nlln\jxgrvp.exe
O4 - HKLM\..\Run: [lmjt] C:\WINDOWS\system32\rohryirx\lmjt.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [Rqoae] C:\WINDOWS\System32\??erinit.exe

The next two O6 entries are restrictions. If you didn't set them yourself or have them set by a software program such as Spybot Search and Destroy, then click the check-box on the left. If you intentionally set the restriction, then leave it alone.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} - http://advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O23 - Service: kxauwnurkaex - Unknown owner - C:\WINDOWS\System32\rkaex\kxauwnu.exe
O23 - Service: lmjtrohryirx - Unknown owner - C:\WINDOWS\system32\rohryirx\lmjt.exe
O23 - Service: ubrqxfptd - Unknown owner - C:\WINDOWS\System32\fptd\ubrqx.exe (file missing)

Close all open Windows except Hijackthis and click on "fix Checked".

* Enable the ”Show Hidden Files and Folders” option:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select "Show hidden files and folders".
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files (recommended)"
Click Yes to confirm.
Click OK.

* Navigate to and delete the following Files/Folders if present.
Do not be concerned if some of them aren't there:

C:\Program Files\Viewpoint\<<<---folder
C:\Program Files\ErrorGuard\<<<---folder
c:\windows\system32\aklsp.dll<<<---file
c:\windows\system32\dolsp.dll<<<---file
C:\Program Files\support.com\<<<---folder
C:\WINDOWS\nyei.exe<<<---file
C:\WINDOWS\System32\fqgnwyg\<<<---folder
C:\WINDOWS\system32\n20050308.exe<<<---file
c:\windows\system32\ltuztrtf.exe<<<---file
C:\WINDOWS\yziqxchh.exe<<<---file
c:\docume~1\sueche~1\locals~1\temp\180ax.exe<<<---file
C:\WINDOWS\system32\pazvrr.exe<<<---file
c:\windows\tuvoh.exe<<<---file
C:\WINDOWS\System32\rkaex\<<<---folder
C:\WINDOWS\System32\fptd\<<<---folder
C:\WINDOWS\system32\nlln\<<<---folder
C:\WINDOWS\system32\rohryirx\<<<---folder
C:\PROGRA~1\COMMON~1\WinTools\<<<---folder
C:\WINDOWS\System32\winpack.exe<<<---file
C:\WINDOWS\System32\??erinit.exe<<<---file

Reboot the computer in normal mode, click the "AddReply" button and post a new log in this thread for further review and evaluation.
Please let us know how the computer is performing.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.
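A small triage script, added here as an example and not part of either post or of HijackThis itself, that sorts lines in the HijackThis v1.99.1 format into the buckets Joe's reply acts on: hosts-file entries that point a search hostname at a non-loopback address, URLSearchHook/BHO registrations whose DLL is gone, Run entries launched from a temp folder, unknown Winsock LSP DLLs, and services with an unknown owner. The sample input is constructed from lines in this thread; the bucket names are the script's own.

```python
import re
from collections import defaultdict

# Constructed sample input (not the original post), in the HijackThis v1.99.1 format.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - (no file)
O4 - HKLM\..\Run: [180ax] c:\docume~1\sueche~1\locals~1\temp\180ax.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O23 - Service: ubrqxfptd - Unknown owner - C:\WINDOWS\System32\fptd\ubrqx.exe (file missing)
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")  # "O4 - <body>"
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)")     # "[name] command line"

def _add(findings, bucket, value):
    """Append without duplicates; HijackThis lists one LSP DLL once per protocol slot."""
    if value not in findings[bucket]:
        findings[bucket].append(value)

def triage(log_text):
    """Sort HijackThis lines into the buckets a helper looks at first; return dict of lists."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":  # hosts-file entry: search hostname sent to a non-loopback IP = hijack
            ip, host = body.split()[1:3]
            if not ip.startswith("127."):
                _add(findings, "hosts_hijack", f"{host} -> {ip}")
        elif sec in ("R3", "O2") and body.endswith("(no file)"):
            _add(findings, "dangling_browser_entry", body.split(" - ")[1])  # CLSID w/o DLL
        elif sec == "O4":
            run = RUN_RE.search(body)
            if run and re.search(r"\\temp\\", run["cmd"], re.I):  # autostart out of a temp dir
                _add(findings, "run_from_temp", run["name"])
        elif sec == "O10":
            _add(findings, "unknown_lsp", body.rsplit(": ", 1)[1])
        elif sec == "O23":
            name, owner = body.split(" - ", 2)[:2]
            if owner == "Unknown owner":
                _add(findings, "unknown_owner_service", name[len("Service: "):])
    return dict(findings)
```

Entries that land in no bucket (the QuickTime Run entry, the localhost hosts line, the STOPzilla service) are left for manual review rather than flagged.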
