trojan start page-DU.dll


3 replies to this topic

#1 huckster (Members, 9 posts)

Posted 10 July 2005 - 01:38 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:23:57 PM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\ieto.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\COMMON~1\AOL\110215~1\EE\AOLHOS~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\PROGRA~1\COMMON~1\AOL\110215~1\EE\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0D064D84-ED78-BC93-66E2-030B7A926E0F} - C:\WINDOWS\system32\winiz.dll (file missing)
O2 - BHO: Class - {0E3EC17B-181D-DBCA-0C5F-6B4E08741A24} - C:\WINDOWS\system32\msfc.dll
O2 - BHO: Class - {124D0F11-4118-F197-B2B9-2911BC897B9D} - C:\WINDOWS\ipau32.dll (file missing)
O2 - BHO: Class - {1675AA03-A4B6-B52E-621F-A324E2D9D861} - C:\WINDOWS\addef.dll (file missing)
O2 - BHO: Class - {236A52A4-0D6B-4284-F174-EB78C9872A68} - C:\WINDOWS\appsz.dll (file missing)
O2 - BHO: Class - {28223167-A6CC-2F8F-758F-1F424FBB380E} - C:\WINDOWS\system32\mfczq.dll (file missing)
O2 - BHO: Class - {35389AF8-6A8A-5D1C-5906-E5ADD61260FF} - C:\WINDOWS\system32\ipwb.dll (file missing)
O2 - BHO: Class - {36C8BFEE-9131-2E75-B2A0-0B02A6B32FED} - C:\WINDOWS\system32\sdkdb.dll (file missing)
O2 - BHO: Class - {3F18E16D-F794-AD29-32FD-2AA0E587716B} - C:\WINDOWS\javair32.dll (file missing)
O2 - BHO: Class - {41F3CA6F-89B1-AA39-EC13-EFBD507CB60F} - C:\WINDOWS\system32\atlou32.dll (file missing)
O2 - BHO: Class - {4618F47A-1690-B92B-1C12-67DC8F9B1E95} - C:\WINDOWS\ntnf32.dll (file missing)
O2 - BHO: Class - {4C928477-3A6D-F1DD-A78A-1F75F7C46F82} - C:\WINDOWS\system32\apick.dll (file missing)
O2 - BHO: Class - {4E2D6015-15E8-2CC0-BDB1-FA231611A30E} - C:\WINDOWS\appqy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {53EB571E-DF9B-C0FE-846E-402B5896036A} - C:\WINDOWS\msjm.dll (file missing)
O2 - BHO: Class - {61B76632-572B-32EF-D5FA-80F27E710D9E} - C:\WINDOWS\crjg.dll (file missing)
O2 - BHO: Class - {61C8EBAC-CCA6-8D58-8D6F-86767AD118FC} - C:\WINDOWS\atlws32.dll (file missing)
O2 - BHO: Class - {710D83F2-D312-9683-955D-E46F3DC64541} - C:\WINDOWS\ipyk32.dll (file missing)
O2 - BHO: Class - {7173150A-87AC-C6BF-D728-7964D77F0DA9} - C:\WINDOWS\system32\ipcv32.dll (file missing)
O2 - BHO: Class - {738E938C-0376-DF66-9DCA-6F6A9AC3C996} - C:\WINDOWS\mshd.dll (file missing)
O2 - BHO: Class - {7AF28B03-C20B-1F0B-ACFE-97FE7F1D321C} - C:\WINDOWS\system32\ieka32.dll (file missing)
O2 - BHO: Class - {846C8D01-5152-7880-199F-7570BAA19867} - C:\WINDOWS\system32\netvn32.dll (file missing)
O2 - BHO: Class - {851A5FD0-7709-B373-4793-7897DC7FEB8D} - C:\WINDOWS\system32\ielw.dll (file missing)
O2 - BHO: Class - {9627E89A-ADC6-335C-80FB-709684853BA6} - C:\WINDOWS\system32\atlgt32.dll (file missing)
O2 - BHO: Class - {9B6F61D4-C995-3451-2DBF-E3A22ACA0DC7} - C:\WINDOWS\system32\d3tq32.dll (file missing)
O2 - BHO: Class - {9E1A8018-A9B5-1BCD-91E7-FC63C21F3EAF} - C:\WINDOWS\d3rh32.dll (file missing)
O2 - BHO: Class - {A0B35DA7-935D-68EC-35AE-ACA3D098CB9E} - C:\WINDOWS\system32\appuj32.dll (file missing)
O2 - BHO: Class - {ABCE7D97-8F61-AE41-A751-767BDB1A0E6A} - C:\WINDOWS\ntrq.dll (file missing)
O2 - BHO: Class - {B29DB64D-9837-FB36-C3F8-5C2D6B2B3204} - C:\WINDOWS\system32\mslo32.dll
O2 - BHO: Class - {B7AE5988-3688-C06D-F636-5509DAD63F01} - C:\WINDOWS\d3vs.dll (file missing)
O2 - BHO: Class - {BC233C64-EFBC-D80C-C17A-896F21A0FE92} - C:\WINDOWS\atlcj32.dll (file missing)
O2 - BHO: Class - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\nttz.dll (file missing)
O2 - BHO: Class - {C4846C68-7320-CD9D-77E4-288DF6A3C3A2} - C:\WINDOWS\ntuf32.dll (file missing)
O2 - BHO: Class - {CAEBD80E-211A-EE88-458E-BFA21C72DCAF} - C:\WINDOWS\system32\sdkba.dll (file missing)
O2 - BHO: Class - {CFD33941-255A-B1FE-2883-34EEBB5A49E3} - C:\WINDOWS\system32\addcd.dll (file missing)
O2 - BHO: Class - {D3F18C45-55B7-5E41-4EFA-AD1BE204D605} - C:\WINDOWS\system32\mfcvl.dll (file missing)
O2 - BHO: Class - {D4A99041-BBC8-A963-8327-6E17563E936B} - C:\WINDOWS\system32\atlid32.dll (file missing)
O2 - BHO: Class - {D4FD337D-EA63-0119-06F4-B90ADB086B39} - C:\WINDOWS\system32\ntpo32.dll (file missing)
O2 - BHO: Class - {DA692D53-0117-E647-4FC9-E8D29D3E7D5F} - C:\WINDOWS\system32\ntog32.dll (file missing)
O2 - BHO: Class - {EDBD92E2-B63E-794C-5397-2A8A46BBD49C} - C:\WINDOWS\system32\msxb.dll (file missing)
O2 - BHO: Class - {EFD32CB9-039B-2B11-A357-D6D56A398537} - C:\WINDOWS\apprb32.dll (file missing)
O2 - BHO: Class - {F5374656-DF77-321F-8DF8-5AC3BC97C172} - C:\WINDOWS\ipvx32.dll (file missing)
O2 - BHO: Class - {F5D5F01E-313A-83BE-F348-F6E8461930C5} - C:\WINDOWS\system32\javauw32.dll (file missing)
O2 - BHO: Class - {F6BCAC5B-F512-DB71-1A25-5B568F21C13C} - C:\WINDOWS\mszd.dll (file missing)
O2 - BHO: Class - {FB04EF28-D55C-A95A-794F-75DA8F4D83AF} - C:\WINDOWS\system32\crkf32.dll
O2 - BHO: Class - {FEB759AF-0344-33C1-9B59-C5DB1E7E371F} - C:\WINDOWS\system32\appoo.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102157669\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [javaah.exe] C:\WINDOWS\javaah.exe
O4 - HKLM\..\Run: [winbv32.exe] C:\WINDOWS\system32\winbv32.exe
O4 - HKLM\..\Run: [ieto.exe] C:\WINDOWS\ieto.exe
O4 - HKLM\..\Run: [crpv.exe] C:\WINDOWS\system32\crpv.exe
O4 - HKLM\..\Run: [atlvn.exe] C:\WINDOWS\system32\atlvn.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\RunOnce: [ieze.exe] C:\WINDOWS\ieze.exe
O4 - HKLM\..\RunOnce: [ieah32.exe] C:\WINDOWS\ieah32.exe
O4 - HKLM\..\RunOnce: [apias32.exe] C:\WINDOWS\apias32.exe
O4 - HKLM\..\RunOnce: [iptx.exe] C:\WINDOWS\system32\iptx.exe
O4 - HKLM\..\RunOnce: [ntvy.exe] C:\WINDOWS\ntvy.exe
O4 - HKLM\..\RunOnce: [javalk32.exe] C:\WINDOWS\system32\javalk32.exe
O4 - HKLM\..\RunOnce: [d3fb32.exe] C:\WINDOWS\system32\d3fb32.exe
O4 - HKLM\..\RunOnce: [appaw32.exe] C:\WINDOWS\system32\appaw32.exe
O4 - HKLM\..\RunOnce: [d3lq.exe] C:\WINDOWS\system32\d3lq.exe
O4 - HKLM\..\RunOnce: [sdkth32.exe] C:\WINDOWS\sdkth32.exe
O4 - HKLM\..\RunOnce: [crrf.exe] C:\WINDOWS\system32\crrf.exe
O4 - HKLM\..\RunOnce: [mfcps32.exe] C:\WINDOWS\mfcps32.exe
O4 - HKLM\..\RunOnce: [sysvn.exe] C:\WINDOWS\system32\sysvn.exe
O4 - HKLM\..\RunOnce: [javaap32.exe] C:\WINDOWS\system32\javaap32.exe
O4 - HKLM\..\RunOnce: [javawm32.exe] C:\WINDOWS\system32\javawm32.exe
O4 - HKLM\..\RunOnce: [crba.exe] C:\WINDOWS\crba.exe
O4 - HKLM\..\RunOnce: [ipri.exe] C:\WINDOWS\system32\ipri.exe
O4 - HKLM\..\RunOnce: [crwk.exe] C:\WINDOWS\system32\crwk.exe
O4 - HKLM\..\RunOnce: [sysra.exe] C:\WINDOWS\system32\sysra.exe
O4 - HKLM\..\RunOnce: [atlcz.exe] C:\WINDOWS\atlcz.exe
O4 - HKLM\..\RunOnce: [apiwk32.exe] C:\WINDOWS\system32\apiwk32.exe
O4 - HKLM\..\RunOnce: [addux32.exe] C:\WINDOWS\addux32.exe
O4 - HKLM\..\RunOnce: [mstk.exe] C:\WINDOWS\system32\mstk.exe
O4 - HKLM\..\RunOnce: [systy.exe] C:\WINDOWS\systy.exe
O4 - HKLM\..\RunOnce: [msfo.exe] C:\WINDOWS\system32\msfo.exe
O4 - HKLM\..\RunOnce: [ipzf32.exe] C:\WINDOWS\system32\ipzf32.exe
O4 - HKLM\..\RunOnce: [netoz32.exe] C:\WINDOWS\netoz32.exe
O4 - HKLM\..\RunOnce: [winiz.exe] C:\WINDOWS\system32\winiz.exe
O4 - HKLM\..\RunOnce: [apphe32.exe] C:\WINDOWS\apphe32.exe
O4 - HKLM\..\RunOnce: [ipsd.exe] C:\WINDOWS\system32\ipsd.exe
O4 - HKLM\..\RunOnce: [crkv.exe] C:\WINDOWS\system32\crkv.exe
O4 - HKLM\..\RunOnce: [d3kl32.exe] C:\WINDOWS\system32\d3kl32.exe
O4 - HKLM\..\RunOnce: [crkf32.exe] C:\WINDOWS\system32\crkf32.exe
O4 - HKLM\..\RunOnce: [ieus.exe] C:\WINDOWS\system32\ieus.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm371YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...eb_site.cab?1101882912091
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\ieze.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


#2 Guest_Cretemonster_* (Guest)

Posted 11 July 2005 - 02:41 PM

Hi huckster and Welcome to the Bleeping Computer!

That's a nasty CWS infection you have there. Could you post a fresh HijackThis log and then avoid restarting the PC until I respond!

#3 huckster (Topic Starter, Members, 9 posts)

Posted 12 July 2005 - 09:21 AM

Thanks for the reply and help. Here's a fresh log file. huckster

Logfile of HijackThis v1.99.1
Scan saved at 9:17:49 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\COMMON~1\AOL\110215~1\EE\AOLHOS~1.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\110215~1\EE\AOLServiceHost.exe
C:\WINDOWS\javaah.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\giatn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\giatn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\giatn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\giatn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0706312F-18E9-5AD9-3C66-187E150ABB2C} - C:\WINDOWS\system32\javarq.dll
O2 - BHO: Class - {99399FD2-2312-C70A-9033-A6E121F22B6E} - C:\WINDOWS\system32\crks.dll
O2 - BHO: Class - {CD2B4E39-CD9B-C98A-ED81-38BBFD853B81} - C:\WINDOWS\system32\winlo32.dll
O2 - BHO: Class - {EDBD92E2-B63E-794C-5397-2A8A46BBD49C} - C:\WINDOWS\system32\msxb.dll (file missing)
O2 - BHO: Class - {FB04EF28-D55C-A95A-794F-75DA8F4D83AF} - C:\WINDOWS\system32\crkf32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102157669\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [javaah.exe] C:\WINDOWS\javaah.exe
O4 - HKLM\..\Run: [winbv32.exe] C:\WINDOWS\system32\winbv32.exe
O4 - HKLM\..\Run: [ieto.exe] C:\WINDOWS\ieto.exe
O4 - HKLM\..\Run: [crpv.exe] C:\WINDOWS\system32\crpv.exe
O4 - HKLM\..\Run: [atlvn.exe] C:\WINDOWS\system32\atlvn.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [d3yp32.exe] C:\WINDOWS\d3yp32.exe
O4 - HKLM\..\RunOnce: [ieze.exe] C:\WINDOWS\ieze.exe
O4 - HKLM\..\RunOnce: [syscw32.exe] C:\WINDOWS\syscw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm371YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101882912091
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\ieze.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#4 Guest_Cretemonster_* (Guest)

Posted 12 July 2005 - 10:01 AM

Thanks for the fresh log, let's see if we can't get you headed in the right direction!

Please temporarily disable TeaTimer in Spybot S&D as it may prevent part of this fix:
Open Spybot and click on Mode, check Advanced Mode:
Check yes to next window.
Click on Tools in bottom left hand corner:
Click on Resident. Uncheck Resident "TeaTimer" box.
Don't restart if prompted to!

Gonna have to download a few tools to help us along the way!

Download Pocket KillBox from here:
http://www.bleepingcomputer.com/files/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

CWShredder
http://cwshredder.net/bin/CWShredder.exe

Double-click CWShredder.exe to run it >> click Check For Update.
Close it out once updated. We will run it in Safe Mode!

About Buster
http://www.besttechie.net/forums/index.php?showtopic=1488

Follow the instructions inside the link to update it. We will run it in Safe Mode!

Now click Start -> click Run -> type in Services.msc and click OK!

Scroll the list and locate the entry

Network Security Service

Right-click that entry and select Properties -> click Stop -> go up and change the Startup Type to Disabled!


Use the list of files below and copy & paste each into Pocket Killbox

C:\WINDOWS\javaah.exe
C:\WINDOWS\ieto.exe
C:\WINDOWS\d3yp32.exe
C:\WINDOWS\ieze.exe
C:\WINDOWS\syscw32.exe
C:\WINDOWS\upyiy.dll
C:\WINDOWS\system32\giatn.dll
C:\WINDOWS\system32\javarq.dll
C:\WINDOWS\system32\crks.dll
C:\WINDOWS\system32\winlo32.dll
C:\WINDOWS\system32\crkf32.dll
C:\WINDOWS\system32\winbv32.exe
C:\WINDOWS\system32\crpv.exe
C:\WINDOWS\system32\atlvn.exe


As you enter each into Killbox, place a tick by any of these selections available

"Delete on Reboot"
"Unregister .dll before Deleting"


Click the Red Circle with the White X in the Middle to Delete!

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot

If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...showtutorial=62


Run those files through Killbox again to ensure none survived, this time place a tick by any of these available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"



Click "Fix ->" and click "OK" at the prompt.
CWShredder will scan and clean your system of CWS files.
Click "Next->" and then "Exit"


Run About Buster just as described in the link!

Please run it until you get these Results:

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!



Now Scan the System with Ewido-> Clean all it Finds-> Be sure to Save a Report!


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\upyiy.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upyiy.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\giatn.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\giatn.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\giatn.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\upyiy.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\giatn.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {0706312F-18E9-5AD9-3C66-187E150ABB2C} - C:\WINDOWS\system32\javarq.dll

O2 - BHO: Class - {99399FD2-2312-C70A-9033-A6E121F22B6E} - C:\WINDOWS\system32\crks.dll

O2 - BHO: Class - {CD2B4E39-CD9B-C98A-ED81-38BBFD853B81} - C:\WINDOWS\system32\winlo32.dll

O2 - BHO: Class - {EDBD92E2-B63E-794C-5397-2A8A46BBD49C} - C:\WINDOWS\system32\msxb.dll (file missing)

O2 - BHO: Class - {FB04EF28-D55C-A95A-794F-75DA8F4D83AF} - C:\WINDOWS\system32\crkf32.dll

O4 - HKLM\..\Run: [javaah.exe] C:\WINDOWS\javaah.exe

O4 - HKLM\..\Run: [winbv32.exe] C:\WINDOWS\system32\winbv32.exe

O4 - HKLM\..\Run: [ieto.exe] C:\WINDOWS\ieto.exe

O4 - HKLM\..\Run: [crpv.exe] C:\WINDOWS\system32\crpv.exe

O4 - HKLM\..\Run: [atlvn.exe] C:\WINDOWS\system32\atlvn.exe

O4 - HKLM\..\Run: [d3yp32.exe] C:\WINDOWS\d3yp32.exe

O4 - HKLM\..\RunOnce: [ieze.exe] C:\WINDOWS\ieze.exe

O4 - HKLM\..\RunOnce: [syscw32.exe] C:\WINDOWS\syscw32.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm371YYUS

O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\ieze.exe" /s (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates

Post back with a fresh HijackThis log and the reports from Ewido and Panda!
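As an added example (it is not part of this thread, nor code from HijackThis, Killbox or any other tool named above), the script below applies the same selection criteria the helper used on the log to HijackThis lines: R0/R1 start and search values served out of a local DLL via res://, O2 BHOs that carry no descriptive name or whose file is missing, O4 Run/RunOnce entries whose label is nothing but the executable's own file name, and O23 services with an unknown owner or a missing binary. It then collapses the flagged entries into the de-duplicated list of file paths a helper would paste into Killbox. The sample log is constructed from the entries quoted in this post plus three benign control lines (Google Toolbar, NvCplDaemon, NVSvc) added to show what does not get flagged; the heuristic names are this example's own, not HijackThis terminology.

```python
"""Flag CoolWebSearch-style entries in a HijackThis log (added example).

Heuristics, mirroring the entries the helper ticked in the thread:
  R0/R1  IE start/search values pointing at res://<local DLL>/...
  O2     BHOs with no descriptive name ("Class") or whose file is missing
  O4     Run/RunOnce entries whose label is just the executable's file name
  O23    services with an unknown owner or a missing binary
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: hijack lines taken from the thread plus three benign
# control lines (Google Toolbar, NvCplDaemon, NVSvc) to show non-matches.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\upyiy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\giatn.dll/sp.html#37049
O2 - BHO: Class - {0706312F-18E9-5AD9-3C66-187E150ABB2C} - C:\WINDOWS\system32\javarq.dll
O2 - BHO: Class - {EDBD92E2-B63E-794C-5397-2A8A46BBD49C} - C:\WINDOWS\system32\msxb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [javaah.exe] C:\WINDOWS\javaah.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [ieze.exe] C:\WINDOWS\ieze.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\ieze.exe" /s (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# First Windows path ending in .exe/.dll; non-greedy so trailing '" /s' or
# '/sp.html#...' residue after the file name is not swallowed.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)", re.IGNORECASE)
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
MISSING = "(file missing)"


@dataclass
class Finding:
    section: str
    reason: str
    path: Optional[str]
    line: str


def _first_path(text: str) -> Optional[str]:
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def analyse(log_text: str) -> List[Finding]:
    """Return one Finding per HijackThis line that matches a hijack heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and "res://" in body.lower():
            findings.append(Finding(sec, "IE start/search value served from a local DLL", _first_path(body), line))
        elif sec == "O2" and (b := O2_RE.match(body)):
            missing = b.group("path").endswith(MISSING)
            if missing or b.group("name") == "Class":
                reason = "BHO file missing" if missing else "BHO with no descriptive name"
                findings.append(Finding(sec, reason, _first_path(b.group("path")), line))
        elif sec == "O4" and (b := O4_RE.match(body)):
            parts = b.group("cmd").split()
            exe = ntpath.basename(parts[0]) if parts else ""
            if exe and exe.lower() == b.group("label").lower():
                findings.append(Finding(sec, "autorun label is just the executable name", _first_path(b.group("cmd")), line))
        elif sec == "O23" and (b := O23_RE.match(body)):
            if b.group("owner") == "Unknown owner" or b.group("path").endswith(MISSING):
                findings.append(Finding(sec, "service with unknown owner or missing binary", _first_path(b.group("path")), line))
    return findings


def killbox_list(findings: List[Finding]) -> List[str]:
    """De-duplicated (case-insensitive) list of file paths the findings point at."""
    seen = {}
    for f in findings:
        if f.path:
            seen.setdefault(f.path.lower(), f.path)
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<5}{f.reason:<48}{f.path}")
    print("\nFiles referenced by flagged entries:")
    for p in killbox_list(found):
        print("  " + p)
```

The same heuristics flag every entry the helper ticked except the about:blank Default_Page_URL line, which the script deliberately leaves alone because that value is not malicious on its own; anything this list produces is a candidate for review and correlation with the running-process list, not an automatic delete.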



