July 13th, 2004 20:00
Homepage changes to res://zdpd.dll
My homepage changes to res://zdlpd.dll/index.html#37049. I check the registry and that is listed as search page and start page. I've run Ad-Aware and Spybot with no success. I've changed my start page and search page in the registry, no luck. Also changed them in Control Panel and under Tools/Internet Options.
HELP PLEASE!!! Thank you
pskelley
July 13th, 2004 22:00
mchill, It appears you are infected by a hard to remove, new CWS Exploit. At present only manual fixes are available, and they are fairly complex and a challenge for a novice. Not knowing your abilities, if you will follow the instructions so an expert can look at your log, they will be able to advise you.
We need to make you aware that many, many logs are being posted. Because we are few, all volunteers with families and real jobs, who do not work for Dell, we will have to ask you to be patient. We work the logs in the order they come in. One of the experts (trained at SpywareInfo & Tom Coyote) will assist with your log as soon as possible. They may ask for a fresh log as rebooting can mutate the newest infections.
We need you to download and install an analysis and repair tool called HijackThis.
Download the zipped file from here: http://www.majorgeeks.com/download3155.html. Please see the following link for information about downloading and other FAQs. There is also a link there to an .exe version of HijackThis if there is anyone who absolutely cannot open a .zip file. Please use this for that purpose only due to limited bandwidth, thank you. HijackThis FAQ (Frequently Asked Questions) also at: http://russelltexas.com/malware/faqhijackthis.htm
Please unzip HijackThis.zip or move the HijackThis.exe file into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don't place it on the Wallpaper, in a Temp folder, or the My Documents folder. It will create many backup files and they need to be stored in a unique HijackThis folder. If it is properly placed it will look like this: C:\HJT\HijackThis.exe. Please be careful with these instructions, a misplaced log can slow down your repair while it is placed properly.
After downloading and unzipping the HijackThis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive), run HijackThis, click on the 'scan' button and then the 'save log' button.
Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt
Special Notice! HijackThis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the HijackThis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. HijackThis should identify the vast majority of your problems and enable us to help you clean them off your system.
Stay in this thread for continuity. Reply to this message.
Thanks,
pskelley
In Training at TomCoyote.com and Spywareinfo.com
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general and many specific items in Hijackthis logs: jimw, ddeerrff, and msgale.
Clicking on people's usernames at the left will reveal information about them if they chose to have an open profile.
mchill
July 13th, 2004 23:00
Message Edited by mchill on 07-14-2004 01:29 PM
mcseeboth
July 14th, 2004 00:00
mchill
Check this out, me too: res://mdpnj.dll/index.html#37049
My spyware remover describes it as a "DyFuCA" file, author and/or hijacker.
This has infected your browser as soon as it starts; each time it starts it places another address to refer to that homepage. I'm no computer tech either.
I saw your thread and had to respond. I need a solution like you.
Forum help, I will download "highjackThis" and post my log.
mcseeboth
mchill
July 14th, 2004 17:00
Logfile of HijackThis v1.98.0
Scan saved at 2:26:04 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\crqy32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ntig32.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zdlpd.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zdlpd.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zdlpd.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {24EC266E-58F6-C76B-ECDF-18E86769E35F} - C:\WINDOWS\sysnl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ntig32.exe] C:\WINDOWS\system32\ntig32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\RunOnce: [ieva.exe] C:\WINDOWS\ieva.exe
O4 - HKLM\..\RunOnce: [crqy32.exe] C:\WINDOWS\crqy32.exe
O4 - HKLM\..\RunOnce: [javauq.exe] C:\WINDOWS\system32\javauq.exe
O4 - HKLM\..\RunOnce: [sdkhb32.exe] C:\WINDOWS\system32\sdkhb32.exe
O4 - HKLM\..\RunOnce: [sdksr32.exe] C:\WINDOWS\sdksr32.exe
O4 - HKLM\..\RunOnce: [crep32.exe] C:\WINDOWS\system32\crep32.exe
O4 - HKLM\..\RunOnce: [winks32.exe] C:\WINDOWS\winks32.exe
O4 - HKLM\..\RunOnce: [mfcfs32.exe] C:\WINDOWS\mfcfs32.exe
O4 - HKLM\..\RunOnce: [msah32.exe] C:\WINDOWS\system32\msah32.exe
O4 - HKLM\..\RunOnce: [winqp.exe] C:\WINDOWS\system32\winqp.exe
O4 - HKLM\..\RunOnce: [crgx32.exe] C:\WINDOWS\system32\crgx32.exe
O4 - HKLM\..\RunOnce: [winsx.exe] C:\WINDOWS\winsx.exe
O4 - HKLM\..\RunOnce: [addbj32.exe] C:\WINDOWS\addbj32.exe
O4 - HKLM\..\RunOnce: [atlva32.exe] C:\WINDOWS\system32\atlva32.exe
O4 - HKLM\..\RunOnce: [addyc.exe] C:\WINDOWS\system32\addyc.exe
O4 - HKLM\..\RunOnce: [crln32.exe] C:\WINDOWS\system32\crln32.exe
O4 - HKLM\..\RunOnce: [ntfq.exe] C:\WINDOWS\system32\ntfq.exe
O4 - HKLM\..\RunOnce: [mfcrb.exe] C:\WINDOWS\mfcrb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {11111111-1111-1111-1111-111410141459} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.webpcfos.com/webpcfos/Citrix/wfica.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/hitthepros03/foxsports/wtinst.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
pskelley
July 14th, 2004 21:00
Hi mchill, The bad news is that you have a nasty CWS Exploit. The good news is a fix has just been released for it.
Let's start like this: with all other Explorer windows closed, open HijackThis and click on scan. Then place a check in front of each of these line items, and click on "Fix Checked".
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {11111111-1111-1111-1111-111410141459} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.webpcfos.com/webpcfos/Citrix/wfica.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/hitthepros03/foxsports/wtinst.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
Then go to the following link and try FIX FOUR.
TRY THIS FIRST! HOT ON THE CHARTS! FIX FOUR About:Buster 1.27
http://russelltexas.com/malware/malware.htm
Follow the instructions to remove the item which looks like this in your log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zdlpd.dll/index.html#37049
When this is completed, empty your recycle bin and reboot your computer. Then follow the directions at this link:
http://www.cjwd.demon.co.uk/spybot-adaware.html
When you have completed this, empty the recycle bin and reboot your computer. Then post a fresh log so we can see where we are. Thanks...pskelley
mchill
July 14th, 2004 23:00
How does this look?
Logfile of HijackThis v1.98.0
Scan saved at 8:38:29 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\crqy32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ntig32.exe
C:\Firewall\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zdlpd.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zdlpd.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zdlpd.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {24EC266E-58F6-C76B-ECDF-18E86769E35F} - C:\WINDOWS\sysnl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ntig32.exe] C:\WINDOWS\system32\ntig32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Firewall\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\RunOnce: [crqy32.exe] C:\WINDOWS\crqy32.exe
O4 - HKLM\..\RunOnce: [javauq.exe] C:\WINDOWS\system32\javauq.exe
O4 - HKLM\..\RunOnce: [sdkhb32.exe] C:\WINDOWS\system32\sdkhb32.exe
O4 - HKLM\..\RunOnce: [sdksr32.exe] C:\WINDOWS\sdksr32.exe
O4 - HKLM\..\RunOnce: [crep32.exe] C:\WINDOWS\system32\crep32.exe
O4 - HKLM\..\RunOnce: [mfcfs32.exe] C:\WINDOWS\mfcfs32.exe
O4 - HKLM\..\RunOnce: [msah32.exe] C:\WINDOWS\system32\msah32.exe
O4 - HKLM\..\RunOnce: [winqp.exe] C:\WINDOWS\system32\winqp.exe
O4 - HKLM\..\RunOnce: [crgx32.exe] C:\WINDOWS\system32\crgx32.exe
O4 - HKLM\..\RunOnce: [winsx.exe] C:\WINDOWS\winsx.exe
O4 - HKLM\..\RunOnce: [addbj32.exe] C:\WINDOWS\addbj32.exe
O4 - HKLM\..\RunOnce: [atlva32.exe] C:\WINDOWS\system32\atlva32.exe
O4 - HKLM\..\RunOnce: [addyc.exe] C:\WINDOWS\system32\addyc.exe
O4 - HKLM\..\RunOnce: [crln32.exe] C:\WINDOWS\system32\crln32.exe
O4 - HKLM\..\RunOnce: [ntfq.exe] C:\WINDOWS\system32\ntfq.exe
O4 - HKLM\..\RunOnce: [mfcrb.exe] C:\WINDOWS\mfcrb.exe
O4 - HKLM\..\RunOnce: [mfcxx.exe] C:\WINDOWS\mfcxx.exe
O4 - HKLM\..\RunOnce: [addqo32.exe] C:\WINDOWS\system32\addqo32.exe
O4 - HKLM\..\RunOnce: [netem.exe] C:\WINDOWS\netem.exe
O4 - HKLM\..\RunOnce: [apidi32.exe] C:\WINDOWS\system32\apidi32.exe
O4 - HKLM\..\RunOnce: [netaf.exe] C:\WINDOWS\netaf.exe
O4 - HKLM\..\RunOnce: [javagd32.exe] C:\WINDOWS\system32\javagd32.exe
O4 - HKLM\..\RunOnce: [sysci.exe] C:\WINDOWS\sysci.exe
O4 - HKLM\..\RunOnce: [appic.exe] C:\WINDOWS\system32\appic.exe
O4 - HKLM\..\RunOnce: [netlu32.exe] C:\WINDOWS\netlu32.exe
O4 - HKLM\..\RunOnce: [iehn32.exe] C:\WINDOWS\iehn32.exe
O4 - HKLM\..\RunOnce: [d3rl32.exe] C:\WINDOWS\system32\d3rl32.exe
O4 - HKLM\..\RunOnce: [crzy.exe] C:\WINDOWS\system32\crzy.exe
O4 - HKLM\..\RunOnce: [appcu32.exe] C:\WINDOWS\appcu32.exe
O4 - HKLM\..\RunOnce: [addzv32.exe] C:\WINDOWS\system32\addzv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
pskelley
July 15th, 2004 00:00
The infection is still there; review the instructions again to make sure you have prepared for and run the tool correctly. Here is that link: http://www.majorgeeks.com/download4289.html. This procedure is new and we are all learning it at once. I am consulting with others at present to see if there is additional information I can give you. HTH...pskelley
Texruss
July 15th, 2004 01:00
Let's clear out some of the random-named Trojans and see what happens. Then we'll run About:Buster after next log.
Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries:
crqy32.exe
ntig32.exe
Run Hijackthis, scan and check the box left of these numbered line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zdlpd.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zdlpd.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zdlpd.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {24EC266E-58F6-C76B-ECDF-18E86769E35F} - C:\WINDOWS\sysnl32.dll
O4 - HKLM\..\Run: [ntig32.exe] C:\WINDOWS\system32\ntig32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Firewall\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\RunOnce: [crqy32.exe] C:\WINDOWS\crqy32.exe
O4 - HKLM\..\RunOnce: [javauq.exe] C:\WINDOWS\system32\javauq.exe
O4 - HKLM\..\RunOnce: [sdkhb32.exe] C:\WINDOWS\system32\sdkhb32.exe
O4 - HKLM\..\RunOnce: [sdksr32.exe] C:\WINDOWS\sdksr32.exe
O4 - HKLM\..\RunOnce: [crep32.exe] C:\WINDOWS\system32\crep32.exe
O4 - HKLM\..\RunOnce: [mfcfs32.exe] C:\WINDOWS\mfcfs32.exe
O4 - HKLM\..\RunOnce: [msah32.exe] C:\WINDOWS\system32\msah32.exe
O4 - HKLM\..\RunOnce: [winqp.exe] C:\WINDOWS\system32\winqp.exe
O4 - HKLM\..\RunOnce: [crgx32.exe] C:\WINDOWS\system32\crgx32.exe
O4 - HKLM\..\RunOnce: [winsx.exe] C:\WINDOWS\winsx.exe
O4 - HKLM\..\RunOnce: [addbj32.exe] C:\WINDOWS\addbj32.exe
O4 - HKLM\..\RunOnce: [atlva32.exe] C:\WINDOWS\system32\atlva32.exe
O4 - HKLM\..\RunOnce: [addyc.exe] C:\WINDOWS\system32\addyc.exe
O4 - HKLM\..\RunOnce: [crln32.exe] C:\WINDOWS\system32\crln32.exe
O4 - HKLM\..\RunOnce: [ntfq.exe] C:\WINDOWS\system32\ntfq.exe
O4 - HKLM\..\RunOnce: [mfcrb.exe] C:\WINDOWS\mfcrb.exe
O4 - HKLM\..\RunOnce: [mfcxx.exe] C:\WINDOWS\mfcxx.exe
O4 - HKLM\..\RunOnce: [addqo32.exe] C:\WINDOWS\system32\addqo32.exe
O4 - HKLM\..\RunOnce: [netem.exe] C:\WINDOWS\netem.exe
O4 - HKLM\..\RunOnce: [apidi32.exe] C:\WINDOWS\system32\apidi32.exe
O4 - HKLM\..\RunOnce: [netaf.exe] C:\WINDOWS\netaf.exe
O4 - HKLM\..\RunOnce: [javagd32.exe] C:\WINDOWS\system32\javagd32.exe
O4 - HKLM\..\RunOnce: [sysci.exe] C:\WINDOWS\sysci.exe
O4 - HKLM\..\RunOnce: [appic.exe] C:\WINDOWS\system32\appic.exe
O4 - HKLM\..\RunOnce: [netlu32.exe] C:\WINDOWS\netlu32.exe
O4 - HKLM\..\RunOnce: [iehn32.exe] C:\WINDOWS\iehn32.exe
O4 - HKLM\..\RunOnce: [d3rl32.exe] C:\WINDOWS\system32\d3rl32.exe
O4 - HKLM\..\RunOnce: [crzy.exe] C:\WINDOWS\system32\crzy.exe
O4 - HKLM\..\RunOnce: [appcu32.exe] C:\WINDOWS\appcu32.exe
O4 - HKLM\..\RunOnce: [addzv32.exe] C:\WINDOWS\system32\addzv32.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Comments: http://www.windowsstartup.com/wso/detail.php?id=1424
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
With no other windows open click on fix checked button in Hijackthis.
Exit Hijackthis.
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Navigate down the folder structure in left hand window and then in the right window delete the following files and folder: (if present...some may be gone...but look very carefully and make sure you have enabled hidden files option):
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
C:\Program Files\WildTangent folder
C:\WINDOWS\zdlpd.dll
C:\WINDOWS\sysnl32.dll
C:\WINDOWS\sdksr32.exe
C:\WINDOWS\mfcfs32.exe
C:\WINDOWS\winsx.exe
C:\WINDOWS\crqy32.exe
C:\WINDOWS\addbj32.exe
C:\WINDOWS\mfcrb.exe
C:\WINDOWS\mfcxx.exe
C:\WINDOWS\netem.exe
C:\WINDOWS\netaf.exe
C:\WINDOWS\sysci.exe
C:\WINDOWS\netlu32.exe
C:\WINDOWS\iehn32.exe
C:\WINDOWS\appcu32.exe
C:\WINDOWS\system32\ntig32.exe
C:\WINDOWS\System32\pc32.exe
C:\WINDOWS\system32\javauq.exe
C:\WINDOWS\system32\sdkhb32.exe
C:\WINDOWS\system32\crep32.exe
C:\WINDOWS\system32\msah32.exe
C:\WINDOWS\system32\winqp.exe
C:\WINDOWS\system32\crgx32.exe
C:\WINDOWS\system32\atlva32.exe
C:\WINDOWS\system32\addyc.exe
C:\WINDOWS\system32\crln32.exe
C:\WINDOWS\system32\ntfq.exe
C:\WINDOWS\system32\addqo32.exe
C:\WINDOWS\system32\apidi32.exe
C:\WINDOWS\system32\javagd32.exe
C:\WINDOWS\system32\appic.exe
C:\WINDOWS\system32\d3rl32.exe
C:\WINDOWS\system32\crzy.exe
C:\WINDOWS\system32\addzv32.exe
Reboot Windows in normal mode and run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
If you have any problems with Disk Cleanup completing...XP users can fix it here:
http://www2.whidbey.net/djdenham/DeleteOldFiles.htm
Next...download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.
Most of the Internet baddies can be killed by a one-two punch with Spybot and Adaware assuming these three factors are achieved:
1. Latest version
2. Configured correctly for running options
3. New definitions from update feature
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.
http://www.cjwd.demon.co.uk/spybot-adaware.html
Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this. The problem is not serious and should not deter people from using Spybot.
Reboot and browse a bit, exit IE 6 and post a new Hijackthis log.
Special Comments: After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.
See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs: jimw, ddeerrff, and msgale. Please follow their advice when they respond to your problems. They have a proven track record here.
BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.
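The triage the experts do by eye in this thread (flagging the res:// start and search pages, the "(no name)" BHO, the Run/RunOnce entries registered under their own filename straight from the Windows folder, and the mhtml: O16 line) can be written down as a log check; this is an added example, not HijackThis and not code posted by anyone in the thread. The sample lines are constructed from the logs above, the drop-directory set and the name-equals-filename heuristic are this example's own assumptions, and the output is a checklist to compare against the experts' instructions, not a tool that changes the system.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.98 format, modelled on the logs posted
# in this thread (a few representative lines, not a full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zdlpd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zdlpd.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {24EC266E-58F6-C76B-ECDF-18E86769E35F} - C:\WINDOWS\sysnl32.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ntig32.exe] C:\WINDOWS\system32\ntig32.exe
O4 - HKLM\..\RunOnce: [crqy32.exe] C:\WINDOWS\crqy32.exe
O4 - HKLM\..\RunOnce: [javauq.exe] C:\WINDOWS\system32\javauq.exe
O16 - DPF: {11111111-1111-1111-1111-111410141459} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
"""

# Assumption: this variant drops its random-named files directly into these
# two folders (lower-cased for comparison), as every log in the thread shows.
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}

RES_DLL_RE = re.compile(r"^res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<rest>.+)$")
# First drive-letter path in a Run command, with or without surrounding quotes.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|ocx))"?', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line: str
    path: Optional[str]  # full path of the dropped file when the line gives one


def split_path(path: str):
    """Return (directory, filename) exactly as written in the log."""
    head, _, tail = path.rpartition("\\")
    return head, tail


def check_line(line: str) -> Optional[Finding]:
    """Apply the indicators discussed in this thread to one HijackThis line."""
    line = line.strip()
    if line.startswith(("R0 - ", "R1 - ")) and " = " in line:
        m = RES_DLL_RE.match(line.split(" = ", 1)[1])
        if m:
            # res:// loads an HTML resource embedded in a DLL; a start or search
            # page pointing at a DLL is the hijack itself, not a symptom of it.
            dll = m.group("dll")
            return Finding("ie-res-hijack", line, dll if "\\" in dll else None)
        return None
    if line == "R3 - Default URLSearchHook is missing":
        return Finding("urlsearchhook-missing", line, None)
    m = O2_RE.match(line)
    if m:
        directory, _ = split_path(m.group("path"))
        if m.group("name") == "(no name)" and directory.lower() in DROP_DIRS:
            return Finding("unnamed-bho", line, m.group("path"))
        return None
    m = O4_RE.match(line)
    if m:
        pm = PATH_RE.match(m.group("cmd"))
        if pm:
            directory, filename = split_path(pm.group("path"))
            # Legitimate entries carry a descriptive name ([NAV Agent]); this
            # variant registers each dropped file under its own filename.
            if m.group("name").lower() == filename.lower() and directory.lower() in DROP_DIRS:
                return Finding("random-named-autorun", line, pm.group("path"))
        return None
    m = O16_RE.match(line)
    if m:
        rest = m.group("rest").lower()
        # mhtml:file://<missing local .mht>!http://<remote> is the MHTML
        # redirection trick used to pull in the installer.
        if "mhtml:file://" in rest and "!http" in rest:
            return Finding("mhtml-redirect-dpf", line, None)
    return None


def analyze(log_text: str) -> List[Finding]:
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


def cleanup_plan(findings: List[Finding]) -> dict:
    """Group findings the way the experts do: lines to tick in HijackThis
    ('Fix checked') and files to delete afterwards with hidden files shown."""
    return {
        "fix_checked": [f.line for f in findings],
        "delete_files": sorted({f.path for f in findings if f.path}),
    }


if __name__ == "__main__":
    plan = cleanup_plan(analyze(SAMPLE_LOG))
    for entry in plan["fix_checked"]:
        print("FIX:", entry)
    for path in plan["delete_files"]:
        print("DEL:", path)
```

The bare `res://zdlpd.dll/...` start page yields no path because the log line gives none; the search-page line supplies `C:\WINDOWS\zdlpd.dll`, which is why both R lines are ticked but the DLL appears once in the delete list.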
mchill
July 15th, 2004 01:00
Did it work this time? I tried it again. Thank you for your info. I look forward to hearing from you.
Logfile of HijackThis v1.98.0
Scan saved at 9:48:09 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {24EC266E-58F6-C76B-ECDF-18E86769E35F} - C:\WINDOWS\sysnl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ntig32.exe] C:\WINDOWS\system32\ntig32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Firewall\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\RunOnce: [crqy32.exe] C:\WINDOWS\crqy32.exe
O4 - HKLM\..\RunOnce: [javauq.exe] C:\WINDOWS\system32\javauq.exe
O4 - HKLM\..\RunOnce: [sdkhb32.exe] C:\WINDOWS\system32\sdkhb32.exe
O4 - HKLM\..\RunOnce: [sdksr32.exe] C:\WINDOWS\sdksr32.exe
O4 - HKLM\..\RunOnce: [crep32.exe] C:\WINDOWS\system32\crep32.exe
O4 - HKLM\..\RunOnce: [mfcfs32.exe] C:\WINDOWS\mfcfs32.exe
O4 - HKLM\..\RunOnce: [msah32.exe] C:\WINDOWS\system32\msah32.exe
O4 - HKLM\..\RunOnce: [winqp.exe] C:\WINDOWS\system32\winqp.exe
O4 - HKLM\..\RunOnce: [crgx32.exe] C:\WINDOWS\system32\crgx32.exe
O4 - HKLM\..\RunOnce: [winsx.exe] C:\WINDOWS\winsx.exe
O4 - HKLM\..\RunOnce: [addbj32.exe] C:\WINDOWS\addbj32.exe
O4 - HKLM\..\RunOnce: [atlva32.exe] C:\WINDOWS\system32\atlva32.exe
O4 - HKLM\..\RunOnce: [addyc.exe] C:\WINDOWS\system32\addyc.exe
O4 - HKLM\..\RunOnce: [crln32.exe] C:\WINDOWS\system32\crln32.exe
O4 - HKLM\..\RunOnce: [ntfq.exe] C:\WINDOWS\system32\ntfq.exe
O4 - HKLM\..\RunOnce: [mfcrb.exe] C:\WINDOWS\mfcrb.exe
O4 - HKLM\..\RunOnce: [mfcxx.exe] C:\WINDOWS\mfcxx.exe
O4 - HKLM\..\RunOnce: [addqo32.exe] C:\WINDOWS\system32\addqo32.exe
O4 - HKLM\..\RunOnce: [netem.exe] C:\WINDOWS\netem.exe
O4 - HKLM\..\RunOnce: [apidi32.exe] C:\WINDOWS\system32\apidi32.exe
O4 - HKLM\..\RunOnce: [netaf.exe] C:\WINDOWS\netaf.exe
O4 - HKLM\..\RunOnce: [javagd32.exe] C:\WINDOWS\system32\javagd32.exe
O4 - HKLM\..\RunOnce: [sysci.exe] C:\WINDOWS\sysci.exe
O4 - HKLM\..\RunOnce: [appic.exe] C:\WINDOWS\system32\appic.exe
O4 - HKLM\..\RunOnce: [netlu32.exe] C:\WINDOWS\netlu32.exe
O4 - HKLM\..\RunOnce: [iehn32.exe] C:\WINDOWS\iehn32.exe
O4 - HKLM\..\RunOnce: [d3rl32.exe] C:\WINDOWS\system32\d3rl32.exe
O4 - HKLM\..\RunOnce: [crzy.exe] C:\WINDOWS\system32\crzy.exe
O4 - HKLM\..\RunOnce: [appcu32.exe] C:\WINDOWS\appcu32.exe
O4 - HKLM\..\RunOnce: [addzv32.exe] C:\WINDOWS\system32\addzv32.exe
O4 - HKLM\..\RunOnce: [ipjg.exe] C:\WINDOWS\ipjg.exe
O4 - HKLM\..\RunOnce: [sdkcs32.exe] C:\WINDOWS\system32\sdkcs32.exe
O4 - HKLM\..\RunOnce: [addfb.exe] C:\WINDOWS\addfb.exe
O4 - HKLM\..\RunOnce: [winiv32.exe] C:\WINDOWS\system32\winiv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
mchill
9 Posts
0
July 15th, 2004 03:00
Logfile of HijackThis v1.98.0
Scan saved at 12:07:16 AM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\crqy32.exe
C:\WINDOWS\system32\ieel32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {9330FA17-207B-8C8A-8A1A-7D04ECCE10CC} - C:\WINDOWS\system32\ieel32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ieel32.exe] C:\WINDOWS\system32\ieel32.exe
O4 - HKLM\..\RunOnce: [ipjg.exe] C:\WINDOWS\ipjg.exe
O4 - HKLM\..\RunOnce: [sdkcs32.exe] C:\WINDOWS\system32\sdkcs32.exe
O4 - HKLM\..\RunOnce: [addfb.exe] C:\WINDOWS\addfb.exe
O4 - HKLM\..\RunOnce: [winiv32.exe] C:\WINDOWS\system32\winiv32.exe
O4 - HKLM\..\RunOnce: [crnp.exe] C:\WINDOWS\system32\crnp.exe
O4 - HKLM\..\RunOnce: [mslu32.exe] C:\WINDOWS\system32\mslu32.exe
O4 - HKLM\..\RunOnce: [msmf.exe] C:\WINDOWS\msmf.exe
O4 - HKLM\..\RunOnce: [winlh.exe] C:\WINDOWS\system32\winlh.exe
O4 - HKLM\..\RunOnce: [atltb32.exe] C:\WINDOWS\atltb32.exe
O4 - HKLM\..\RunOnce: [mfclt.exe] C:\WINDOWS\system32\mfclt.exe
O4 - HKLM\..\RunOnce: [sysrb.exe] C:\WINDOWS\sysrb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
Better? I had to do it twice, it seems to come back.
Texruss
3.4K Posts
0
July 15th, 2004 12:00
Yes...you will need to kill the bad files using About:Buster.
Download the tool:
http://www.majorgeeks.com/download4289.html
1: Boot into safe mode by tapping the F8 key as your computer boots. You should do this before you see the Windows splash screen.
2: Also, make sure you can see hidden files; Open My Computer and choose Tools, then click on Folder Options, click on the View tab and under Advanced Setting, choose Show Hidden Files and Folders, then click on OK and close My Computer.
3: Right-click on My Computer, choose Manage, double-click on Services and Applications, click on Services. In the right-hand column find "Network Security Service", and double-click on it. (In Safe Mode this may already be stopped.) Choose Stop and then write down the name and path of the file in the "Path to Executable" section. Set the Startup Type to Disabled. Click OK. Close the Computer Management window.
4: Remove any lines that relate to res://.dll/index.html#37049 with HijackThis.
5: Delete the .dll file that was in the place of the word random; res://.dll/index.html#37049 (This may be ieel32.dll on your machine if it hasn't mutated.) Use Windows Explorer to delete it.
Reboot and post a fresh log.
Texruss
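The steps above boil down to reading a HijackThis log and picking out the hijacker's entries: the start/search page pointing into a res:// DLL, the "(no name)" BHO, the random-named .exe files under HKLM\..\Run and RunOnce, and the same files in the running-process list. The script below is an added example, not code from this thread, from HijackThis or from About:Buster. It parses log lines in the format posted here and reports the lines a helper would ask to be fixed. The name pattern it uses (a known prefix such as cr, ie, atl, sdk or win, two random letters, an optional "32", and an .exe or .dll extension, dropped straight into C:\WINDOWS or C:\WINDOWS\system32) is derived only from the file names visible in the posted logs; it is a heuristic, so it reports rather than deletes, and short legitimate names can match. The sample log embedded in it is a constructed excerpt in the posted format, including a Start Page line built from the res:// value the original post describes.

```python
"""Triage a HijackThis log for the CoolWebSearch-style entries seen in this
thread.  Added example: not HijackThis code and not the forum helper's tool.
The name pattern below is derived only from file names in the posted logs and
is a heuristic: it lists lines for review and deletes nothing."""
import re

# Prefixes observed in the posted logs: crqy32.exe, ieel32.dll, atlmn.dll,
# appsw.dll, sdkhb32.exe, javauq.exe, mfcfs32.exe, d3rl32.exe, ipjg.exe ...
PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip", "java",
            "mfc", "ms", "net", "nt", "sdk", "sys", "win")

# prefix + two random letters + optional "32" + .exe/.dll
CWS_NAME = re.compile(r"^(?:%s)[a-z]{2}(?:32)?\.(?:exe|dll)$"
                      % "|".join(PREFIXES), re.I)
# Dropped bare into %WINDIR% or %WINDIR%\System32, never into a subfolder.
DROP_DIR = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)
# "O4 - HKLM\..\RunOnce: [crqy32.exe] C:\WINDOWS\crqy32.exe"
O4_LINE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Any HJT entry: "R1 - ...", "O2 - BHO: ...", "O3 - Toolbar: ..."
ENTRY = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")


def first_token(cmd):
    """The executable part of an O4 command line (quoted path or first word)."""
    cmd = cmd.strip()
    m = re.match(r'^"([^"]+)"', cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def is_cws_path(path):
    """True for a random-named .exe/.dll sitting bare in WINDOWS or System32."""
    path = path.strip().strip('"')
    name = path.rsplit("\\", 1)[-1]
    return bool(DROP_DIR.match(path) and CWS_NAME.match(name))


def triage(log_text):
    """Group the suspicious log lines: running processes to kill, BHOs,
    Run/RunOnce autostarts, and R-lines whose page points into a res:// DLL."""
    hits = {"process": [], "bho": [], "autostart": [], "hijack": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = ENTRY.match(line)
        if entry is None:
            # Running-processes section: one bare path per line.
            if re.match(r"^[a-z]:\\", line, re.I) and is_cws_path(line):
                hits["process"].append(line)
            continue
        kind, body = entry.group("kind"), entry.group("body")
        if kind.startswith("R") and "res://" in body:
            hits["hijack"].append(line)
        elif kind == "O2":
            # "BHO: <name> - {CLSID} - <path>": judge the DLL path only
            if is_cws_path(body.rsplit(" - ", 1)[-1]):
                hits["bho"].append(line)
        elif kind == "O4":
            m = O4_LINE.match(line)
            if m and is_cws_path(first_token(m.group("cmd"))):
                hits["autostart"].append(line)
    return hits


def hjt_fix_lines(hits):
    """The entries to tick in HijackThis (processes are killed, not 'fixed')."""
    return hits["hijack"] + hits["bho"] + hits["autostart"]


# Constructed excerpt in the posted format, mixing clean and hijacker lines.
# The R0 line is built from the res:// value described in the original post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\crqy32.exe
C:\WINDOWS\system32\ieel32.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zdlpd.dll/index.html#37049
O2 - BHO: (no name) - {9330FA17-207B-8C8A-8A1A-7D04ECCE10CC} - C:\WINDOWS\system32\ieel32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ieel32.exe] C:\WINDOWS\system32\ieel32.exe
O4 - HKLM\..\RunOnce: [crqy32.exe] C:\WINDOWS\crqy32.exe
O4 - HKLM\..\RunOnce: [atltb32.exe] C:\WINDOWS\atltb32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Firewall\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section, lines in result.items():
        for hit in lines:
            print("[%s] %s" % (section, hit))
```

Run it against a full saved log (`python triage.py < hijackthis.log` with `SAMPLE_LOG` swapped for `sys.stdin.read()`) and compare the "process" list with what Process Explorer or Task Manager shows before killing anything; vendor files such as vsmon.exe under a subfolder, and anything under Program Files, are deliberately left alone by the path check.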
mchill
9 Posts
0
July 16th, 2004 18:00
This was my latest log because I noticed something still left after the last scan.
Logfile of HijackThis v1.98.0
Scan saved at 3:38:04 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\crqy32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ieel32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ieel32.exe] C:\WINDOWS\system32\ieel32.exe
O4 - HKLM\..\RunOnce: [addfb.exe] C:\WINDOWS\addfb.exe
O4 - HKLM\..\RunOnce: [winiv32.exe] C:\WINDOWS\system32\winiv32.exe
O4 - HKLM\..\RunOnce: [crnp.exe] C:\WINDOWS\system32\crnp.exe
O4 - HKLM\..\RunOnce: [mslu32.exe] C:\WINDOWS\system32\mslu32.exe
O4 - HKLM\..\RunOnce: [msmf.exe] C:\WINDOWS\msmf.exe
O4 - HKLM\..\RunOnce: [winlh.exe] C:\WINDOWS\system32\winlh.exe
O4 - HKLM\..\RunOnce: [atltb32.exe] C:\WINDOWS\atltb32.exe
O4 - HKLM\..\RunOnce: [mfclt.exe] C:\WINDOWS\system32\mfclt.exe
O4 - HKLM\..\RunOnce: [sysrb.exe] C:\WINDOWS\sysrb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
mchill
9 Posts
0
July 16th, 2004 18:00
How is this one?
Logfile of HijackThis v1.98.0
Scan saved at 3:08:19 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\crqy32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ieel32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5B7AB13C-069E-0A96-369B-83180E283DCD} - C:\WINDOWS\atlmn.dll
O2 - BHO: (no name) - {5BC3F7BC-69C1-08BC-EB9C-EC3C41D197CF} - C:\WINDOWS\appsw.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ieel32.exe] C:\WINDOWS\system32\ieel32.exe
O4 - HKLM\..\RunOnce: [addfb.exe] C:\WINDOWS\addfb.exe
O4 - HKLM\..\RunOnce: [winiv32.exe] C:\WINDOWS\system32\winiv32.exe
O4 - HKLM\..\RunOnce: [crnp.exe] C:\WINDOWS\system32\crnp.exe
O4 - HKLM\..\RunOnce: [mslu32.exe] C:\WINDOWS\system32\mslu32.exe
O4 - HKLM\..\RunOnce: [msmf.exe] C:\WINDOWS\msmf.exe
O4 - HKLM\..\RunOnce: [winlh.exe] C:\WINDOWS\system32\winlh.exe
O4 - HKLM\..\RunOnce: [atltb32.exe] C:\WINDOWS\atltb32.exe
O4 - HKLM\..\RunOnce: [mfclt.exe] C:\WINDOWS\system32\mfclt.exe
O4 - HKLM\..\RunOnce: [sysrb.exe] C:\WINDOWS\sysrb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
mchill
9 Posts
0
July 16th, 2004 19:00
Texruss
3.4K Posts
0
July 17th, 2004 03:00
Try this:
http://www.majorgeeks.com/download4286.html
HTH,
Texruss