Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Potential error in "How to remove About:Blank Hijacker" memo


  • Please log in to reply
9 replies to this topic

#1 dstein

dstein

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:32 AM

Posted 27 March 2005 - 11:11 PM

To my delight, you have published a process on how to remove About:Blank - a rather clever IE hijacker (which I've been trying to get rid of). However, there appears to be an issue in the fix process titled:
How to remove the About:Blank Hijacker in Windows XP/2000

There was no key called AppInit_DLLs at the location described in step three namely:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Instead, a search revealed that this key (and there was only one instance of it) was located at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows

Given this discrepancy with the instructions, I feet a bit uncomfortable following the remaining steps. My HijackThis log is listed below. I would be very indebted if help could be provided on this issue.
Many, many thanks in advance!!


Logfile of HijackThis v1.99.1
Scan saved at 10:03:20 PM, on 3/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
F:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\David\My Documents\LAMP\Security\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Name - {3AC14A9B-9A08-4084-99C9-4E233F94BA0C} - C:\WINDOWS\System32\mshqm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {553D41A0-46FC-435E-9DA9-178220808AE5} - C:\WINDOWS\System32\dskrfuoui.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Name - {D9130E1D-E473-49EF-BDFC-5B34CE4C609A} - C:\WINDOWS\System32\mshqm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [dwlax.exe] dwlax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{13F864EE-A88A-42F1-8FC3-D963FCFB28E1}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{B83D36D9-E2FF-4405-8DD6-C3ABD73F290F}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAEC9CC8-86BC-4182-9E27-18F474DA3F2B}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = healthpartners.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = healthpartners.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = healthpartners.com
O18 - Filter: text/html - {BCAA1BF0-3DDE-46AF-8001-8C8B7537612B} - C:\WINDOWS\System32\dskrfuoui.dll
O18 - Filter: text/plain - {BCAA1BF0-3DDE-46AF-8001-8C8B7537612B} - C:\WINDOWS\System32\dskrfuoui.dll
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:32 AM

Posted 28 March 2005 - 09:22 AM

Instructions

>> Download the following file and unzip the contents to a permanent folder[/b]

http://forums.skads.org/index.php?act=Atta...ype=post&id=114

>> Reboot into safe mode and unhide all files and folders

>> Doubleclick on remv3.bat to run it. Wait untill the dos window closes.

>> Post the contents of c:\log.txt for the helper after rebboting into normal mode.

#3 dstein

dstein
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:32 AM

Posted 28 March 2005 - 10:53 PM

Following the above instructions, the contents of log.txt are below. Many thanks for having responded so promptly.


Files Found.................
----------------------------------------
dskrfuoui.dll
audissrp.exe
autodmfp.exe
chkntfsfat.exe
fixmapirs.exe
dwcrnt.exe
mshqm.dll

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 1400-7386

Directory of C:\WINDOWS\SYSTEM32

03/28/2005 09:28 PM 19,456 hdcdy.dll
1 File(s) 19,456 bytes
0 Dir(s) 1,113,784,320 bytes free
MSI.DLL
Finished

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:32 AM

Posted 29 March 2005 - 09:22 AM

Lets see a new hjt log

#5 dstein

dstein
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:32 AM

Posted 29 March 2005 - 11:18 PM

The log below is taken with an active internet connection (and IE browser open)


Logfile of HijackThis v1.99.1
Scan saved at 10:23:54 PM, on 3/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
F:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\My Documents\LAMP\Security\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Name - {16FDF165-7784-475D-BBFE-9F1C8F96603E} - C:\WINDOWS\System32\mshqm.dll (file missing)
O2 - BHO: Name - {3AC14A9B-9A08-4084-99C9-4E233F94BA0C} - C:\WINDOWS\System32\mshqm.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {553D41A0-46FC-435E-9DA9-178220808AE5} - C:\WINDOWS\System32\dskrfuoui.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Name - {D9130E1D-E473-49EF-BDFC-5B34CE4C609A} - C:\WINDOWS\System32\mshqm.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe
O4 - HKLM\..\RunOnce: [dwdak.exe] dwdak.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{13F864EE-A88A-42F1-8FC3-D963FCFB28E1}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{380DCA3E-4640-45BC-816F-52B8547CC8FA}: NameServer = 69.50.176.197 195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{B83D36D9-E2FF-4405-8DD6-C3ABD73F290F}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAEC9CC8-86BC-4182-9E27-18F474DA3F2B}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = healthpartners.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = healthpartners.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = healthpartners.com
O18 - Filter: text/html - {BCAA1BF0-3DDE-46AF-8001-8C8B7537612B} - C:\WINDOWS\System32\dskrfuoui.dll
O18 - Filter: text/plain - {BCAA1BF0-3DDE-46AF-8001-8C8B7537612B} - C:\WINDOWS\System32\dskrfuoui.dll
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:32 AM

Posted 30 March 2005 - 12:40 AM

Enter your control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.

Then post a new log

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Name - {16FDF165-7784-475D-BBFE-9F1C8F96603E} - C:\WINDOWS\System32\mshqm.dll (file missing)
O2 - BHO: Name - {3AC14A9B-9A08-4084-99C9-4E233F94BA0C} - C:\WINDOWS\System32\mshqm.dll (file missing)
O2 - BHO: (no name) - {553D41A0-46FC-435E-9DA9-178220808AE5} - C:\WINDOWS\System32\dskrfuoui.dll (file missing)
O2 - BHO: Name - {D9130E1D-E473-49EF-BDFC-5B34CE4C609A} - C:\WINDOWS\System32\mshqm.dll (file missing)
O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
O4 - HKLM\..\Run: [dwcrnt.exe] dwcrnt.exe
O4 - HKLM\..\RunOnce: [dwdak.exe] dwdak.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O18 - Filter: text/html - {BCAA1BF0-3DDE-46AF-8001-8C8B7537612B} - C:\WINDOWS\System32\dskrfuoui.dll
O18 - Filter: text/plain - {BCAA1BF0-3DDE-46AF-8001-8C8B7537612B} - C:\WINDOWS\System32\dskrfuoui.dll

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)


c:\windows\system32\dwcrnt.exe
c:\windows\system32\dwdak.exe
C:\WINDOWS\System32\dskrfuoui.dll

Reboot your computer to go back to normal mode and post a new log.

#7 dstein

dstein
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:32 AM

Posted 31 March 2005 - 12:12 AM

I kind of chuckling to myself because I tried a number of things taking at least a few hours before coming to you and having you solve this issue. I am sending 30 bucks your way - although I should probably be sending multiples of that considering how much longer it would have taken without your help.
Thanks!

My last log is below - and it appears that the about:blank problem has been licked.

Logfile of HijackThis v1.99.1
Scan saved at 10:43:09 PM, on 3/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
F:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Netropa\OSD.exe
C:\Documents and Settings\David\My Documents\LAMP\Security\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{13F864EE-A88A-42F1-8FC3-D963FCFB28E1}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{B83D36D9-E2FF-4405-8DD6-C3ABD73F290F}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAEC9CC8-86BC-4182-9E27-18F474DA3F2B}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = healthpartners.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = healthpartners.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = healthpartners.com
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:32 AM

Posted 31 March 2005 - 02:10 PM

Fix these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{13F864EE-A88A-42F1-8FC3-D963FCFB28E1}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{B83D36D9-E2FF-4405-8DD6-C3ABD73F290F}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAEC9CC8-86BC-4182-9E27-18F474DA3F2B}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D3616A5-5667-4445-9C63-9E68FE32A9B9}: NameServer = 69.50.176.197,195.225.176.31


And then follow these steps if the internet does not work after:

Enter your control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

then post a last log

#9 dstein

dstein
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:32 AM

Posted 31 March 2005 - 11:24 PM

Works Great !!!!!!!!!!

Here's the final log:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:50 PM, on 3/31/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
F:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\David\My Documents\LAMP\Security\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [jopplerg] clamav.exe
O4 - HKLM\..\Run: [porka_] NSYSCPLSTR.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = healthpartners.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = healthpartners.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = healthpartners.com
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:32 AM

Posted 31 March 2005 - 11:33 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

O4 - HKLM\..\Run: [jopplerg] clamav.exe
O4 - HKLM\..\Run: [porka_] NSYSCPLSTR.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

c:\windows\system32\clamav.exe
c:\windows\system32\NSYSCPLSTR.exe

Reboot your computer to go back to normal mode and post a new log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users