Request for advice on HJT log: DMVlite

pgwisn · 2005/02/19

Here is the output from running HJT.
Thanks in advance,
Pgwisn

Logfile of HijackThis v1.99.1
Scan saved at 5:51:49 PM, on 2/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wogeduov6.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\a64sddd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\pgwhiz\Application Data\aslt.exe
C:\WINDOWS\system32\??erinit.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pgwhiz\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whizbark.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.whizbark.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whizbark.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Worst Web Browser in the world
R3 - URLSearchHook: (no name) - _{0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {02AE3601-2E1C-4EF1-9869-6334479138B9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0710E6CB-7827-24D6-2EF0-2E87EC81BAC1} - C:\WINDOWS\system32\nzlyaosb.dll
O2 - BHO: (no name) - {373DD6CD-5563-1CEE-03B2-16AADAC097F9} - C:\WINDOWS\system32\nzlyaosb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - C:\WINDOWS\system32\srchbar.dll
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [popuppers64] C:\WINDOWS\a64sddd.exe
O4 - HKLM\..\Run: [rvuxejrzbu] C:\WINDOWS\system32\zbertp.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Csda] C:\Documents and Settings\pgwhiz\Application Data\aslt.exe
O4 - HKCU\..\Run: [Iizfd] C:\WINDOWS\system32\??erinit.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{842B7BF2-20C6-4545-9464-64E4FDB2EAFF}: NameServer = 192.168.0.1,66.36.236.57
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kldjyjoruxjl (viduzbcc6) - Unknown owner - C:\WINDOWS\system32\wogeduov6.exe

PeteC · 2005/02/20

pgwisn - Welcome to the Board

Always better to start a new thread under these circumstances - I have split your post to a new thread.

Before one of our experts asks - download HijackThis to a folder on your hard drive, say C:\HJT - not to the Desktop and post another log.

pgwisn · 2005/02/20

PeteC, and other helpful souls,
Here is new logfile after deleting HJT, re-d/l'ing into its own file and running it from there. Thx
--P

Logfile of HijackThis v1.99.1
Scan saved at 8:55:47 AM, on 2/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wogeduov6.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\a64sddd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\pgwhiz\Application Data\aslt.exe
C:\WINDOWS\system32\??erinit.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whizbark.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.whizbark.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whizbark.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Worst Web Browser in the world
R3 - URLSearchHook: (no name) - _{0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {02AE3601-2E1C-4EF1-9869-6334479138B9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0710E6CB-7827-24D6-2EF0-2E87EC81BAC1} - C:\WINDOWS\system32\nzlyaosb.dll
O2 - BHO: (no name) - {373DD6CD-5563-1CEE-03B2-16AADAC097F9} - C:\WINDOWS\system32\nzlyaosb.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - C:\WINDOWS\system32\srchbar.dll
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [popuppers64] C:\WINDOWS\a64sddd.exe
O4 - HKLM\..\Run: [rvuxejrzbu] C:\WINDOWS\system32\zbertp.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Csda] C:\Documents and Settings\pgwhiz\Application Data\aslt.exe
O4 - HKCU\..\Run: [Iizfd] C:\WINDOWS\system32\??erinit.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{842B7BF2-20C6-4545-9464-64E4FDB2EAFF}: NameServer = 192.168.0.1,66.36.236.57
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kldjyjoruxjl (viduzbcc6) - Unknown owner - C:\WINDOWS\system32\wogeduov6.exe

pgwisn · 2005/02/20

DMVlite

Anyone able to take a look at this logfile above?
TIA

markp62 · 2005/02/22

Disable System Restore, and reboot. This is important to do this as deleted files will reappear otherwise.

Click on Start then Run and type in Services.Msc, then hit enter. Locate "viduzbcc6 ", right click and choose Properties. Stop the service, then set to disabled. Click Apply then OK. Close the services window.

Remove these items in HJT with all internet browsers, and Windows Explorer windows closed. Rescan with HJT and remove these items.

R3 - URLSearchHook: (no name) - _{0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
O2 - BHO: (no name) - {0710E6CB-7827-24D6-2EF0-2E87EC81BAC1} - C:\WINDOWS\system32\nzlyaosb.dll
O2 - BHO: (no name) - {373DD6CD-5563-1CEE-03B2-16AADAC097F9} - C:\WINDOWS\system32\nzlyaosb.dll
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - C:\WINDOWS\system32\srchbar.dll
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [popuppers64] C:\WINDOWS\a64sddd.exe
O4 - HKLM\..\Run: [rvuxejrzbu] C:\WINDOWS\system32\zbertp.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKCU\..\Run: [Csda] C:\Documents and Settings\pgwhiz\Application Data\aslt.exe
O4 - HKCU\..\Run: [Iizfd] C:\WINDOWS\system32\??erinit.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O23 - Service: kldjyjoruxjl (viduzbcc6) - Unknown owner - C:\WINDOWS\system32\wogeduov6.exe

Reboot into Safe Mode and set Windows Explorer Folder Options to Show All Files.
Delete all files in the folder C:\Windows\Prefetch.

Delete these folders.
C:\Program Files\AdTools Service
C:\Program Files\Common files\SearchUpgrader
C:\WINDOWS\system32\wsxsvc
C:\WINDOWS\system32\vmss

Delete these files.
C:\WINDOWS\system32\nzlyaosb.dll
C:\WINDOWS\system32\srchbar.dll
C:\WINDOWS\a64sddd.exe
C:\WINDOWS\system32\zbertp.exe
C:\Documents and Settings\pgwhiz\Application Data\aslt.exe
C:\WINDOWS\system32\??erinit.exe
C:\WINDOWS\system32\wogeduov6.exe

Clear out the Recycle Bin, surf for a bit, and then post a new log.

Log in or Sign up

Request for advice on HJT log: DMVlite

pgwisn Inactive Thread Starter

PeteC SuperGeek Staff

pgwisn Inactive Thread Starter

pgwisn Inactive Thread Starter

markp62 Geek Member Alumni

Share This Page

Log in or Sign up

Request for advice on HJT log: DMVlite

pgwisn Inactive Thread Starter

PeteC SuperGeek Staff

pgwisn Inactive Thread Starter

pgwisn Inactive Thread Starter

markp62 Geek Member Alumni

Share This Page

Useful Searches