1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: I've been recently hijacked [Hijack This Log]

Discussion in 'Virus & Other Malware Removal' started by myvicisslow, Apr 13, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. myvicisslow

    myvicisslow Thread Starter

    Joined:
    Sep 2, 2003
    Messages:
    110
    This happened a few days after I changed my IE security settings. I was getting sick of the prompts for loading active X so I changed it. Well now I've changed them back to the recommended settings with the SpywareBlaster program. I even saw the hijack taking place but I couldn't stop it. It reset my homepage to ezreference.com and tried do some other stuff but my firewall blocked it from sending information out. At least I hope it did. Anyways, here is the info I've gathered on the situation. Right after I saw the spyware being installed I noticed a few more programs in my task manager. Below is an attachment with a screenshot of my Windows directory.

    It's the files modified at 2:22AM and 2:23AM. Would it be safe for me to manually remove those new files in Windows? If so would that have to be done in safe mode? I've run ad-aware, spywareblaster, spybot S&D (with immunize) and CWShredder. All are up to date. Ad-aware and spybot detected some things which I removed but it didn't seem related to this. I've also just ran HijackThis but I'm clueless as to what to let it fix. That plsp.exe looks suspicious though since I've never seen it. I don't know what that is either. Did a quick search on google and came up with unrelated results. Any assistance with this is greatly appreciated! If you need anything else let me know. TIA. :)

    Logfile of HijackThis v1.97.7
    Scan saved at 10:54:31 AM, on 4/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\plsp.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\b\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by -= OoBeRMiEoO =-
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3D175D5A-4D35-4DF4-95C6-4289D1F9D149} - C:\WINDOWS\lszakdcr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [hpzhq] C:\WINDOWS\plsp.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37516.3557060185
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
    O16 - DPF: {C8A88E8D-9D33-4F01-80EC-E558545C0A9E} (Detector Class) - http://www.optimumonline.com/downloads/xdetector.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
     

    Attached Files:

  2. Grinler

    Grinler Malware Specialist

    Joined:
    Mar 10, 2004
    Messages:
    103
    This happened a few days after I changed my IE security settings. I was getting sick of the prompts for loading active X so I changed it. Well now I've changed them back to the recommended settings with the SpywareBlaster program. I even saw the hijack taking place but I couldn't stop it. It reset my homepage to ezreference.com and tried do some other stuff but my firewall blocked it from sending information out. At least I hope it did. Anyways, here is the info I've gathered on the situation. Right after I saw the spyware being installed I noticed a few more programs in my task manager. Below is an attachment with a screenshot of my Windows directory.

    It's the files modified at 2:22AM and 2:23AM. Would it be safe for me to manually remove those new files in Windows? If so would that have to be done in safe mode? I've run ad-aware, spywareblaster, spybot S&D (with immunize) and CWShredder. All are up to date. Ad-aware and spybot detected some things which I removed but it didn't seem related to this. I've also just ran HijackThis but I'm clueless as to what to let it fix. That plsp.exe looks suspicious though since I've never seen it. I don't know what that is either. Did a quick search on google and came up with unrelated results. Any assistance with this is greatly appreciated! If you need anything else let me know. TIA.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:54:31 AM, on 4/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    C:\WINDOWS\plsp.exe

    Please fix these:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    Below Looks suspicious to me. Remove unless you know what it is
    O2 - BHO: (no name) - {3D175D5A-4D35-4DF4-95C6-4289D1F9D149} - C:\WINDOWS\lszakdcr.dll

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    Below looks Suspicious, remove
    O4 - HKLM\..\Run: [hpzhq] C:\WINDOWS\plsp.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm
    O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
    O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/...ImageEditor.cab
    O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

    Reboot your computer into safe mode and delete the following files:
    C:\WINDOWS\lszakdcr.dll (if you chose to fix it above)
    C:\WINDOWS\plsp.exe

    Please do this, and rerun Hijackthis and post a new log.

    After,

    I would strongly advise you download and install SpywareBlaster, SpywareGuard, and IE-Spyad.

    Tutorials for both programs can be found below. They will help to prevent a lot of future reinfections.

    Using SpywareBlaster to Protect your Computer

    Using SpywareGuard to protect your computer from Spyware/Hijackers

    Using IE-Spyad to enhance your privacy and security

    Glad i was able to help.
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Of the files modified,one is a downloader "syswast.exe" and Internet Optimizer"optimize.exe" Bother should be removed.......I would do a virus scan at Housecall http://housecall.trendmicro.com/ and update your NAV.
    ;)
     
  4. myvicisslow

    myvicisslow Thread Starter

    Joined:
    Sep 2, 2003
    Messages:
    110
    So I should just basically remove everything in the folder from 2:22 and 2:23 right? I just wanted some expert opinion before I go ahead and do that. I already went into safe mode to remove:

    C:\WINDOWS\lszakdcr.dll
    C:\WINDOWS\plsp.exe

    I reran the HijackThis and these are the results. My NAV def are up to date and I'll run a scan with that too. I'll do another scan on trendmicro afterwards. TY $teve and Grinler.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:07:49 PM, on 4/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by -= OoBeRMiEoO =-
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37516.3557060185
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
    O16 - DPF: {C8A88E8D-9D33-4F01-80EC-E558545C0A9E} (Detector Class) - http://www.optimumonline.com/downloads/xdetector.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    There's nothing wrong with these:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm

    O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm

    O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/...ImageEditor.cab


    You can leave those.


    These you definitely need to fix:

    O2 - BHO: (no name) - {3D175D5A-4D35-4DF4-95C6-4289D1F9D149} - C:\WINDOWS\lszakdcr.dll

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [hpzhq] C:\WINDOWS\plsp.exe

    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab


    Run Hijack This again and put a check by those. Close all windows except HijackThis and click "Fix checked".

    Restart your computer.

    Also delete the files $teve pointed out.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I see I was a little late with my post.

    This one you removed:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Was placed there by using Spybot's Immunize feature. This entry tells us that:

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    These were fine also:

    O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm

    O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm

    O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/...ImageEditor.cab



    Fix this one:

    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab

    Restart your computer.
     
  7. Grinler

    Grinler Malware Specialist

    Joined:
    Mar 10, 2004
    Messages:
    103
    My bad on the:

    O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/...ImageEditor.cab

    Screwed up the editing.

    You made reference that you did not change your home page to ezreference but it was instead done by the Hijacker. That leads me to believe you may not want it then. If that is the case (you should decide this):

    Then you should remove these, even though they cause no harm:

    O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm

    O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
     
  8. myvicisslow

    myvicisslow Thread Starter

    Joined:
    Sep 2, 2003
    Messages:
    110
    Yeap, I removed:

    O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm

    O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm

    Because that's what one of the problems were. I restored the control panel and imagestation entries. My NAV scan came up clean with the lastest definitions. I'll do a trendmicro scan later when I go to my dentist (AHH!). I've also removed "syswast.exe" and Internet Optimizer "optimize.exe". New HijackThis included below. I still need an opinion about the new files created in the Windows folder. Should I delete the rest out? The ones still remaining are usta32.ini, unstall.exe, dict2.exe, dictcomp3s.exe, ast_4_mm.exe, tempf.txt, and setupapi.log?? Sorry if this is a no brainer question. I'd rather ask first than regret it later.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:11:51 PM, on 4/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by -= OoBeRMiEoO =-
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37516.3557060185
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
    O16 - DPF: {C8A88E8D-9D33-4F01-80EC-E558545C0A9E} (Detector Class) - http://www.optimumonline.com/downloads/xdetector.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
     
  9. myvicisslow

    myvicisslow Thread Starter

    Joined:
    Sep 2, 2003
    Messages:
    110
    I've also noticed in my Add/Remove programs "Roings" is listed in there. I tried removing it in that screen and it asked me to reboot. Upon reboot it is still in there. I hope I didn't just open up a can of worms.
     
  10. Grinler

    Grinler Malware Specialist

    Joined:
    Mar 10, 2004
    Messages:
    103
    The log looks fine now. The roing is probably having trouble uninstalling because it was already removed somewhat through HijackThis and then failing.

    As for the other files, I really cant advise you on what to do. I would say that there is an almost gaurantee that some of those files are leftover from the ezrefernce toolbar. I just do not know which.

    You can copy all the files you suspect into a backup folder, and see how your computer continue to act. If programs start failing, copy the files back. If you do not have any problem...they leave them out.

    I will see if I can find a computer to install the ezreference on to see what gets installed.
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Grinler

    Let us know if you find out anything good, bad or indifferent about ezreference.

    myvicisslow

    You can remove the roings entry from Add/Remove by editing the registry. If you feel comfortable doing that.

    Warning! Always back up the registry before editing. Modifying the registry can cause serious problems that may require you to reinstall your operating system. I cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.

    Go to Start > Run and type in regedit.

    Find this Key Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

    To back up that key before editing it just right click on it and choose "Export" and save it to a convenient location. If you make a mistake you can doubleclick the .reg key you exported to restore it to it's original state.


    To see which application each sub-key represents, open it and there should be at least two values 'DisplayName' and 'UninstallString'. 'DisplayName' is the name used
    in the Add/Remove programs list, and 'UninstallString' is the program used to uninstall the application.

    To remove a program from the list you can simply delete the sub-key representing that program.
     
  12. myvicisslow

    myvicisslow Thread Starter

    Joined:
    Sep 2, 2003
    Messages:
    110
    Sounds great. Very much appreciated!

    flrman1:
    Thanks for the tip for the regedit. That worked as well.
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    My pleasure! :)

    I assume this means I can mark this thread solved. Right?
     
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/219974

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice