HijackThis Log: Please Help Diagnose


This topic is locked
8 replies to this topic

#1 TomWilson

Posted 25 June 2004 - 01:34 AM

From reading about Hijack This I can already see that I have a few different items of Spyware in my system:

The homepage is being hijacked to:

res://jfues.dll/index.html#96676

Here's the Hijack This Log. Thanks for any help you can give. Tom.

Logfile of HijackThis v1.97.7
Scan saved at 1:42:57 AM, on 24/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\d3xr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\d3xr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\documents and settings\thomas\local settings\temp\u.exe
C:\WINDOWS\system32\winwy32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\crter32.exe
C:\WINDOWS\System32\Vfmnx.exe
C:\WINDOWS\System32\Zqygzf5.exe
C:\Documents and Settings\James\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfues.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfues.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfues.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfues.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jfues.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jfues.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {5E5CDAA5-6515-89C3-CE2C-CB7B0F711BBF} - C:\WINDOWS\system32\ipow32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [u] C:\documents and settings\thomas\local settings\temp\u.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Usy6x9W5.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [fijabjutz] C:\WINDOWS\System32\awupvecr.exe
O4 - HKLM\..\Run: [AutoLoaderv3rt1ZYVdPMP] "C:\WINDOWS\System32\exefat.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [v88R3tl] exefat.exe
O4 - HKLM\..\Run: [winwy32.exe] C:\WINDOWS\system32\winwy32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtstr.exe
O4 - HKCU\..\Run: [ezr5RjJ5i] crter32.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
O4 - HKLM\..\RunOnce: [d3xr.exe] C:\WINDOWS\system32\d3xr.exe
O4 - HKLM\..\RunOnce: [atltk32.exe] C:\WINDOWS\atltk32.exe
O4 - HKLM\..\RunOnce: [d3hm.exe] C:\WINDOWS\d3hm.exe
O4 - HKLM\..\RunOnce: [ieni.exe] C:\WINDOWS\ieni.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc

#2 meeeeeee

Posted 25 June 2004 - 10:55 AM

1. Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip

2. Once it is downloaded, please run the tool. When the tool is open, press OK and then Start. In the field labeled "Input in here..." enter the following:

res://jfues.dll/index.html#96676

3. Then press the OK button. The program will start to delete the various elements of this malware.

4. After the tool has completed, please run HijackThis again and, with all windows closed, fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfues.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfues.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfues.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfues.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jfues.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jfues.dll/sp.html#96676
O2 - BHO: (no name) - {5E5CDAA5-6515-89C3-CE2C-CB7B0F711BBF} - C:\WINDOWS\system32\ipow32.dll
O4 - HKCU\..\Run: [ezr5RjJ5i] crter32.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
O4 - HKLM\..\RunOnce: [d3xr.exe] C:\WINDOWS\system32\d3xr.exe
O4 - HKLM\..\RunOnce: [atltk32.exe] C:\WINDOWS\atltk32.exe
O4 - HKLM\..\RunOnce: [d3hm.exe] C:\WINDOWS\d3hm.exe
O4 - HKLM\..\RunOnce: [ieni.exe] C:\WINDOWS\ieni.exe
O4 - HKLM\..\Run: [v88R3tl] exefat.exe
O4 - HKLM\..\Run: [winwy32.exe] C:\WINDOWS\system32\winwy32.exe
O4 - HKLM\..\Run: [fijabjutz] C:\WINDOWS\System32\awupvecr.exe


5. Then press control-alt-delete and click on the processes tab. Please make sure the following processes are ended:

C:\WINDOWS\system32\d3xr.exe
C:\WINDOWS\system32\winwy32.exe
C:\WINDOWS\System32\crter32.exe
C:\WINDOWS\System32\Vfmnx.exe
C:\WINDOWS\System32\Zqygzf5.exe

6. Manually delete the following files:

C:\WINDOWS\system32\d3xr.exe
C:\WINDOWS\system32\winwy32.exe
C:\WINDOWS\System32\crter32.exe
C:\WINDOWS\System32\Vfmnx.exe
C:\WINDOWS\System32\Zqygzf5.exe


Reboot and post a fresh HijackThis log.

:thumbsup:
Knowledge is the most powerful weapon.

http://pcbizowner.com

If I have helped you please pass along the good deed to someone else. If you would like to donate then I thank you also.

#3 TomWilson

TomWilson
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:50 PM

Posted 26 June 2004 - 10:25 AM

Thanks for your help. I think things are being cleaned up, but the homepage is still being hijacked to the same search site, now called

res://bioqz.dll/index.html#96676.


Here's the new HijackThis log. Thanks for the help you've been giving me. Cheers, Tom.


NB: I got rid of winwy32, but it still seems to be in there??

Logfile of HijackThis v1.97.7
Scan saved at 1:19:57 AM, on 27/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\iedw32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\winwy32.exe
C:\WINDOWS\System32\ext8dmod.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\Zqygzf5.exe
C:\WINDOWS\System32\Zqygzf5.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Thomas\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bioqz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bioqz.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bioqz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bioqz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bioqz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bioqz.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.ninemsn.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = a
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
O2 - BHO: (no name) - {42B7CFF8-A757-D31D-1B76-9B9401F53679} - C:\WINDOWS\netem.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\UbgrYPnp.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [winwy32.exe] C:\WINDOWS\system32\winwy32.exe
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtstr.exe
O4 - HKCU\..\Run: [ezr5RjJ5i] ext8dmod.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [iedw32.exe] C:\WINDOWS\iedw32.exe
O4 - HKLM\..\RunOnce: [nettn32.exe] C:\WINDOWS\nettn32.exe
O4 - HKLM\..\RunOnce: [mstu.exe] C:\WINDOWS\system32\mstu.exe
O4 - HKLM\..\RunOnce: [mfcks32.exe] C:\WINDOWS\mfcks32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

#4 meeeeeee

Posted 26 June 2004 - 10:48 AM

Let's try this again! Sometimes it takes a few shots with this infection.

Please download this tool called About:Buster from:

http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your desktop but don't run it yet.

Now start HijackThis and tick the boxes next to these items:
O2 - BHO: (no name) - {42B7CFF8-A757-D31D-1B76-9B9401F53679} - C:\WINDOWS\netem.dll
O4 - HKLM\..\Run: [winwy32.exe] C:\WINDOWS\system32\winwy32.exe
O4 - HKCU\..\Run: [ezr5RjJ5i] ext8dmod.exe
O4 - HKLM\..\RunOnce: [iedw32.exe] C:\WINDOWS\iedw32.exe
O4 - HKLM\..\RunOnce: [nettn32.exe] C:\WINDOWS\nettn32.exe
O4 - HKLM\..\RunOnce: [mstu.exe] C:\WINDOWS\system32\mstu.exe
O4 - HKLM\..\RunOnce: [mfcks32.exe] C:\WINDOWS\mfcks32.exe


Now close ALL windows and hit fix checked.
Do not open internet explorer to come back here until after running the tool.

Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

Once the tool is done scanning, copy the log and paste it into your thread.

Restart your computer and post the About:Blank report and a new HijackThis log.


#5 TomWilson

Posted 29 June 2004 - 08:33 AM

Well the logs are looking quite clean now, what do you think?

However, I noticed that C:\WINDOWS\System32\Zqygzf5.exe is still in the running processes list, which is one you got me to delete previously.
The homepage looks ok for now. Any more suggestions?

Thanks for all the help you've been giving me. Regards, Tom.


About:Buster Version 1.21
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

Logfile of HijackThis v1.97.7
Scan saved at 11:19:58 PM, on 29/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\Zqygzf5.exe
C:\WINDOWS\System32\Lidxzoh.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Thomas\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\JwqVfC.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtstr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
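The checks the helper applied by eye in post #2 (IE start and search pages pointing at a res:// resource inside a DLL, Run values launching from a temp folder, bare file names, random-looking value names, RunOnce loaders in the Windows directory) and Tom's recurring question in posts #3 and #5 of whether something survived the cleanup can both be done mechanically on the log text. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from About:Buster. It parses the "Running processes" block and the R/O entries of two trimmed excerpts of the logs quoted above (constructed sample input), flags entries with the rules just listed, and diffs the two logs to show what was removed, what is new and what was kept. The random-name and temp-folder rules are this example's own rough heuristics, not anything HijackThis itself does, and the sample log text is only an excerpt.

```python
import re

# Excerpts of two HijackThis logs quoted in this thread (the first log and the one in
# post #5), trimmed to a handful of lines: constructed sample input for this example.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\d3xr.exe
C:\WINDOWS\system32\winwy32.exe
C:\WINDOWS\System32\Zqygzf5.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfues.dll/index.html#96676
O2 - BHO: (no name) - {5E5CDAA5-6515-89C3-CE2C-CB7B0F711BBF} - C:\WINDOWS\system32\ipow32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [u] C:\documents and settings\thomas\local settings\temp\u.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Usy6x9W5.exe
O4 - HKLM\..\Run: [v88R3tl] exefat.exe
O4 - HKLM\..\RunOnce: [d3xr.exe] C:\WINDOWS\system32\d3xr.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\Zqygzf5.exe
C:\WINDOWS\System32\Lidxzoh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\JwqVfC.exe
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtstr.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# An O4 body looks like: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First quoted or unquoted path ending in .exe/.dll (unquoted paths may contain spaces).
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll))"?(?:\s|$)', re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into its running-process list and its (kind, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif m := ENTRY_RE.match(line):
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def target_path(cmd):
    """Executable named by a Run value, with surrounding quotes and trailing arguments stripped."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def random_looking(name):
    """Rough heuristic: letters and digits alternate three or more times, as in [ezr5RjJ5i]."""
    runs = re.findall(r"[A-Za-z]+|\d+", name)
    return len(runs) >= 3 and any(r.isdigit() for r in runs)


def flag_entries(entries):
    """Apply the checks a log reader makes by eye; returns (reason, line) pairs."""
    flagged = []
    for kind, body in entries:
        line = f"{kind} - {body}"
        if kind in ("R0", "R1") and "res://" in body.lower():
            flagged.append(("IE start/search page points into a DLL resource (res:// hijack)", line))
        elif kind == "O2" and "(no name)" in body:
            flagged.append(("browser helper object with no name", line))
        elif kind == "O4" and (m := O4_RE.match(body)):
            path = target_path(m.group("cmd"))
            low = path.lower()
            if "\\temp\\" in low:
                flagged.append(("autorun launched from a temp directory", line))
            elif m.group("key") == "RunOnce" and low.startswith("c:\\windows"):
                flagged.append(("RunOnce loader in the Windows directory", line))
            elif "\\" not in path:
                flagged.append(("bare file name, resolved through the search path", line))
            elif random_looking(m.group("name")):
                flagged.append(("random-looking run-key value name", line))
    return flagged


def diff_logs(before_text, after_text):
    """Compare two logs per section: what disappeared, what is new and what survived the cleanup."""
    result = {}
    for label, idx in (("processes", 0), ("entries", 1)):
        old = {str(x).lower(): x for x in parse_log(before_text)[idx]}  # case-insensitive keys
        new = {str(x).lower(): x for x in parse_log(after_text)[idx]}
        result[label] = {"removed": [old[k] for k in old if k not in new],
                         "added": [new[k] for k in new if k not in old],
                         "kept": [new[k] for k in new if k in old]}
    return result
```

Running `flag_entries(parse_log(LOG_BEFORE)[1])` returns six flagged lines (the res:// start page, the unnamed BHO, the temp-folder `[u]` value, the `[4S2NSLA3QS#366]` value, the bare `exefat.exe` and the `d3xr.exe` RunOnce loader) while leaving `[ccApp]` and the O14 line alone; on the later log it flags only the renamed `[4S2NSLA3QS#366]` target, which is the entry the helper asks to fix next. `diff_logs(LOG_BEFORE, LOG_AFTER)["processes"]["kept"]` lists `Zqygzf5.exe` among the survivors, which is the observation Tom made by hand.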

#6 meeeeeee

Posted 29 June 2004 - 10:12 AM

Please boot into safe mode and select the following with HijackThis. With all windows (including this one!) closed, please select "fix".

O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\JwqVfC.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtstr.exe

Next, please find and delete the following:
C:\WINDOWS\System32\JwqVfC.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\tstr.exe



Also, I would like you to read http://www.purityscan.com/uninstall.html
and follow the instructions there. This is not a helpful product at all, for more information read this: http://www.kephyr.com/spywarescanner/libra...n.b/index.phtml

Then reboot and post a fresh HijackThis log.


#7 TomWilson

Posted 01 July 2004 - 08:37 AM

Feedback on your requests:

JwqVfC.exe not found
dp-him.exe not found
tstr.exe - deleted

ending program 'sample' message when logging out of safe mode
current security does allow download of purityscan uninstall

looked in registry but only saw a file called msmsgs in that place
I left it alone.

Here's the latest log:

Thanks for all the help you've been giving me... regards, Tom

Logfile of HijackThis v1.97.7
Scan saved at 11:32:24 PM, on 1/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Thomas\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

#8 meeeeeee

Posted 01 July 2004 - 09:07 AM

Looks good! How's it behaving?

#9 TomWilson

Posted 05 July 2004 - 01:00 AM

Yeah, it seems faster and the homepage is not being hijacked now - so I guess I'm all done!

Well, thank you for your help, and I will start a new thread if any other weird things start happening.

I'm quite computer literate, so I've learnt a lot about safe mode, regedit, HijackThis and what to look for from this.

I also used Bazooka to search for malware and cleaned a few files it recommended. It's as good as could be expected, I think.

I sometimes wonder why the hard drive seems a bit busy when the laptop is just kinda sitting there, but I guess it could be due to internal system requirements, hey?

Anyway thanks a lot and I will close this post now, unless you have anything else for me.

Best wishes, Tom.