
HijackThis Log: Please help Diagnose


  • This topic is locked
2 replies to this topic

#1 sk23

sk23

  • Members
  • 1 posts

Posted 01 April 2005 - 08:05 PM

Ok, here's the deal... I ran Ad-Aware and Spybot to try to remove the IE about:blank homepage hijacker, but to no avail.

Please help!
sk23

Logfile of HijackThis v1.99.1
Scan saved at 7:47:48 PM, on 4/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\windows\system32\winlogon.exe
C:\windows\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\windows\System32\rundll32.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ares\Ares.exe
C:\windows\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\windows\system32\winwy32.exe
C:\windows\netjv.exe
C:\windows\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Scott&Terri\Desktop\HijackThis.exe
C:\windows\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\windows\xrsok.dll/sp.html#98809
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\windows\xrsok.dll/sp.html#98809
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=127.0.0.1:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33AC10E4-94BE-C3D0-855D-41F27DCEDD3D} - C:\windows\system32\msli.dll
O2 - BHO: (no name) - {3F914477-1DF9-D259-7203-3EB9F96EABDB} - C:\windows\mfcyu32.dll
O2 - BHO: (no name) - {7970E706-D02D-A73A-7C76-6016BB2C1460} - C:\windows\system32\ipki.dll
O2 - BHO: (no name) - {A72AA2FE-E26C-B9E0-B909-4EC233716D29} - C:\windows\mfcur32.dll
O2 - BHO: (no name) - {B6007EAD-B9FB-819A-9125-AF6A6A50A711} - C:\windows\system32\d3on32.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\Run: [netjv.exe] C:\windows\netjv.exe
O4 - HKLM\..\RunOnce: [sdktk.exe] C:\windows\sdktk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Corel Network monitor worker - {8416D5D4-2186-4FBE-8EE8-DF99920D8E83} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {8416D5D4-2186-4FBE-8EE8-DF99920D8E83} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {19550FA5-93FA-3813-139A-4DE541B3A0CE} - http://82.179.166.72/1/rdgUS208.exe
O16 - DPF: {20404B83-389C-4BCE-6278-689E1FD37C85} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {4551A2A8-7A14-2C30-4A21-59511A4C063B} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\windows\mfccy.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 April 2005 - 12:41 PM

Hi there,
It's better to print out these instructions, because you also have to work in safe mode and this page wouldn't be available then.
It's also very important you don't miss any steps in here!!

* Download and install CCleaner
Do not use it yet.

Download AboutBuster.
Unzip AboutBuster into its own folder such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close AboutBuster now, because you may not run it yet; that's for later.
If you are getting an error when updating, please let me know first before you proceed with the next steps.

* Download CWShredder.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Reboot into Safe Mode:
To get into Safe Mode, as the computer is booting press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Go to Start > Run and type: services.msc and click OK.
Scroll down in that list until you find the service Remote Procedure Call (RPC) Helper !! Make sure it's this one and no other!!
Double-click on it. In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click Apply and OK and close all open windows.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\windows\xrsok.dll/sp.html#98809
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\windows\xrsok.dll/sp.html#98809
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {33AC10E4-94BE-C3D0-855D-41F27DCEDD3D} - C:\windows\system32\msli.dll
O2 - BHO: (no name) - {3F914477-1DF9-D259-7203-3EB9F96EABDB} - C:\windows\mfcyu32.dll
O2 - BHO: (no name) - {7970E706-D02D-A73A-7C76-6016BB2C1460} - C:\windows\system32\ipki.dll
O2 - BHO: (no name) - {A72AA2FE-E26C-B9E0-B909-4EC233716D29} - C:\windows\mfcur32.dll
O2 - BHO: (no name) - {B6007EAD-B9FB-819A-9125-AF6A6A50A711} - C:\windows\system32\d3on32.dll
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [netjv.exe] C:\windows\netjv.exe
O4 - HKLM\..\RunOnce: [sdktk.exe] C:\windows\sdktk.exe
O16 - DPF: {19550FA5-93FA-3813-139A-4DE541B3A0CE} - http://82.179.166.72/1/rdgUS208.exe
O16 - DPF: {20404B83-389C-4BCE-6278-689E1FD37C85} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {4551A2A8-7A14-2C30-4A21-59511A4C063B} - http://82.179.166.72/1/gdnUS208.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\windows\mfccy.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\windows\system32\winwy32.exe
C:\windows\netjv.exe
C:\windows\sdktk.exe

Search for the following files and delete them. Most probably they're present in your system32 folder:

E6F1873B.DLL
D9EBC318C
D0CE0C16B1


* Start AboutBuster and let it scan. Click OK/Yes for every instruction that AboutBuster gives you.
Let it scan a second time to make sure it can get rid of everything.
When finished, click 'Save log'.

* Start CWShredder and click FIX

* Start CCleaner and click Run Cleaner

* Reboot your system back to normal mode.

* Perform an online scan with Housecall and/or eTrust and let it delete everything it finds.

Post back a fresh HijackThis log together with the AboutBuster log and I'll take another look.

If you had any problems with deleting files or noticed any other problems during your fix, also let me know in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
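As an added example that is not part of this thread, and not code from HijackThis or its author, the script below encodes the indicators miekiemoes singled out when she turned sk23's log into a fix list: IE search and start page values rewritten to a res:// DLL, nameless BHOs, rundll32 autoruns that load hex-named modules, autorun binaries sitting directly in C:\windows, ActiveX downloads served as raw .exe files from a bare IP address, and a service with an unknown owner whose binary is missing. The sample input is a subset of the posted log with a few benign lines kept for contrast; the rule names, severities, the "review" tier and the localhost-proxy heuristic are my own assumptions, added so an analyst can see why each line was selected rather than take the list on trust.

```python
"""Triage rules for a HijackThis 1.99 log (added example, not the thread's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted above, plus benign lines for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\windows\xrsok.dll/sp.html#98809
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=127.0.0.1:1080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33AC10E4-94BE-C3D0-855D-41F27DCEDD3D} - C:\windows\system32\msli.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [netjv.exe] C:\windows\netjv.exe
O4 - HKLM\..\RunOnce: [sdktk.exe] C:\windows\sdktk.exe
O16 - DPF: {19550FA5-93FA-3813-139A-4DE541B3A0CE} - http://82.179.166.72/1/rdgUS208.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\windows\mfccy.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""


@dataclass
class Finding:
    severity: str  # "high" = tick it in HijackThis; "review" = look before acting
    reason: str
    line: str


# Each rule: (severity, reason, pattern). Severities and wording are my assumptions.
RULES = [
    ("high", "IE search/start page redirected into a resource DLL (res://)",
     re.compile(r"^R[01] - .* = res://", re.I)),
    ("review", "HKLM default page/search forced to about:blank (part of the hijack when res:// entries are present)",
     re.compile(r"^R[01] - HKLM\\.*(Default_Page_URL|CustomizeSearch) = about:blank$", re.I)),
    ("review", "WinINet proxy points at localhost; confirm the listener is software you installed (heuristic)",
     re.compile(r"^R1 - .*ProxyServer = .*127\.0\.0\.1", re.I)),
    ("review", "default URLSearchHook has been removed",
     re.compile(r"^R3 - Default URLSearchHook is missing$")),
    ("high", "BHO registered with no name",
     re.compile(r"^O2 - BHO: \(no name\)")),
    ("high", "autorun loads a hex-named module through rundll32",
     re.compile(r"^O4 - .*rundll32\.exe\s+[0-9A-F]{6,}(\.DLL)?,", re.I)),
    ("high", "autorun binary sits directly in the Windows root directory",
     re.compile(r'^O4 - .*\]\s+"?[a-z]:\\windows\\[^\\"]+\.exe"?\s*$', re.I)),
    ("high", "ActiveX download from a bare IP address or served as a raw .exe",
     re.compile(r"^O16 - DPF: .* - https?://(\d{1,3}(\.\d{1,3}){3}\b|.*\.exe$)", re.I)),
    ("high", "service with unknown owner or missing binary",
     re.compile(r"^O23 - Service: .*(Unknown owner|\(file missing\))", re.I)),
]


def triage(log_text: str) -> list[Finding]:
    """Run every rule over each log line; first matching rule wins, one finding per line."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for severity, reason, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, reason, line))
                break
    return findings


def hijackthis_fix_list(findings: list[Finding]) -> list[str]:
    """The lines an analyst would tick under 'Fix checked': the high-severity ones."""
    return [f.line for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the script flags the same R1/O2/O4/O16/O23 lines the helper asked sk23 to fix and leaves the Acrobat BHO, QuickTime autorun, Symantec ActiveX control and Zone Labs service alone. The about:blank and URLSearchHook entries land in the "review" tier because either can be legitimate on its own; they only read as part of the hijack alongside the res:// redirects. Regex rules like these are a starting point for reading a log, not a substitute for checking what each binary actually is.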

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 May 2005 - 03:08 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.