Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

kcitq.dll, bkmjp.dll, netyz32, ipch32 .....

Started by nightcoyote , Jul 12 2004 11:27 AM

  • Please log in to reply

#1
nightcoyote
Posted 12 July 2004 - 11:27 AM

nightcoyote

    New Member

  • Member
  • Pip
  • 6 posts
Hello,
I've been reading your forum about hijacked browers only to discover my husbands computer has fallen victim to this.
I've just run Ad-aware, Spybot and Hijack this (in this order).
What should I delete from the hijack log?
thank you,
Nightcoyote

Here follows the Hijack log....

Logfile of HijackThis v1.98.0
Scan saved at 10:09:42 AM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\appzn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\d3lz.exe
C:\Documents and Settings\NELSON\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bkmjp.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bkmjp.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bkmjp.dll/sp.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B9FCA0E1-7B64-E16E-A3DC-00928170618E} - C:\WINDOWS\criz.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [appzn.exe] C:\WINDOWS\appzn.exe
O4 - HKLM\..\RunOnce: [d3lz.exe] C:\WINDOWS\d3lz.exe
O4 - HKLM\..\RunOnce: [javacq32.exe] C:\WINDOWS\system32\javacq32.exe
O4 - HKLM\..\RunOnce: [mfceh.exe] C:\WINDOWS\mfceh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\Winxup32.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{204BC8CE-103E-463D-A576-BEACEAB83504}: NameServer = 209.221.205.2 209.221.205.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{204BC8CE-103E-463D-A576-BEACEAB83504}: NameServer = 209.221.205.2 209.221.205.3
  • 0

Advertisements

#2
ditto
Posted 12 July 2004 - 11:47 AM

ditto

    - i pwn n00bs -

  • Member
  • PipPipPipPip
  • 1,260 posts
Hello nightcoyote and welcome to the site.

Looks like you did a pretty good job but still have somethings that we need to clear.

Please move Hijack This to a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bkmjp.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bkmjp.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bkmjp.dll/sp.html#12802
R3 - Default URLSearchHook is missing

I see some suspicious files so lets run a free virus scan found here:
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. <_<

ditto
  • 0

#3
nightcoyote
Posted 12 July 2004 - 12:48 PM

nightcoyote

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Ditto...
Just rebooted and so far so good. No strange error messages and homepage seems (???) to be stable.
Followed your instructions and here is the 2nd Hijack This log.
Please advise... nightcoyte

Logfile of HijackThis v1.98.0
Scan saved at 11:43:14 AM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\d3lz.exe
C:\WINDOWS\appzn.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {881BB225-84CF-BE39-E313-C5E95E934915} - C:\WINDOWS\crcy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [appzn.exe] C:\WINDOWS\appzn.exe
O4 - HKLM\..\RunOnce: [d3lz.exe] C:\WINDOWS\d3lz.exe
O4 - HKLM\..\RunOnce: [javacq32.exe] C:\WINDOWS\system32\javacq32.exe
O4 - HKLM\..\RunOnce: [mfceh.exe] C:\WINDOWS\mfceh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\Winxup32.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{204BC8CE-103E-463D-A576-BEACEAB83504}: NameServer = 209.221.205.2 209.221.205.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{204BC8CE-103E-463D-A576-BEACEAB83504}: NameServer = 209.221.205.2 209.221.205.3
  • 0

#4
nightcoyote
Posted 12 July 2004 - 05:25 PM

nightcoyote

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Ditto...
Help!!
I've gone through the process a couple of times now, and still being hijacked.
I downloaded the trojan scan and removed WINTRIM (4 entries).
I've tried downloading the free virus scan but to no avail....
so will run a Norton virus scan instead.
Here is the latest log...after multiple tries to remove the Coolweb search and multiple other incidious hijacks.

What do you suggest after viewing my latest log file....
Thanks,
nightcoyote
Logfile of HijackThis v1.98.0
Scan saved at 4:21:19 PM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\d3lz.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\appzn.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jchsp.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jchsp.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jchsp.dll/sp.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AC744CBB-CAE9-45FF-286D-02D68E9FC988} - C:\WINDOWS\winqr.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [appzn.exe] C:\WINDOWS\appzn.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\RunOnce: [d3lz.exe] C:\WINDOWS\d3lz.exe
O4 - HKLM\..\RunOnce: [javacq32.exe] C:\WINDOWS\system32\javacq32.exe
O4 - HKLM\..\RunOnce: [mfceh.exe] C:\WINDOWS\mfceh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
  • 0

#5
admin
Posted 12 July 2004 - 05:37 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Yeah, this one's a stubborn one. Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

O2 - BHO: (no name) - {AC744CBB-CAE9-45FF-286D-02D68E9FC988} - C:\WINDOWS\winqr.dll

O4 - HKLM\..\RunOnce: [d3lz.exe] C:\WINDOWS\d3lz.exe
O4 - HKLM\..\RunOnce: [mfceh.exe] C:\WINDOWS\mfceh.exe

Download About:Buster here: http://www.geekstogo...=download&id=25

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log.

