Hijacked can't find Invisible file help
Hi, hope someone can help me.
I have been Hijacked and have read all the forums.
But the problem seems to be tracking and deleting the invisible file that keeps creating the *.dll's.
Below is Log of Hijack
I have been meticulous in following the instructions but the problem is not resolved, as I cannot find the source file. Please have a look and advise.
Thanks
Logfile of HijackThis v1.97.7
Scan saved at 15:36:38, on 08/12/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ADDRB.EXE
C:\WINDOWS\SYSTEM\APIAB.EXE
C:\WINDOWS\ADDYE32.EXE
C:\WINDOWS\SYSTEM\IPXR.EXE
C:\WINDOWS\SDKGP.EXE
C:\WINDOWS\IPEL.EXE
C:\WINDOWS\SYSTEM\SYSVJ32.EXE
C:\WINDOWS\SYSTEM\ATLJV.EXE
C:\WINDOWS\ATLNK.EXE
C:\WINDOWS\SYSTEM\NETBH.EXE
C:\WINDOWS\NTWP32.EXE
C:\WINDOWS\SYSTEM\IPUX.EXE
C:\WINDOWS\SYSTEM\CRCI.EXE
C:\WINDOWS\SYSTEM\ATLNC32.EXE
C:\WINDOWS\SYSTEM\NETOD.EXE
C:\WINDOWS\WINCW.EXE
C:\WINDOWS\SYSTEM\IEPR.EXE
C:\WINDOWS\SYSTEM\NTJB.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\NTXZ.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AF5FDECD-1ED9-A1EC-D3B8-8211759346FD} - C:\WINDOWS\IEQV32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ADDRB.EXE] C:\WINDOWS\SYSTEM\ADDRB.EXE
O4 - HKLM\..\RunServices: [ADDYE32.EXE] C:\WINDOWS\ADDYE32.EXE
O4 - HKLM\..\RunServices: [APIAB.EXE] C:\WINDOWS\SYSTEM\APIAB.EXE
O4 - HKLM\..\RunServices: [SDKGP.EXE] C:\WINDOWS\SDKGP.EXE
O4 - HKLM\..\RunServices: [IPXR.EXE] C:\WINDOWS\SYSTEM\IPXR.EXE
O4 - HKLM\..\RunServices: [IPEL.EXE] C:\WINDOWS\IPEL.EXE
O4 - HKLM\..\RunServices: [SYSVJ32.EXE] C:\WINDOWS\SYSTEM\SYSVJ32.EXE
O4 - HKLM\..\RunServices: [ATLJV.EXE] C:\WINDOWS\SYSTEM\ATLJV.EXE
O4 - HKLM\..\RunServices: [ATLNK.EXE] C:\WINDOWS\ATLNK.EXE
O4 - HKLM\..\RunServices: [NTWP32.EXE] C:\WINDOWS\NTWP32.EXE
O4 - HKLM\..\RunServices: [NETBH.EXE] C:\WINDOWS\SYSTEM\NETBH.EXE
O4 - HKLM\..\RunServices: [CRCI.EXE] C:\WINDOWS\SYSTEM\CRCI.EXE
O4 - HKLM\..\RunServices: [IPUX.EXE] C:\WINDOWS\SYSTEM\IPUX.EXE
O4 - HKLM\..\RunServices: [ATLNC32.EXE] C:\WINDOWS\SYSTEM\ATLNC32.EXE
O4 - HKLM\..\RunServices: [NETOD.EXE] C:\WINDOWS\SYSTEM\NETOD.EXE
O4 - HKLM\..\RunServices: [WINCW.EXE] C:\WINDOWS\WINCW.EXE
O4 - HKLM\..\RunServices: [IEPR.EXE] C:\WINDOWS\SYSTEM\IEPR.EXE
O4 - HKLM\..\RunServices: [NTJB.EXE] C:\WINDOWS\SYSTEM\NTJB.EXE
O4 - HKLM\..\RunServices: [NTXZ.EXE] C:\WINDOWS\SYSTEM\NTXZ.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: EReg.lnk = C:\WINDOWS\EReg206\Reg32.exe
O4 - Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...896.4711342593
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
Hiya,
Please could you post a fresh Hijack This log (using the latest version from http://hjt.isecureit.co.uk ) along with a GetActiveService's log (see below). Once you have posted these logs, it is very important that you do not reboot your computer or logoff your account. If you do reboot or logoff, this fix will fail.
In the event that you have to reboot your PC, please edit your previous posts with new logs and also leave a note saying you have had to reboot.
ActiveServices ...
Please download GetService.zip
Extract it to a new folder in the desktop.
Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder. It will then open getservice.txt for you. getservice.txt will list all active Services.
Copy and paste the contents of getservice.txt in your next reply here.
From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.
Hi Owen
Can't run GetService.zip as I am on Win98.
As for logging on and off, I will stay logged on as long as I can, but my connection cuts out if idle.
Sorry about that, missed it. I don't mean logged onto the net, logged onto your PC I mean.
Could you please update your version of Hijack This and post a new log. Thanks.
Hi Owen
I think this is the latest version of HiJack, I downloaded it last night.
Below is an updated version of the HijackThis log.
I think this "tymup.dll" is the funny dll file, but when I delete it another file is put in its place with a different name.
Hope you can help, Thanks
Frank
Logfile of HijackThis v1.97.7
Scan saved at 19:12:04, on 08/12/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ADDRB.EXE
C:\WINDOWS\SYSTEM\APIAB.EXE
C:\WINDOWS\ADDYE32.EXE
C:\WINDOWS\SYSTEM\IPXR.EXE
C:\WINDOWS\SDKGP.EXE
C:\WINDOWS\IPEL.EXE
C:\WINDOWS\SYSTEM\SYSVJ32.EXE
C:\WINDOWS\SYSTEM\ATLJV.EXE
C:\WINDOWS\ATLNK.EXE
C:\WINDOWS\SYSTEM\NETBH.EXE
C:\WINDOWS\NTWP32.EXE
C:\WINDOWS\SYSTEM\IPUX.EXE
C:\WINDOWS\SYSTEM\CRCI.EXE
C:\WINDOWS\SYSTEM\ATLNC32.EXE
C:\WINDOWS\SYSTEM\NETOD.EXE
C:\WINDOWS\WINCW.EXE
C:\WINDOWS\SYSTEM\IEPR.EXE
C:\WINDOWS\SYSTEM\NTJB.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\NTXZ.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {43DB29D4-B055-B011-24C0-044F81AC210D} - C:\WINDOWS\ADDCF.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ADDRB.EXE] C:\WINDOWS\SYSTEM\ADDRB.EXE
O4 - HKLM\..\RunServices: [ADDYE32.EXE] C:\WINDOWS\ADDYE32.EXE
O4 - HKLM\..\RunServices: [APIAB.EXE] C:\WINDOWS\SYSTEM\APIAB.EXE
O4 - HKLM\..\RunServices: [SDKGP.EXE] C:\WINDOWS\SDKGP.EXE
O4 - HKLM\..\RunServices: [IPXR.EXE] C:\WINDOWS\SYSTEM\IPXR.EXE
O4 - HKLM\..\RunServices: [IPEL.EXE] C:\WINDOWS\IPEL.EXE
O4 - HKLM\..\RunServices: [SYSVJ32.EXE] C:\WINDOWS\SYSTEM\SYSVJ32.EXE
O4 - HKLM\..\RunServices: [ATLJV.EXE] C:\WINDOWS\SYSTEM\ATLJV.EXE
O4 - HKLM\..\RunServices: [ATLNK.EXE] C:\WINDOWS\ATLNK.EXE
O4 - HKLM\..\RunServices: [NTWP32.EXE] C:\WINDOWS\NTWP32.EXE
O4 - HKLM\..\RunServices: [NETBH.EXE] C:\WINDOWS\SYSTEM\NETBH.EXE
O4 - HKLM\..\RunServices: [CRCI.EXE] C:\WINDOWS\SYSTEM\CRCI.EXE
O4 - HKLM\..\RunServices: [IPUX.EXE] C:\WINDOWS\SYSTEM\IPUX.EXE
O4 - HKLM\..\RunServices: [ATLNC32.EXE] C:\WINDOWS\SYSTEM\ATLNC32.EXE
O4 - HKLM\..\RunServices: [NETOD.EXE] C:\WINDOWS\SYSTEM\NETOD.EXE
O4 - HKLM\..\RunServices: [WINCW.EXE] C:\WINDOWS\WINCW.EXE
O4 - HKLM\..\RunServices: [IEPR.EXE] C:\WINDOWS\SYSTEM\IEPR.EXE
O4 - HKLM\..\RunServices: [NTJB.EXE] C:\WINDOWS\SYSTEM\NTJB.EXE
O4 - HKLM\..\RunServices: [NTXZ.EXE] C:\WINDOWS\SYSTEM\NTXZ.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: EReg.lnk = C:\WINDOWS\EReg206\Reg32.exe
O4 - Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...896.4711342593
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
No, you downloaded Hijack This from a website that offers an older version. You are using 1.97.7 whereas 1.98.2 is the latest. Please download it and post a log using that version from the above address.
Hi Owen
Sorry about the older version of HiJack This, have downloaded and run the newer version. Log is below.
Thanks
Frank
Logfile of HijackThis v1.98.2
Scan saved at 19:26:49, on 08/12/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ADDRB.EXE
C:\WINDOWS\SYSTEM\APIAB.EXE
C:\WINDOWS\ADDYE32.EXE
C:\WINDOWS\SYSTEM\IPXR.EXE
C:\WINDOWS\SDKGP.EXE
C:\WINDOWS\IPEL.EXE
C:\WINDOWS\SYSTEM\SYSVJ32.EXE
C:\WINDOWS\SYSTEM\ATLJV.EXE
C:\WINDOWS\ATLNK.EXE
C:\WINDOWS\SYSTEM\NETBH.EXE
C:\WINDOWS\NTWP32.EXE
C:\WINDOWS\SYSTEM\IPUX.EXE
C:\WINDOWS\SYSTEM\CRCI.EXE
C:\WINDOWS\SYSTEM\ATLNC32.EXE
C:\WINDOWS\SYSTEM\NETOD.EXE
C:\WINDOWS\WINCW.EXE
C:\WINDOWS\SYSTEM\IEPR.EXE
C:\WINDOWS\SYSTEM\NTJB.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\NTXZ.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {9F2AC5E6-7937-6506-09F8-B406538D3B6D} - C:\WINDOWS\SYSTEM\NETTY.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ADDRB.EXE] C:\WINDOWS\SYSTEM\ADDRB.EXE
O4 - HKLM\..\RunServices: [ADDYE32.EXE] C:\WINDOWS\ADDYE32.EXE
O4 - HKLM\..\RunServices: [APIAB.EXE] C:\WINDOWS\SYSTEM\APIAB.EXE
O4 - HKLM\..\RunServices: [SDKGP.EXE] C:\WINDOWS\SDKGP.EXE
O4 - HKLM\..\RunServices: [IPXR.EXE] C:\WINDOWS\SYSTEM\IPXR.EXE
O4 - HKLM\..\RunServices: [IPEL.EXE] C:\WINDOWS\IPEL.EXE
O4 - HKLM\..\RunServices: [SYSVJ32.EXE] C:\WINDOWS\SYSTEM\SYSVJ32.EXE
O4 - HKLM\..\RunServices: [ATLJV.EXE] C:\WINDOWS\SYSTEM\ATLJV.EXE
O4 - HKLM\..\RunServices: [ATLNK.EXE] C:\WINDOWS\ATLNK.EXE
O4 - HKLM\..\RunServices: [NTWP32.EXE] C:\WINDOWS\NTWP32.EXE
O4 - HKLM\..\RunServices: [NETBH.EXE] C:\WINDOWS\SYSTEM\NETBH.EXE
O4 - HKLM\..\RunServices: [CRCI.EXE] C:\WINDOWS\SYSTEM\CRCI.EXE
O4 - HKLM\..\RunServices: [IPUX.EXE] C:\WINDOWS\SYSTEM\IPUX.EXE
O4 - HKLM\..\RunServices: [ATLNC32.EXE] C:\WINDOWS\SYSTEM\ATLNC32.EXE
O4 - HKLM\..\RunServices: [NETOD.EXE] C:\WINDOWS\SYSTEM\NETOD.EXE
O4 - HKLM\..\RunServices: [WINCW.EXE] C:\WINDOWS\WINCW.EXE
O4 - HKLM\..\RunServices: [IEPR.EXE] C:\WINDOWS\SYSTEM\IEPR.EXE
O4 - HKLM\..\RunServices: [NTJB.EXE] C:\WINDOWS\SYSTEM\NTJB.EXE
O4 - HKLM\..\RunServices: [NTXZ.EXE] C:\WINDOWS\SYSTEM\NTXZ.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: EReg.lnk = C:\WINDOWS\EReg206\Reg32.exe
O4 - Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
1. Download AboutBuster http://www.downloads.subratam.org/AboutBuster.zip
Unzip it to your desktop but don't run it yet.
2. Download Ad-aware from here. Open the Ad-aware program and near the bottom click the Check For Updates link. This will open the update manager. Follow the prompts to update your Ad-aware Reference File. Close Ad-aware for now, we will use it later.
3. You may want to print out these instructions for further reference when completing the following steps.
4. Ensure you are showing Hidden Files and Folders as per instructions here.
5. Then reboot your PC into Safe Mode. If you don't know how to do this, see here for further instructions.
6. Restart Hijack This and put a checkmark next to the following entries and click Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {9F2AC5E6-7937-6506-09F8-B406538D3B6D} - C:\WINDOWS\SYSTEM\NETTY.DLL
O4 - HKLM\..\RunServices: [ADDRB.EXE] C:\WINDOWS\SYSTEM\ADDRB.EXE
O4 - HKLM\..\RunServices: [ADDYE32.EXE] C:\WINDOWS\ADDYE32.EXE
O4 - HKLM\..\RunServices: [APIAB.EXE] C:\WINDOWS\SYSTEM\APIAB.EXE
O4 - HKLM\..\RunServices: [SDKGP.EXE] C:\WINDOWS\SDKGP.EXE
O4 - HKLM\..\RunServices: [IPXR.EXE] C:\WINDOWS\SYSTEM\IPXR.EXE
O4 - HKLM\..\RunServices: [IPEL.EXE] C:\WINDOWS\IPEL.EXE
O4 - HKLM\..\RunServices: [SYSVJ32.EXE] C:\WINDOWS\SYSTEM\SYSVJ32.EXE
O4 - HKLM\..\RunServices: [ATLJV.EXE] C:\WINDOWS\SYSTEM\ATLJV.EXE
O4 - HKLM\..\RunServices: [ATLNK.EXE] C:\WINDOWS\ATLNK.EXE
O4 - HKLM\..\RunServices: [NTWP32.EXE] C:\WINDOWS\NTWP32.EXE
O4 - HKLM\..\RunServices: [NETBH.EXE] C:\WINDOWS\SYSTEM\NETBH.EXE
O4 - HKLM\..\RunServices: [CRCI.EXE] C:\WINDOWS\SYSTEM\CRCI.EXE
O4 - HKLM\..\RunServices: [IPUX.EXE] C:\WINDOWS\SYSTEM\IPUX.EXE
O4 - HKLM\..\RunServices: [ATLNC32.EXE] C:\WINDOWS\SYSTEM\ATLNC32.EXE
O4 - HKLM\..\RunServices: [NETOD.EXE] C:\WINDOWS\SYSTEM\NETOD.EXE
O4 - HKLM\..\RunServices: [WINCW.EXE] C:\WINDOWS\WINCW.EXE
O4 - HKLM\..\RunServices: [IEPR.EXE] C:\WINDOWS\SYSTEM\IEPR.EXE
O4 - HKLM\..\RunServices: [NTJB.EXE] C:\WINDOWS\SYSTEM\NTJB.EXE
O4 - HKLM\..\RunServices: [NTXZ.EXE] C:\WINDOWS\SYSTEM\NTXZ.EXE
Then delete the following files and folders:
C:\WINDOWS\SYSTEM\NETTY.DLL
C:\WINDOWS\SYSTEM\ADDRB.EXE
C:\WINDOWS\ADDYE32.EXE
C:\WINDOWS\SYSTEM\APIAB.EXE
C:\WINDOWS\SDKGP.EXE
C:\WINDOWS\SYSTEM\IPXR.EXE
C:\WINDOWS\IPEL.EXE
C:\WINDOWS\SYSTEM\SYSVJ32.EXE
C:\WINDOWS\SYSTEM\ATLJV.EXE
C:\WINDOWS\ATLNK.EXE
C:\WINDOWS\NTWP32.EXE
C:\WINDOWS\SYSTEM\NETBH.EXE
C:\WINDOWS\SYSTEM\CRCI.EXE
C:\WINDOWS\SYSTEM\IPUX.EXE
C:\WINDOWS\SYSTEM\ATLNC32.EXE
C:\WINDOWS\SYSTEM\NETOD.EXE
C:\WINDOWS\WINCW.EXE
C:\WINDOWS\SYSTEM\IEPR.EXE
C:\WINDOWS\SYSTEM\NTJB.EXE
C:\WINDOWS\SYSTEM\NTXZ.EXE
7. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.
8. Scan with Adaware and let it remove any bad files found.
9. Download SSS from here. Run the program and on the items to clear tab select both "Temporary Files" options and the "Recycle Bin" option. Then click Clear Selected Items.
10. Reboot to normal mode
11. Download the attached DelDomains.zip file. Unzip it and inside is a file called DelDomains.inf. Right click it and select Install. You might not see anything on screen, it is a silent program.
12. Finally, pay a visit to Housecall. Scan for and remove any infected files found on your system.
Post a fresh HijackThis log and the AboutBuster report back here please.
Hi Owen
This will take me a while, I will get back to you ASAP.
Thanks so far, fingers crossed.
Frank
Post back with the appropriate "stuff" when done
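Added example, not part of the original thread and not the helper's own method: a small triage script over HijackThis log lines that flags the two patterns selected for fixing above (IE search settings pointing at `res://` inside a DLL, and RunServices values named after their own executable) and compares the BHO entries across the three posted logs to show the DLL that reappears under a new name. The heuristics and function names are assumptions made for illustration; the sample lines are copied from the logs in this thread.

```python
import re
from ntpath import basename  # Windows path rules regardless of host OS

# Constructed sample: lines copied from the three HijackThis logs in this thread.
SHARED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tymup.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.co.uk
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ADDRB.EXE] C:\WINDOWS\SYSTEM\ADDRB.EXE
O4 - HKLM\..\RunServices: [ADDYE32.EXE] C:\WINDOWS\ADDYE32.EXE
"""
LOGS = [
    SHARED + r"O2 - BHO: (no name) - {AF5FDECD-1ED9-A1EC-D3B8-8211759346FD} - C:\WINDOWS\IEQV32.DLL",
    SHARED + r"O2 - BHO: (no name) - {43DB29D4-B055-B011-24C0-044F81AC210D} - C:\WINDOWS\ADDCF.DLL",
    SHARED + r"O2 - BHO: Class - {9F2AC5E6-7937-6506-09F8-B406538D3B6D} - C:\WINDOWS\SYSTEM\NETTY.DLL",
]

ENTRY = re.compile(r"^([RO]\d+) - (.+)$")
AUTORUN = re.compile(r"^HK\w+\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
BHO = re.compile(r"^BHO: .+? - (\{[0-9A-Fa-f-]+\}) - (.+)$")


def entries(log):
    """Return (section code, body) for every R*/O* line in a log."""
    found = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def flag(log):
    """Heuristic triage (assumption): return (code, body, reason) for lines worth review."""
    hits = []
    for code, body in entries(log):
        if code in ("R0", "R1") and "= res://" in body:
            hits.append((code, body, "IE setting served from a resource inside a DLL"))
        m = AUTORUN.match(body) if code == "O4" else None
        # Autorun value whose name is simply the file name of the program it starts.
        if m and m.group(2).lower() == basename(m.group(3)).lower():
            hits.append((code, body, "autorun value named after its own executable"))
    return hits


def bho_churn(logs):
    """For each log, list BHO file paths that are not present in every log."""
    per_log = []
    for log in logs:
        seen = set()
        for code, body in entries(log):
            m = BHO.match(body) if code == "O2" else None
            if m:
                seen.add((m.group(1), m.group(2)))
        per_log.append(seen)
    stable = set.intersection(*per_log)
    return [sorted(path for _, path in seen - stable) for seen in per_log]


if __name__ == "__main__":
    for code, body, reason in flag(LOGS[0]):
        print(f"{code}: {reason}\n    {body}")
    print("BHO files that change between scans:", bho_churn(LOGS))
```

A BHO whose CLSID and file name differ in every scan, while the legitimate NAV Helper entry stays constant, matches the "another file is put in its place with a different name" behaviour described in the thread.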