Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

my log, i need to stop drwatson!

Started by Strahd , Feb 16 2005 05:31 PM

Please log in to reply

#1
Strahd

Posted 16 February 2005 - 05:31 PM

Member

Member
10 posts

this is my log....thank you! this thing's driving me nuts

Logfile of HijackThis v1.97.7
Scan saved at 3:28:55 PM, on 2/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\addhz32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\netsb.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Isaac\My Documents\File Library\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eijbv.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eijbv.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eijbv.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eijbv.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eijbv.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eijbv.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eijbv.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9CCE8035-F0FC-A804-B3E8-B513C07AA22A} - C:\WINDOWS\system32\mfcof32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [netsb.exe] C:\WINDOWS\system32\netsb.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [appou32.exe] C:\WINDOWS\system32\appou32.exe
O4 - HKLM\..\RunOnce: [sdknu32.exe] C:\WINDOWS\system32\sdknu32.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D0C15C3-883F-4ADA-8AB3-C3AAC0059B00}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BAA6772-7061-4B84-AA76-EE865E2F2A02}: NameServer = 204.238.56.12,204.238.56.46

#2
mrsw

Posted 16 February 2005 - 08:37 PM

Member

Member
10 posts

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they are still there):
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yunou.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yunou.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yunou.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yunou.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {88F772B4-1958-5B75-64B6-2055AEE7B591} - C:\WINDOWS\system32\atlof.dll
O2 - BHO: (no name) - {F3BB3EBD-FF68-CC20-A430-DD043FE93173} - C:\WINDOWS\system32\atlyx.dll
O4 - HKLM\..\Run: [mfclu32.exe] C:\WINDOWS\system32\mfclu32.exe
O4 - HKLM\..\Run: [pdjgxfkfrf] C:\WINDOWS\System32\oehopi.exe
O4 - HKLM\..\Run: [aa] C:\windows\system32\aa.exe
O4 - HKLM\..\Run: [sVGPI.exe] c:\windows\system32\sVGPI.exe
O9 - Extra button: SideFind (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\tmqwshxh.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab

Then delete the following files (if they exist):
C:\WINDOWS\yunou.dll
C:\WINDOWS\system32\atlof.dll
C:\WINDOWS\system32\atlyx.dll
C:\WINDOWS\system32\mfclu32.exe
C:\WINDOWS\System32\oehopi.exe
C:\windows\system32\aa.exe
c:\windows\system32\sVGPI.exe
C:\Program Files\Internet Explorer\tmqwshxh.exe

Reboot into normal mode (simply restart your computer as you normally would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

#3
Strahd

Posted 17 February 2005 - 11:48 AM

Member

Topic Starter
Member
10 posts

wow! I love this site! Okay, first of all though, haven't tried what you recommended. but i will! hmm...next problem...i can't open folders. that includes zip folders, which is your first recommendation. It sucks. and it only affects folders! programs will open up fine. any ideas? I downloaded about:buster to my desktop, but it wont open. so in order to fix my main problem, i think i need to fix this side problem first...imma try to open it and see what happens....hold on...i'll post this now, just in case my computer crashes...and post the results...and thank you so much for your time

#4
Strahd

Posted 17 February 2005 - 11:50 AM

Member

Topic Starter
Member
10 posts

okay...my computer's teasing me. i clicked on the zip file, and the mouse tortured me into thinking it was going to open it for about a minute, cuz it had the sandclock next to it. anyways, afterwards it paused a bit, and returned to normal, opening nothing. I hope i didn't screw myself over :tazz:

#5
mrsw

Posted 17 February 2005 - 07:14 PM

Member

Member
10 posts

Awwww yeah i had the same problem. The trick is too downlaod those pragrams and then boot in safe mode, in safe mode you will be able to open those folders fine and install and run the programs. Also, if you have windows media player 10, try removing it, i think it might be a bug with windows media player 10.

#6
Strahd

Posted 19 February 2005 - 01:01 AM

Member

Topic Starter
Member
10 posts

thank you so much for the help so far. I'm almost done. Here's my log now....

hijackthis log anyways...

Logfile of HijackThis v1.97.7
Scan saved at 10:57:02 PM, on 2/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\appou32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\netsb.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Isaac\My Documents\File Library\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B81741A-4A6F-C377-307C-927B6A169B63} - C:\WINDOWS\crid32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [netsb.exe] C:\WINDOWS\system32\netsb.exe
O4 - HKLM\..\RunOnce: [sdknu32.exe] C:\WINDOWS\system32\sdknu32.exe
O4 - HKLM\..\RunOnce: [appou32.exe] C:\WINDOWS\system32\appou32.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D0C15C3-883F-4ADA-8AB3-C3AAC0059B00}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BAA6772-7061-4B84-AA76-EE865E2F2A02}: NameServer = 204.238.56.12,204.238.56.46

also...here's that one other text that you told me to save...the about:buster log that you wanted to see when all was said and done.

Scanned at: 10:24:16 PM on: 2/18/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

ADS not scanned System(FAT)
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

the other files were not there. I didn't run the other virus programs...the online ones...cuz it said something about me not having the proper stuff for netscape, but I use mozilla. anyways, thank you so much, and now i'm going to go try and open a file. if it doesn't work still, i'll take up your suggestion of deleting windows media player 10. but if i uninstall that, what do you suggest i get to play my movies, music and such? any good recommendations? free would be best since I'm broke. thank you so much again for everything

#7
Strahd

Posted 19 February 2005 - 01:04 AM

Member

Topic Starter
Member
10 posts

hmm....it worked! I love you!!!!! I LOOOVE YOU!!!! THANK YOU SUPER SMART PERSON! I just want to say that without you I would be nothing! NOTHING! Oh god I'm feeling good now that my computer's running normal again. Thanks a bunch. If I knew who you were, I'd buy you lunch!