Reboot and post a new HijackThis log along with the two reports from About:Buster.
  • 0

#6
nightcoyote
Posted 13 July 2004 - 11:08 AM

nightcoyote

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Ditto....
I think I'm getting grayer by the hour!!
Ok... I followed your last instructions.
rebooted and WHAM... right back to square 1.
So.. I followed all instructions a second time and here are most current results..
Logfile of HijackThis v1.98.0
Scan saved at 9:59:17 AM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\appzn.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\d3lz.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\whvyg.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://whvyg.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://whvyg.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\whvyg.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\whvyg.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://whvyg.dll/index.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A8DC7395-977C-69CC-84A6-109FC9AF6A43} - C:\WINDOWS\apixs.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [appzn.exe] C:\WINDOWS\appzn.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{204BC8CE-103E-463D-A576-BEACEAB83504}: NameServer = 209.221.205.2 209.221.205.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{204BC8CE-103E-463D-A576-BEACEAB8

Buster log #1

About:Buster Version 1.25
Removed! : C:\WINDOWS\clnhi.dat
Removed! : C:\WINDOWS\dpxdv.dll
Removed! : C:\WINDOWS\ttsfy.dat
Removed! : C:\WINDOWS\System32\whvyg.dll
Removed! : C:\WINDOWS\System32\ympmq.dat
Removed! : C:\WINDOWS\System32\zxkob.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Buster log #2

About:Buster Version 1.25
Removed! : C:\WINDOWS\clnhi.dat
Removed! : C:\WINDOWS\dpxdv.dll
Removed! : C:\WINDOWS\System32\zxkob.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Hmmmm.....I've just been reattacked by runsearch.com and more of the res://...browersers.....
I'm ready for your next suggestions and instructions.
nightcoyote
  • 0

#7
nightcoyote
Posted 14 July 2004 - 10:26 AM

nightcoyote

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Ditto....
I think I'm getting grayer by the hour!!
Ok... I followed your last instructions.
rebooted and WHAM... right back to square 1.
So.. I followed all instructions a second time and here are most current results..
Logfile of HijackThis v1.98.0
Scan saved at 9:59:17 AM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\appzn.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\d3lz.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\whvyg.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://whvyg.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://whvyg.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\whvyg.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\whvyg.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://whvyg.dll/index.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A8DC7395-977C-69CC-84A6-109FC9AF6A43} - C:\WINDOWS\apixs.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [appzn.exe] C:\WINDOWS\appzn.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{204BC8CE-103E-463D-A576-BEACEAB83504}: NameServer = 209.221.205.2 209.221.205.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{204BC8CE-103E-463D-A576-BEACEAB8

Buster log #1

About:Buster Version 1.25
Removed! : C:\WINDOWS\clnhi.dat
Removed! : C:\WINDOWS\dpxdv.dll
Removed! : C:\WINDOWS\ttsfy.dat
Removed! : C:\WINDOWS\System32\whvyg.dll
Removed! : C:\WINDOWS\System32\ympmq.dat
Removed! : C:\WINDOWS\System32\zxkob.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Buster log #2

About:Buster Version 1.25
Removed! : C:\WINDOWS\clnhi.dat
Removed! : C:\WINDOWS\dpxdv.dll
Removed! : C:\WINDOWS\System32\zxkob.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Well...it seems I just cannot get rid of this insidious browser problems.
What are your next suggestions and instructions.
I have run:
Ad-Aware
SpyBot
Higjack this
Buster
The cleaner
CW shredder
I'm at a loss - as these to not solve the problem.
What shall I do next???
Thanks
nightcoyote
  • 0

#8
admin
Posted 14 July 2004 - 10:44 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Download About:Buster again (it's been updated)
Download About:Buster here: http://www.geekstogo...=download&id=25

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.
  • 0

#9
nightcoyote
Posted 15 July 2004 - 10:31 AM

nightcoyote

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here goes...
While in safe mode - I ran (downloaded) Buster and HijackThis as follows....
Log #1
About:Buster Version 1.25
Removed! : C:\WINDOWS\System32\xtkjf.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Logfile of HijackThis v1.98.0
Scan saved at 9:59:17 AM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\appzn.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\d3lz.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\whvyg.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://whvyg.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://whvyg.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\whvyg.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\whvyg.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://whvyg.dll/index.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A8DC7395-977C-69CC-84A6-109FC9AF6A43} - C:\WINDOWS\apixs.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [appzn.exe] C:\WINDOWS\appzn.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{204BC8CE-103E-463D-A576-BEACEAB83504}: NameServer = 209.221.205.2 209.221.205.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{204BC8CE-103E-463D-A576-BEACEAB83504}: NameServer = 209.221.205.2 209.221.205.3

Everytime I run the sequence with Ad-aware, spybot and hijack.... I keep getting re-attacked by CoolWebSearch (among others).
I have consitantly run the programs in order, rebooted - only to be hijacked again.
Same problems....not being resolved.
I sure do appreciate your help and input.. and ready for your next instructions.
nightcoyote
  • 0

#10
admin
Posted 15 July 2004 - 11:18 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Can you zip this file and email it to me? You have a variant that hasn't been detected yet. <_<

C:\WINDOWS\apixs.dll

I'll PM you the email.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP