HiJack this

  1. 26-10-2004  #1
    Michael Grant
    Michael Grant is offline Newbie

    HiJack this

    Hi,
    If you could help me with this spyware problem, I would be eternally grateful.


    Logfile of HijackThis v1.98.2
    Scan saved at 7:10:02 AM, on 10/26/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ADDUM32.EXE
    C:\WINDOWS\SDKDQ32.EXE
    C:\WINDOWS\ADDSC32.EXE
    C:\WINDOWS\ATLUA.EXE
    C:\WINDOWS\SYSTEM\SYSFG32.EXE
    C:\WINDOWS\APIMD.EXE
    C:\WINDOWS\IPSF32.EXE
    C:\WINDOWS\SYSTEM\APIWE32.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSXM.EXE
    C:\WINDOWS\CRMX.EXE
    C:\WINDOWS\SYSTEM\JAVAIJ.EXE
    C:\WINDOWS\APPEJ32.EXE
    C:\WINDOWS\MFCJW.EXE
    C:\WINDOWS\SYSTEM\APIWH.EXE
    C:\WINDOWS\APIQF.EXE
    C:\WINDOWS\SYSTEM\IPBQ32.EXE
    C:\WINDOWS\APPNF32.EXE
    C:\WINDOWS\APPMH.EXE
    C:\WINDOWS\SYSTEM\IPKR32.EXE
    C:\WINDOWS\SYSTEM\NTLN32.EXE
    C:\WINDOWS\NETJD.EXE
    C:\WINDOWS\MSLR32.EXE
    C:\WINDOWS\SYSTEM\ADDWW.EXE
    C:\WINDOWS\SYSTEM\MSOW32.EXE
    C:\WINDOWS\SYSTEM\APPZM32.EXE
    C:\WINDOWS\SYSTEM\IETR.EXE
    C:\WINDOWS\SYSTEM\JAVACL32.EXE
    C:\WINDOWS\SYSTEM\SYSYH32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MFCAQ32.EXE
    C:\WINDOWS\NTKB.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\ATLCU.EXE
    C:\WINDOWS\APILQ.EXE
    C:\WINDOWS\SYSTEM\SYSFF.EXE
    C:\WINDOWS\SYSTEM\MSDS32.EXE
    C:\WINDOWS\IPVV.EXE
    C:\WINDOWS\SYSTEM\SDKUC32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\SYSVH32.EXE
    C:\WINDOWS\SYSTEM\SMY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\ADDSC32.EXE
    C:\WINDOWS\APPNF32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\APPMH.EXE
    C:\WINDOWS\NTIS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {E91DFA37-44A8-E67B-69E8-FF78AE4FC8BD} - C:\WINDOWS\SYSTEM\ATLKV.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SYSVH32.EXE] C:\WINDOWS\SYSTEM\SYSVH32.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ADDUM32.EXE] C:\WINDOWS\SYSTEM\ADDUM32.EXE
    O4 - HKLM\..\RunServices: [ADDSC32.EXE] C:\WINDOWS\ADDSC32.EXE
    O4 - HKLM\..\RunServices: [APIWE32.EXE] C:\WINDOWS\SYSTEM\APIWE32.EXE
    O4 - HKLM\..\RunServices: [APIMD.EXE] C:\WINDOWS\APIMD.EXE
    O4 - HKLM\..\RunServices: [SDKDQ32.EXE] C:\WINDOWS\SDKDQ32.EXE
    O4 - HKLM\..\RunServices: [IPSF32.EXE] C:\WINDOWS\IPSF32.EXE
    O4 - HKLM\..\RunServices: [CRMX.EXE] C:\WINDOWS\CRMX.EXE
    O4 - HKLM\..\RunServices: [SYSFG32.EXE] C:\WINDOWS\SYSTEM\SYSFG32.EXE
    O4 - HKLM\..\RunServices: [JAVAIJ.EXE] C:\WINDOWS\SYSTEM\JAVAIJ.EXE
    O4 - HKLM\..\RunServices: [SYSXM.EXE] C:\WINDOWS\SYSXM.EXE
    O4 - HKLM\..\RunServices: [MFCJW.EXE] C:\WINDOWS\MFCJW.EXE
    O4 - HKLM\..\RunServices: [ATLUA.EXE] C:\WINDOWS\ATLUA.EXE
    O4 - HKLM\..\RunServices: [APPEJ32.EXE] C:\WINDOWS\APPEJ32.EXE
    O4 - HKLM\..\RunServices: [APIQF.EXE] C:\WINDOWS\APIQF.EXE
    O4 - HKLM\..\RunServices: [APIWH.EXE] C:\WINDOWS\SYSTEM\APIWH.EXE
    O4 - HKLM\..\RunServices: [IPBQ32.EXE] C:\WINDOWS\SYSTEM\IPBQ32.EXE
    O4 - HKLM\..\RunServices: [APPNF32.EXE] C:\WINDOWS\APPNF32.EXE
    O4 - HKLM\..\RunServices: [APPMH.EXE] C:\WINDOWS\APPMH.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [NETJD.EXE] C:\WINDOWS\NETJD.EXE
    O4 - HKLM\..\RunServices: [MSOW32.EXE] C:\WINDOWS\SYSTEM\MSOW32.EXE
    O4 - HKLM\..\RunServices: [IPKR32.EXE] C:\WINDOWS\SYSTEM\IPKR32.EXE
    O4 - HKLM\..\RunServices: [ADDWW.EXE] C:\WINDOWS\SYSTEM\ADDWW.EXE
    O4 - HKLM\..\RunServices: [NTLN32.EXE] C:\WINDOWS\SYSTEM\NTLN32.EXE
    O4 - HKLM\..\RunServices: [MSLR32.EXE] C:\WINDOWS\MSLR32.EXE
    O4 - HKLM\..\RunServices: [IETR.EXE] C:\WINDOWS\SYSTEM\IETR.EXE
    O4 - HKLM\..\RunServices: [JAVACL32.EXE] C:\WINDOWS\SYSTEM\JAVACL32.EXE
    O4 - HKLM\..\RunServices: [APPZM32.EXE] C:\WINDOWS\SYSTEM\APPZM32.EXE
    O4 - HKLM\..\RunServices: [SYSYH32.EXE] C:\WINDOWS\SYSTEM\SYSYH32.EXE
    O4 - HKLM\..\RunServices: [MFCAQ32.EXE] C:\WINDOWS\SYSTEM\MFCAQ32.EXE
    O4 - HKLM\..\RunServices: [NTKB.EXE] C:\WINDOWS\NTKB.EXE
    O4 - HKLM\..\RunServices: [APILQ.EXE] C:\WINDOWS\APILQ.EXE
    O4 - HKLM\..\RunServices: [ATLCU.EXE] C:\WINDOWS\SYSTEM\ATLCU.EXE
    O4 - HKLM\..\RunServices: [SYSFF.EXE] C:\WINDOWS\SYSTEM\SYSFF.EXE
    O4 - HKLM\..\RunServices: [MSDS32.EXE] C:\WINDOWS\SYSTEM\MSDS32.EXE
    O4 - HKLM\..\RunServices: [IPVV.EXE] C:\WINDOWS\IPVV.EXE
    O4 - HKLM\..\RunServices: [SDKUC32.EXE] C:\WINDOWS\SYSTEM\SDKUC32.EXE
    O4 - HKLM\..\RunServices: [NTIS.EXE] C:\WINDOWS\NTIS.EXE
    O4 - HKCU\..\Run: [Ftctpzzb] C:\WINDOWS\SYSTEM\smy.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
  2. 26-10-2004  #2
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    1. Download AboutBuster http://www.downloads.subratam.org/AboutBuster.zip

