|
|||||||||
|
|||||||||
| |||||||||
|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
Get inside! Sample the range of functionality easily built with JMSL Library for Time Series Data Analysis, Heat Maps, Portfolio Optimization, Monte Carlo Simulation, Stock Price Charting and more. Download Now! |
|
#1
July 7th, 2004, 05:49 PM
|
|||
|
|||
|
Homepage is now a search engine
I have seen all the posts of everyone helping on this subject and would love some myself. I am about to throw this thing out the window because everytime it says its fixed the page comes back up. First I need some help on how to insert hijackthis details in this post
Thanks
|
|
#2
July 7th, 2004, 07:11 PM
|
|||
|
|||
|
Hey vaio7,
Enable everything in MSCONFIG (if you have disabled anything). Go to Start > Run > msconfig > click Startup Tab > everything should have a checkmark to the left of it. Please note: this does not apply to Windows 2000 users. Download HijackThis (link below). Make sure you install HijackThis to a permanent folder such as C:\HJT\HijackThis.exe as it creates backups of what we will fix. Run the program, press Scan, after a brief pause press Save log. Notepad will open, copy and paste the entire log into your post. Do not fix anything yet, most of what's in the log is needed! Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
|
|
#3
July 8th, 2004, 01:31 PM
|
|||
|
|||
|
Tom
Thanks a million for responding. Here is the report: Logfile of HijackThis v1.97.7 Scan saved at 1:19:11 PM, on 7/8/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\JAVAJY.EXE C:\WINDOWS\SYSTEM\WINGF32.EXE C:\WINDOWS\SYSTEM\LEXBCES.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\WINWE32.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE C:\WINDOWS\SYSTEM\PRINTRAY.EXE C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE C:\VSTASCAN\VSACCESS.EXE C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE C:\PROGRAM FILES\MGI\PHOTOSUITE 8.1\PSUITE.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sfqhv.dll/sp.html#96676 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sfqhv.dll/index.html#96676 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://sfqhv.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sfqhv.dll/sp.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sfqhv.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sfqhv.dll/sp.html#96676 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O2 - BHO: (no name) - {67C14542-8CAB-B849-1F51-98CAE7FF4511} - C:\WINDOWS\SYSTEM\ADDDS.DLL O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" O4 - HKLM\..\Run: [WINWE32.EXE] C:\WINDOWS\WINWE32.EXE O4 - HKLM\..\Run: [LexStart] Lexstart.exe O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE" O4 - HKLM\..\RunServices: [CRGD32.EXE] C:\WINDOWS\CRGD32.EXE O4 - HKLM\..\RunServices: [WINGF32.EXE] C:\WINDOWS\SYSTEM\WINGF32.EXE O4 - HKLM\..\RunServices: [JAVAJY.EXE] C:\WINDOWS\JAVAJY.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe O4 - Startup: PowerReg Scheduler V3.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: AOL Toolbar (HKLM) O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/...tect/PCInfo.CAB O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab O19 - User stylesheet: (file missing) Thanks Again, Mike
|
|
#4
July 8th, 2004, 02:22 PM
|
|||
|
|||
|
Hey Mike,
Credit goes to RubberDucky for this fix! Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button. O2 - BHO: (no name) - {67C14542-8CAB-B849-1F51-98CAE7FF4511} - C:\WINDOWS\SYSTEM\ADDDS.DLL O4 - HKLM\..\Run: [WINWE32.EXE] C:\WINDOWS\WINWE32.EXE O4 - HKLM\..\RunServices: [CRGD32.EXE] C:\WINDOWS\CRGD32.EXE O4 - HKLM\..\RunServices: [WINGF32.EXE] C:\WINDOWS\SYSTEM\WINGF32.EXE O4 - HKLM\..\RunServices: [JAVAJY.EXE] C:\WINDOWS\JAVAJY.EXE Download about:Buster from either of the following locations. http://www.atribune.org/downloads/AboutBuster.zip or http://tools.zerosrealm.com/AboutBuster.zip Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!! Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log. Reboot and post a new HijackThis log along with the two reports from about:Buster. Tom
|
|
#5
July 8th, 2004, 03:49 PM
|
|||
|
|||
|
Tom,
Thanks you two. Here is the log and the final report from about:buster. HLogfile of HijackThis v1.97.7 Scan saved at 3:32:10 PM, on 7/8/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE C:\WINDOWS\SYSTEM\PRINTRAY.EXE C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\WINDOWS\WINWE32.EXE C:\WINDOWS\SYSTEM\LEXBCES.EXE C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE C:\VSTASCAN\VSACCESS.EXE C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\JAVAJY.EXE C:\WINDOWS\SYSTEM\ADDQG32.EXE C:\WINDOWS\JAVAJY.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O2 - BHO: (no name) - {74D26490-9E7F-905B-3BAA-08765509E086} - C:\WINDOWS\ATLPF32.DLL (file missing) O2 - BHO: (no name) - {086CADC8-DB28-0DA6-9AE8-E716A3654576} - C:\WINDOWS\SYSTEM\ADDDK32.DLL (file missing) O2 - BHO: (no name) - {8A3B6063-89CB-9FA5-FE92-931770E7299B} - C:\WINDOWS\D3VC.DLL (file missing) O2 - BHO: (no name) - {9CC24F8C-C090-F78B-2849-1C3653933660} - C:\WINDOWS\IELB.DLL (file missing) O2 - BHO: (no name) - {4FA3DEC1-D04D-E7B3-2CFE-A94E2B308831} - C:\WINDOWS\NTAI.DLL O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" O4 - HKLM\..\Run: [LexStart] Lexstart.exe O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [WINWE32.EXE] C:\WINDOWS\WINWE32.EXE O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE" O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [JAVAJY.EXE] C:\WINDOWS\JAVAJY.EXE O4 - HKLM\..\RunServices: [ADDQG32.EXE] C:\WINDOWS\SYSTEM\ADDQG32.EXE O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe O4 - Startup: PowerReg Scheduler V3.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: AOL Toolbar (HKLM) O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/...tect/PCInfo.CAB O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab O19 - User stylesheet: (file missing) about:Buster Version 1.25 Error Removing! : C:\WINDOWS\javajy.exe Error Removing! : C:\WINDOWS\System\wingf32.exe Attempted Clean Of Temp folder. Pages Reset... Done!
|
|
#6
July 8th, 2004, 05:34 PM
|
|||
|
|||
|
You might want to print these instructions.
Please move HijackThis into it's own folder such as C:\HJT\HijackThis.exe so it can make backups of what we fix. In case something goes wrong, we can depend on them being there. Logoff your internet connection. Close all browsers and other windows except HijackThis. Run HijackThis, place a checkmark next to the following items. Click "fix checked". O2 - BHO: (no name) - {74D26490-9E7F-905B-3BAA-08765509E086} - C:\WINDOWS\ATLPF32.DLL (file missing) O2 - BHO: (no name) - {086CADC8-DB28-0DA6-9AE8-E716A3654576} - C:\WINDOWS\SYSTEM\ADDDK32.DLL (file missing) O2 - BHO: (no name) - {8A3B6063-89CB-9FA5-FE92-931770E7299B} - C:\WINDOWS\D3VC.DLL (file missing) O2 - BHO: (no name) - {9CC24F8C-C090-F78B-2849-1C3653933660} - C:\WINDOWS\IELB.DLL (file missing) O2 - BHO: (no name) - {4FA3DEC1-D04D-E7B3-2CFE-A94E2B308831} - C:\WINDOWS\NTAI.DLL O4 - HKLM\..\Run: [WINWE32.EXE] C:\WINDOWS\WINWE32.EXE O4 - HKLM\..\RunServices: [JAVAJY.EXE] C:\WINDOWS\JAVAJY.EXE O4 - HKLM\..\RunServices: [ADDQG32.EXE] C:\WINDOWS\SYSTEM\ADDQG32.EXE Optional resource hogs... OK to have HJT fix these: O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - Startup: PowerReg Scheduler V3.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE Boot into Safe Mode. Here's instructions: http://service1.symantec.com/SUPPOR...01052409420406/ Show hidden files: How to Show hidden files and folders. http://www.xtra.co.nz/help/0,,4155-1916458,00.html Delete the following files: C:\WINDOWS\WINWE32.EXE C:\WINDOWS\JAVAJY.EXE C:\WINDOWS\SYSTEM\ADDQG32.EXE Reboot normally and post a fresh log. Tom
|
|
#7
July 9th, 2004, 05:14 PM
|
|||
|
|||
|
Hi Tom,
JAVAJY.EXE could not be deleted. A window popped up and said the specified file is being used by windows. Also I could not find ADDQG32.EXE. Logfile of HijackThis v1.97.7 Scan saved at 5:03:43 PM, on 7/9/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\JAVAJY.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE C:\WINDOWS\SYSTEM\PRINTRAY.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE C:\WINDOWS\ATLPF32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\LEXBCES.EXE C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE C:\VSTASCAN\VSACCESS.EXE C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\TEMP\TD_0006.DIR\HIJACKTHIS.EXE C:\WINDOWS\WUAUBOOT.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\smkog.dll/sp.html#96676 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://smkog.dll/index.html#96676 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://smkog.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\smkog.dll/sp.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://smkog.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\smkog.dll/sp.html#96676 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O2 - BHO: (no name) - {1538E7F0-E0B7-1772-9132-BA5EAF5F0739} - C:\WINDOWS\SYSTEM\CRJH.DLL (file missing) O2 - BHO: (no name) - {74D26490-9E7F-905B-3BAA-08765509E086} - C:\WINDOWS\ATLPF32.DLL O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" O4 - HKLM\..\Run: [LexStart] Lexstart.exe O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [ATLPF32.EXE] C:\WINDOWS\ATLPF32.EXE O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE" O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [JAVAJY.EXE] C:\WINDOWS\JAVAJY.EXE O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: AOL Toolbar (HKLM) O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/...tect/PCInfo.CAB O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab O19 - User stylesheet: (file missing)
|
|
#8
July 10th, 2004, 10:43 AM
|
|||
|
|||
|
You are reinfected! Let's go through this again and have you setup some protection right after the fix,
Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button. O2 - BHO: (no name) - {1538E7F0-E0B7-1772-9132-BA5EAF5F0739} - C:\WINDOWS\SYSTEM\CRJH.DLL (file missing) O2 - BHO: (no name) - {74D26490-9E7F-905B-3BAA-08765509E086} - C:\WINDOWS\ATLPF32.DLL O4 - HKLM\..\Run: [ATLPF32.EXE] C:\WINDOWS\ATLPF32.EXE O4 - HKLM\..\RunServices: [JAVAJY.EXE] C:\WINDOWS\JAVAJY.EXE Download about:Buster from either of the following locations. http://www.atribune.org/downloads/AboutBuster.zip or http://tools.zerosrealm.com/AboutBuster.zip Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!! Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log. Boot into Safe Mode (reboot and tap F8 key when the computer first starts up). Delete these two files: C:\WINDOWS\ATLPF32.EXE C:\WINDOWS\JAVAJY.EXE Reboot and post a new HijackThis log along with the two reports from about:Buster. While you are waiting for a response from me, please do the following to set up some protection... These are tools that will help heep you from getting infected again: SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html SpywareGuard is a real-time spyware scanner. http://www.wilderssecurity.net/spywareguard.html IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD All are very small free programs. Occasionally check for updates. Adjust your security settings for ActiveX: Go to Internet Options/Security/Internet, press 'default level', then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'. Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary.. Repeat this until you get the message "no critical updates available" http://v4.windowsupdate.microsoft.com/ Tom
|
|
#9
July 10th, 2004, 01:09 PM
|
|||
|
|||
|
Tom,
Thanks for the sites. They are all downloaded. Here's the lastest. Logfile of HijackThis v1.97.7 Scan saved at 12:57:20 PM, on 7/10/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE C:\WINDOWS\SYSTEM\PRINTRAY.EXE C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE C:\WINDOWS\SYSTEM\LEXBCES.EXE C:\WINDOWS\ATLPF32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE C:\VSTASCAN\VSACCESS.EXE C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\SYSTEM\NETHT32.EXE C:\WINDOWS\SYSTEM\NETHT32.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\TEMP\TD_0006.DIR\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O2 - BHO: (no name) - {74D26490-9E7F-905B-3BAA-08765509E086} - C:\WINDOWS\ATLPF32.DLL (file missing) O2 - BHO: (no name) - {B4C96F7A-8DBA-A271-24A8-DCA0E278A9D9} - C:\WINDOWS\D3DI.DLL O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" O4 - HKLM\..\Run: [LexStart] Lexstart.exe O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [ATLPF32.EXE] C:\WINDOWS\ATLPF32.EXE O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE" O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [NETHT32.EXE] C:\WINDOWS\SYSTEM\NETHT32.EXE O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: AOL Toolbar (HKLM) O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/...tect/PCInfo.CAB O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab O19 - User stylesheet: (file missing) about:Buster Version 1.25 Removed! : C:\WINDOWS\lrviom.dat Removed! : C:\WINDOWS\ybweaf.dat Error Removing! : C:\WINDOWS\javajy.exe Removed! : C:\WINDOWS\ntai.dll Removed! : C:\WINDOWS\iktou.dat Removed! : C:\WINDOWS\pqlvy.dll Removed! : C:\WINDOWS\atlpf32.dll Removed! : C:\WINDOWS\smkog.dll Removed! : C:\WINDOWS\System\wingf32.exe Removed! : C:\WINDOWS\System\haouk.dat Removed! : C:\WINDOWS\System\cvmlh.dll Removed! : C:\WINDOWS\System\nunwa.dat Removed! : C:\WINDOWS\System\oxytn.dat Removed! : C:\WINDOWS\System\yzntk.dat Removed! : C:\WINDOWS\System\yzntk.dll Attempted Clean Of Temp folder. Removed Uninstall Key (HSA) Removed Uninstall Key (SE) Removed Uninstall Key (SW) Pages Reset... Done! about:Buster Version 1.25 Error Removing! : C:\WINDOWS\javajy.exe Attempted Clean Of Temp folder. Pages Reset... Done!
|
|
#10
July 10th, 2004, 01:20 PM
|
|||
|
|||
|
Tom
This infection keeps duplicating itself. It works the fine and goes to my homepage after I do what you told me. However, after the first time it goes back to the hijackers page. Mike
|
|
#11
July 10th, 2004, 01:39 PM
|
|||
|
|||
|
I see that about:Buster is having problems removing javajy.exe
Error Removing! : C:\WINDOWS\javajy.exe Post a fresh log, and we'll do the fix in Safe Mode this time.
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
