Please Inform HJT log [RESOLVED]



#1 walker428 (New Member, 9 posts)
OK, I have a friend's comp that was totally loaded with spyware, trojans, etc. It would take hours to boot up and could basically do nothing. I have cleaned it up real good with CWShredder, Ad-Aware, and Spybot S&D, and applied all the MS patches and service packs they failed to keep up with. Still getting a few popups in IE, but the improvement is 100-fold what it was. So this is my last resort. Here is my HJT log from this comp:

Logfile of HijackThis v1.98.2
Scan saved at 1:07:48 PM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Documents and Settings\Owner\Application Data\eetu.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Hijack this\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SDWin32 Class - {0B928A4A-F190-45D4-946C-917CBFE8BF16} - C:\WINDOWS\System32\gzwfm.dll (file missing)
O2 - BHO: (no name) - {1B366DC8-BE2E-48DB-9E3B-0C1AC0419AAB} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {1CDBE792-E130-4561-8F2F-99CC08087DF5} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {2BD8D9D0-A8E2-4D30-B512-83C29112A3A1} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {3ED36E89-1CAD-47A5-863B-CF27E85F2B6C} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {4192589B-3142-401E-9AB6-6F7516F9155B} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {506CB2E9-5924-2486-2EF1-5787EF83BEC8} - C:\WINDOWS\System32\akuonp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E4BE366-DDD2-44FB-989D-0699BD87BA6F} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {60BE8A3C-ED13-4461-992A-0D1604B5F94D} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {6C9B3A25-F685-4028-8522-CA1A8402128C} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {753BB2C7-FAFC-4CB4-934E-DD8F20050460} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {75445686-1491-4EBA-BD55-816B2B58FBFA} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {8458E436-52AD-5759-DA93-01A2D8D56997} - C:\WINDOWS\System32\hhskf.dll
O2 - BHO: (no name) - {85192E5C-C7A8-42EF-AF25-47F089E2A6B2} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {8DF99BE2-CBB7-4A8E-B162-276D8D39F434} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {A0D6A265-A937-47D1-BC5C-44CE118881AA} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {BC0FE2E2-469E-48DE-AFB4-BA1BCD732265} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {C8FE486F-74DC-4CCD-A767-9E4EBB23B830} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {C9EFCB01-8213-453A-8FDB-85FF42EB2B34} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {D01179A6-DD80-4EFC-B9EE-54F11000759B} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {D0193DFC-E599-423D-AA98-189BA7B6B370} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: SDWin32 Class - {D388F7A8-7CFD-48F3-BEF8-DFCBD509FB99} - C:\WINDOWS\System32\qezxk.dll (file missing)
O2 - BHO: (no name) - {DDFEFF34-7D78-4C74-ABB6-EBB548872C44} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {E422BCFE-CB13-41A6-B21B-3D7EF224F667} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {F3A929E5-BE72-4657-AAEA-8CC7749A84FB} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Nub] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\eetu.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab


Please Advise.

Thanks for your time



#2 gerryf (Retired Staff, 11,365 posts)
Before we start, please download the most recent version of HijackThis:

http://www.spywarein.../downloads.html

#3 walker428 (Topic Starter, New Member, 9 posts)
OK, sorry about that. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 1:42:41 PM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Documents and Settings\Owner\Application Data\eetu.exe
C:\Program Files\Hijack this\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SDWin32 Class - {0B928A4A-F190-45D4-946C-917CBFE8BF16} - C:\WINDOWS\System32\gzwfm.dll (file missing)
O2 - BHO: (no name) - {1B366DC8-BE2E-48DB-9E3B-0C1AC0419AAB} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {1CDBE792-E130-4561-8F2F-99CC08087DF5} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {2BD8D9D0-A8E2-4D30-B512-83C29112A3A1} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {3ED36E89-1CAD-47A5-863B-CF27E85F2B6C} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {4192589B-3142-401E-9AB6-6F7516F9155B} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {506CB2E9-5924-2486-2EF1-5787EF83BEC8} - C:\WINDOWS\System32\akuonp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E4BE366-DDD2-44FB-989D-0699BD87BA6F} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {60BE8A3C-ED13-4461-992A-0D1604B5F94D} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {6C9B3A25-F685-4028-8522-CA1A8402128C} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {753BB2C7-FAFC-4CB4-934E-DD8F20050460} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {75445686-1491-4EBA-BD55-816B2B58FBFA} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {8458E436-52AD-5759-DA93-01A2D8D56997} - C:\WINDOWS\System32\hhskf.dll
O2 - BHO: (no name) - {85192E5C-C7A8-42EF-AF25-47F089E2A6B2} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {8DF99BE2-CBB7-4A8E-B162-276D8D39F434} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {A0D6A265-A937-47D1-BC5C-44CE118881AA} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {BC0FE2E2-469E-48DE-AFB4-BA1BCD732265} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {C8FE486F-74DC-4CCD-A767-9E4EBB23B830} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {C9EFCB01-8213-453A-8FDB-85FF42EB2B34} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {D01179A6-DD80-4EFC-B9EE-54F11000759B} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {D0193DFC-E599-423D-AA98-189BA7B6B370} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: SDWin32 Class - {D388F7A8-7CFD-48F3-BEF8-DFCBD509FB99} - C:\WINDOWS\System32\qezxk.dll (file missing)
O2 - BHO: (no name) - {DDFEFF34-7D78-4C74-ABB6-EBB548872C44} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {E422BCFE-CB13-41A6-B21B-3D7EF224F667} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {F3A929E5-BE72-4657-AAEA-8CC7749A84FB} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Nub] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\eetu.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


Thanks

#4 gerryf (Retired Staff, 11,365 posts)
With IE closed:

Load HijackThis,
click the MISC TOOLS section,
press OPEN PROCESS MANAGER,
choose the following running processes and then select KILL PROCESS:

C:\WINDOWS\System32\l?gonui.exe
C:\Documents and Settings\Owner\Application Data\eetu.exe

Hit the back button, hit SCAN,

check the following:

O2 - BHO: SDWin32 Class - {0B928A4A-F190-45D4-946C-917CBFE8BF16} - C:\WINDOWS\System32\gzwfm.dll (file missing)
O2 - BHO: (no name) - {1B366DC8-BE2E-48DB-9E3B-0C1AC0419AAB} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {1CDBE792-E130-4561-8F2F-99CC08087DF5} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {2BD8D9D0-A8E2-4D30-B512-83C29112A3A1} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {3ED36E89-1CAD-47A5-863B-CF27E85F2B6C} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {4192589B-3142-401E-9AB6-6F7516F9155B} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {506CB2E9-5924-2486-2EF1-5787EF83BEC8} - C:\WINDOWS\System32\akuonp.dll (file missing)
O2 - BHO: (no name) - {5E4BE366-DDD2-44FB-989D-0699BD87BA6F} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {60BE8A3C-ED13-4461-992A-0D1604B5F94D} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {6C9B3A25-F685-4028-8522-CA1A8402128C} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {753BB2C7-FAFC-4CB4-934E-DD8F20050460} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {75445686-1491-4EBA-BD55-816B2B58FBFA} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {8458E436-52AD-5759-DA93-01A2D8D56997} - C:\WINDOWS\System32\hhskf.dll
O2 - BHO: (no name) - {85192E5C-C7A8-42EF-AF25-47F089E2A6B2} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {8DF99BE2-CBB7-4A8E-B162-276D8D39F434} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {A0D6A265-A937-47D1-BC5C-44CE118881AA} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {BC0FE2E2-469E-48DE-AFB4-BA1BCD732265} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {C8FE486F-74DC-4CCD-A767-9E4EBB23B830} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {C9EFCB01-8213-453A-8FDB-85FF42EB2B34} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {D01179A6-DD80-4EFC-B9EE-54F11000759B} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {D0193DFC-E599-423D-AA98-189BA7B6B370} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: SDWin32 Class - {D388F7A8-7CFD-48F3-BEF8-DFCBD509FB99} - C:\WINDOWS\System32\qezxk.dll (file missing)
O2 - BHO: (no name) - {DDFEFF34-7D78-4C74-ABB6-EBB548872C44} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {E422BCFE-CB13-41A6-B21B-3D7EF224F667} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {F3A929E5-BE72-4657-AAEA-8CC7749A84FB} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [Nub] C:\WINDOWS\System32\l?gonui.exe

Hit FIX CHECKED.

Open a command line session (Start > Run, type CMD, hit ENTER)

and type the following:

regsvr32 /u C:\Program Files\bsj8zhpy\bsj8zhpy.dll
regsvr32 /u C:\WINDOWS\System32\hhskf.dll

Reboot.

Delete the above files.

Repost your HijackThis log.

On a side note: I do not believe this is part of the problem, but this is the third time in a week I have run into this :

O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3


Anyone know what it is?
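The steps above are a manual triage of the log: decide which BHO registrations and Run entries are hostile, kill the processes, unregister the DLLs, delete the files. The Python script below is an added example and is not part of this thread or of HijackThis; it encodes the same reasoning over O2 and O4 lines so the judgement can be repeated on another log. It flags BHOs with no name loading from an odd location, CLSIDs whose DLL is already gone (dead registrations), one DLL registered under many CLSIDs (the bsj8zhpy.dll pattern), Run entries that execute from a user profile's Application Data, and a process name one substituted character away from a Windows binary (the l?gonui.exe versus logonui.exe case). The set of system binaries, the single known-good CLSID (Spybot's SDHelper, taken from the log above) and the sample lines are assumptions and constructed input for the example, not an authoritative allowlist.

```python
"""Triage helper for HijackThis-style log lines.
Added example, not part of the thread or of HijackThis; the reference
sets below are assumptions for the example, not an authoritative list."""
import re
from collections import Counter

# Assumption: Windows binaries that malware likes to mimic by name.
KNOWN_SYSTEM_BINARIES = {
    "logonui.exe", "svchost.exe", "winlogon.exe", "lsass.exe",
    "smss.exe", "services.exe", "spoolsv.exe", "explorer.exe",
}
# Assumption: BHO CLSIDs treated as legitimate; the only entry is
# Spybot's SDHelper, which appears in the thread's log.
KNOWN_GOOD_BHO_CLSIDS = {"53707962-6F74-2D53-2644-206D7942484F"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")

def basename(path):
    """Last path component, tolerant of quotes and forward slashes."""
    return path.strip().strip('"').replace("/", "\\").split("\\")[-1]

def executable_of(cmd):
    """The .exe a Run-key command launches, or None (e.g. '[Yahoo! Pager] 1')."""
    m = re.match(r'"?(?P<exe>.*?\.exe)', cmd, re.IGNORECASE)
    return m.group("exe") if m else None

def lookalike_of(filename):
    """System binary `filename` mimics with one substituted character, or None.
    HJT prints '?' for a character it cannot render, so 'l?gonui.exe'
    is one substitution away from 'logonui.exe'."""
    f = filename.lower()
    for known in KNOWN_SYSTEM_BINARIES:
        if len(known) == len(f) and f != known \
                and sum(a != b for a, b in zip(f, known)) == 1:
            return known
    return None

def triage_line(line):
    """Reasons one log line deserves attention; empty list if none."""
    line = line.strip()
    reasons = []
    m = O2_RE.match(line)
    if m:
        name, clsid, path = m.group("name"), m.group("clsid").upper(), m.group("path")
        if clsid in KNOWN_GOOD_BHO_CLSIDS:
            return reasons
        if path.endswith("(file missing)"):
            reasons.append(f"BHO {{{clsid}}} points at a DLL that no longer exists (dead registration)")
        elif name == "(no name)":
            reasons.append(f"unnamed BHO loads {path}")
        return reasons
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        if exe is None:
            return reasons
        key, fname, low = m.group("key"), basename(exe), exe.lower()
        if "\\application data\\" in low or "\\temp\\" in low:
            reasons.append(f"startup entry [{key}] runs from a user data directory: {exe}")
        if any(ord(c) > 127 or c == "?" for c in fname):
            reasons.append(f"startup entry [{key}] has an unrenderable/non-ASCII character in its name: {fname}")
        mimic = lookalike_of(fname)
        if mimic:
            reasons.append(f"{fname} mimics the Windows binary {mimic}")
    return reasons

def triage_log(lines):
    """Per-line findings plus a cross-line check: one DLL registered under
    several CLSIDs (how bsj8zhpy.dll shows up twenty times above)."""
    findings, dll_counts = {}, Counter()
    for raw in lines:
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
        m = O2_RE.match(line)
        if m and not m.group("path").endswith("(file missing)"):
            dll_counts[m.group("path").lower()] += 1
    return findings, {dll: n for dll, n in dll_counts.items() if n > 1}

# Constructed sample: lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SDWin32 Class - {0B928A4A-F190-45D4-946C-917CBFE8BF16} - C:\WINDOWS\System32\gzwfm.dll (file missing)
O2 - BHO: (no name) - {1B366DC8-BE2E-48DB-9E3B-0C1AC0419AAB} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {1CDBE792-E130-4561-8F2F-99CC08087DF5} - C:\Program Files\bsj8zhpy\bsj8zhpy.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8458E436-52AD-5759-DA93-01A2D8D56997} - C:\WINDOWS\System32\hhskf.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Nub] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\eetu.exe
""".strip().splitlines()

if __name__ == "__main__":
    found, multi = triage_log(SAMPLE_LOG)
    for entry, reasons in found.items():
        print(entry, *("   -> " + r for r in reasons), sep="\n")
    for dll, n in multi.items():
        print(f"{dll} is registered under {n} CLSIDs")
```

Run it as-is to see the findings for the sample, or pass a full log with `triage_log(open(path).read().splitlines())`. The lookalike check is deliberately narrow (exactly one substituted character against a short list) so that legitimate binaries such as avgcc.exe or msmsgs.exe are not flagged; a "(file missing)" BHO is reported separately because the registry entry is harmless on its own but shows what was there and still needs fixing in HijackThis.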

#5 walker428 (Topic Starter, New Member, 9 posts)
I think that is one of those "free" screen savers from the Gator/GAIN company. I am pretty sure I deleted it in the Add/Remove control panel. This comp had a ton of shizzal on it: Ad-Aware had 248 critical items, AVG found like 8 trojans. But I do remember it having some aquarium screen saver (that I had uninstalled already; funny how they keep popping back on systems). Currently printing out your recommendations, that was a lot of stuff.

#6 gerryf (Retired Staff, 11,365 posts)
Thank you for the insight... so far the two people who had that entry (and left it) said they had no problems after leaving it, but knowing it is (possibly) a screensaver might explain that.

#7 walker428 (Topic Starter, New Member, 9 posts)
OK, I had some problems trying to run regsvr32 at the DOS prompt. Both files gave the error "Load Library FILENAMEHERE failed. The specified module could not be found." Using the OS search feature I could not find hhskf.dll at all on the system. The bsj8zhpy.dll, however, was in the correct directory, but the program wouldn't run on it; I tried changing the spacing and everything else like 20 times to get it to work. Am I doing it wrong? I did, however, reboot after that and take a new log file, which I will post. Seeing as that AQ3 screen saver was installed by Gator, I would like to remove it, so should I check that box and fix it in HJT?

Here is my new log after fixing the first part but not running regsvr32 on the 2 DLL files. Also, it seems to me that the popups have stopped so far.

Logfile of HijackThis v1.99.1
Scan saved at 2:49:56 PM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Application Data\eetu.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack this\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\eetu.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#8 walker428 (Topic Starter, New Member, 9 posts)
Whoops, I completely forgot to "delete the above files." By "above files", which files did you mean?

All the HJT log entries you told me to fix, or the 2 .dlls that I couldn't get regsvr32 to work on?

And still no popups (that's a good sign).

#9 gerryf (Retired Staff, 11,365 posts)
Oops, my mistake; it should have been

regsvr32 /u C:\"Program Files"\bsj8zhpy\bsj8zhpy.dll

or the short dos name version of

regsvr32 /u C:\Progra~1\bsj8zhpy\bsj8zhpy.dll

Either way, delete the entire C:\Program Files\bsj8zhpy\ directory.

Also, I note this has returned:

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\eetu.exe

You normally don't want programs running from these locations. At first I thought it might be part of the Everest system analyzer, but that seems wrong. Take a look at the file: right-click it and choose Properties... any information on it? Check through the tabs that pop up.

Try to remove it again.

#10 walker428 (Topic Starter, New Member, 9 posts)
OK, deleted that whole directory via the trash bin, and then used HJT to fix/delete the eetu.exe. (If I remember correctly, I believe that file was infected with a trojan or something in my logs.)

Here is the current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:59:07 PM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack this\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



Thanks

#11 gerryf (Retired Staff, 11,365 posts)
Looks good.

#12 walker428 (Topic Starter, New Member, 9 posts)
OK, thanks for your help. Much appreciated.

#13 Guest_thatman_* (Guest)
Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





