addjy.exe and more!

#1 freezefs (New Member, 4 posts)

I thought I got rid of onemoresearch, from reading another victim's account of what happened and the solution, but when I run AdAware SE, it still picks up this addjy.exe, which keeps coming back.

Also, even though I switched to Firefox, the web browser and AdAware keep crashing (mostly AdAware).

This happens whenever I scan and select the "next" button to begin removal.

This is my HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 3:56:38 PM, on 1/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {68325EC5-8249-986D-EB26-06240713F6EC} - C:\WINDOWS\apiar32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [addjy.exe] C:\WINDOWS\addjy.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106441775566
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\d3qc.exe

#2 freezefs (Topic Starter, 4 posts)

Obvious things I found in my remove programs menu were:

Home Search Assistant
Search Extender (The icon is MSN Messenger, when I got rid of it the first time it was AIM)
Shopping Wizard

#3 freezefs (Topic Starter, 4 posts)

Now it even crashes AIM (when I attempt to send a message)...
And forces many internet applications to hang when loading, including MSN Messenger, but that managed to get through.

I think I may have deleted something useful when I tried to get rid of OneMoreSearch (about:blank), but after a few restarts it was back in IE =(
Any help or suggestions would be welcome!

#4 ilago (Visiting Consultant, 363 posts)

Hi freezefs,

I notice that you don't have SP1 installed. This means you are missing a lot of critical security patches for Windows XP and Internet Explorer. You need to update to SP1 from here http://www.microsoft...p1/default.mspx and install it as soon as possible.

But we also need to remove as much of this infection as we can. So we'll go ahead with the fix for now.

Disable System Restore - you will lose all your previous restore points. Right Click the My Computer icon on the desktop and go to the System Restore tab. Put a tick in the 'Turn off System Restore on all drives' box. Click on Apply then OK.

You have a nasty About:Blank spyware infection. You need to download some tools so it can be fixed. Download these, but use them exactly as described in the following:

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Open Windows Explorer and go to Tools > Folder Options > View, and select:
*Show hidden files and folders
*Display the contents of system folders
Uncheck:
*Hide protected operating system files
During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up - after the beep. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

AboutBuster usually needs to be run twice to ensure cleaning is successful.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean up the leftovers - Do not reboot - stay in Safe Mode

Open HijackThis and click on Scan. When the scan is complete, check all the following items - if they are still there - they may not be. Then disconnect from the internet and close all open windows, including this browser window and all instant messaging - AIM, MSN Messenger and anything else that is not essential - and click on Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {68325EC5-8249-986D-EB26-06240713F6EC} - C:\WINDOWS\apiar32.dll
O4 - HKLM\..\Run: [addjy.exe] C:\WINDOWS\addjy.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\d3qc.exe


Then delete the following files (if they exist):

It's important that you find these files so they don't get a second chance to infect your system.
If you find you can't delete one for some reason - right-click and rename it by changing the extension to .old

C:\WINDOWS\apiar32.dll
C:\WINDOWS\system32\kvvhb.dll
C:\WINDOWS\addjy.exe
C:\WINDOWS\system32\d3qc.exe
C:\WINDOWS\System32\tibs3.exe

Reboot into normal mode and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.
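As an added example (not code from the thread, from HijackThis or from the helper's tools), here is a small Python triage script that parses lines in the HijackThis log format shown above and flags the same entries ilago told the user to fix. The sample log is a constructed subset of the lines posted in #1, KNOWN_BAD is copied from the delete list in #4, and the function names parse and triage are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines posted in #1 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kvvhb.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {68325EC5-8249-986D-EB26-06240713F6EC} - C:\WINDOWS\apiar32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [addjy.exe] C:\WINDOWS\addjy.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\d3qc.exe
"""
# File names from the delete list in #4: the only evidence used for O4/O23 lines,
# because an "Unknown" vendor alone proves nothing (the ATI service shows it too).
KNOWN_BAD = {"apiar32.dll", "kvvhb.dll", "addjy.exe", "d3qc.exe", "tibs3.exe"}
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)

@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]          # first drive-letter path to an .exe/.dll, if any
    reasons: List[str] = field(default_factory=list)

def parse(log: str) -> List[Entry]:
    """Keep only R*/O* lines; the header and 'Running processes' block are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = PATH_RE.search(m["body"])
            entries.append(Entry(m["sec"], m["body"], p.group(0) if p else None))
    return entries

def triage(entries: List[Entry]) -> List[Entry]:
    """Flag entries matching the about:blank hijack pattern the helper fixed in #4."""
    for e in entries:
        if e.section in ("R0", "R1") and ("res://" in e.body or e.body.endswith("about:blank")):
            e.reasons.append("IE page/search setting points at a local DLL resource or about:blank")
        if e.section == "R3" and "missing" in e.body:
            e.reasons.append("URLSearchHook removed by the hijacker")
        if e.section == "O2" and "(no name)" in e.body:
            e.reasons.append("unnamed Browser Helper Object")
        if e.path and e.path.rsplit("\\", 1)[-1].lower() in KNOWN_BAD:
            e.reasons.append("loads a file on the known-bad list: " + e.path)
    return [e for e in entries if e.reasons]
```

The paths collected from the flagged entries are exactly the five files ilago lists for deletion, while the legitimate SoundMan and ATI entries in the same log pass through unflagged.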

#5 freezefs (Topic Starter, 4 posts)

Thanks for your reply, but since the computer was new, and didn't have too much important stuff on it, I just reformatted it. ^^"

Thanks for the help, though. I now have SP2 and I'm running Norton Systemworks along with the newest Ad-aware.

But thanks anyway! :tazz: