Help - Search - Members - Calendar
Full Version: Help me please, please, please
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
StargazerRN
Feb 16 2005, 07:14 PM
I've been struggling to try to get spyware off my system for days now. Can't sleep, can't eat, and I'm pulling my hair out.....I've run AdAware and Spybot S&D but they just aren't doing the trick. Here is my HJT log from this morning.

Thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 11:01:32 AM, on 2/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OFFICE51\SOINTGR.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\ACD SYSTEMS\EN\DEVDETECT.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\USBTOOLBOX\RES.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0A\AOLTRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSGI.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\MFCIH.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imcks.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {B42A7433-C8AA-0D6B-0B58-D9E2EFC95707} - C:\WINDOWS\CRAW.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Device Detector] C:\PROGRA~1\COMMON~1\ACDSYS~1\EN\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CRFE.EXE] C:\WINDOWS\SYSTEM\CRFE.EXE
O4 - HKLM\..\Run: [JAVAHO32.EXE] C:\WINDOWS\SYSTEM\JAVAHO32.EXE
O4 - HKLM\..\Run: [MFCIH.EXE] C:\WINDOWS\MFCIH.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [WINJD.EXE] C:\WINDOWS\WINJD.EXE
O4 - HKLM\..\RunServices: [JAVAKU32.EXE] C:\WINDOWS\SYSTEM\JAVAKU32.EXE
O4 - HKLM\..\RunServices: [APPPF.EXE] C:\WINDOWS\SYSTEM\APPPF.EXE
O4 - HKLM\..\RunServices: [CRRV32.EXE] C:\WINDOWS\CRRV32.EXE
O4 - HKLM\..\RunServices: [SYSPK32.EXE] C:\WINDOWS\SYSPK32.EXE
O4 - HKLM\..\RunServices: [NETSO32.EXE] C:\WINDOWS\SYSTEM\NETSO32.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [IEMW32.EXE] C:\WINDOWS\IEMW32.EXE
O4 - HKLM\..\RunServices: [IPYP32.EXE] C:\WINDOWS\IPYP32.EXE
O4 - HKLM\..\RunServices: [SDKYB32.EXE] C:\WINDOWS\SYSTEM\SDKYB32.EXE
O4 - HKLM\..\RunServices: [APISQ.EXE] C:\WINDOWS\APISQ.EXE
O4 - HKLM\..\RunServices: [WINDJ32.EXE] C:\WINDOWS\WINDJ32.EXE
O4 - HKLM\..\RunServices: [SYSRS.EXE] C:\WINDOWS\SYSRS.EXE
O4 - HKLM\..\RunServices: [MFCLA32.EXE] C:\WINDOWS\MFCLA32.EXE
O4 - HKLM\..\RunServices: [NETVH32.EXE] C:\WINDOWS\NETVH32.EXE
O4 - HKLM\..\RunServices: [APPRQ32.EXE] C:\WINDOWS\APPRQ32.EXE
O4 - HKLM\..\RunServices: [APIWS32.EXE] C:\WINDOWS\SYSTEM\APIWS32.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [CRSE.EXE] C:\WINDOWS\CRSE.EXE
O4 - HKLM\..\RunServices: [APPZB.EXE] C:\WINDOWS\SYSTEM\APPZB.EXE
O4 - HKLM\..\RunServices: [APIMF32.EXE] C:\WINDOWS\SYSTEM\APIMF32.EXE
O4 - HKLM\..\RunServices: [MFCLZ.EXE] C:\WINDOWS\SYSTEM\MFCLZ.EXE
O4 - HKLM\..\RunServices: [D3WN32.EXE] C:\WINDOWS\SYSTEM\D3WN32.EXE
O4 - HKLM\..\RunServices: [IELL32.EXE] C:\WINDOWS\SYSTEM\IELL32.EXE
O4 - HKLM\..\RunServices: [APPEI.EXE] C:\WINDOWS\SYSTEM\APPEI.EXE
O4 - HKLM\..\RunServices: [ATLZC32.EXE] C:\WINDOWS\ATLZC32.EXE
O4 - HKLM\..\RunServices: [NETHW32.EXE] C:\WINDOWS\SYSTEM\NETHW32.EXE
O4 - HKLM\..\RunServices: [SYSZG.EXE] C:\WINDOWS\SYSZG.EXE
O4 - HKLM\..\RunServices: [IELN.EXE] C:\WINDOWS\IELN.EXE
O4 - HKLM\..\RunServices: [ADDIJ32.EXE] C:\WINDOWS\SYSTEM\ADDIJ32.EXE
O4 - HKLM\..\RunServices: [ADDOB.EXE] C:\WINDOWS\SYSTEM\ADDOB.EXE
O4 - HKLM\..\RunServices: [APPZP.EXE] C:\WINDOWS\APPZP.EXE
O4 - HKLM\..\RunServices: [IEFW32.EXE] C:\WINDOWS\IEFW32.EXE
O4 - HKLM\..\RunServices: [ADDAK.EXE] C:\WINDOWS\ADDAK.EXE
O4 - HKLM\..\RunServices: [IPQX32.EXE] C:\WINDOWS\SYSTEM\IPQX32.EXE
O4 - HKLM\..\RunServices: [MSGI.EXE] C:\WINDOWS\SYSTEM\MSGI.EXE
O4 - HKLM\..\RunServices: [MFCCR.EXE] C:\WINDOWS\MFCCR.EXE
O4 - HKLM\..\RunServices: [APPAN32.EXE] C:\WINDOWS\SYSTEM\APPAN32.EXE
O4 - HKLM\..\RunServices: [ATLWK32.EXE] C:\WINDOWS\SYSTEM\ATLWK32.EXE
O4 - HKLM\..\RunServices: [APPBL.EXE] C:\WINDOWS\SYSTEM\APPBL.EXE
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE" "+b1"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Startup: TextBridge Instant Access.lnk = C:\Program Files\Plustek USA\Scanner\TBClass\bin\TBMenu.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
LoPhatPhuud
Feb 17 2005, 03:09 AM
Please take the following steps:

First, please enable viewing of hidden/system files per the instructions here: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, before we start, to be safe backup your registry.
Start --> Run --> scanregw
If you get a dialog asking if you want to backup the registry, press 'OK'
Press 'OK' when the backup is finished

IMPORTANT Be sure all browser and explorer windows are closed.

Using the Task Manager end the task on the following processes (if any are present):
Network Security Service
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service
C:\WINDOWS\SYSTEM\MSGI.EXE
C:\WINDOWS\MFCIH.EXE


Run HijackThis and place a check mark next to the following items:[b]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imcks.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imcks.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {B42A7433-C8AA-0D6B-0B58-D9E2EFC95707} - C:\WINDOWS\CRAW.DLL

O4 - HKLM\..\Run: [CRFE.EXE] C:\WINDOWS\SYSTEM\CRFE.EXE
O4 - HKLM\..\Run: [JAVAHO32.EXE] C:\WINDOWS\SYSTEM\JAVAHO32.EXE
O4 - HKLM\..\Run: [MFCIH.EXE] C:\WINDOWS\MFCIH.EXE
O4 - HKLM\..\RunServices: [WINJD.EXE] C:\WINDOWS\WINJD.EXE
O4 - HKLM\..\RunServices: [JAVAKU32.EXE] C:\WINDOWS\SYSTEM\JAVAKU32.EXE
O4 - HKLM\..\RunServices: [APPPF.EXE] C:\WINDOWS\SYSTEM\APPPF.EXE
O4 - HKLM\..\RunServices: [CRRV32.EXE] C:\WINDOWS\CRRV32.EXE
O4 - HKLM\..\RunServices: [SYSPK32.EXE] C:\WINDOWS\SYSPK32.EXE
O4 - HKLM\..\RunServices: [NETSO32.EXE] C:\WINDOWS\SYSTEM\NETSO32.EXE
O4 - HKLM\..\RunServices: [IEMW32.EXE] C:\WINDOWS\IEMW32.EXE
O4 - HKLM\..\RunServices: [IPYP32.EXE] C:\WINDOWS\IPYP32.EXE
O4 - HKLM\..\RunServices: [SDKYB32.EXE] C:\WINDOWS\SYSTEM\SDKYB32.EXE
O4 - HKLM\..\RunServices: [APISQ.EXE] C:\WINDOWS\APISQ.EXE
O4 - HKLM\..\RunServices: [WINDJ32.EXE] C:\WINDOWS\WINDJ32.EXE
O4 - HKLM\..\RunServices: [SYSRS.EXE] C:\WINDOWS\SYSRS.EXE
O4 - HKLM\..\RunServices: [MFCLA32.EXE] C:\WINDOWS\MFCLA32.EXE
O4 - HKLM\..\RunServices: [NETVH32.EXE] C:\WINDOWS\NETVH32.EXE
O4 - HKLM\..\RunServices: [APPRQ32.EXE] C:\WINDOWS\APPRQ32.EXE
O4 - HKLM\..\RunServices: [APIWS32.EXE] C:\WINDOWS\SYSTEM\APIWS32.EXE
O4 - HKLM\..\RunServices: [CRSE.EXE] C:\WINDOWS\CRSE.EXE
O4 - HKLM\..\RunServices: [APPZB.EXE] C:\WINDOWS\SYSTEM\APPZB.EXE
O4 - HKLM\..\RunServices: [APIMF32.EXE] C:\WINDOWS\SYSTEM\APIMF32.EXE
O4 - HKLM\..\RunServices: [MFCLZ.EXE] C:\WINDOWS\SYSTEM\MFCLZ.EXE
O4 - HKLM\..\RunServices: [D3WN32.EXE] C:\WINDOWS\SYSTEM\D3WN32.EXE
O4 - HKLM\..\RunServices: [IELL32.EXE] C:\WINDOWS\SYSTEM\IELL32.EXE
O4 - HKLM\..\RunServices: [APPEI.EXE] C:\WINDOWS\SYSTEM\APPEI.EXE
O4 - HKLM\..\RunServices: [ATLZC32.EXE] C:\WINDOWS\ATLZC32.EXE
O4 - HKLM\..\RunServices: [NETHW32.EXE] C:\WINDOWS\SYSTEM\NETHW32.EXE
O4 - HKLM\..\RunServices: [SYSZG.EXE] C:\WINDOWS\SYSZG.EXE
O4 - HKLM\..\RunServices: [IELN.EXE] C:\WINDOWS\IELN.EXE
O4 - HKLM\..\RunServices: [ADDIJ32.EXE] C:\WINDOWS\SYSTEM\ADDIJ32.EXE
O4 - HKLM\..\RunServices: [ADDOB.EXE] C:\WINDOWS\SYSTEM\ADDOB.EXE
O4 - HKLM\..\RunServices: [APPZP.EXE] C:\WINDOWS\APPZP.EXE
O4 - HKLM\..\RunServices: [IEFW32.EXE] C:\WINDOWS\IEFW32.EXE
O4 - HKLM\..\RunServices: [ADDAK.EXE] C:\WINDOWS\ADDAK.EXE
O4 - HKLM\..\RunServices: [IPQX32.EXE] C:\WINDOWS\SYSTEM\IPQX32.EXE
O4 - HKLM\..\RunServices: [MSGI.EXE] C:\WINDOWS\SYSTEM\MSGI.EXE
O4 - HKLM\..\RunServices: [MFCCR.EXE] C:\WINDOWS\MFCCR.EXE
O4 - HKLM\..\RunServices: [APPAN32.EXE] C:\WINDOWS\SYSTEM\APPAN32.EXE
O4 - HKLM\..\RunServices: [ATLWK32.EXE] C:\WINDOWS\SYSTEM\ATLWK32.EXE
O4 - HKLM\..\RunServices: [APPBL.EXE] C:\WINDOWS\SYSTEM\APPBL.EXE
Press 'Fix Checked'.

Exit HiJackThis.

