Jump to content
Sign in to follow this  
zamac_man

[solved]hijacked By Yahoo?

Recommended Posts

I have this games thing at the top of my IE. Sometimes when I click on a link it takes me somewhere else. I could not post this under IE, it takes me to http://worldtracker.biz/

 

Logfile of HijackThis v1.97.7

Scan saved at 9:06:05 PM, on 10/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

G:\Kaspersky\avpcc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

D:\Diskeeper\DkService.exe

G:\Kaspersky\avpm.exe

C:\WINDOWS\System32\MsPMSPSv.exe

G:\Kaspersky\avpcc.exe

G:\Hijack\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7A12A061-1396-4A68-8D0D-920618F280DA} - C:\WINDOWS\system32\nnr1yg.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - C:\Program Files\Games\tbGame.dll

O4 - HKLM\..\Run: [Zone Labs Client] "D:\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe

O4 - HKLM\..\Run: [OfficeGuard RegChecker] G:\Kaspersky\ogrc.exe

O4 - HKLM\..\Run: [AVPCC] G:\Kaspersky\avpcc.exe /wait

O4 - HKLM\..\RunOnce: [cybwr.exe] C:\WINDOWS\System32\cybwr.exe /k

O4 - HKCU\..\RunOnce: [cybwr.exe] C:\WINDOWS\System32\cybwr.exe /k

O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://mathxl.com/wizmodules/interact/inst...ActXInstall.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

===================================================================

I uninstalled the games toolbar and I still am being taken to other websites

 

I have this games thing at the top of my IE. Sometimes when I click on a link it takes me somewhere else. I could not post this under IE, it takes me to http://worldtracker.biz/

 

Logfile of HijackThis v1.97.7

Scan saved at 9:06:05 PM, on 10/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

G:\Kaspersky\avpcc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

D:\Diskeeper\DkService.exe

G:\Kaspersky\avpm.exe

C:\WINDOWS\System32\MsPMSPSv.exe

G:\Kaspersky\avpcc.exe

G:\Hijack\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7A12A061-1396-4A68-8D0D-920618F280DA} - C:\WINDOWS\system32\nnr1yg.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - C:\Program Files\Games\tbGame.dll

O4 - HKLM\..\Run: [Zone Labs Client] "D:\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe

O4 - HKLM\..\Run: [OfficeGuard RegChecker] G:\Kaspersky\ogrc.exe

O4 - HKLM\..\Run: [AVPCC] G:\Kaspersky\avpcc.exe /wait

O4 - HKLM\..\RunOnce: [cybwr.exe] C:\WINDOWS\System32\cybwr.exe /k

O4 - HKCU\..\RunOnce: [cybwr.exe] C:\WINDOWS\System32\cybwr.exe /k

O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://mathxl.com/wizmodules/interact/inst...ActXInstall.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Edited by H@ns

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.2

Scan saved at 9:57:20 AM, on 10/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

G:\Kaspersky\avpcc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

D:\Diskeeper\DkService.exe

G:\Kaspersky\avpm.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

D:\ZoneAlarm\zlclient.exe

G:\Kaspersky\avpcc.exe

C:\WINDOWS\iau.exe

C:\WINDOWS\stisvsq.exe

C:\WINDOWS\svshost.exe

C:\WINDOWS\msqdevl.exe

C:\WINDOWS\lssas.exe

C:\WINDOWS\mservice.exe

G:\Hijack\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7A12A061-1396-4A68-8D0D-920618F280DA} - C:\WINDOWS\system32\nnr1yg.dll

O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\msacmx.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Zone Labs Client] "D:\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe

O4 - HKLM\..\Run: [OfficeGuard RegChecker] G:\Kaspersky\ogrc.exe

O4 - HKLM\..\Run: [AVPCC] G:\Kaspersky\avpcc.exe /wait

O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

O4 - HKLM\..\Run: [internet Connection Wizard] stisvsq.exe

O4 - HKLM\..\Run: [Games Acceleration] svshost.exe

O4 - HKLM\..\Run: [internet Mail and News] msqdevl.exe

O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe

O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe

O4 - HKLM\..\RunOnce: [cybwr.exe] C:\WINDOWS\System32\cybwr.exe /k

O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

O4 - HKCU\..\Run: [internet Connection Wizard] stisvsq.exe

O4 - HKCU\..\Run: [Games Acceleration] svshost.exe

O4 - HKCU\..\Run: [internet Mail and News] msqdevl.exe

O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe

O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

O4 - HKCU\..\RunOnce: [cybwr.exe] C:\WINDOWS\System32\cybwr.exe /k

O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm9.chm::/file1.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://mathxl.com/wizmodules/interact/inst...ActXInstall.cab

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.2

Scan saved at 5:34:02 PM, on 10/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

D:\ZoneAlarm\zlclient.exe

G:\Kaspersky\avpcc.exe

C:\WINDOWS\iau.exe

C:\WINDOWS\stisvsq.exe

C:\WINDOWS\svshost.exe

C:\WINDOWS\msqdevl.exe

C:\WINDOWS\lssas.exe

C:\WINDOWS\mservice.exe

G:\Kaspersky\avpcc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

D:\Diskeeper\DkService.exe

G:\Kaspersky\avpm.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

G:\Hijack\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7A12A061-1396-4A68-8D0D-920618F280DA} - C:\WINDOWS\system32\nnr1yg.dll

O2 - BHO: (no name) - {C526FEDE-C11A-4E7D-BE87-C5DE65FA78D1} - C:\WINDOWS\System32\bmf.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Zone Labs Client] "D:\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [OfficeGuard RegChecker] G:\Kaspersky\ogrc.exe

O4 - HKLM\..\Run: [AVPCC] G:\Kaspersky\avpcc.exe /wait

O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

O4 - HKLM\..\Run: [internet Connection Wizard] stisvsq.exe

O4 - HKLM\..\Run: [Games Acceleration] svshost.exe

O4 - HKLM\..\Run: [internet Mail and News] msqdevl.exe

O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe

O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe

O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 4.0\THGuard.exe"

O4 - HKLM\..\RunOnce: [cybwr.exe] C:\WINDOWS\System32\cybwr.exe /k

O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

O4 - HKCU\..\Run: [internet Connection Wizard] stisvsq.exe

O4 - HKCU\..\Run: [Games Acceleration] svshost.exe

O4 - HKCU\..\Run: [internet Mail and News] msqdevl.exe

O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe

O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

O4 - HKCU\..\RunOnce: [cybwr.exe] C:\WINDOWS\System32\cybwr.exe /k

O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://mathxl.com/wizmodules/interact/inst...ActXInstall.cab

O18 - Filter: text/html - {83885F77-92E6-4408-82CC-121FB1A34351} - C:\WINDOWS\System32\bmf.dll

O18 - Filter: text/plain - {83885F77-92E6-4408-82CC-121FB1A34351} - C:\WINDOWS\System32\bmf.dll

Share this post


Link to post
Share on other sites

new log

 

Logfile of HijackThis v1.98.2

Scan saved at 6:43:31 PM, on 10/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

G:\Kaspersky\avpcc.exe

G:\Kaspersky\avpcc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

D:\Diskeeper\DkService.exe

G:\Kaspersky\avpm.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\cbk05h.exe

G:\Hijack\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7A12A061-1396-4A68-8D0D-920618F280DA} - C:\WINDOWS\system32\nnr1yg.dll

O2 - BHO: (no name) - {C526FEDE-C11A-4E7D-BE87-C5DE65FA78D1} - C:\WINDOWS\System32\bmf.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Zone Labs Client] "D:\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [OfficeGuard RegChecker] G:\Kaspersky\ogrc.exe

O4 - HKLM\..\Run: [AVPCC] G:\Kaspersky\avpcc.exe /wait

O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 4.0\THGuard.exe"

O4 - HKLM\..\RunOnce: [cybwr.exe] C:\WINDOWS\System32\cybwr.exe /k

O4 - HKCU\..\RunOnce: [cybwr.exe] C:\WINDOWS\System32\cybwr.exe /k

O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://mathxl.com/wizmodules/interact/inst...ActXInstall.cab

O18 - Filter: text/html - {83885F77-92E6-4408-82CC-121FB1A34351} - C:\WINDOWS\System32\bmf.dll

 

 

it is better but IE will not open without going through my computer. then I get lots of popups

Edited by zamac_man

Share this post


Link to post
Share on other sites

ok it looks like you have managed to get rid of some of the trojans... but you still have a nasty infection there.

 

If possible do not use IE.. everytime you open it the infection will hook deeper into your system.

 

You can try firefox, you might even prefer it!! :)

 

Then

 

Download FxAgentB.exe from this link FxAgentB.exe and save it to your desktop. After downloading, double-click the FxAgentB file to run it and the program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later. Reboot when done.

 

Next click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'.

 

Then click here to download Ad-Aware SE and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Click "Start", select "Perform Full System scan" and "Next" to start the scan. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

 

Reboot when done and post a fresh hijack log. I don't know what time zone you are on but I'm just about to start work.... I'll be back this evening ;)

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.2

Scan saved at 10:07:08 AM, on 10/26/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

G:\Kaspersky\avpcc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

D:\Diskeeper\DkService.exe

G:\Kaspersky\avpm.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\msiexec.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

D:\ZoneAlarm\zlclient.exe

G:\Kaspersky\avpcc.exe

\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

G:\Hijack\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [Zone Labs Client] "D:\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [OfficeGuard RegChecker] G:\Kaspersky\ogrc.exe

O4 - HKLM\..\Run: [AVPCC] G:\Kaspersky\avpcc.exe /wait

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://mathxl.com/wizmodules/interact/inst...ActXInstall.cab

 

 

I am using firefox but I have to use IE to do homework. When can I use it agian?

Share this post


Link to post
Share on other sites

Well the FxAgentB.exe seems to have done the trick, there isn't even anything left to clean up! :blink:

 

You can use IE again now but could you come back tomorrow after using the net for a little while and post one last hijack log with the FxAgentB log. Just so that I can be sure that you aren't re-infected.

 

Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following :

 

Spyware Blaster - It will prevent most spyware from ever being installed.

Spyware Guard - It offers realtime protection from spyware installation attempts.

IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

I also recommend reading this article written by Tony Klein How did I get infected in the first placeHow did I get infected in the first place?

Share this post


Link to post
Share on other sites

new HJT log

 

Logfile of HijackThis v1.98.2

Scan saved at 8:09:11 AM, on 10/27/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

D:\ZoneAlarm\zlclient.exe

G:\Kaspersky\avpcc.exe

G:\Kaspersky\avpcc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

D:\Diskeeper\DkService.exe

G:\Kaspersky\avpm.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

G:\Hijack\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O4 - HKLM\..\Run: [Zone Labs Client] "D:\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [OfficeGuard RegChecker] G:\Kaspersky\ogrc.exe

O4 - HKLM\..\Run: [AVPCC] G:\Kaspersky\avpcc.exe /wait

O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://mathxl.com/wizmodules/interact/inst...ActXInstall.cab

Share this post


Link to post
Share on other sites
Sign in to follow this  

×