
CxtPls?


2 replies to this topic

#1 TivoBuddy


Posted 21 December 2004 - 08:19 PM

This forum has been a huge help to me in the past (and I've made grateful donations to the forum!), and despite my absolute care in preventing a new infection, I think I have a new one. I swear I never download anything, but I suspect I got this one just by visiting a web page (it's getting scary out there!) Ad-Aware was running (and CyberSitter), blocking lots of stuff, but I don't think it stopped this one.

I'm getting pop-ups in my IE. Ad-aware is blocking some of the content but not all.

I've run Spybot and Ad-Aware (paid version). SpyBot found nothing. Ad-aware cleaned up a few things.

Here's my HiJack This log. Help would be greatly appreciated.

Logfile of HijackThis v1.99.0 [deleted ... replace in reply message]

Edited by TivoBuddy, 22 December 2004 - 06:52 PM.




#2 TivoBuddy


Posted 22 December 2004 - 06:51 PM

Since no one has replied, I've tried cleaning up some files on my own. No success. Here is my new HiJack This log. Help would be greatly appreciated.



Logfile of HijackThis v1.99.0
Scan saved at 6:46:48 PM, on 12/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tivo\Desktop\TivoServer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\The Phillips Family\Desktop\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TiVo\Desktop\TivoBeacon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqfru07.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\The Phillips Family\Application Data\Mozilla\Profiles\default\rqjp8chs.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\The Phillips Family\Application Data\Mozilla\Profiles\default\rqjp8chs.slt\prefs.js)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {82F4C088-501A-02BB-4E26-2CF07BCA6991} - C:\WINDOWS\System32\kznxcc.dll
O2 - BHO: SDWin32 Class - {865E6583-4782-412A-BC81-74907D690F49} - C:\WINDOWS\System32\bvypp.dll
O2 - BHO: SDWin32 Class - {E04BCC2F-68A9-40F5-85F2-DA3495C5EDC3} - C:\WINDOWS\System32\yliqo.dll
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\Tivo\Desktop\TivoServer.exe" /service /auto:TivoServer
O4 - Global Startup: Digital Line Detect.lnk.disabled
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103680369109
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TiVo Connect Beacon - TiVo Inc. - C:\Program Files\TiVo\Desktop\TivoBeacon.exe

#3 Grinler

    Lawrence Abrams


  • Admin

Posted 26 December 2004 - 05:33 PM

Sorry for not getting back to you sooner :thumbsup:

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {82F4C088-501A-02BB-4E26-2CF07BCA6991} - C:\WINDOWS\System32\kznxcc.dll
O2 - BHO: SDWin32 Class - {865E6583-4782-412A-BC81-74907D690F49} - C:\WINDOWS\System32\bvypp.dll
O2 - BHO: SDWin32 Class - {E04BCC2F-68A9-40F5-85F2-DA3495C5EDC3} - C:\WINDOWS\System32\yliqo.dll

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\BTGrab.dll
C:\WINDOWS\Helper101.dll
C:\WINDOWS\System32\kznxcc.dll
C:\WINDOWS\System32\bvypp.dll
C:\WINDOWS\System32\yliqo.dll

Reboot your computer to go back to normal mode and post a new log.


What is this tivo server btw?
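
Added example, not part of any post in this thread: a small Python parser for the O2 (Browser Helper Object) lines of a HijackThis log, with a simple triage rule. The rule (missing target file, or a DLL located directly in C:\WINDOWS or System32) is an assumption made for illustration, not the helper's stated method, and the function names are hypothetical.

```python
import re
from ntpath import dirname, normcase  # Windows path rules on any OS

# O2 (Browser Helper Object) lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {82F4C088-501A-02BB-4E26-2CF07BCA6991} - C:\WINDOWS\System32\kznxcc.dll
O2 - BHO: SDWin32 Class - {865E6583-4782-412A-BC81-74907D690F49} - C:\WINDOWS\System32\bvypp.dll
O2 - BHO: SDWin32 Class - {E04BCC2F-68A9-40F5-85F2-DA3495C5EDC3} - C:\WINDOWS\System32\yliqo.dll
"""

# name - {CLSID} - path; the path may itself contain " - ", so it takes the rest.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Assumption for this example: a BHO DLL dropped straight into these
# directories (not under a vendor's Program Files folder) deserves a look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

def parse_o2(log):
    """Return one dict (name, clsid, path) per O2 line in a HijackThis log."""
    hits = (O2_RE.match(line.strip()) for line in log.splitlines())
    return [m.groupdict() for m in hits if m]

def triage(entry):
    """Return a reason string if the entry merits manual review, else None."""
    if entry["path"] == "(no file)":
        return "registered, but the target file is missing"
    if normcase(dirname(entry["path"])) in SYSTEM_DIRS:
        return "DLL sits directly in a Windows system directory"
    return None

def flagged(log):
    """Map CLSID -> reason for every O2 entry that triage() flags."""
    return {e["clsid"]: r for e in parse_o2(log) if (r := triage(e))}

if __name__ == "__main__":
    for clsid, reason in flagged(SAMPLE_LOG).items():
        print(clsid, "-", reason)
```

On this log the rule flags the same six entries listed in the reply above and leaves the Adobe and Spybot helpers alone. Location is only a pointer for manual review, since legitimate software also installs DLLs in System32.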