Reboot into Safe Mode* and delete the following files: <insert R* entry dll's>
(also deleted any *.dat files with the same name as one of these *.exe files)
C:\WINDOWS\SYSTEM\MSGI.EXE
C:\WINDOWS\MFCIH.EXE
C:\WINDOWS\SYSTEM\CRFE.EXE
C:\WINDOWS\SYSTEM\JAVAHO32.EXE
C:\WINDOWS\WINJD.EXE
C:\WINDOWS\SYSTEM\JAVAKU32.EXE
C:\WINDOWS\SYSTEM\APPPF.EXE
C:\WINDOWS\CRRV32.EXE
C:\WINDOWS\SYSPK32.EXE
C:\WINDOWS\SYSTEM\NETSO32.EXE
C:\WINDOWS\IEMW32.EXE
C:\WINDOWS\IPYP32.EXE
C:\WINDOWS\SYSTEM\SDKYB32.EXE
C:\WINDOWS\APISQ.EXE
C:\WINDOWS\WINDJ32.EXE
C:\WINDOWS\SYSRS.EXE
C:\WINDOWS\MFCLA32.EXE
C:\WINDOWS\NETVH32.EXE
C:\WINDOWS\APPRQ32.EXE
C:\WINDOWS\SYSTEM\APIWS32.EXE
C:\WINDOWS\CRSE.EXE
C:\WINDOWS\SYSTEM\APPZB.EXE
C:\WINDOWS\SYSTEM\APIMF32.EXE
C:\WINDOWS\SYSTEM\MFCLZ.EXE
C:\WINDOWS\SYSTEM\D3WN32.EXE
C:\WINDOWS\SYSTEM\IELL32.EXE
C:\WINDOWS\SYSTEM\APPEI.EXE
C:\WINDOWS\ATLZC32.EXE
C:\WINDOWS\SYSTEM\NETHW32.EXE
C:\WINDOWS\SYSZG.EXE
C:\WINDOWS\IELN.EXE
C:\WINDOWS\SYSTEM\ADDIJ32.EXE
C:\WINDOWS\SYSTEM\ADDOB.EXE
C:\WINDOWS\APPZP.EXE
C:\WINDOWS\IEFW32.EXE
C:\WINDOWS\ADDAK.EXE
C:\WINDOWS\SYSTEM\IPQX32.EXE
C:\WINDOWS\SYSTEM\MSGI.EXE
C:\WINDOWS\MFCCR.EXE
C:\WINDOWS\SYSTEM\APPAN32.EXE
C:\WINDOWS\SYSTEM\ATLWK32.EXE
C:\WINDOWS\SYSTEM\APPBL.EXE


While still in Safe Mode* finish the cleanup process, please run through the rest of these steps:

Go to Start --> Run and type Regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3

If any are listed, right-click that entry in the right pane and choose Delete.

Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
and highlight Root in the Left Pane. In the right pane, look for these entries:

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3

If you find it, right-click it in the right-pane and choose delete.

If you have trouble deleting a key. Then click once on the key name (LEGACY__NS_SERVICE_ or another name that starts with LEGACY__NS_SERVICE) to highlight it. Then click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritable permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

Exit regedit, boot in Normal Mode.

To remove the remainder of the files this exploit deposits, run this Online AntiVirus scan, removing all it finds:

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com


=== Check ActiveX Settings ===
Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.


=== Replace Deleted Files ===
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.


Download the latest version of Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
(choose download from the left hand menu)

Go to: Select Full Install and choose the download location of your choice (1.7mb)
Choose Download from http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)

Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

HiJackThis version 199.1 is now available.
If you do already have it installed, download it from here:
http://209.133.47.12/~merijn/files/HijackThis.exe
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html

Run HiJackThis and post a new log in this thread.



* How to Boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406
StargazerRN
Feb 20 2005, 05:20 PM
Thanks so much for your help thus far.......

new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 9:13:13 AM, on 2/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OFFICE51\SOINTGR.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\ACD SYSTEMS\EN\DEVDETECT.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\USBTOOLBOX\RES.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0A\AOLTRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yakec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\yakec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\yakec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yakec.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\yakec.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {F56CD02D-6CC8-DFBD-3094-CE41A09D83C7} - C:\WINDOWS\IPAY32.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Device Detector] C:\PROGRA~1\COMMON~1\ACDSYS~1\EN\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MFCLB32.EXE] C:\WINDOWS\MFCLB32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SDKFH.EXE] C:\WINDOWS\SDKFH.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Startup: TextBridge Instant Access.lnk = C:\Program Files\Plustek USA\Scanner\TBClass\bin\TBMenu.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
LoPhatPhuud
Feb 20 2005, 08:50 PM
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'C:\Program Files\Hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yakec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\yakec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\yakec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\yakec.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\yakec.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {F56CD02D-6CC8-DFBD-3094-CE41A09D83C7} - C:\WINDOWS\IPAY32.DLL (file missing)

O4 - HKLM\..\Run: [MFCLB32.EXE] C:\WINDOWS\MFCLB32.EXE
O4 - HKLM\..\RunServices: [SDKFH.EXE] C:\WINDOWS\SDKFH.EXE

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be lcoated in C:\Windows\ or C:\Windows\System32\)
C:\WINDOWS\MFCLB32.EXE
C:\WINDOWS\SDKFH.EXE

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

The current version of HiJackThis is 1991. If you are not already using it please download and install the new version (199.1) from the following link: http://www.computercops.biz/downloads-file-328.html

Run HiJackThis again and post a new log in this thread.
StargazerRN
Feb 20 2005, 11:16 PM
This is my most recent HJT log - cant seem to get rid of a few no matter how hard I try ie: crazywinnings, trusted ip range

thanks again for your time and help

Logfile of HijackThis v1.99.1
Scan saved at 3:11:15 PM, on 2/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OFFICE51\SOINTGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\ACD SYSTEMS\EN\DEVDETECT.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\USBTOOLBOX\RES.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0A\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Device Detector] C:\PROGRA~1\COMMON~1\ACDSYS~1\EN\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Startup: TextBridge Instant Access.lnk = C:\Program Files\Plustek USA\Scanner\TBClass\bin\TBMenu.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
LoPhatPhuud
Feb 20 2005, 11:56 PM
First:
Download DelDomains.inf from here:

www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

When its finished your IE Zones wil lbe reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.


Second:
Run HijackThis again and post a new log in this thread.
StargazerRN
Feb 21 2005, 12:22 AM
Thanx!...




Logfile of HijackThis v1.99.1
Scan saved at 4:18:46 PM, on 2/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OFFICE51\SOINTGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\ACD SYSTEMS\EN\DEVDETECT.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\USBTOOLBOX\RES.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0A\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Device Detector] C:\PROGRA~1\COMMON~1\ACDSYS~1\EN\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Startup: TextBridge Instant Access.lnk = C:\Program Files\Plustek USA\Scanner\TBClass\bin\TBMenu.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
LoPhatPhuud
Feb 21 2005, 03:08 AM
At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and Internet Explorer. The first defense against infection is a properly patched Operating System.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:]
Select Internet Options from the Control Panels, or from Internet Explorer (Tools -> Internet Options)
Press 'default level', then OK
Now press "Custom Level."

In the ActiveX controls and plug-ins section set these options:
'Download singed ActiveX controls' - Prompt
'Download unsigned ActiveX controls' - Disable
'Initialize and script ActiveX controls not maked as safe'- Disable

(All other options accept the default)

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
c. BHODemon: http://www.definitivesolutions.com/bhodemon.htm
d. Bugoff: http://tools.zerosrealm.com/bugoff.zip

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing one of the following:
a. Microsoft AntiSpyware: http://www.microsoft.com/athome/security/s...re/default.mspx
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
c. AdAware: http://www.lavasoft.de/ Due to AdAware's recent decision to remove WhenU from its detection database, only to quickly add it back in response to public outcry I can no longer recommend this product as a first line of defense. For those interested, here is a link to discussion regarding this: http://www.dslreports.com/forum/remark,12665642~mode=flat

Use these programs to regularly scan your system for and remove many forms of spyware/malware. I recommend and use Micosoft AntiSpyware.

If you use, or plan on using, additional spyware/malware detection and/or removal programs, please check Items 8 and 9.

5. Install 'Spoofstick"
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Clean Temporary Files and Folders
Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the bottom of the fly out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.

Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

8. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

9. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

10. Alternate Browser
Consider using an alternate browser as your default. I recommend and use Firefox as my primary browser. It is still necessary to keep Internet Explorer current and protected in order to use Windows Update.


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.
StargazerRN
Feb 21 2005, 04:25 AM
Thank you, thank you, thank you for all your help - you were wonderful!! :wub:
LoPhatPhuud
Feb 21 2005, 04:39 AM
We are glad we were able to be of assistance.

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.

Everyone else having a similar issue, please launch a new topic for yourselves.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.