
Think im going to scream ! ABCSEARCH4U ! Grr [RESOLVED]



#1 dazlia (Member, 20 posts)
Could someone please look at my HJT log file, as I'm having major problems, one of them being abcsearch4u.
It's also very slow, so if anyone spots anything else I'd really appreciate it :tazz:
Thanks in advance, don't know what we'd do without you folks ;)

Logfile of HijackThis v1.99.1
Scan saved at 12:37:59, on 16/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\program files\timbuktu pro\minitb2.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\hhjduht.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\win32.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Ahead\Nero\nero.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darren\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Darren\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\minitb2.exe"
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mxafesd] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [ksipojq] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [daotteq] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [lkaantu] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [jhsmfqr] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [mxflbks] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [mtuhhei] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [yebxphx] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [cfldbdd] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [jlrfhib] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [ocfhoae] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [eyeowsr] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [hcnagtt] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [anjvvtp] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [ahgsxfr] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [hfjfalg] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [bjjohpi] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [dqkptqs] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [utpnyph] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [uplhkoc] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [hjmrikr] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [xkboqgw] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [hwasetc] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [krgkjuk] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [qaoaaku] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [msqjbtb] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [idpofww] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [xrselkc] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [ogstsbb] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [hlxptfc] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [fjithpo] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [daasnsc] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [xpaxkcj] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [gfdeboa] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [rsgvoee] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [lwkbcxy] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [bowjjgp] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [nyhcrhr] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [vgahygn] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [fkvyyne] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [nkpagae] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [luraxdc] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [cqjthmq] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [ibginco] c:\windows\uyujvcr.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SonicWALL Global VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6F90DFC-1151-4C53-A366-9AEA3D12798A}: NameServer = 194.177.170.2,194.177.160.2
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
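The helpers read a log like the one above by eye: several Run values with random names all launching one executable dropped straight into the Windows folder, start and search pages pointing at a single unexpected host, an unknown Winsock LSP module, and services whose file is gone. As an added example (not code from this thread or from the HijackThis project), the Python below applies those same readings to a constructed sample in HijackThis 1.99 format. The rules, the three-value threshold and the EXPECTED_PAGE_HOSTS allowlist are the editor's assumptions, not anything HijackThis itself computes.

```python
"""Triage a HijackThis 1.99 log for the patterns visible in this thread.

Editor's added example, not code from the original post or from HijackThis.
The sample log is constructed to mirror the thread; the rules, thresholds
and the EXPECTED_PAGE_HOSTS allowlist are assumptions, not HJT behaviour."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a handful of lines in the same shape as the first log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/index.htm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKCU\..\Run: [mxafesd] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [ksipojq] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [daotteq] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [bjjohpi] c:\windows\uyujvcr.exe
O4 - HKCU\..\Run: [dqkptqs] c:\windows\uyujvcr.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O23 - Service: Biistr - Unknown owner - (no file)
"""

# Home/search hosts the owner actually chose (assumption for the sample).
EXPECTED_PAGE_HOSTS = {"www.msn.com", "www.google.com"}
# A legitimate program registers one Run value per executable; several
# values for one file is the thread's pattern (threshold is an assumption).
MULTI_VALUE_THRESHOLD = 3
RANDOM_NAME = re.compile(r"^[a-z]{7}$")        # e.g. mxafesd, ksipojq
WINDIR_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUN_ENTRY = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_hjt(text):
    """Yield (code, body) for every finding line; headers and blanks are skipped."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")

def executable_of(cmd):
    """Reduce a Run command to its executable path, lower-cased, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted: cut after the first .exe
        m = re.match(r"^(.*?\.exe)\b", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split()[0]
    return exe.lower()

def triage(text):
    """Apply the rules to one log and return the findings grouped by rule."""
    hijacked, orphan_services = [], []
    run_targets = defaultdict(set)               # executable -> Run value names
    unknown_lsp = set()
    for code, body in parse_hjt(text):
        if code in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            host = urlparse(value.strip()).hostname
            if host and host not in EXPECTED_PAGE_HOSTS:
                hijacked.append((key.strip(), host))
        elif code == "O4":
            m = RUN_ENTRY.match(body)
            if m:
                run_targets[executable_of(m.group("cmd"))].add(m.group("name"))
        elif code == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            unknown_lsp.add(body.split(":", 1)[1].strip().lower())
        elif code == "O23" and body.endswith("(no file)"):
            orphan_services.append(body[len("Service: "):].split(" - ")[0])
    suspicious = {}
    for exe, names in run_targets.items():
        reasons = []
        if len(names) >= MULTI_VALUE_THRESHOLD:
            reasons.append(f"{len(names)} Run values point at the same file")
        if any(RANDOM_NAME.match(n) for n in names):
            reasons.append("random-looking Run value name")
        if WINDIR_ROOT_EXE.match(exe):
            reasons.append("executable dropped directly into the Windows folder")
        if reasons:
            suspicious[exe] = reasons
    return {
        "hijacked_pages": hijacked,
        "run_targets": {exe: sorted(names) for exe, names in run_targets.items()},
        "suspicious_run_targets": suspicious,
        "unknown_lsp": sorted(unknown_lsp),
        "orphan_services": orphan_services,
    }

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, host in report["hijacked_pages"]:
        print(f"[R] {key} points at {host}")
    for exe, reasons in report["suspicious_run_targets"].items():
        print(f"[O4] {exe}: {'; '.join(reasons)}")
```

Note what the heuristics do not catch: the sample's `win32.exe` under System32 has one Run value with a plausible name and lives in a normal folder, so none of the three rules fire on it; in the thread that file was only identified by the Kaspersky scan. Log triage narrows the list of things to look at; it does not replace an on-disk scan.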
#2 TomNJ (Visiting Staff, 436 posts)
Welcome to GeeksToGo :tazz: My name is Tom. I'm working on your log; as soon as another staff member reviews it I'll post a reply. Thank you for your patience.

#3 dazlia (Topic Starter, 20 posts)
No problem Tom, thanks for keeping me informed :tazz:

#4 TomNJ (Visiting Staff, 436 posts)
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh HijackThis log.

Also, you need to run HijackThis from its own folder (c:\hjt); that way backups can be found if needed.

#5 dazlia (Topic Starter, 20 posts)
Hi Tom,
Could you check that link to the service pack again please, as it appears to be dead?

cheers

#6 TomNJ (Visiting Staff, 436 posts)
OK, try this LINK

#7 dazlia (Topic Starter, 20 posts)
Thanks Tom, I'm downloading now. I take it that you don't recommend Service Pack 2 then? I'm presuming that's why you said to download 1a? :tazz:

#8 TomNJ (Visiting Staff, 436 posts)
We do not recommend Service Pack 2 until you have SP1a installed and are sure your system is clean.

#9 dazlia (Topic Starter, 20 posts)
No problem. In the meantime, while I'm waiting for SP1a, I don't suppose you can tell me where I can download HijackThis v1.99.1, can you?
I did have it obviously when I posted my log, but some muppet at work has deleted it from my desktop for some reason.
cheers

#10 TomNJ (Visiting Staff, 436 posts)
Sure, here is the LINK
#11 dazlia (Topic Starter, 20 posts)
Cheers Tom,

I've now installed SP1a and rebooted my machine. I've downloaded HJT, placed it in a folder on my C drive called 'hjt' and ran it. Here's my new log for you :-

Logfile of HijackThis v1.99.1
Scan saved at 15:35:21, on 20/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\program files\timbuktu pro\minitb2.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\windows\hhjduht.exe
C:\Program Files\Macromedia\Director MX\Director.exe
C:\WINDOWS\System32\win32.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\minitb2.exe"
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mxafesd] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [wvbbivv] c:\windows\crehbbw.exe
O4 - HKCU\..\Run: [rcswtnp] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rlrtlxq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [avpqsnn] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [numlyag] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [cuoemsy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [itancbq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [vbpjkwi] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [svqidsr] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [ekfgujy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [tuiwhbm] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rsdyljk] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [kfrdbnp] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [tmyqxyi] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [humdnil] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [qblgsuj] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bdmeouy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bpvvidt] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rdnijrp] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [cnwowjq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [iucqovv] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [lgnvwpo] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [nbrsimm] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [waqqogf] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [illgcbc] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bsqqdil] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [kxwjhnu] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [psltspd] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [sdcoppe] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rbwlkbf] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [dxjfmaa] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [pdhhpsm] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [xvulbqq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bckkxpi] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [vyqwaig] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [huxecrv] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [iijngxy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bfqvgsq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [fvwwpfs] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [imvgtme] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [mbdrwcd] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [vnarevf] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [qavffor] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [sbtshxe] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [geuhthj] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [fmkdcgv] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [onipwku] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [oiajgvn] c:\windows\llrqbxo.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SonicWALL Global VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6F90DFC-1151-4C53-A366-9AEA3D12798A}: NameServer = 194.177.170.2,194.177.160.2
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Biistr - Unknown owner - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe

#12 TomNJ (Visiting Staff, 436 posts)
Please read this post completely; it may make it easier for you if you copy and paste it to a new text document or print it for reference later.

This will likely be a few-step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible, so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here.

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix).

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again, following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, and let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

Also I need you to do the following:

Please download LSPFix from http://www.cexx.org/lspfix.htm and run the program. Disconnect from the Internet and close all Internet Explorer windows. Check the "I know what I'm doing" button and remove all traces of [file]. Reboot.

After all that, reboot normally and please post back with how things went, as well as the logs requested and a new HijackThis log.

Good Luck

#13 dazlia (Topic Starter, 20 posts)
Hi Tom,

I've followed your instructions word for word and here are the logs, mate :-

SpSeHjfix log :-

(6/20/05 17:03:46) SPSeHjFix started v1.1.2
(6/20/05 17:03:46) OS: WinXP Service Pack 1 (5.1.2600)
(6/20/05 17:03:46) Language: english
(6/20/05 17:03:46) Win-Path: C:\WINDOWS
(6/20/05 17:03:46) System-Path: C:\WINDOWS\System32
(6/20/05 17:03:46) Temp-Path: C:\DOCUME~1\Darren\LOCALS~1\Temp\
(6/20/05 17:03:54) Disinfection started
(6/20/05 17:03:54) Bad-Dll(IEP): (not found)
(6/20/05 17:03:54) Bad-Dll(IEP) in BHO: (not found)
(6/20/05 17:03:54) UBF: 4 - UBB: 1 - UBR: 84
(6/20/05 17:03:54) UBF: 4 - UBB: 1 - UBR: 84
(6/20/05 17:03:54) Bad IE-pages: (none)
(6/20/05 17:03:54) Stealth-String not found
(6/20/05 17:03:54) Not infected->END


Kaspersky Log :-

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Monday, June 20, 2005 17:19:56
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/06/2005
Kaspersky Anti-Virus database records: 127026
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Darren\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 11465
Number of viruses found: 2
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 414 sec

Infected Object Name - Virus Name
C:\WINDOWS\baeyhtx.exe Infected: Trojan.Win32.StartPage.za
C:\WINDOWS\crehbbw.exe Infected: Trojan.Win32.StartPage.za
C:\WINDOWS\hhjduht.exe Infected: Trojan.Win32.StartPage.za
C:\WINDOWS\hxrpevn.exe Infected: Trojan.Win32.StartPage.za
C:\WINDOWS\ihjkddm.exe Infected: Trojan.Win32.StartPage.za
C:\WINDOWS\kdhgkda.exe Infected: Trojan.Win32.StartPage.za
C:\WINDOWS\llrqbxo.exe Infected: Trojan.Win32.StartPage.za
C:\WINDOWS\system32\dbmrnaaa.exe Infected: Trojan.Win32.StartPage.za
C:\WINDOWS\system32\win32.exe Infected: Trojan.Win32.Crypt.c
C:\WINDOWS\uyujvcr.exe Infected: Trojan.Win32.StartPage.za
C:\WINDOWS\yucbxyb.exe Infected: Trojan.Win32.StartPage.za

Scan process completed.


NEW HJT Log :-

Logfile of HijackThis v1.99.1
Scan saved at 17:31:43, on 20/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\program files\timbuktu pro\tb2launch.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\program files\timbuktu pro\minitb2.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\win32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Darren\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\minitb2.exe"
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mxafesd] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [wvbbivv] c:\windows\crehbbw.exe
O4 - HKCU\..\Run: [rcswtnp] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rlrtlxq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [avpqsnn] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [numlyag] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [cuoemsy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [itancbq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [vbpjkwi] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [svqidsr] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [ekfgujy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [tuiwhbm] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rsdyljk] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [kfrdbnp] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [tmyqxyi] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [humdnil] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [qblgsuj] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bdmeouy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bpvvidt] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rdnijrp] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [cnwowjq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [iucqovv] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [lgnvwpo] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [nbrsimm] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [waqqogf] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [illgcbc] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bsqqdil] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [kxwjhnu] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [psltspd] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [sdcoppe] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rbwlkbf] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [dxjfmaa] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [pdhhpsm] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [xvulbqq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bckkxpi] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [vyqwaig] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [huxecrv] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [iijngxy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bfqvgsq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [fvwwpfs] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [imvgtme] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [mbdrwcd] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [vnarevf] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [qavffor] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [sbtshxe] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [geuhthj] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [fmkdcgv] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [onipwku] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [oiajgvn] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [dwqshlt] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [qundqld] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [kyhoobi] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [edeujbj] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [katkbyn] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [dosapff] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [qronsvw] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [ehqlvrl] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [xjpqswr] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [prilvsd] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [lnrmfwj] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [nolpqgg] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [ykpimkv] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [iqxkcko] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [vtaaaul] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [nswcjxx] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [pgggtnd] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [dqduulb] c:\windows\kdhgkda.exe
O4 - HKCU\..\Run: [ebwiuys] c:\windows\kdhgkda.exe
O4 - HKCU\..\Run: [xkwyryj] c:\windows\kdhgkda.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SonicWALL Global VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6F90DFC-1151-4C53-A366-9AEA3D12798A}: NameServer = 194.177.170.2,194.177.160.2
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Biistr - Unknown owner - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe

Many thanks Tom :tazz:
#14 TomNJ (Visiting Staff, 436 posts)

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.


Run LSPfix and place a check against the "I know what I am doing" checkbox.

Highlight every instance of the following names and move them from the Keep to the Remove panel. Be sure to move nothing other than the files listed below!

flsmngr.dll

When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

Close all programs, leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
O4 - HKCU\..\Run: [mxafesd] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [wvbbivv] c:\windows\crehbbw.exe
O4 - HKCU\..\Run: [rcswtnp] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rlrtlxq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [avpqsnn] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [numlyag] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [cuoemsy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [itancbq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [vbpjkwi] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [svqidsr] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [ekfgujy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [tuiwhbm] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rsdyljk] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [kfrdbnp] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [tmyqxyi] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [humdnil] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [qblgsuj] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bdmeouy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bpvvidt] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rdnijrp] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [cnwowjq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [iucqovv] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [lgnvwpo] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [nbrsimm] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [waqqogf] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [illgcbc] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bsqqdil] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [kxwjhnu] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [psltspd] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [sdcoppe] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rbwlkbf] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [dxjfmaa] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [pdhhpsm] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [xvulbqq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bckkxpi] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [vyqwaig] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [huxecrv] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [iijngxy] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [bfqvgsq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [fvwwpfs] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [imvgtme] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [mbdrwcd] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [vnarevf] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [qavffor] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [sbtshxe] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [geuhthj] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [fmkdcgv] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [onipwku] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [oiajgvn] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [dwqshlt] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [qundqld] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [kyhoobi] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [edeujbj] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [katkbyn] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [dosapff] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [qronsvw] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [ehqlvrl] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [xjpqswr] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [prilvsd] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [lnrmfwj] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [nolpqgg] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [ykpimkv] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [iqxkcko] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [vtaaaul] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [nswcjxx] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [pgggtnd] c:\windows\llrqbxo.exe
O4 - HKCU\..\Run: [dqduulb] c:\windows\kdhgkda.exe
O4 - HKCU\..\Run: [ebwiuys] c:\windows\kdhgkda.exe
O4 - HKCU\..\Run: [xkwyryj] c:\windows\kdhgkda.exe
O23 - Service: Biistr - Unknown owner - (no file)


Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\System32\win32.exe
c:\windows\hhjduht.exe
c:\windows\crehbbw.exe
c:\windows\baeyhtx.exe
c:\windows\llrqbxo.exe
c:\windows\kdhgkda.exe
c:\windows\system32\flsmngr.dll


Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we will take another look.
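Added example, not part of the thread and not a HijackThis feature: a small Python triage script that applies the reasoning in Tom's reply to a log like the one posted (many HKCU Run values with random names launching one binary in the Windows directory, an unknown Winsock LSP, a service with no backing file, search settings pointing at a third-party host). The thresholds, the allowlists and the "seven random lowercase letters" pattern are this example's assumptions; the script only flags entries and derives the list of files to review, it deletes nothing.

```python
"""HijackThis log triage (added example, not the thread's own tool).
Applies the reply's reasoning to a log like the one posted. Thresholds, the
allowlists and the 7-random-letter pattern are assumptions, not HJT logic."""
import re
from collections import defaultdict
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$", re.M)
RUN_RE = re.compile(r"^HKCU\\\.\.\\Run: \[([^\]]+)\] \"?(.*?\.exe)", re.I)
RANDOM_NAME = re.compile(r"^[a-z]{7}$")            # e.g. [rcswtnp] -> baeyhtx.exe
WINDOWS_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
KNOWN_SYSTEM_RUN = {"ctfmon.exe"}                   # legitimate HKCU Run entry in System32
DEFAULT_SEARCH_HOSTS = ("microsoft.com", "msn.com")
# Constructed sample: a handful of lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/index.htm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mxafesd] c:\windows\hhjduht.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [rcswtnp] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [rlrtlxq] c:\windows\baeyhtx.exe
O4 - HKCU\..\Run: [avpqsnn] c:\windows\baeyhtx.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O23 - Service: Biistr - Unknown owner - (no file)
"""


def triage(log, min_shared=3):
    """Return {'findings': [(rule, detail), ...], 'files': paths to review}."""
    findings, files = [], set()
    run_targets = defaultdict(list)                 # exe path -> Run value names
    for kind, body in ENTRY_RE.findall(log):
        if kind == "O4" and (run := RUN_RE.match(body)):
            run_targets[run.group(2).lower()].append(run.group(1))
        elif kind == "O10" and body.startswith("Unknown file in Winsock LSP: "):
            path = body.split(": ", 1)[1].lower()   # HJT repeats this line per LSP slot
            findings.append(("unknown_lsp", path))
            files.add(path)
        elif kind == "O23" and body.endswith("(no file)"):
            findings.append(("service_no_file", body))
        elif kind in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            if not host.endswith(DEFAULT_SEARCH_HOSTS):
                findings.append(("search_hijack", host))
    for exe, names in run_targets.items():
        folder, _, base = exe.rpartition("\\")
        in_windows_dir = folder + "\\" in WINDOWS_DIRS and base not in KNOWN_SYSTEM_RUN
        all_random = all(RANDOM_NAME.match(n) for n in names)
        if len(names) >= min_shared:                # many Run values, one binary
            findings.append(("shared_run_target", f"{exe} referenced by {len(names)} Run values"))
        elif in_windows_dir or (all_random and RANDOM_NAME.match(base[:-4])):
            findings.append(("suspicious_run_entry", f"[{names[0]}] {exe}"))
        else:
            continue
        files.add(exe)
    return {"findings": list(dict.fromkeys(findings)), "files": sorted(files)}
```

Run on the full log from the thread, the derived file list matches the one Tom asks to be deleted in Safe Mode; on a clean machine the same heuristics should report nothing, which is the check to run before trusting them.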

#15
dazlia

dazlia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Morning Tom. Hey, progress at last, it's disappeared from my startup page... whhooo hooooo lol

Sorry about the HJT on the desktop, I'd copied it into a new folder but used the one on the desktop by mistake.

Here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 09:15:35, on 21/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\program files\timbuktu pro\tb2launch.exe
c:\program files\timbuktu pro\tb2pro.exe
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\program files\timbuktu pro\minitb2.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
C:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\minitb2.exe"
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xcgvtsk] c:\windows\oawmess.exe
O4 - HKCU\..\Run: [hlvepfl] c:\windows\oawmess.exe
O4 - HKCU\..\Run: [ubugbhp] c:\windows\oawmess.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SonicWALL Global VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6F90DFC-1151-4C53-A366-9AEA3D12798A}: NameServer = 194.177.170.2,194.177.160.2
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Biistr - Unknown owner - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe

Thanks again.