
About:blank strikes again...

Discussion in 'Malware and Virus Removal Archive' started by JHD536, 2004/09/25.

  1. 2004/09/25
    JHD536

    JHD536 Inactive Thread Starter

    OK, it seems that out of nowhere I managed to have my browser hijacked. I managed to stumble on this place by accident and have tried many things here. Most of the stuff that was on my PC has been fixed, but I still get that about:blank thing as well as a few other background programs that will not stay dead...

    HJT log:
    Logfile of HijackThis v1.98.2
    Scan saved at 5:14:15 AM, on 9/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\javati.exe
    C:\WINDOWS\DirectX.log:dpghs
    C:\Documents and Settings\Jason\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mdyqu.dll/sp.html#37680
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mdyqu.dll/sp.html#37680
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mdyqu.dll/sp.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mdyqu.dll/sp.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mdyqu.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mdyqu.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mdyqu.dll/sp.html#37680
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {DA4303A4-7F0E-EE37-6476-E29A5C3B85F5} - C:\WINDOWS\syssu32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [javati.exe] C:\WINDOWS\system32\javati.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095908578406
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    I also did a SpyBot S&D log:

    CoolWWWSearch: Tracking cookie (Internet Explorer: Jason) (Cookie, nothing done)


    CoolWWWSearch.HomeSearch: Library (File, nothing done)
    C:\WINDOWS\xntij.dll

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-436374069-1637723038-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    (Note: I have run SpyBot and Adaware multiple times with ALL windows and programs closed, but these keep coming back...)
    --- Spybot - Search && Destroy version: 1.3 ---
    2004-08-11 Includes\Cookies.sbi
    2004-09-16 Includes\Dialer.sbi
    2004-09-16 Includes\Hijackers.sbi
    2004-09-16 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-09-16 Includes\Malware.sbi
    2004-08-12 Includes\Revision.sbi
    2004-09-16 Includes\Security.sbi
    2004-09-16 Includes\Spybots.sbi
    2004-08-30 Includes\Tracks.uti
    2004-09-16 Includes\Trojans.sbi


    CWShredder finds nothing either...

    Any help would be greatly appreciated.
     
    Last edited: 2004/09/25
  2. 2004/09/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Hello
    Is that a log taken while in safe mode? If so, post a new one in a regular Windows session. Plus, it appears you have some items excluded (ignored) in HijackThis; we need to see them all. Unexclude please.


    That Hijack is using alternative data streams (C:\WINDOWS\DirectX.log:dpghs)

    Download : autoruns
    http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

    Run, In the "view" TOP menu,
    select(check)
    [X] Show AppInit DLLs
    [X]Show Services and
    [X]Hide signed Microsoft entries
    And Uncheck the "Show all locations"

    Be sure only those three are checked, Go
    to "Entry" menu, 'Copy to clipboard' and paste it here!...

    Note: The check boxes on the left should be all left alone!
    It's the top "view" menu only that's needed!

    Download EnumStreams from here (by expert member Freeatlast)
    http://downloads.subratam.org/EnumStreams.exe
    Run EnumStreams.exe it will extract and open the folder C:\EnumStreams
    find and run EnumStreams.cmd, do not use any of the other files please.
    a text will open(report.txt), copy that back here in your next reply.


    So post the autoruns log and enumstreams in one post and a HijackThis log in another.
     


  4. 2004/09/25
    JHD536

    JHD536 Inactive Thread Starter

    OK... That HJT log was taken when I opened the task manager and closed everything except HJT and the system programs... I'll run it again with the system as is.

    Autorun:
    HKLM\System\CurrentControlSet\Services
    + O?’ŽrtñåȲ$Ó c:\windows\directx.log:dpghs
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    + javati.exe c:\windows\system32\javati.exe
    + wincu32.exe c:\windows\system32\wincu32.exe

    (I've done msconfig a number of times and took out javati, but it keeps popping back up, the other two don't show up there, but are currently running in the background as I see in the task manager)


    ________________________Start__________________________
    Scanning local drive......

    Microsoft Windows XP Home Edition 5.1 Service Pack 1 (Build 2600)
    ...................................................
    C:\EnumStreams
    Running From C:\EnumStreams

    .....................
    Saturday, September 25, 2004 (9/25/2004)
    7:03 AM, Eastern Standard Time
    ...................................................
    The type of the file system is NTFS.
    ...................................................
    ### *The current drive supports NTFS compression and Alternate Data Streams ###
    ...................................................

    User: [D-QKICGUK8417IT\Jason], is a member of:

    BUILTIN\Administrators
    \Everyone

    ...................................................
    ...Checking for shell.dll...

    A C:\WINDOWS\system\SHELL.DLL
    A C:\WINDOWS\system32\dllcache\shell.dll
    C:\WINDOWS\system\SHELL.DLL
    C:\WINDOWS\system32\dllcache\shell.dll
    ...in system32...
    File not found - C:\WINDOWS\System32\shell.dll
    ...................................................

    ...................................................
    Streams v1.5 - Enumerate alternate NTFS data streams
    Copyright (C) 1999-2003 Mark Russinovich
    Sysinternals - www.sysinternals.com
    Failed to open C:\\pagefile.sys:
    The process cannot access the file because it is being used by another process.
    C:\\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db:
    :encryptable:$DATA
    0
    Failed to open C:\\Documents and Settings\Jason\NTUSER.DAT:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\Documents and Settings\Jason\ntuser.dat.LOG:
    The process cannot access the file because it is being used by another process.
    .
    Failed to open C:\\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:
    The process cannot access the file because it is being used by another process.
    C:\\Documents and Settings\Jason\Local Settings\Temp\temp.fr6911:
    :uefrf:$DATA
    93184
    C:\\Documents and Settings\Jason\Local Settings\Temp\temp.fr93D2:
    :phwvu:$DATA
    26624
    :ygfac:$DATA
    26624
    C:\\Documents and Settings\Jason\Local Settings\Temp\temp.frB225:
    :vzbkj:$DATA
    26624
    C:\\Documents and Settings\Jason\Local Settings\Temp\temp.frF031:
    :vulgu:$DATA
    93184
    C:\\Documents and Settings\Jason\Local Settings\Temp\temp.frFA26:
    :eek:jyas:$DATA
    3063
    ..
    C:\\Documents and Settings\Jason\My Documents\My Pictures\Thumbs.db:
    :encryptable:$DATA
    0
    C:\\Documents and Settings\Jason\My Documents\My Pictures\p\An\Thumbs.db:
    :encryptable:$DATA
    0
    C:\\Documents and Settings\Jason\My Documents\My Pictures\p\As\Thumbs.db:
    :encryptable:$DATA
    0
    C:\\Documents and Settings\Jason\My Documents\My Pictures\p\B\Thumbs.db:
    :encryptable:$DATA
    0
    C:\\Documents and Settings\Jason\My Documents\My Pictures\p\C\Thumbs.db:
    :encryptable:$DATA
    0

    C:\\Documents and Settings\Jason\My Documents\My Pictures\p\I\Thumbs.db:
    :encryptable:$DATA
    0
    C:\\Documents and Settings\Jason\My Documents\My Pictures\p\W\Thumbs.db:
    :encryptable:$DATA
    0
    C:\\Documents and Settings\Jason\My Documents\My Pictures\p\W\Bl\Thumbs.db:
    :encryptable:$DATA
    0
    C:\\Documents and Settings\Jason\My Documents\My Pictures\p\W\Br\Thumbs.db:
    :encryptable:$DATA
    0
    C:\\Documents and Settings\Jason\My Documents\My Pictures\p\W\R\Thumbs.db:
    :encryptable:$DATA
    0
    Failed to open C:\\Documents and Settings\LocalService\NTUSER.DAT:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\Documents and Settings\LocalService\ntuser.dat.LOG:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\Documents and Settings\NetworkService\NTUSER.DAT:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\Documents and Settings\NetworkService\ntuser.dat.LOG:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:
    The process cannot access the file because it is being used by another process.
    ...

    ...

    ...

    ...
    C:\\WINDOWS\Ascd_tmp.ini:
    :gjrom:$DATA
    56832
    :wyriz:$DATA
    93184
    C:\\WINDOWS\bootstat.dat:
    :rkzdn:$DATA
    10240
    C:\\WINDOWS\cadx2.ini:
    :wsrny:$DATA
    93184
    C:\\WINDOWS\Coffee Bean.bmp:
    :tkmwy:$DATA
    93184
    C:\\WINDOWS\comsetup.log:
    :eek:tcss:$DATA
    10240
    C:\\WINDOWS\DirectX.log:
    :dpghs:$DATA
    10240
    C:\\WINDOWS\eReg.dat:
    :vqrmm:$DATA
    26624
    C:\\WINDOWS\explorer.scf:
    :gebhj:$DATA
    10240
    C:\\WINDOWS\FeatherTexture.bmp:
    :hkenf:$DATA
    10240
    C:\\WINDOWS\imsins.log:
    :urtuj:$DATA
    10240
    C:\\WINDOWS\IsUninst.exe:
    :ufrpc:$DATA
    10240
    C:\\WINDOWS\KB835732.log:
    :mtdgb:$DATA
    10240
    C:\\WINDOWS\mfcca.exe:
    :euvmv:$DATA
    26624
    C:\\WINDOWS\msgsocm.log:
    :pysbf:$DATA
    93184
    :vsfur:$DATA
    10240
    C:\\WINDOWS\netng32.dll:
    :fxdyk:$DATA
    26624
    C:\\WINDOWS\NOTEPAD.EXE:
    :izdgh:$DATA
    10240
    C:\\WINDOWS\ntel.exe:
    :uefrf:$DATA
    94168
    C:\\WINDOWS\ocmsn.log:
    :kaoqa:$DATA
    10240
    :kpccq:$DATA
    56832
    C:\\WINDOWS\OEWABLog.txt:
    :fnuvh:$DATA
    10240
    C:\\WINDOWS\Prairie Wind.bmp:
    :hqidm:$DATA
    10240
    C:\\WINDOWS\preInMPP.exe:
    :zbpen:$DATA
    93184
    C:\\WINDOWS\regedit.exe:
    :vjaid:$DATA
    93184
    C:\\WINDOWS\regopt.log:
    :zkefy:$DATA
    93184
    C:\\WINDOWS\Santa Fe Stucco.bmp:
    :csebk:$DATA
    11388
    :kcapj:$DATA
    26624
    :rdxks:$DATA
    10240
    C:\\WINDOWS\SchedLgU.Txt:
    :biqty:$DATA
    11388
    :gklaz:$DATA
    0
    C:\\WINDOWS\setup.log:
    :zjuhs:$DATA
    93184
    C:\\WINDOWS\setupact.log:
    :ljtdu:$DATA
    11388
    :nlhth:$DATA
    3063
    C:\\WINDOWS\setuperr.log:
    :zbqmr:$DATA
    94168
    C:\\WINDOWS\setuplog.txt:
    :gmazb:$DATA
    56832
    C:\\WINDOWS\Soap Bubbles.bmp:
    :eklro:$DATA
    0
    :mqmkc:$DATA
    10240
    C:\\WINDOWS\sysbf.exe:
    :vzbkj:$DATA
    26624
    C:\\WINDOWS\tsoc.log:
    :kofeo:$DATA
    11388

    C:\\WINDOWS\twunk_32.exe:
    :coxjq:$DATA
    11388
    C:\\WINDOWS\vb.ini:
    :gccmk:$DATA
    93184
    C:\\WINDOWS\vbaddin.ini:
    :vpqpl:$DATA
    56832
    C:\\WINDOWS\War3Unin.pif:
    :pnvnv:$DATA
    11591
    C:\\WINDOWS\win.ini:
    :iogty:$DATA
    11591
    C:\\WINDOWS\Windows Update.log:
    :xpnmh:$DATA
    93184
    C:\\WINDOWS\winef32.exe:
    :spyys:$DATA
    11591
    C:\\WINDOWS\winnt256.bmp:
    :dhvqw:$DATA
    11591
    C:\\WINDOWS\Zapotec.bmp:
    :vigvq:$DATA
    3063
    ...

    ...
    C:\\WINDOWS\Prefetch\DIRECTX.LOG:
    :DPGHS-25F48237.pf:$DATA
    14232
    C:\\WINDOWS\Prefetch\PRAIRIE WIND.BMP:
    :HQIDM-2A21977A.pf:$DATA
    7580

    Failed to open C:\\WINDOWS\SoftwareDistribution\EventCache\{ADCD81FD-F74F-430C-B373-3D32637B5DB5}.bin:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\WINDOWS\SoftwareDistribution\EventCache\{C59100C4-985A-49DF-9815-32C3B647656C}.bin:
    The process cannot access the file because it is being used by another process.
    ...

    Failed to open C:\\WINDOWS\system32\config\default:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\WINDOWS\system32\config\default.LOG:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\WINDOWS\system32\config\SAM:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\WINDOWS\system32\config\SAM.LOG:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\WINDOWS\system32\config\SECURITY:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\WINDOWS\system32\config\SECURITY.LOG:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\WINDOWS\system32\config\software:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\WINDOWS\system32\config\software.LOG:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\WINDOWS\system32\config\system:
    The process cannot access the file because it is being used by another process.
    Failed to open C:\\WINDOWS\system32\config\system.LOG:
    The process cannot access the file because it is being used by another process.
    ...

    ...................................................
    These Windows services are started:

    Alerter
    Automatic Updates
    COM+ Event System
    Computer Browser
    Cryptographic Services
    DHCP Client
    Distributed Link Tracking Client
    DNS Client
    Error Reporting Service
    Event Log
    Fast User Switching Compatibility
    Help and Support
    IPSEC Services
    Messenger
    Network Connections
    Network Location Awareness (NLA)
    Network Security Service
    Plug and Play
    Portable Media Serial Number
    Print Spooler
    Protected Storage
    Remote Access Connection Manager
    Remote Procedure Call (RPC)
    Secondary Logon
    Security Accounts Manager
    Server
    Shell Hardware Detection
    SSDP Discovery Service
    System Event Notification
    Task Scheduler
    TCP/IP NetBIOS Helper
    Telephony
    Terminal Services
    Themes
    Upload Manager
    WebClient
    Windows Audio
    Windows Management Instrumentation
    Windows Time
    Wireless Zero Configuration
    Workstation

    The command completed successfully.


    ...................................................
    Service State Type Description
    ------- ----- ---- -----------
    Alerter Running Service: share Alerter
    AudioSrv Running Service: share Windows Audio
    Browser Running Service: share Computer Browser
    CryptSvc Running Service: share Cryptographic Services
    Dhcp Running Service: share DHCP Client
    Dnscache Running Service: share DNS Client
    ERSvc Running Service: share Error Reporting Service
    Eventlog Running Service: share Event Log
    EventSystem Running Service: share COM+ Event System
    FastUserSwitchingCompatibility Running Service: share Fast User Switching Compatibility
    helpsvc Running Service: share Help and Support
    lanmanserver Running Service: share Server
    lanmanworkstation Running Service: share Workstation
    LmHosts Running Service: share TCP/IP NetBIOS Helper
    Messenger Running Service: share Messenger
    Netman Running N/A Network Connections
    Nla Running Service: share Network Location Awareness (NLA)
    PlugPlay Running Service: share Plug and Play
    PolicyAgent Running Service: share IPSEC Services
    ProtectedStorage Running N/A Protected Storage
    RasMan Running Service: share Remote Access Connection Manager
    RpcSs Running Service: share Remote Procedure Call (RPC)
    SamSs Running Service: share Security Accounts Manager
    Schedule Running N/A Task Scheduler
    seclogon Running N/A Secondary Logon
    SENS Running Service: share System Event Notification
    ShellHWDetection Running Service: share Shell Hardware Detection
    Spooler Running N/A Print Spooler
    SSDPSRV Running Service: share SSDP Discovery Service
    TapiSrv Running Service: share Telephony
    TermService Running Service: share Terminal Services
    Themes Running Service: share Themes
    TrkWks Running Service: share Distributed Link Tracking Client
    uploadmgr Running Service: share Upload Manager
    W32Time Running Service: share Windows Time
    WebClient Running Service: share WebClient
    winmgmt Running Service: share Windows Management Instrumentation
    WmdmPmSp Running Service: share Portable Media Serial Number
    wuauserv Running Service: share Automatic Updates
    WZCSVC Running Service: share Wireless Zero Configuration
    O?’ŽrtñåȲ$Ó Running Service: share Network Security Service
    ...................................................
    *List of third-party startups Not-MS signed::
    (Browser add-0ns, special NT reg keys and services)


    HKLM\System\CurrentControlSet\Services
    O?’ŽrtñåȲ$Ó
    c:\windows\directx.log:dpghs

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    javati.exe
    c:\windows\system32\javati.exe
    wincu32.exe
    c:\windows\system32\wincu32.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    AcroIEHlprObj Class
    AcroIEHelper Module
    c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx
    {271363C4-4477-FB41-7906-D3C2C7F0D6BE}
    c:\windows\system32\sdkfv32.dll
    Google Toolbar Helper
    Google IE Client Toolbar
    (Not verified) Google Inc.
    c:\program files\google\googletoolbar1.dll

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    Display Panning CPL Extension
    File not found: deskpan.dll
    HyperTerminal Icon Ext
    HyperTerminal Applet Library
    (Not verified) Hilgraeve, Inc.
    c:\windows\system32\hticons.dll
    Desktop Explorer
    NVIDIA Desktop Explorer, Version 61.77
    (Not verified) NVIDIA Corporation
    c:\windows\system32\nvshell.dll
    Desktop Explorer Menu
    NVIDIA Desktop Explorer, Version 61.77
    (Not verified) NVIDIA Corporation
    c:\windows\system32\nvshell.dll
    NvCpl DesktopContext Class
    NVIDIA Display Properties Extension
    (Not verified) NVIDIA Corporation
    c:\windows\system32\nvcpl.dll
    Play on my TV helper
    NVIDIA Display Properties Extension
    (Not verified) NVIDIA Corporation
    c:\windows\system32\nvcpl.dll
    nView Desktop Context Menu
    NVIDIA Desktop Explorer, Version 61.77
    (Not verified) NVIDIA Corporation
    c:\windows\system32\nvshell.dll
    WinZip
    WinZip Shell Extension DLL
    (Not verified) WinZip Computing, Inc.
    c:\program files\winzip\wzshlstb.dll
    WinZip
    WinZip Shell Extension DLL
    (Not verified) WinZip Computing, Inc.
    c:\program files\winzip\wzshlstb.dll
    WinZip
    WinZip Shell Extension DLL
    (Not verified) WinZip Computing, Inc.
    c:\program files\winzip\wzshlstb.dll
    WinZip
    WinZip Shell Extension DLL
    (Not verified) WinZip Computing, Inc.
    c:\program files\winzip\wzshlstb.dll

    HKLM\Software\Microsoft\Internet Explorer\Toolbar
    googletoolbar1.dll
    Google IE Client Toolbar
    (Not verified) Google Inc.
    c:\program files\google\googletoolbar1.dll

    ............................................................
    ... http://www10.brinkster.com/expl0iter/freeatlast/FNF/ ...
    ... (*Updated 9/3) ...
    ............................................................
    ________________________End_________________________________
    Just a second and I'll have a new HJT log.
    (edit)turned off errant smilies...
     
    Last edited: 2004/09/25
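    As an added example (not from this thread, and not part of EnumStreams or HijackThis), the correlation Lonny is doing by eye: parse the Sysinternals `streams` section of an EnumStreams report, parse the running-process and O4 Run entries of a HijackThis log, and flag any process or autorun that points at an alternate data stream that actually exists on disk. The report and log excerpts embedded below are constructed samples modelled on the output above.

```python
import re

# Constructed excerpt modelled on the "streams" section of the EnumStreams
# report (sample input, not the real report). Note the doubled root
# backslash "C:\\" that the tool prints.
STREAMS_REPORT = r"""Streams v1.5 - Enumerate alternate NTFS data streams
Failed to open C:\\pagefile.sys:
The process cannot access the file because it is being used by another process.
C:\\Documents and Settings\Jason\My Documents\My Pictures\Thumbs.db:
:encryptable:$DATA
0
C:\\WINDOWS\DirectX.log:
:dpghs:$DATA
10240
C:\\WINDOWS\Santa Fe Stucco.bmp:
:csebk:$DATA
11388
:kcapj:$DATA
26624
"""

# Constructed excerpt modelled on the HijackThis log (sample input).
HJT_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wincu32.exe
C:\WINDOWS\DirectX.log:dpghs

O4 - HKLM\..\Run: [javati.exe] C:\WINDOWS\system32\javati.exe
O4 - HKLM\..\Run: [wincu32.exe] C:\WINDOWS\system32\wincu32.exe
"""

FILE_RE = re.compile(r"^([A-Za-z]:\\.+):$")          # "C:\\WINDOWS\DirectX.log:"
STREAM_RE = re.compile(r"^:([^:]+):\$DATA$")          # ":dpghs:$DATA"
ADS_RE = re.compile(r"^([A-Za-z]:\\[^:]+):([^\\:]+)$")  # "C:\WINDOWS\DirectX.log:dpghs"

# Stream names Windows itself creates; everything else deserves a look.
BENIGN_STREAMS = {"encryptable", "zone.identifier"}


def normalize_path(p):
    """Collapse runs of backslashes so 'C:\\\\WINDOWS' and 'C:\\WINDOWS' compare equal."""
    return re.sub(r"\\+", r"\\", p.strip())


def parse_streams_report(text):
    """Return [(file, stream_name, size_bytes)] from Sysinternals streams output."""
    results, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failed to open"):
            current = None          # locked file: no stream lines follow
            continue
        m = FILE_RE.match(line)
        if m:
            current = normalize_path(m.group(1))
            continue
        m = STREAM_RE.match(line)
        if m and current:
            pending = m.group(1)    # size is on the next line
            continue
        if pending and line.isdigit():
            results.append((current, pending, int(line)))
            pending = None
    return results


def suspicious_streams(streams):
    """Non-empty streams whose name is not a known Windows marker."""
    return [(f, s, n) for f, s, n in streams
            if s.lower() not in BENIGN_STREAMS and n > 0]


def ads_references(hjt_text):
    """Return [(kind, file, stream)] for every ADS-style path a HijackThis log runs."""
    refs, in_processes = [], False
    for raw in hjt_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        if in_processes:
            kind, candidate = "process", line
        elif line.startswith("O4 - ") and "] " in line:
            kind, candidate = "autorun", line.split("] ", 1)[1]
        else:
            continue
        m = ADS_RE.match(normalize_path(candidate))
        if m:
            refs.append((kind, m.group(1), m.group(2)))
    return refs


def correlate(streams, refs):
    """For each ADS the log executes, say whether the stream exists on disk and its size."""
    on_disk = {(f.lower(), s.lower()): n for f, s, n in streams}
    return [{"kind": kind, "path": f"{f}:{s}",
             "on_disk": (f.lower(), s.lower()) in on_disk,
             "size": on_disk.get((f.lower(), s.lower()))}
            for kind, f, s in refs]


if __name__ == "__main__":
    streams = parse_streams_report(STREAMS_REPORT)
    for f, s, n in suspicious_streams(streams):
        print(f"unexpected stream {f}:{s} ({n} bytes)")
    for hit in correlate(streams, ads_references(HJT_LOG)):
        print(hit)
```

    The same parsers work on the full report and log pasted above; the hit for `C:\WINDOWS\DirectX.log:dpghs` is the process and service Lonny singles out.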
  5. 2004/09/25
    JHD536

    JHD536 Inactive Thread Starter

    New HJT log:

    Logfile of HijackThis v1.98.2
    Scan saved at 7:08:48 AM, on 9/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wincu32.exe
    C:\WINDOWS\DirectX.log:dpghs
    C:\Documents and Settings\Jason\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ybnil.dll/sp.html#37680
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ybnil.dll/sp.html#37680
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ybnil.dll/sp.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ybnil.dll/sp.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ybnil.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ybnil.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ybnil.dll/sp.html#37680
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {271363C4-4477-FB41-7906-D3C2C7F0D6BE} - C:\WINDOWS\system32\sdkfv32.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [javati.exe] C:\WINDOWS\system32\javati.exe
    O4 - HKLM\..\Run: [wincu32.exe] C:\WINDOWS\system32\wincu32.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095908578406
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    (edit)
    For some incredibly goofy reason, which probably caused this, every site IE goes to is listed as a "trusted site ", yet none are even listed when I open the options menu.
     
    Last edited: 2004/09/25
  6. 2004/09/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Let me explain: we cannot use the normal service tools to stop and disable this nasty; it works, but not always, so my apologies for the length of the instructions and the multiple tools.
    If you have any questions ask before getting started !!

    Familiarize yourself with how to start in safe mode and how to show hidden files and folders,
    if you don't already know how to, links below.
    Set Windows to show hidden files, folders and extensions
    >click here for instructions<.

    Download About:Buster version (version 3) and unzip it to a new folder.
    Run it and check for updates, then exit the tool for now
    http://downloads.subratam.org/AboutBuster.zip


    Download CWShredder 1.59.1
    http://www.allsecpros.com/#cws (don't use it until further down).


    Download pserv.cpl: http://p-nand-q.com/e/pserv.html
    This service tool (free) will allow you to stop, disable and then later on delete a rogue service.
    Direct download > http://p-nand-q.com/download/pserv_cpl/pserv-2.3.exe
    Install then run, find >>>
    O?’ŽrtñåȲ$Ó Network Security Service c:\windows\directx.log:dpghs
    Right-click > choose stop, then right-click disable if it is still there right-click kill.
    close pserv.cpl when complete.
    Immediately reboot into the safe mode administrator account
    Start into
    safe mode
    (it may help if you print this out)

    Copy shell.dll from one of these locations and place it in the windows\system32 folder
    C:\windows\system\SHELL.DLL
    C:\windows\system32\dllcache\shell.dll


    c:\windows\directx.log
    Copy this file to a location outside windows for now

    Run AboutBuster, let it scan twice.
    save the log and post it when you get back

    Run CWShredder; click fix, not just scan.


    Run Hijackthis and fix these
    All the unwanted R's and R1's and those with aboutblank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {271363C4-4477-FB41-7906-D3C2C7F0D6BE} - C:\WINDOWS\system32\sdkfv32.dll
    O4 - HKLM\..\Run: [javati.exe] C:\WINDOWS\system32\javati.exe
    O4 - HKLM\..\Run: [wincu32.exe] C:\WINDOWS\system32\wincu32.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
    ===============================================
    Close hijackthis

    Restart back to a normal Windows session.
    Delete these files:
    C:\WINDOWS\system32\wincu32.exe and javati.exe

    Important: clear IE's cache via Control Panel > Internet Options, [Delete Files]
    button, and mark the popup to also delete offline content.
    (Provided you have just restarted, it's safe to) delete the contents of all your
    temp folders, as in: open C:\ then >
    C:\documents and settings\(all your pc users)\local settings\temp
    Note: some systems have Temporary Internet Files, Application Data and History in that temp;
    if so, leave them and delete all other folders and files inside that temp,
    and the contents of the C:\windows\temp folder.


    Open the C:\enumstreasm folder and run "CleanWinStream.cmd",
    then in your next post paste the entire "Winclean.txt".
    Don't stop to post it now, continue on >

    Run pserv.cpl, double-click that rogue service and choose Delete.
    O?’ŽrtñåȲ$Ó Network Security Service c:\windows\directx.log:dpghs
    !! Only this one !! Be careful please.



    Place that copy of directx.log back in the windows folder.


    When back, make and post a new HijackThis log, and the winclean.txt.

    Why do we see no antivirus program?
    Are you comfortable with regedit?
     
  7. 2004/09/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Well, fill us in on what happened?
     
  8. 2004/09/26
    JHD536

    JHD536 Inactive Thread Starter

    Joined:
    2004/09/25
    Messages:
    8
    Likes Received:
    0
    Sorry, I was away from my computer for most of the day today. I figured I'd try out SP2, but it didn't seem to help much. I also ran About:Buster, and it seemed to help, but the little bugger keeps resurrecting itself. I even ran it in safe mode, but it still keeps coming back.

    Cleanstream.cmd doesn't seem to work; it starts up and just sits there saying "please wait". It also seems to be resetting my search, start, etc. pages... I recently turned on the Spybot monitor, and it seems to be catching a number of things...

    I also got a cheap AV program from someone and it actually found a few things and removed them, but no changes to IE as far as I've seen.

    Anyways, here's the HJT log as of a couple minutes ago:

    Logfile of HijackThis v1.98.2
    Scan saved at 7:32:01 PM, on 9/26/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\d3za32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\javaqi32.exe
    C:\Documents and Settings\Jason\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\psgma.dll/sp.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\psgma.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.gamers.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [d3za32.exe] C:\WINDOWS\d3za32.exe
    O4 - HKLM\..\Run: [ipin32.exe] C:\WINDOWS\system32\ipin32.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095908578406
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab


    (edit)

    I figured I'd post the log of all the things that the SpyBot monitor catches when I open my browser:

    9/26/2004 8:08:21 PM Denied value "Search Page" (new data: "res://C:\WINDOWS\lglsu.dll/sp.html#37680 ") changed in Browser page!
    9/26/2004 8:08:22 PM Denied value "Search Bar" (new data: "res://C:\WINDOWS\lglsu.dll/sp.html#37680 ") changed in Browser page!
    9/26/2004 8:08:24 PM Denied value "Search Page" (new data: "res://C:\WINDOWS\lglsu.dll/sp.html#37680 ") changed in Browser page!
    9/26/2004 8:08:25 PM Denied value "Search Bar" (new data: "res://C:\WINDOWS\lglsu.dll/sp.html#37680 ") changed in Browser page!
    9/26/2004 8:08:25 PM Denied value "SearchAssistant" (new data: "res://C:\WINDOWS\lglsu.dll/sp.html#37680 ") changed in Browser page!


    I deny all the changes every time, but I can't tell it to remember the denial since the clever little rat always uses a different dll file that it creates.
     
    Last edited: 2004/09/26
  9. 2004/09/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download CWShredder from here. Save it to the desktop.

    Turn off Spybot's TeaTimer.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\psgma.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\psgma.dll/sp.html#37680
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [d3za32.exe] C:\WINDOWS\d3za32.exe
    O4 - HKLM\..\Run: [ipin32.exe] C:\WINDOWS\system32\ipin32.exe


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Log on to the Administrator account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files.

    Open CWShredder, close ALL other windows and click fix.

    Open C:\WINDOWS and delete the file d3za32.exe.
    Open C:\WINDOWS\system32 and delete the file ipin32.exe.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.

    Again, run AboutBuster.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, scan your PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
     
  10. 2004/09/26
    JHD536

    JHD536 Inactive Thread Starter

    Joined:
    2004/09/25
    Messages:
    8
    Likes Received:
    0
    Did all that and it's still alive... Anyways:

    Scan started at 9/26/2004 8:47:54 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\Jason\Desktop\backups\backup-20040925-052739-245.dll - TrojanDownloader:Win32/Agent -> Infected
    C:\Documents and Settings\Jason\Desktop\backups\backup-20040925-165332-840.dll - TrojanDownloader:Win32/Agent -> Infected
    C:\Documents and Settings\Jason\Desktop\backups\backup-20040926-192015-367.dll - TrojanDownloader:Win32/Agent -> Infected
    C:\WINDOWS\addef.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\addfl.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\apido32.exe - Trojan:Win32/Agent.BQ -> Infected
    C:\WINDOWS\appsa32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\crih32.exe - Trojan:Win32/Agent.BQ -> Infected
    C:\WINDOWS\cyddi.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\d3za32.exe - TrojanDownloader:Win32/Agent.Z -> Infected
    C:\WINDOWS\flcyj.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\ipbf32.dll - Trojan:Win32/Agent.BQ -> Infected
    C:\WINDOWS\ipbf32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\ipgl32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\KB842773.log->ADS:hbdmu - TrojanDownloader:Win32/Agent -> Infected
    C:\WINDOWS\lfozg.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\lglsu.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\mfcbj.exe - Trojan:Win32/Agent.BQ -> Infected
    C:\WINDOWS\ntjb32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\n_fikspy.log - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\ojrzq.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\Santa Fe Stucco.bmp->ADS:nagoi - Trojan:Win32/Agent.BQ -> Infected
    C:\WINDOWS\syscd.exe - Trojan:Win32/Agent.BQ -> Infected
    C:\WINDOWS\sysyi32.dll - TrojanDownloader:Win32/Agent -> Infected
    C:\WINDOWS\tmupdate.ini->ADS:iwqup - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\wingx.dll - TrojanDownloader:Win32/Agent -> Infected
    C:\WINDOWS\zrcoa.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\Downloaded Program Files\idszdbuw.exe - TrojanDownloader:Win32/Small.UG -> Infected
    C:\WINDOWS\system32\addyt.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\apifs.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\apifu32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\apihe32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\appuj32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\d3ub.exe - Trojan:Win32/Agent.BQ -> Infected
    C:\WINDOWS\system32\d3uh32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\dqsjh.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\system32\efeoq.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\system32\iesj32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\javakg32.dll - Trojan:Win32/Agent.BQ -> Infected
    C:\WINDOWS\system32\javakg32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\javayp32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\mszo32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\nettp32.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\psgma.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\system32\qagmu.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\system32\sdkfv32.dll - TrojanDownloader:Win32/Agent -> Infected
    C:\WINDOWS\system32\sdkgr.exe - TrojanDownloader:Win32/Agent.CD -> Infected
    C:\WINDOWS\system32\unrfb.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\system32\wgemk.dll - TrojanDownloader:Win32/WinShow.AK -> Infected
    C:\WINDOWS\system32\winnp.dll - TrojanDownloader:Win32/Agent -> Infected
    C:\WINDOWS\system32\yiwjm.dll - TrojanDownloader:Win32/WinShow.AK -> Infected

    Scanned
    ============================
    Objects: 22880
    Directories: 2153
    Archives: 670
    Size(Kb): -1485208
    Infected files: 51

    Found
    ============================
    Viruses found: 6
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 36

    I'm guessing since it didn't say anything about fixing it (autoclean was on), I'll have to delete them 1 by 1 on my own...

    As for HJT:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:59:34 PM, on 9/26/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\javakg32.exe
    C:\WINDOWS\iemd32.exe:nkvyx
    C:\Documents and Settings\Jason\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lglsu.dll/sp.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lglsu.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.gamers.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {6D33AC15-1E7C-6792-3A0F-7F24E39ABC19} - C:\WINDOWS\sysyi32.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [javakg32.exe] C:\WINDOWS\system32\javakg32.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095908578406
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
     
  11. 2004/09/26
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You may need MoveOnBoot to delete some of those files.
    I believe the About:Buster failed you for these two reasons.
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    Those two things are put there by Spybot to prevent changes to the IE start and search pages. These must be removed first, then a reboot.
    Then remove these in HJT.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lglsu.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lglsu.dll/sp.html#37680
    O2 - BHO: (no name) - {6D33AC15-1E7C-6792-3A0F-7F24E39ABC19} - C:\WINDOWS\sysyi32.dll
    O4 - HKLM\..\Run: [javakg32.exe] C:\WINDOWS\system32\javakg32.exe

    Target these files with MoveOnBoot, by right clicking on the file and selecting to Delete on Next Boot, and reboot.
    C:\WINDOWS\lglsu.dll
    C:\WINDOWS\system32\javakg32.exe
    C:\WINDOWS\sysyi32.dll
    C:\WINDOWS\iemd32.exe

    Then use the About:Buster.
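    As an added example, not code from this thread or from any of the tools it mentions (HijackThis, About:Buster, CWShredder, RAV), here is a small Python triage script that applies the checks the helpers above apply by eye to a HijackThis log: search/start page values redirected into a local DLL via res://, a process image living in an NTFS alternate data stream (like iemd32.exe:nkvyx above), an unnamed BHO, Run entries that start unrecognised files from the Windows directory, and the O6 policy keys markp62 points out. The log it ships with is a constructed sample modelled on the logs posted here; the severity labels and the ctfmon.exe allowlist are this example's own assumptions.

```python
import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.98 log format, modelled on the logs
# posted in this thread. It is not a real capture.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\javakg32.exe
C:\WINDOWS\iemd32.exe:nkvyx

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lglsu.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6D33AC15-1E7C-6792-3A0F-7F24E39ABC19} - C:\WINDOWS\sysyi32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [javakg32.exe] C:\WINDOWS\system32\javakg32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

ENTRY = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
# "C:\dir\file.ext:stream": a second colon after the drive letter with no
# backslash after it means the path names an NTFS alternate data stream.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
RES_DLL = re.compile(r"=\s*res://(?P<dll>[^/\s]+\.dll)/", re.IGNORECASE)
RUN_CMD = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\]\s*"?(?P<exe>.+?\.exe)', re.IGNORECASE)
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Allowlist (assumption of this example): XP components legitimately started
# from the Windows directory via a Run key.
KNOWN_RUN_FROM_WINDIR = {"ctfmon.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str   # high / medium / review / info
    line: str
    reason: str
    detail: str = ""


def analyse_hjt_log(text: str) -> list[Finding]:
    """Flag the hijack indicators discussed in this thread in one HJT log."""
    findings: list[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m is None:
            # Inside the process list only a stream-hosted image is interesting.
            if in_processes and ADS_PATH.match(line):
                findings.append(Finding("high", line, "process image is an NTFS alternate data stream; Explorer and dir never show it"))
            continue
        in_processes = False
        kind, body = m.group("kind"), m.group("body")
        if kind[0] == "R":
            res = RES_DLL.search(body)
            if res:
                findings.append(Finding("high", line, "search/start page redirected into a local DLL resource (CWS about:blank hijack signature)", res.group("dll")))
            elif body.endswith("= about:blank"):
                findings.append(Finding("medium", line, "page forced to about:blank; harmless alone, but this family pairs it with res:// search hijacks"))
            elif "URLSearchHook is missing" in body:
                findings.append(Finding("medium", line, "default URLSearchHook removed; re-add after cleaning"))
        elif kind == "O2" and "BHO: (no name)" in body:
            findings.append(Finding("high", line, "unnamed Browser Helper Object loads into every IE process"))
        elif kind == "O4":
            run = RUN_CMD.match(body)
            if run:
                exe = PureWindowsPath(run.group("exe"))
                if str(exe.parent).lower() in WINDOWS_DIRS and exe.name.lower() not in KNOWN_RUN_FROM_WINDIR:
                    findings.append(Finding("review", line, "Run entry starts an unrecognised file from the Windows directory", exe.name))
        elif kind == "O6" and body.endswith("present"):
            findings.append(Finding("info", line, "IE policy restrictions present (Spybot places these); they block start/search page fixes until removed"))
    return findings


def hijack_dlls(findings: list[Finding]) -> set[str]:
    """DLLs named in res:// hijack values; this family rotates them on each run."""
    return {f.detail.lower() for f in findings if f.detail.lower().endswith(".dll")}


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    # Usage: python hjt_triage.py saved_hijackthis_log.txt (or no argument for the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in analyse_hjt_log(text):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

    The script only reads a saved log; it changes nothing on the machine. Its value is the correlation the thread shows: an about:blank start page by itself is a normal setting, but next to a res:// redirect into a DLL in C:\WINDOWS and a process running from a file:stream path it is the signature of the hijacker, and the O6 entries explain why About:Buster could not fix the page values.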
     
  12. 2004/09/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    If you had followed instructions without adding new software, well,
    Yes, enum streams will seem to just sit there; you should have let it do the job.
    I did not suggest turning on TeaTimer, an online scan or a new install of an antivirus program; not the thing to do yet. They will adversely affect the outcome.

    Everything has now changed and the instructions no longer apply; please delete the tools I had you download.

    I'm out of this thread, because you diverted from the plan and there are too many helpers involved.

    Good luck.
     
  13. 2004/09/26
    JHD536

    JHD536 Inactive Thread Starter

    Joined:
    2004/09/25
    Messages:
    8
    Likes Received:
    0
    "why do we see no antivirus program ? "

    That usually is understood as advice to install AV software...


    And what is so wrong with other people trying to lend assistance?

    If you do not want people to install other programs that usually help, then it's usually a good idea to tell them directly to not do so.
     
  14. 2004/09/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I asked why there is none, not suggesting an install.
    Advice from other helpers is great usually, and very much appreciated.
    But not in this instance; the fix is too complicated.
     
  15. 2004/09/27
    JHD536

    JHD536 Inactive Thread Starter

    Joined:
    2004/09/25
    Messages:
    8
    Likes Received:
    0
    Since it seemed like there wasn't any permanent solution coming along for a while, I just went ahead and formatted and reinstalled. I didn't lose much of anything since the former install was less than a week old. I'll just have to use more discretion when I go surfing outside of my favorites menu.
     
  16. 2004/09/28
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    JHD536
    Your computer needed wiping and reinstalling, anyway. It was too badly infected to clean without following Noahdfear's instructions explicitly. With 6 viruses and 51 infected files- trojans of all flavors, you toasted your OS. Took a lot, didn't it?

    What kind of AV are you running now? I don't see any in the running processes. You need a firewall, too. Your comp was probably a zombie online. Reinstalling was the best course of action. Make sure you read the two stickies on the top of the Security Forum for more info- it will help protect your squeaky clean install in the future.



    One of the best things about the BBS is the collective wisdom of the members. You were given the appropriate suggestions. Now, take the time to read up on PREVENTION, so you don't get stuck like that again.

    Best regards,
    Johanna
     
  17. 2004/09/29
    JHD536

    JHD536 Inactive Thread Starter

    Joined:
    2004/09/25
    Messages:
    8
    Likes Received:
    0
    Just as a note, this was the FIRST time in 6 years that this has ever happened.

    I know prevention. I'm not some random internet moron. I've had my Browser hit with stuff like this before, but since my usual solutions didn't work, I went here.

    This was a case of IE stupidity since it listed EVERY site I went to as trusted. It became infected 1 day after I formatted to install some new hardware.

    Now that's been fixed.

    As for the 51 infected files, the Trojan would infect a new file every time I opened IE, it hijacked everything from .log files to .bmp files. It was resilient as hell and since nobody would just go out and say: "It's probably best to just clear the drive and start fresh" I did so myself.

    There may be some wisdom here, but there is also some arrogance in the air; just because someone asks for help, it doesn't make them any less intelligent or you all any more so. It's usually a good idea to talk to the people you are *assisting* on an even level.
     
  18. 2004/09/29
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi JHD536,

    Appreciate your point of view, but this is a tough "business" - assisting people with malware removal.

    The removal tools are always behind the curve and the lag between advice and follow through/results is always time consuming and for the victim, nerve-racking.

    I have great admiration for the people that do this for gratis, and especially the crew here; I've done it a few times, and it can become all consuming.

    Regards - Charles
     
  19. 2004/09/29
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    JHD536
    I am sorry you feel like your experience here was a negative one- seldom does that happen on the BBS. No one called you a "random internet moron", or meant to imply that, I'm sure. It's hard to communicate only by typing- if we were sitting at a table together and we could see each other's smiles and hear the inflections in our voices, there would be far less misunderstandings.

    Generally, we only recommend wiping and starting fresh as a last resort. Often, folks who ask for help are desperate to save their settings and data, and we TRY to help them get the nasties gone, without trashing their OS. If you interpreted the responses you got as "arrogance", please accept my apologies on behalf of the Board. Because I have been a "regular" here for some time, I know how dedicated the unpaid volunteers are.

    I hope you reconsider your opinion, and give us another chance. Browse the Board, chip in your two cents. I think you will be pleasantly surprised at just how helpful and "nice" the BBS is, as well as educational. Like I said earlier, it is the collective experience and knowledge of all the members that make this BBS so effective, and fun to participate in.

    Glad you got your problems sorted, hope you post again.
    Johanna
     