
HJT - shanefrombc


  • This topic is locked
10 replies to this topic

#1 shanefrombc

shanefrombc

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 30 December 2004 - 03:44 PM

Don't know how I got it, but I have it. Spybot finds it, then it kills it, then it comes back next time I open ine


#2 shanefrombc

shanefrombc
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 30 December 2004 - 04:07 PM

Logfile of HijackThis v1.98.2
Scan saved at 1:05:42 PM, on 12/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\WINDOWS\system32\atlpa32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\PROGRA~1\COMMON~1\tsa\ts2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sdkkx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Joanne\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjiul.dll/sp.html#76985
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjiul.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rjiul.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjiul.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjiul.dll/sp.html#76985
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjiul.dll/sp.html#76985
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ABCAF261-7745-742A-DD33-09595EAD9B7A} - C:\WINDOWS\syslk32.dll
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [atlpa32.exe] C:\WINDOWS\system32\atlpa32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

#3 shanefrombc

shanefrombc
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 30 December 2004 - 04:43 PM

I have now read how to put HijackThis into its own folder

#4 shanefrombc

shanefrombc
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 30 December 2004 - 04:50 PM

:flowers: All this reading, I am slowly getting how to fix this :thumbsup: Part of this is because of the place I got this PC, I don't know this for sure but Windows says I don't have the proper code? and won't update but it still tells me to do so. is not there anymore

#5 shanefrombc

shanefrombc
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 30 December 2004 - 04:53 PM

This is fun, sending all these posts for me to read. I hope someone will point me in the right direction

#6 shanefrombc

shanefrombc
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 30 December 2004 - 05:23 PM

Scan saved at 2:22:22 PM, on 12/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\WINDOWS\system32\atlpa32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\PROGRA~1\COMMON~1\tsa\ts2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\sdkkx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5A0DEFF6-060E-5E97-407F-E2E5E95EC803} - C:\WINDOWS\iezk.dll
O4 - HKLM\..\Run: [atlpa32.exe] C:\WINDOWS\system32\atlpa32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\sdkkx.exe

#7 shanefrombc

shanefrombc
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 30 December 2004 - 06:11 PM

A reply to: about:blank homesearch HELP!

The problem is this...it keeps turning my home page back to about:blank, its messing w/ the toolbar buttons and the popup blocker that was installed no longer works (ironically i keep getting ads for adware removal).


I have the same thing. If you use their search it gives you onemorreseach in the address box?

EDIT: To avoid multiple locations, this thread is closed.
Please respond as a reply here, shanefrombc. Thanks.

Edited by phawgg, 30 December 2004 - 10:10 PM.


#8 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:12:03 PM

Posted 30 December 2004 - 10:51 PM

This is fun, sending all these posts for me to read. I hope someone will point me in the right direction

:flowers: HERE! :trumpet:

I will check your HJT log(s) to see what's goin' on. It will take a day...
I see the problem(s) but please take into consideration two things:
  • Several factors in any log need to be checked before we advise you
  • we are advising dozens of people on a consistent basis
meanwhile there is more fun ahead.
The logs show you need to update your operating system.
If you don't, the repair we do won't prevent re-infection.
You may choose between Service Pack1 + critical updates -or-
Service Pack 2 + fewer updates.

When you visit Windows Updates, Express Install will tell you to install SP2.
On the other hand, choose Custom Install for additional options which should include SP1.

Because your infection can hinder the updates, it would be best to use
the time it takes us well.
First try to update with SP1.
It is smaller than SP2.
If you are successful, continue with just the critical updates.
One at a time.

BTW, The first log was with HijackThis v1.98.2.
The second with HijackThis 1.99, but you clipped the top of it off.

You have them in the right location.
Just use the new one from now on.
You can simply delete the first HijackThis.exe only from its folder.

We need the entire log without editing, please.

Perhaps you noticed the second one has more entries.
The problem can get worse if you continue to reboot your PC.

You need to reboot when getting the updates.
Just keep it to a minimum, please.

Post a new HJT log after you've made some progress.
Post comments after you post the log by placing the cursor I-bar
at the upper left of the message box & keyboard a couple "enters".
Then type in info that will help us understand where you are.

The problem will not simply go away.
The SP1 should work for the time being. :thumbsup:

Edited by phawgg, 30 December 2004 - 11:07 PM.

patiently patrolling, plenty of persistent pests n' problems ...
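The two logs posted above can be compared mechanically to see which entries are identical, which occupy the same hook under a different file name, and which appear only in the second scan. This is an added example, not part of the original thread; the sample lines are an abridged copy of the two logs, and the function names `parse`, `slot` and `compare` are this example's own.

```python
import re

# Entry lines copied from the two HijackThis logs in this thread (abridged).
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjiul.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {ABCAF261-7745-742A-DD33-09595EAD9B7A} - C:\WINDOWS\syslk32.dll
O4 - HKLM\..\Run: [atlpa32.exe] C:\WINDOWS\system32\atlpa32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
"""
SCAN_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {5A0DEFF6-060E-5E97-407F-E2E5E95EC803} - C:\WINDOWS\iezk.dll
O4 - HKLM\..\Run: [atlpa32.exe] C:\WINDOWS\system32\atlpa32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\sdkkx.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")           # e.g. "O4 - ..."
FILE = re.compile(r'[A-Za-z]:\\[^"/\n]*?\.(?:dll|exe)', re.I)
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse(log):
    """Return (section code, entry text) for every HJT entry line."""
    return [m.groups() for m in map(ENTRY.match, log.strip().splitlines()) if m]

def slot(code, text):
    """Mask file paths and CLSIDs so one hook compares equal across scans."""
    return (code, CLSID.sub("<clsid>", FILE.sub("<file>", text)))

def compare(old, new):
    """Classify each entry of the newer scan against the older one."""
    old_entries = set(parse(old))
    old_slots = {slot(c, t) for c, t in old_entries}
    result = {"unchanged": [], "renamed": [], "added": []}
    for code, text in parse(new):
        if (code, text) in old_entries:
            result["unchanged"].append((code, text))
        elif slot(code, text) in old_slots:   # same hook, different file/CLSID
            result["renamed"].append((code, text))
        else:
            result["added"].append((code, text))
    return result

if __name__ == "__main__":
    for kind, entries in compare(SCAN_1, SCAN_2).items():
        for code, text in entries:
            print(f"{kind:9} {code:3} {text}")
```

Entries reported as renamed are the ones where a cleanup keyed on the earlier file name would miss the current file, so the most recent complete log is the one to work from.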

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:03 PM

Posted 31 December 2004 - 04:38 PM

Posted to stop from appearing on unanswered

#10 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:12:03 PM

Posted 31 December 2004 - 05:09 PM

Don't know how I got it, but I have it. Spybot finds it, then it kills it, then it comes back next time I open it


shanefrombc, I was hoping to hear of some update success,
but let's do this to get rid of your problems.

Please perform the steps in exact order for best results. Read through them first.
Take your time & read the info at downloads or tutorial links, please.
You may choose to:
Print out, Copy/paste these instructions to a notepad/wordpad or choose file-->save page as: HJT instructions.

You will need tools on your desktop. Please click these download links: Extract AboutBuster to your desktop. "Finish". Open the folder and click on the application file to begin. OK.
Choose to update.

Note: If AboutBuster didn't work:
Click on the missingfiles setup.exe and continue through the "wizard" to install missing files needed to run AboutBuster.
Once that has been completed, rerun AboutBuster to confirm that it does work.
As long as the program loads, we are in good shape. Exit, we'll run it later.

You also need to install programs.

-------------------- preparation done. please continue with the following steps ---------------------------

Click Start-->Add or Remove Programs-->Uninstall (if found), any instances of Admilli Service or Tsa.

Set your PC to: Show Hidden Files. (click tutorial for instructions)

Reboot your computer into Safe Mode. (click tutorial for instructions)

Click Start-->control panel-->administrative programs-->services.
Look for a service called Network Security Service .
Double click on that service and click stop and then set the startup to disabled.

Press control-alt-delete to get into the task manager and end the following processes if they exist:
atlpa32.exe
sdkkx.exe


Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cmyse.dll/sp.html#76985
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5A0DEFF6-060E-5E97-407F-E2E5E95EC803} - C:\WINDOWS\iezk.dll
O4 - HKLM\..\Run: [atlpa32.exe] C:\WINDOWS\system32\atlpa32.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
http://computercops.biz/startuplist-6732.html
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)

Click the Fix button, when you're sure that files marked for deletion are correct.

Search for, locate and delete the following files or folders
(Don't be concerned if they don't exist, the previous steps may have eliminated them.)
Do not delete the main folders C:\WINDOWS or C:\Program Files.
To find them use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->
check search "system folders", "hidden files & folders" & "sub-folders".
You may also navigate to the appropriate folder, right-click-->delete individual files.
Delete manually:

C:\WINDOWS\system32\atlpa32.exe<--this file
C:\WINDOWS\system32\sdkkx.exe<--this file
C:\WINDOWS\cmyse.dll<--this file
C:\WINDOWS\iezk.dll<--this file
C:\Program Files\Admilli Service<--this folder & all contents
C:\PROGRA~1\COMMON~1\tsa<--this folder & all contents

If you get an error when deleting a file,
right click on the file and check to see if the read only attribute is checked.
If it is, uncheck it and try again.

Run AboutBuster 4.0. Open the folder, click the application file. Start. OK to scan. Scan once, Scan twice. Save log & Exit.

Run Ad-Aware
prepare for system scan using "full scan" and not including the "negligible risk items".
Run the scan to completion.
The "Finish" button will change screen to "scanning results".
The scan summary tab is where to tick the boxes to delete what was found.

Run System Security Suite. (All windows and browsers closed) To clean out Temp and Temporary Internet Files, In the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Open Internet Explorer, and click on the Tools menu and then Internet Options.
At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

Extract HostFix. Open the zipped-folder and choose to extract to your desktop. Click "Finish". Then open the unzipped folder and double-click on the HostFix.exe file. With the program open, click "YES". This will restore the Hosts file.

Reboot your computer to go back to normal mode.

Download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations
C:\WINDOWS\system<--into this folder and
C:\WINDOWS\system32 <-- into this folder

If you have Spybot S&D installed on your computer we advise that you uninstall it and then download and install the latest version.
This will make sure you have the latest files that are necessary for it to run correctly.

Scan online for viruses at TrendMicro's Housecall.
Scan online for viruses at Bitdefender

Run HijackThis again and post the new log as a reply to this post.

Edited by phawgg, 31 December 2004 - 05:12 PM.

patiently patrolling, plenty of persistent pests n' problems ...

#11 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:12:03 PM

Posted 25 January 2005 - 09:47 PM

Closed. Lack of responses.
If you originated this thread, and need it re-opened:
You may also contact a HJT Team Member, and reference the link location address. Thanks. :thumbsup:

If referring to this thread for any other reason, you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.
patiently patrolling, plenty of persistent pests n' problems ...



