
Solved: sspmydoom

Discussion in 'Virus & Other Malware Removal' started by flitsct, Feb 7, 2005.

  1. flitsct

    flitsct Thread Starter

    Joined:
    Feb 7, 2005
    Messages:
    7
    I have been infected by this virus/spyware
    Can anyone help?
    Here is my log file from adware.
    Listing running processes
    #:1 [KERNEL32.DLL]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4291810675
    Threads : 4
    Priority : High
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Win32 Kernel core component
    InternalName : KERNEL32
    LegalCopyright : Copyright (C) Microsoft Corp. 1991-1999
    OriginalFilename : KERNEL32.DLL

    #:2 [MSGSRV32.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294935259
    Threads : 1
    Priority : Normal
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows 32-bit VxD Message Server
    InternalName : MSGSRV32
    LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998
    OriginalFilename : MSGSRV32.EXE

    #:3 [MPREXE.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294939723
    Threads : 2
    Priority : Normal
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : WIN32 Network Interface Service Process
    InternalName : MPREXE
    LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
    OriginalFilename : MPREXE.EXE

    #:4 [mmtask.tsk]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294838527
    Threads : 1
    Priority : Normal
    FileVersion : 4.03.1998
    ProductVersion : 4.03.1998
    ProductName : Microsoft Windows
    CompanyName : Microsoft Corporation
    FileDescription : Multimedia background task support module
    InternalName : mmtask.tsk
    LegalCopyright : Copyright © Microsoft Corp. 1991-1998
    OriginalFilename : mmtask.tsk

    #:5 [EXPLORER.EXE]
    FilePath : C:\WINDOWS\
    ProcessID : 4294725447
    Threads : 13
    Priority : Normal
    FileVersion : 4.72.3110.1
    ProductVersion : 4.72.3110.1
    ProductName : Microsoft(R) Windows NT(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1997
    OriginalFilename : EXPLORER.EXE

    #:6 [SYSTRAY.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294856271
    Threads : 2
    Priority : Normal
    FileVersion : 4.10.2224
    ProductVersion : 4.10.2222
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : System Tray Applet
    InternalName : SYSTRAY
    LegalCopyright : Copyright (C) Microsoft Corp. 1993-1999
    OriginalFilename : SYSTRAY.EXE

    #:7 [EM_EXEC.EXE]
    FilePath : C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\
    ProcessID : 4294765743
    Threads : 1
    Priority : Normal
    FileVersion : 8.62.192
    ProductVersion : 8.62
    ProductName : MouseWare
    CompanyName : Logitech Inc.
    FileDescription : Control Center
    InternalName : EM_EXEC
    LegalCopyright : Copyright © Logitech Inc. 1987-1999.
    LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
    OriginalFilename : EM_EXEC.CPP
    Comments : Created by the MouseWare Team

    #:8 [3DFXMAN.EXE]
    FilePath : C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\
    ProcessID : 4294740047
    Threads : 2
    Priority : Normal
    FileVersion : 2.1.9.139
    ProductVersion : 2.6.2.116
    ProductName : 3dfx Tools
    CompanyName : 3dfx Interactive, Inc.
    FileDescription : 3dfxTools Task Manager
    LegalCopyright : Copyright © 3dfx Interactive, Inc. 2000

    #:9 [QTTASK.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294746659
    Threads : 2
    Priority : Normal
    FileVersion : 6.0.2
    ProductVersion : QuickTime 6.0.2
    ProductName : QuickTime
    CompanyName : Apple Computer, Inc.
    InternalName : QuickTime Task
    LegalCopyright : © Apple Computer, Inc. 2001-2002
    OriginalFilename : QTTask.exe

    #:10 [DISK_MONITOR.EXE]
    FilePath : C:\PROGRAM FILES\GENERIC\MEMORYSTICK USB CARD READER DRIVER V1.7\
    ProcessID : 4294663199
    Threads : 1
    Priority : Normal
    FileVersion : 1.4.730.1
    ProductVersion : 1.4.0610.1
    ProductName : Disk Monitor
    CompanyName : Neodio Corp.
    FileDescription : Disk Monitor
    InternalName : Disk Monitor
    LegalCopyright : Copyright (C) Neodio Corp. 2001
    LegalTrademarks : Neodio
    OriginalFilename : Disk_Monitor.exe

    #:11 [SDKIU.EXE]
    FilePath : C:\WINDOWS\
    ProcessID : 4294663623
    Threads : 2
    Priority : Normal


    #:12 [CREATECD.EXE]
    FilePath : C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\
    ProcessID : 4294650699
    Threads : 2
    Priority : Normal
    FileVersion : 4.02d (292)
    ProductVersion : 4.02d (292)
    ProductName : Easy CD Creator
    CompanyName : Adaptec
    FileDescription : Adaptec Create CD
    InternalName : createcd.exe
    LegalCopyright : Copyright (c) 1996-2000 Adaptec, Inc.
    OriginalFilename : createcd.exe

    #:13 [MSMSGS.EXE]
    FilePath : C:\PROGRAM FILES\MESSENGER\
    ProcessID : 4294691555
    Threads : 1
    Priority : Normal
    FileVersion : 3.0.0286
    ProductVersion : Version 3.0
    ProductName : MSN(tm) Messenger Service
    CompanyName : Microsoft Corporation
    FileDescription : MSN Messenger Service
    InternalName : msmsgs
    LegalCopyright : Copyright (c) Microsoft Corporation 1997-2000
    LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename : msmsgs.exe

    #:14 [RNAAPP.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294588387
    Threads : 2
    Priority : Normal
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Dial-Up Networking Application
    InternalName : RNAAPP
    LegalCopyright : Copyright (C) Microsoft Corp. 1992-1996
    OriginalFilename : RNAAPP.EXE

    #:15 [PSTORES.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294630951
    Threads : 3
    Priority : Normal
    FileVersion : 5.00.1877.3
    ProductVersion : 5.00.1877.3
    ProductName : Microsoft(R) Windows NT(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Protected storage server
    InternalName : Protected storage server
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1998
    OriginalFilename : Protected storage server

    #:16 [TAPISRV.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294618679
    Threads : 5
    Priority : Normal
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft® Windows(TM) Telephony Server
    InternalName : Telephony Service
    LegalCopyright : Copyright (C) Microsoft Corp. 1994-1998
    OriginalFilename : TAPISRV.EXE

    #:17 [WMIEXE.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294523919
    Threads : 3
    Priority : Normal
    FileVersion : 5.00.1755.1
    ProductVersion : 5.00.1755.1
    ProductName : Microsoft(R) Windows NT(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : WMI service exe housing
    InternalName : wmiexe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1998
    OriginalFilename : wmiexe.exe

    #:18 [SPOOL32.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294371463
    Threads : 4
    Priority : Normal
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler Sub System Process
    InternalName : spool32
    LegalCopyright : Copyright (C) Microsoft Corp. 1994 - 1998
    OriginalFilename : spool32.exe

    #:19 [DDHELP.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294316855
    Threads : 2
    Priority : Realtime
    FileVersion : 4.08.01.0881
    ProductVersion : 4.08.01.0881
    ProductName : Microsoft® DirectX for Windows® 95 and 98
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft DirectX Helper
    InternalName : DDHelp.exe
    LegalCopyright : Copyright © Microsoft Corp. 1994-2001
    OriginalFilename : DDHelp.exe

    #:20 [CVEKVIJ.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294763883
    Threads : 3
    Priority : Normal
    FileVersion : 1, 0, 2, 17
    ProductVersion : 0, 0, 7, 0
    ProductName : TODO: <Product name>
    CompanyName : TODO: <Company name>
    FileDescription : TODO: <File description>
    LegalCopyright : TODO: (c) <Company name>. All rights reserved.

    VX2 Object Recognized!
    Type : Process
    Data : CVEKVIJ.EXE
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\SYSTEM\
    FileVersion : 1, 0, 2, 17
    ProductVersion : 0, 0, 7, 0
    ProductName : TODO: <Product name>
    CompanyName : TODO: <Company name>
    FileDescription : TODO: <File description>
    LegalCopyright : TODO: (c) <Company name>. All rights reserved.

    Warning! VX2 Object found in memory(C:\WINDOWS\SYSTEM\CVEKVIJ.EXE)

    "C:\WINDOWS\SYSTEM\CVEKVIJ.EXE"Process terminated successfully

    #:21 [PACKAGER.EXE]
    FilePath : C:\WINDOWS\
    ProcessID : 4294804059
    Threads : 1
    Priority : Realtime
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Packager application file
    InternalName : PACKAGER
    LegalCopyright : Copyright (C) Microsoft Corp. 1991-1998
    OriginalFilename : PACKAGER.EXE

    #:22 [AD-AWARE.EXE]
    FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
    ProcessID : 4294840347
    Threads : 2
    Priority : Normal
    FileVersion : 6.2.0.206
    ProductVersion : VI.Second Edition
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft Sweden
    Memory scan result:


    Started Tracking Cookie scan

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : tim [email protected][1].txt
    Category : Data Miner
    Comment : Hits:5
    Value : Cookie:tim [email protected]/
    Expires : 2-7-08 8:30:54 PM
    LastSync : Hits:5
    UseCount : 0
    Hits : 5

    Tracking cookie scan result:



    Deep scanning and examining files...
    CoolWebSearch Object Recognized!
    Type : File
    Data : ovxaau.dat
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    ImIServer IEPlugin Object Recognized!
    Type : File
    Data : systb.dll
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\
    FileVersion : 1, 0, 8, 1
    ProductVersion : 1, 0, 8, 1
    ProductName : wbho Module
    FileDescription : wbho Module
    InternalName : wbho
    LegalCopyright : Copyright 2004
    OriginalFilename : wbho.DLL


    CoolWebSearch Object Recognized!
    Type : File
    Data : zwakwh.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : vuemyj.dat
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : dixls.dll
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : dgqed.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : jmccn.dll
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : iedwa.dat
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : yghwd.dll
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : uwtbcu.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : nxmgwx.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : yypzss.log
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : pjbvg.dll
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : skensw.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : mgfff.dat
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : rxkoii.log
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : cywyed.log
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    Disk Scan Result for C:\WINDOWS
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 19

    CoolWebSearch Object Recognized!
    Type : File
    Data : bdkmu.dat
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM\



    CoolWebSearch Object Recognized!
    Type : File
    Data : ffklo.dll
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM\



    CoolWebSearch Object Recognized!
    Type : File
    Data : qbguy.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM\



    CoolWebSearch Object Recognized!
    Type : File
    Data : lofzj.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM\



    CoolWebSearch Object Recognized!
    Type : File
    Data : tfnrd.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM\



    CoolWebSearch Object Recognized!
    Type : File
    Data : fdsed.dat
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM\



    Disk Scan Result for C:\WINDOWS\SYSTEM
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 25

    VX2 Object Recognized!
    Type : File
    Data : satmat.cab
    Category : Malware
    Comment :
    Object : C:\WINDOWS\TEMP\



    VX2 Object Recognized!
    Type : File
    Data : satmat.exe
    Category : Malware
    Comment :
    Object : C:\WINDOWS\TEMP\
    FileVersion : 0, 1, 1, 3
    ProductVersion : 0, 1, 1, 3
    CompanyName : Better Internet Inc.
    FileDescription : www.abetterinternet.com
    LegalCopyright : Copyright © 2002


    win32.winshow Object Recognized!
    Type : File
    Data : B055.TMP
    Category : Malware
    Comment :
    Object : C:\WINDOWS\TEMP\



    win32.winshow Object Recognized!
    Type : File
    Data : B055.TMP.exe
    Category : Malware
    Comment :
    Object : C:\WINDOWS\TEMP\



    win32.winshow Object Recognized!
    Type : File
    Data : B200.TMP
    Category : Malware
    Comment :
    Object : C:\WINDOWS\TEMP\



    win32.winshow Object Recognized!
    Type : File
    Data : B200.TMP.exe
    Category : Malware
    Comment :
    Object : C:\WINDOWS\TEMP\



    Disk Scan Result for C:\WINDOWS\TEMP\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 31

    Possible Browser Hijack attempt Object Recognized!
    Type : File
    Data : Search the web.url
    Category : Misc
    Comment : Problematic URL discovered: http://www.lookfor.cc/
    Object : C:\WINDOWS\Profiles\Tim Flitsch\Favorites\



    Possible Browser Hijack attempt Object Recognized!
    Type : File
    Data : Only sex website.url
    Category : Misc
    Comment : Problematic URL discovered: http://www.onlysex.ws/
    Object : C:\WINDOWS\Profiles\Tim Flitsch\Favorites\



    Possible Browser Hijack attempt Object Recognized!
    Type : File
    Data : Seven days of free porn.url
    Category : Misc
    Comment : Problematic URL discovered: http://www.7days.ws/



    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    VX2 Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\vendor\xml

    VX2 Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\vendor\xml
    Value :

    VX2 Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\vendor

    VX2 Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\toolbar\webbrowser
    Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

    VX2 Object Recognized!
    Type : File
    Data : dummy.htm
    Category : Malware
    Comment :
    Object : C:\WINDOWS\TEMP\



    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\sw

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\sw
    Value : DisplayName

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\sw
    Value : UninstallString

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\se

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\se
    Value : DisplayName

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\se
    Value : UninstallString

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\hsa

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\hsa
    Value : DisplayName

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\hsa
    Value : UninstallString

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\search
    Value : SearchAssistant

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Search Bar

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft
    Value : set

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\internet settings\zonemap\ranges\range1
    Value : :Range

    ImIServer IEPlugin Object Recognized!
    Type : Regkey
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : remove

    ImIServer IEPlugin Object Recognized!
    Type : Regkey
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\intexp

    ImIServer IEPlugin Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\intexp
    Value : IID

    ImIServer IEPlugin Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\intexp
    Value : Version

    ImIServer IEPlugin Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\intexp
    Value : bid

    ImIServer IEPlugin Object Recognized!
    Type : File
    Data : redir.txt
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\



    win32.winshow Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\windows\currentversion\internet settings
    Value : Security_RunActiveXControls

    win32.winshow Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\windows\currentversion\internet settings
    Value : Safety Warning Level

    win32.winshow Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\windows\currentversion\internet settings
    Value : Security_RunScripts

    win32.winshow Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_USERS
    Object : .default\software\microsoft\windows\currentversion\internet settings
    Value : Safety Warning Level

    win32.winshow Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_USERS
    Object : .default\software\microsoft\windows\currentversion\internet settings
    Value : MinLevel

    win32.winshow Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_USERS
    Object : .default\software\microsoft\windows\currentversion\internet settings
    Value : Security_RunActiveXControls
     
  2. pentiums4

    pentiums4

    Joined:
    Jan 13, 2005
    Messages:
    106
  3. flitsct

    flitsct Thread Starter

    Joined:
    Feb 7, 2005
    Messages:
    7
    This tool does not work for Windows 98 which I am running
    Any other suggestions???
    Thanks
     
  4. pentiums4

    pentiums4

    Joined:
    Jan 13, 2005
    Messages:
    106
    I may be mistaken but I feel pretty sure mydoom is a virus that affects systems running XP only. I am not sure what is going on with your sys. But, here is something to try: Go to www.majorgeeks.com and look at the menu on the left and find "anti-virus", then look for the program called "antivir". Install and run this free anti-virus program. Hope this helps.
     
  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
    AdAware SE http://www.majorgeeks.com/download506.html
    SpyBot S&D 1.3 http://www.safer-networking.org/en/download/

    DL them (they are free), install them, check each for their definition updates, and then run AdAware and Spybot, fixing anything they say.

    In SpywareBlaster - Always enable all protection after updates
    SpyBot - After an update run immunize

    Do these and reboot before the next step.

    Then get HiJack This http://www.majorgeeks.com/download3155.html, put it in a permanent folder (C:\HJT), run it, DO NOT fix anything, post the log here.
     
  6. flitsct

    flitsct Thread Starter

    Joined:
    Feb 7, 2005
    Messages:
    7
    Here is the log file
    Adware would not delete some things found
    It would lock up and just sit there
    I think it was this program

    C:\WINDOWS\SYSTEM\CVEKVIJ.EXE


    Logfile of HijackThis v1.99.0
    Scan saved at 12:07:08 AM, on 2/10/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\WINXO.EXE
    C:\WINDOWS\SYSTEM\SDKCD.EXE
    C:\WINDOWS\WINXZ32.EXE
    C:\WINDOWS\CRNA32.EXE
    C:\WINDOWS\SYSTEM\SYSAT32.EXE
    C:\WINDOWS\SYSTEM\NETRK.EXE
    C:\WINDOWS\SYSTEM\IESJ32.EXE
    C:\WINDOWS\SYSTEM\NETYT32.EXE
    C:\WINDOWS\APPEM32.EXE
    C:\WINDOWS\SYSTEM\JAVAYG32.EXE
    C:\WINDOWS\SYSTEM\ADDPE.EXE
    C:\WINDOWS\SYSTEM\NTHY.EXE
    C:\WINDOWS\SYSTEM\IPUU32.EXE
    C:\WINDOWS\ATLYX.EXE
    C:\WINDOWS\NETJC32.EXE
    C:\WINDOWS\JAVALF.EXE
    C:\WINDOWS\WINGD.EXE
    C:\WINDOWS\SYSTEM\SYSPP.EXE
    C:\WINDOWS\SYSTEM\D3RC32.EXE
    C:\WINDOWS\SYSTEM\MFCCZ.EXE
    C:\WINDOWS\SYSTEM\SYSVI.EXE
    C:\WINDOWS\SDKLR.EXE
    C:\WINDOWS\ATLQT32.EXE
    C:\WINDOWS\NETHT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\GENERIC\MEMORYSTICK USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
    C:\WINDOWS\SDKIU.EXE
    C:\WINDOWS\SYSTEM\CVEKVIJ.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\SYSPP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\WINXO.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\PACKAGER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SDKLR.EXE
    C:\WINDOWS\CRPI.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\CRPI.EXE
    C:\WINDOWS\SYSTEM\MFCMT.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {C5FDFB41-2927-504B-74D4-04BFC6A9C392} - C:\WINDOWS\WINKG32.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [Tango] D:\RELEASE\..\Setup.exe
    O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\MemoryStick USB Card Reader Driver v1.7\Disk_Monitor.exe
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
    O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
    O4 - HKLM\..\Run: [cvekvij] c:\windows\system\cvekvij.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
    O4 - HKLM\..\RunServices: [SYSAT32.EXE] C:\WINDOWS\SYSTEM\SYSAT32.EXE
    O4 - HKLM\..\RunServices: [SDKCD.EXE] C:\WINDOWS\SYSTEM\SDKCD.EXE
    O4 - HKLM\..\RunServices: [NETRK.EXE] C:\WINDOWS\SYSTEM\NETRK.EXE
    O4 - HKLM\..\RunServices: [APPEM32.EXE] C:\WINDOWS\APPEM32.EXE
    O4 - HKLM\..\RunServices: [WINXZ32.EXE] C:\WINDOWS\WINXZ32.EXE
    O4 - HKLM\..\RunServices: [IESJ32.EXE] C:\WINDOWS\SYSTEM\IESJ32.EXE
    O4 - HKLM\..\RunServices: [WINXO.EXE] C:\WINDOWS\WINXO.EXE
    O4 - HKLM\..\RunServices: [JAVAYG32.EXE] C:\WINDOWS\SYSTEM\JAVAYG32.EXE
    O4 - HKLM\..\RunServices: [CRNA32.EXE] C:\WINDOWS\CRNA32.EXE
    O4 - HKLM\..\RunServices: [ADDPE.EXE] C:\WINDOWS\SYSTEM\ADDPE.EXE
    O4 - HKLM\..\RunServices: [IPUU32.EXE] C:\WINDOWS\SYSTEM\IPUU32.EXE
    O4 - HKLM\..\RunServices: [NTHY.EXE] C:\WINDOWS\SYSTEM\NTHY.EXE
    O4 - HKLM\..\RunServices: [ATLYX.EXE] C:\WINDOWS\ATLYX.EXE
    O4 - HKLM\..\RunServices: [D3RC32.EXE] C:\WINDOWS\SYSTEM\D3RC32.EXE
    O4 - HKLM\..\RunServices: [NETJC32.EXE] C:\WINDOWS\NETJC32.EXE
    O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
    O4 - HKLM\..\RunServices: [SYSPP.EXE] C:\WINDOWS\SYSTEM\SYSPP.EXE
    O4 - HKLM\..\RunServices: [WINGD.EXE] C:\WINDOWS\WINGD.EXE
    O4 - HKLM\..\RunServices: [MFCCZ.EXE] C:\WINDOWS\SYSTEM\MFCCZ.EXE
    O4 - HKLM\..\RunServices: [SYSVI.EXE] C:\WINDOWS\SYSTEM\SYSVI.EXE
    O4 - HKLM\..\RunServices: [SDKLR.EXE] C:\WINDOWS\SDKLR.EXE
    O4 - HKLM\..\RunServices: [ATLQT32.EXE] C:\WINDOWS\ATLQT32.EXE
    O4 - HKLM\..\RunServices: [NETHT.EXE] C:\WINDOWS\NETHT.EXE
    O4 - HKLM\..\RunServices: [CRPI.EXE] C:\WINDOWS\CRPI.EXE
    O4 - HKLM\..\RunServices: [MFCMT.EXE] C:\WINDOWS\SYSTEM\MFCMT.EXE
    O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: PhoenixNet - {59226440-fb18-11d4-9cf8-a2f19057a065} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Wow...

    I'm gonna have a Mod check that out a.s.a.p

    Hang tight
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi flitsct, Give me a few minutes and I'll post something for you...

    EDIT: I just noticed you are running Hijackthis from a temp folder. You need to move that to a permanent folder before we begin.

    To create a permanent folder click My Computer, then C:\
    In the menu bar click on File, New, Folder.
    That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Now you need to move hijackthis.exe into that folder.

    When you have done that, post a new log and don't reboot or do any kind of scans or fixes until you receive a reply.
     
  9. flitsct

    flitsct Thread Starter

    Joined:
    Feb 7, 2005
    Messages:
    7
    Moved it...here you go


    Logfile of HijackThis v1.99.0
    Scan saved at 6:24:41 PM, on 2/10/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\SDKCD.EXE
    C:\WINDOWS\SYSTEM\SYSAT32.EXE
    C:\WINDOWS\APPEM32.EXE
    C:\WINDOWS\SYSTEM\NETYT32.EXE
    C:\WINDOWS\SYSTEM\NETRK.EXE
    C:\WINDOWS\WINXZ32.EXE
    C:\WINDOWS\CRNA32.EXE
    C:\WINDOWS\SYSTEM\IESJ32.EXE
    C:\WINDOWS\WINXO.EXE
    C:\WINDOWS\SYSTEM\ADDPE.EXE
    C:\WINDOWS\SYSTEM\IPUU32.EXE
    C:\WINDOWS\SYSTEM\JAVAYG32.EXE
    C:\WINDOWS\ATLYX.EXE
    C:\WINDOWS\SYSTEM\NTHY.EXE
    C:\WINDOWS\SYSTEM\D3RC32.EXE
    C:\WINDOWS\NETJC32.EXE
    C:\WINDOWS\JAVALF.EXE
    C:\WINDOWS\SYSTEM\SYSPP.EXE
    C:\WINDOWS\WINGD.EXE
    C:\WINDOWS\SYSTEM\MFCCZ.EXE
    C:\WINDOWS\SYSTEM\SYSVI.EXE
    C:\WINDOWS\SDKLR.EXE
    C:\WINDOWS\ATLQT32.EXE
    C:\WINDOWS\NETHT.EXE
    C:\WINDOWS\CRPI.EXE
    C:\WINDOWS\SYSTEM\MFCMT.EXE
    C:\WINDOWS\SYSTEM\SYSWL.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\GENERIC\MEMORYSTICK USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
    C:\WINDOWS\SDKIU.EXE
    C:\WINDOWS\SYSTEM\CVEKVIJ.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\SYSWL.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SDKCD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\PACKAGER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {FBC7D80C-C17A-896F-1A0F-9292CE6726F7} - C:\WINDOWS\D3JA32.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [Tango] D:\RELEASE\..\Setup.exe
    O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\MemoryStick USB Card Reader Driver v1.7\Disk_Monitor.exe
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
    O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
    O4 - HKLM\..\Run: [cvekvij] c:\windows\system\cvekvij.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
    O4 - HKLM\..\RunServices: [SYSAT32.EXE] C:\WINDOWS\SYSTEM\SYSAT32.EXE
    O4 - HKLM\..\RunServices: [SDKCD.EXE] C:\WINDOWS\SYSTEM\SDKCD.EXE
    O4 - HKLM\..\RunServices: [NETRK.EXE] C:\WINDOWS\SYSTEM\NETRK.EXE
    O4 - HKLM\..\RunServices: [APPEM32.EXE] C:\WINDOWS\APPEM32.EXE
    O4 - HKLM\..\RunServices: [WINXZ32.EXE] C:\WINDOWS\WINXZ32.EXE
    O4 - HKLM\..\RunServices: [IESJ32.EXE] C:\WINDOWS\SYSTEM\IESJ32.EXE
    O4 - HKLM\..\RunServices: [WINXO.EXE] C:\WINDOWS\WINXO.EXE
    O4 - HKLM\..\RunServices: [JAVAYG32.EXE] C:\WINDOWS\SYSTEM\JAVAYG32.EXE
    O4 - HKLM\..\RunServices: [CRNA32.EXE] C:\WINDOWS\CRNA32.EXE
    O4 - HKLM\..\RunServices: [ADDPE.EXE] C:\WINDOWS\SYSTEM\ADDPE.EXE
    O4 - HKLM\..\RunServices: [IPUU32.EXE] C:\WINDOWS\SYSTEM\IPUU32.EXE
    O4 - HKLM\..\RunServices: [NTHY.EXE] C:\WINDOWS\SYSTEM\NTHY.EXE
    O4 - HKLM\..\RunServices: [ATLYX.EXE] C:\WINDOWS\ATLYX.EXE
    O4 - HKLM\..\RunServices: [D3RC32.EXE] C:\WINDOWS\SYSTEM\D3RC32.EXE
    O4 - HKLM\..\RunServices: [NETJC32.EXE] C:\WINDOWS\NETJC32.EXE
    O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
    O4 - HKLM\..\RunServices: [SYSPP.EXE] C:\WINDOWS\SYSTEM\SYSPP.EXE
    O4 - HKLM\..\RunServices: [WINGD.EXE] C:\WINDOWS\WINGD.EXE
    O4 - HKLM\..\RunServices: [MFCCZ.EXE] C:\WINDOWS\SYSTEM\MFCCZ.EXE
    O4 - HKLM\..\RunServices: [SYSVI.EXE] C:\WINDOWS\SYSTEM\SYSVI.EXE
    O4 - HKLM\..\RunServices: [SDKLR.EXE] C:\WINDOWS\SDKLR.EXE
    O4 - HKLM\..\RunServices: [ATLQT32.EXE] C:\WINDOWS\ATLQT32.EXE
    O4 - HKLM\..\RunServices: [NETHT.EXE] C:\WINDOWS\NETHT.EXE
    O4 - HKLM\..\RunServices: [CRPI.EXE] C:\WINDOWS\CRPI.EXE
    O4 - HKLM\..\RunServices: [MFCMT.EXE] C:\WINDOWS\SYSTEM\MFCMT.EXE
    O4 - HKLM\..\RunServices: [SYSWL.EXE] C:\WINDOWS\SYSTEM\SYSWL.EXE
    O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: PhoenixNet - {59226440-fb18-11d4-9cf8-a2f19057a065} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    If you have any questions ask them prior to starting. It would be a good idea to print this out before you start.

    First copy the contents of the quotebox to notepad. Go to File > Save As and name it Fix.reg (save as type: 'all files' )

    ___________________________________________________________________________

    Click here to download CWShredder. Do Not run it yet. Download it to the desktop and have it ready to run later.

    ____________________________________________________________________

    Click here to download AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.
    _____________________________________________________________________

    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.
    ______________________________________________________________________

    Restart to safe mode.

    How to start your computer in safe mode


    Perform the following steps in safe mode:

    ____________________________________________________________________

    To configure Windows98 to show all files

    On the Windows desktop, double-click the My Computer icon.
    On the View menu, click Folder Options.
    In the Advanced Settings box, under the "Hidden files" folder, click Show all files.
    Click Apply.
    Click OK.

    ____________________________________________________________________

    Double click on the fix.reg file you saved at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.
    ____________________________________________________________________

    Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\baeyp.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {FBC7D80C-C17A-896F-1A0F-9292CE6726F7} - C:\WINDOWS\D3JA32.DLL
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
    O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
    O4 - HKLM\..\Run: [cvekvij] c:\windows\system\cvekvij.exe
    O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
    O4 - HKLM\..\RunServices: [SYSAT32.EXE] C:\WINDOWS\SYSTEM\SYSAT32.EXE
    O4 - HKLM\..\RunServices: [SDKCD.EXE] C:\WINDOWS\SYSTEM\SDKCD.EXE
    O4 - HKLM\..\RunServices: [NETRK.EXE] C:\WINDOWS\SYSTEM\NETRK.EXE
    O4 - HKLM\..\RunServices: [APPEM32.EXE] C:\WINDOWS\APPEM32.EXE
    O4 - HKLM\..\RunServices: [WINXZ32.EXE] C:\WINDOWS\WINXZ32.EXE
    O4 - HKLM\..\RunServices: [IESJ32.EXE] C:\WINDOWS\SYSTEM\IESJ32.EXE
    O4 - HKLM\..\RunServices: [WINXO.EXE] C:\WINDOWS\WINXO.EXE
    O4 - HKLM\..\RunServices: [JAVAYG32.EXE] C:\WINDOWS\SYSTEM\JAVAYG32.EXE
    O4 - HKLM\..\RunServices: [CRNA32.EXE] C:\WINDOWS\CRNA32.EXE
    O4 - HKLM\..\RunServices: [ADDPE.EXE] C:\WINDOWS\SYSTEM\ADDPE.EXE
    O4 - HKLM\..\RunServices: [IPUU32.EXE] C:\WINDOWS\SYSTEM\IPUU32.EXE
    O4 - HKLM\..\RunServices: [NTHY.EXE] C:\WINDOWS\SYSTEM\NTHY.EXE
    O4 - HKLM\..\RunServices: [ATLYX.EXE] C:\WINDOWS\ATLYX.EXE
    O4 - HKLM\..\RunServices: [D3RC32.EXE] C:\WINDOWS\SYSTEM\D3RC32.EXE
    O4 - HKLM\..\RunServices: [NETJC32.EXE] C:\WINDOWS\NETJC32.EXE
    O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
    O4 - HKLM\..\RunServices: [SYSPP.EXE] C:\WINDOWS\SYSTEM\SYSPP.EXE
    O4 - HKLM\..\RunServices: [WINGD.EXE] C:\WINDOWS\WINGD.EXE
    O4 - HKLM\..\RunServices: [MFCCZ.EXE] C:\WINDOWS\SYSTEM\MFCCZ.EXE
    O4 - HKLM\..\RunServices: [SYSVI.EXE] C:\WINDOWS\SYSTEM\SYSVI.EXE
    O4 - HKLM\..\RunServices: [SDKLR.EXE] C:\WINDOWS\SDKLR.EXE
    O4 - HKLM\..\RunServices: [ATLQT32.EXE] C:\WINDOWS\ATLQT32.EXE
    O4 - HKLM\..\RunServices: [NETHT.EXE] C:\WINDOWS\NETHT.EXE
    O4 - HKLM\..\RunServices: [CRPI.EXE] C:\WINDOWS\CRPI.EXE
    O4 - HKLM\..\RunServices: [MFCMT.EXE] C:\WINDOWS\SYSTEM\MFCMT.EXE
    O4 - HKLM\..\RunServices: [SYSWL.EXE] C:\WINDOWS\SYSTEM\SYSWL.EXE
    O9 - Extra button: PhoenixNet - {59226440-fb18-11d4-9cf8-a2f19057a065} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)


    Delete these files:
    C:\WINDOWS\baeyp.dll
    C:\WINDOWS\D3JA32.DLL
    C:\WINDOWS\SYSTEM\tibs3.exe
    C:\WINDOWS\SDKIU.EXE
    c:\windows\system\cvekvij.exe
    C:\WINDOWS\SYSTEM\NETYT32.EXE
    C:\WINDOWS\SYSTEM\SYSAT32.EXE
    C:\WINDOWS\SYSTEM\SDKCD.EXE
    C:\WINDOWS\SYSTEM\NETRK.EXE
    C:\WINDOWS\APPEM32.EXE
    C:\WINDOWS\WINXZ32.EXE
    C:\WINDOWS\SYSTEM\IESJ32.EXE
    C:\WINDOWS\WINXO.EXE
    C:\WINDOWS\SYSTEM\JAVAYG32.EXE
    C:\WINDOWS\CRNA32.EXE
    C:\WINDOWS\SYSTEM\ADDPE.EXE
    C:\WINDOWS\SYSTEM\IPUU32.EXE
    C:\WINDOWS\SYSTEM\NTHY.EXE
    C:\WINDOWS\ATLYX.EXE
    C:\WINDOWS\SYSTEM\D3RC32.EXE
    C:\WINDOWS\NETJC32.EXE
    C:\WINDOWS\JAVALF.EXE
    C:\WINDOWS\SYSTEM\SYSPP.EXE
    C:\WINDOWS\WINGD.EXE
    C:\WINDOWS\SYSTEM\MFCCZ.EXE
    C:\WINDOWS\SYSTEM\SYSVI.EXE
    C:\WINDOWS\SDKLR.EXE
    C:\WINDOWS\ATLQT32.EXE
    C:\WINDOWS\NETHT.EXE
    C:\WINDOWS\CRPI.EXE
    C:\WINDOWS\SYSTEM\MFCMT.EXE
    C:\WINDOWS\SYSTEM\SYSWL.EXE


    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    ________________________________________________________________________

    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
    _______________________________________________________________________

    Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
    _______________________________________________________________________

    Boot back into Windows now.

    Go here and do an online virus scan.

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.



    This hijacker is known to alter or delete certain files so check this out please:

    Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.

    If you have Spybot S&D installed you will also need to replace one file.
    Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).


    control.exe may have been deleted.
    See if control.exe is present in C:\windows\system

    If control.exe isn't there, Click here to download control_me.zip.

    Unzip the file and copy the new control.exe file to the C:\Windows\System folder.


    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended here.
     
  11. flitsct

    flitsct Thread Starter

    Joined:
    Feb 7, 2005
    Messages:
    7
    Thanks...I will do this on Sunday...busy until then

    Going to do it tonight
     
  12. flitsct

    flitsct Thread Starter

    Joined:
    Feb 7, 2005
    Messages:
    7
    Still have it after doing all this

    Did not find
    C:\windows\baeyp.dll
    c:\windows\d3ja32.dll

    when I ran hijackthis but deleted all the others

    Also got an internet error when I tried to do the online virus scan

    Here is a new log file

    Logfile of HijackThis v1.99.0
    Scan saved at 1:24:43 AM, on 2/11/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\GENERIC\MEMORYSTICK USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\ADDNF.EXE
    C:\WINDOWS\SDKIU.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {D92E50CF-C735-C403-CC44-197C38A75AE8} - C:\WINDOWS\SYSTEM\NTZN32.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [Tango] D:\RELEASE\..\Setup.exe
    O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\MemoryStick USB Card Reader Driver v1.7\Disk_Monitor.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ADDNF.EXE] C:\WINDOWS\SYSTEM\ADDNF.EXE
    O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: PhoenixNet - {59226440-fb18-11d4-9cf8-a2f19057a065} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    This hijacker changes when you reboot or do any fixes; that's why some of those files could not be found.

    What was the error you got when you tried to do the virus scan?

    What is this? [Tango] D:\RELEASE\..\Setup.exe


    Download this tool
    http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click on the file and choose install.

    Run HJT again and put a check in the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {D92E50CF-C735-C403-CC44-197C38A75AE8} - C:\WINDOWS\SYSTEM\NTZN32.DLL
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
    O4 - HKLM\..\RunServices: [ADDNF.EXE] C:\WINDOWS\SYSTEM\ADDNF.EXE
    O9 - Extra button: PhoenixNet - {59226440-fb18-11d4-9cf8-a2f19057a065} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)

    Close all applications and browser windows before you click "fix checked".

    Restart in safe mode

    Delete these files:
    C:\WINDOWS\SYSTEM\ADDNF.EXE
    C:\WINDOWS\SYSTEM\NTZN32.DLL
    C:\WINDOWS\SDKIU.EXE
    C:\WINDOWS\system\wnidu.dll
    mtwirl.dll
    mtwirl32.dll

    Empty this folder: c:\windows\temp

    Empty your recycle bin.

    Run Ad-Aware again while in safe mode.
    Run About:buster again.

    Reboot.
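    As an added example (not code from the thread, and not part of HijackThis), the following Python script parses HJT log lines like the ones posted above and flags the indicators the helper picked out by hand in posts #10 and #13: search settings redirected to a local res:// page, the missing URLSearchHook, a BHO or autostart loading an unknown file straight from the Windows directory, and additions to the Trusted zone. A second function diffs two scans to show the renamed dropper files the helper warns about; the KNOWN_GOOD allowlist and both sample logs are constructed for this example from entries in this thread.

```python
"""Triage HijackThis (HJT) log lines for the CoolWebSearch indicators in this thread.
Added example; not part of the original posts or of HijackThis itself."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTRY = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<rest>.*)$")  # "O4 - ..." section prefix
# A file placed directly in C:\WINDOWS or C:\WINDOWS\SYSTEM, where this variant drops
# its randomly named .EXE/.DLL files (the optional group lets both folders match).
WIN_DIR = re.compile(r"^C:\\WINDOWS(\\SYSTEM)?\\([^\\]+)$", re.IGNORECASE)
O4_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]*\] (.+)$")  # Run/RunServices
# Constructed allowlist: the benign Windows-directory autostarts seen in the thread's
# logs. Real triage would check vendor or hash lists, not a short set like this one.
KNOWN_GOOD = {"systray.exe", "qttask.exe", "runonce.exe", "rundll32.exe"}

# Constructed samples: entries copied from the thread's scans of 2/10 and 2/11, which
# show the dropped files coming back under new names after the first clean-up attempt.
LOG_FIRST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FBC7D80C-C17A-896F-1A0F-9292CE6726F7} - C:\WINDOWS\D3JA32.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
O4 - HKLM\..\RunServices: [CRPI.EXE] C:\WINDOWS\CRPI.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
"""
LOG_SECOND = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D92E50CF-C735-C403-CC44-197C38A75AE8} - C:\WINDOWS\SYSTEM\NTZN32.DLL
O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
O4 - HKLM\..\RunServices: [ADDNF.EXE] C:\WINDOWS\SYSTEM\ADDNF.EXE
O15 - Trusted Zone: *.awmdabest.com
"""

@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code, e.g. "O4"
    reason: str   # why the entry was flagged
    target: str   # normalised file path, domain or IP the entry points at
    line: str     # the original log line

def _suspicious_file(path: str) -> Optional[str]:
    """Lower-cased path if it is an unknown file sitting straight in the Windows or
    System directory; None for anything elsewhere or on the allowlist."""
    path = path.strip().strip('"')
    m = WIN_DIR.match(path)
    if not m or m.group(2).lower() in KNOWN_GOOD:
        return None
    return path.lower()

def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's indicators to one HJT line; None when nothing is flagged."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    if sec in ("R0", "R1"):  # search or start page pointing at a local res:// DLL page
        hit = re.search(r"res://(.+?\.dll)", rest, re.IGNORECASE)
        if hit:
            return Finding(sec, "IE search setting redirected to a local res:// page",
                           hit.group(1).lower(), line)
    elif sec == "R3" and rest == "Default URLSearchHook is missing":
        return Finding(sec, "default URLSearchHook removed", "", line)
    elif sec == "O2":  # "BHO: <name> - {CLSID} - <path>"
        target = _suspicious_file(rest.rsplit(" - ", 1)[-1])
        if target:
            return Finding(sec, "BHO loaded from an unknown DLL in the Windows directory",
                           target, line)
    elif sec == "O4":
        hit = O4_ENTRY.match(rest)
        cmd = hit.group(1).strip() if hit else ""
        # Executable part of the command line, honouring a quoted path with arguments.
        exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
        target = _suspicious_file(exe)
        if target:
            return Finding(sec, "autostart of an unknown file in the Windows directory",
                           target, line)
    elif sec == "O15" and rest.startswith("Trusted"):
        target = rest.split(": ", 1)[1].replace(" (HKLM)", "").strip()
        return Finding(sec, "site or IP added to the IE Trusted zone", target, line)
    return None

def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]

def regenerated_files(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Flagged file targets that vanished between two scans, and those that appeared.
    This variant drops fresh randomly named files on each reboot or fix attempt, so
    the same findings come back under new names, as the thread's two logs show."""
    def files(text: str) -> set:
        return {f.target for f in triage_log(text) if f.target.endswith((".exe", ".dll"))}
    b, a = files(before), files(after)
    return sorted(b - a), sorted(a - b)
```

    Running triage_log on a full HJT log produces the same list the helper asked the poster to check in HijackThis; regenerated_files(LOG_FIRST, LOG_SECOND) reports baeyp.dll, D3JA32.DLL, NETYT32.EXE and CRPI.EXE gone and wnidu.dll, NTZN32.DLL, SDKIU.EXE and ADDNF.EXE in their place.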
     
  14. flitsct

    flitsct Thread Starter

    Joined:
    Feb 7, 2005
    Messages:
    7
    I think it is gone
    Here is the Hijackthis logfile

    Logfile of HijackThis v1.99.0
    Scan saved at 5:54:14 PM, on 2/13/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\GENERIC\MEMORYSTICK USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.district6hockey.net/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Tango] D:\RELEASE\..\Setup.exe
    O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\MemoryStick USB Card Reader Driver v1.7\Disk_Monitor.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    let me know if there is anything else I can do
    Thanks
    Tim
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    The most important thing now is to install an antivirus so you don't get reinfected
     
Short URL to this thread: https://techguy.org/327984