    Unzip it to your desktop but don't run it yet.

    2. Download Ad-aware from here. Open the Ad-aware program and near the bottom click the Check For Updates link. This will open the update manager. Follow the prompts to update your Ad-aware Reference File. Close Ad-aware for now, we will use it later.

    3. You may want to print out these instructions for further reference when completing the following steps.

    4. Ensure you are showing Hidden Files and Folders as per instructions here.

    5. Then reboot your PC into Safe Mode. If you don't know how to do this, see here for further instructions.

    6. Restart Hijack This and put a checkmark next to the following entries and click Fix Checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jjpwd.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {E91DFA37-44A8-E67B-69E8-FF78AE4FC8BD} - C:\WINDOWS\SYSTEM\ATLKV.DLL
    O4 - HKLM\..\Run: [SYSVH32.EXE] C:\WINDOWS\SYSTEM\SYSVH32.EXE
    O4 - HKLM\..\RunServices: [ADDUM32.EXE] C:\WINDOWS\SYSTEM\ADDUM32.EXE
    O4 - HKLM\..\RunServices: [ADDSC32.EXE] C:\WINDOWS\ADDSC32.EXE
    O4 - HKLM\..\RunServices: [APIWE32.EXE] C:\WINDOWS\SYSTEM\APIWE32.EXE
    O4 - HKLM\..\RunServices: [APIMD.EXE] C:\WINDOWS\APIMD.EXE
    O4 - HKLM\..\RunServices: [SDKDQ32.EXE] C:\WINDOWS\SDKDQ32.EXE
    O4 - HKLM\..\RunServices: [IPSF32.EXE] C:\WINDOWS\IPSF32.EXE
    O4 - HKLM\..\RunServices: [CRMX.EXE] C:\WINDOWS\CRMX.EXE
    O4 - HKLM\..\RunServices: [SYSFG32.EXE] C:\WINDOWS\SYSTEM\SYSFG32.EXE
    O4 - HKLM\..\RunServices: [JAVAIJ.EXE] C:\WINDOWS\SYSTEM\JAVAIJ.EXE
    O4 - HKLM\..\RunServices: [SYSXM.EXE] C:\WINDOWS\SYSXM.EXE
    O4 - HKLM\..\RunServices: [MFCJW.EXE] C:\WINDOWS\MFCJW.EXE
    O4 - HKLM\..\RunServices: [ATLUA.EXE] C:\WINDOWS\ATLUA.EXE
    O4 - HKLM\..\RunServices: [APPEJ32.EXE] C:\WINDOWS\APPEJ32.EXE
    O4 - HKLM\..\RunServices: [APIQF.EXE] C:\WINDOWS\APIQF.EXE
    O4 - HKLM\..\RunServices: [APIWH.EXE] C:\WINDOWS\SYSTEM\APIWH.EXE
    O4 - HKLM\..\RunServices: [IPBQ32.EXE] C:\WINDOWS\SYSTEM\IPBQ32.EXE
    O4 - HKLM\..\RunServices: [APPNF32.EXE] C:\WINDOWS\APPNF32.EXE
    O4 - HKLM\..\RunServices: [APPMH.EXE] C:\WINDOWS\APPMH.EXE
    O4 - HKLM\..\RunServices: [NETJD.EXE] C:\WINDOWS\NETJD.EXE
    O4 - HKLM\..\RunServices: [MSOW32.EXE] C:\WINDOWS\SYSTEM\MSOW32.EXE
    O4 - HKLM\..\RunServices: [IPKR32.EXE] C:\WINDOWS\SYSTEM\IPKR32.EXE
    O4 - HKLM\..\RunServices: [ADDWW.EXE] C:\WINDOWS\SYSTEM\ADDWW.EXE
    O4 - HKLM\..\RunServices: [NTLN32.EXE] C:\WINDOWS\SYSTEM\NTLN32.EXE
    O4 - HKLM\..\RunServices: [MSLR32.EXE] C:\WINDOWS\MSLR32.EXE
    O4 - HKLM\..\RunServices: [IETR.EXE] C:\WINDOWS\SYSTEM\IETR.EXE
    O4 - HKLM\..\RunServices: [JAVACL32.EXE] C:\WINDOWS\SYSTEM\JAVACL32.EXE
    O4 - HKLM\..\RunServices: [APPZM32.EXE] C:\WINDOWS\SYSTEM\APPZM32.EXE
    O4 - HKLM\..\RunServices: [SYSYH32.EXE] C:\WINDOWS\SYSTEM\SYSYH32.EXE
    O4 - HKLM\..\RunServices: [MFCAQ32.EXE] C:\WINDOWS\SYSTEM\MFCAQ32.EXE
    O4 - HKLM\..\RunServices: [NTKB.EXE] C:\WINDOWS\NTKB.EXE
    O4 - HKLM\..\RunServices: [APILQ.EXE] C:\WINDOWS\APILQ.EXE
    O4 - HKLM\..\RunServices: [ATLCU.EXE] C:\WINDOWS\SYSTEM\ATLCU.EXE
    O4 - HKLM\..\RunServices: [SYSFF.EXE] C:\WINDOWS\SYSTEM\SYSFF.EXE
    O4 - HKLM\..\RunServices: [MSDS32.EXE] C:\WINDOWS\SYSTEM\MSDS32.EXE
    O4 - HKLM\..\RunServices: [IPVV.EXE] C:\WINDOWS\IPVV.EXE
    O4 - HKLM\..\RunServices: [SDKUC32.EXE] C:\WINDOWS\SYSTEM\SDKUC32.EXE
    O4 - HKLM\..\RunServices: [NTIS.EXE] C:\WINDOWS\NTIS.EXE
    O4 - HKCU\..\Run: [Ftctpzzb] C:\WINDOWS\SYSTEM\smy.exe
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com

    Then delete the following files:
    C:\WINDOWS\SYSTEM\ATLKV.DLL
    C:\WINDOWS\SYSTEM\SYSVH32.EXE
    C:\WINDOWS\SYSTEM\ADDUM32.EXE
    C:\WINDOWS\ADDSC32.EXE
    C:\WINDOWS\SYSTEM\APIWE32.EXE
    C:\WINDOWS\APIMD.EXE
    C:\WINDOWS\SDKDQ32.EXE
    C:\WINDOWS\IPSF32.EXE
    C:\WINDOWS\CRMX.EXE
    C:\WINDOWS\SYSTEM\SYSFG32.EXE
    C:\WINDOWS\SYSTEM\JAVAIJ.EXE
    C:\WINDOWS\SYSXM.EXE
    C:\WINDOWS\MFCJW.EXE
    C:\WINDOWS\ATLUA.EXE
    C:\WINDOWS\APPEJ32.EXE
    C:\WINDOWS\APIQF.EXE
    C:\WINDOWS\SYSTEM\APIWH.EXE
    C:\WINDOWS\SYSTEM\IPBQ32.EXE
    C:\WINDOWS\APPNF32.EXE
    C:\WINDOWS\APPMH.EXE
    C:\WINDOWS\NETJD.EXE
    C:\WINDOWS\SYSTEM\MSOW32.EXE
    C:\WINDOWS\SYSTEM\IPKR32.EXE
    C:\WINDOWS\SYSTEM\ADDWW.EXE
    C:\WINDOWS\SYSTEM\NTLN32.EXE
    C:\WINDOWS\MSLR32.EXE
    C:\WINDOWS\SYSTEM\IETR.EXE
    C:\WINDOWS\SYSTEM\JAVACL32.EXE
    C:\WINDOWS\SYSTEM\APPZM32.EXE
    C:\WINDOWS\SYSTEM\SYSYH32.EXE
    C:\WINDOWS\SYSTEM\MFCAQ32.EXE
    C:\WINDOWS\NTKB.EXE
    C:\WINDOWS\APILQ.EXE
    C:\WINDOWS\SYSTEM\ATLCU.EXE
    C:\WINDOWS\SYSTEM\SYSFF.EXE
    C:\WINDOWS\SYSTEM\MSDS32.EXE
    C:\WINDOWS\IPVV.EXE
    C:\WINDOWS\SYSTEM\SDKUC32.EXE
    C:\WINDOWS\NTIS.EXE
    C:\WINDOWS\SYSTEM\smy.exe


    7. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

    8. Scan with Adaware and let it remove any bad files found.

    9. Download SSS from here. Run the program and on the items to clear tab select both "Temporary Files" options and the "Recycle Bin" option. Then click Clear Selected Items.

    10. Reboot to normal mode

    11. Finally, pay a visit to Housecall. Scan for and remove any infected files found on your system.

    Post a fresh HijackThis log and the AboutBuster report back here please.
+ Reply to Thread
« Trojan Downloader Onenet.E Problem | Spyware that will not go away »