Can't pin down the problem...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ashera, Mar 30, 2005.

  1. Ashera

    Ashera Private E-2

    Hello! First of all, thanks for taking the time to read my post. I will say that I posted over at Tomcoyote a while ago, but getting no response, I thought I'd try over here. Normally I'd be more patient, but my Dad is itching to reformat the family computer (Win 98) and I'm hoping to avoid that if possible.

    I'm sorry if I give too much detail, but here's my situation.

    I wasn't having any problems with the old family computer until my father tried installing Quicken (an old version) about 2 weeks ago. Something he did caused a lot of junk to be installed-- too much for this old thing to handle, and it wouldn't run in anything but Safe Mode until I fiddled with things for a bit. I got several messages saying that "Msasn1.dll" was missing, so I figured a few programs trying to run needed it, but didn't have it. After putting it back into a few folders, I was able to run Spybot, and Norton came back on line. AdAware couldn't finish its scans, and caused a blue error screen. I ran Hijack this, and perhaps foolishly, went ahead and deleted a few things that just looked like junk to me. I know, that probably wasn't intelligent, but so far I've had only positive results. (Things like "Bman," and a couple of unfamiliar things with "media" in them... a few others...) Anyway, after that AdAware would run in Safe Mode, so I let it do that, found some things, deleted those... Then did a Norton scan on the C drive- that found a few things that the other programs hadn't caught. It fixed about half of the problems, and I went manually into the C drive to delete the rest. None of the problems were viruses, simply "threats" - ad stuff. I'm still having a lot of pop-ups, and things I thought I deleted keep appearing on my desktop. ("No more spyware," "Virus Hunter", etc. shortcuts...)

    I've tried running TrendMicro's online scan- it has frozen a few times, but I was able to finish 2 scans. It deleted a few trojan problems, but it's never able to get xnjgcj.exe ("Windows is using it"). Panda scan won't run. At one point I was able to run Trojan Hunter, and it found and deleted a few things, but it wasn't able to get whatever is really causing my problems. (Again, the xnjgcj.exe and 2 other .exe files.) A recent AdAware scan in safe mode found and fixed a few things, but not the few troublesome files. Spybot runs, but doesn't clear up whatever is wrong...

    I did go into my Window/System folder and delete several things- that made the number of odd icons (re)appearing on my desktop go from several to two. They reappear randomly- not always after a reboot. Sometimes after I close a program, or open one. Hm, Hijackthis is in its own folder, and I've cleaned out the temp. internet files. Some dpin file- .exe, I think, is running on startup, even though I've removed it, it returns. It was created on the day the rest of the spyware appeared. Hm.

    Sorry again about the length! I would really appreciate any advice you could share with me. Thanks again~

    --Ashera
     
  2. seaside

    seaside Corporal

    Last edited by a moderator: Mar 30, 2005
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Seaside,

    Please take note of the proper method to post the help procedures. As you can see I edited your post.


    Ashera,

    It sounds like you may have started trying to run the steps from the READ ME FIRST thread. Please complete them and if still having a problem, follow the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. Ashera

    Ashera Private E-2

    Heh. Well, yes, I did read the various sticky type threads around this forum. I told you all what I had done because by doing that I was hoping to save us both some time- you all wouldn't have to tell me to read the threads, and I wouldn't have to tell you I've read them. :)

    So. Would you really like me to post my HJT log? I've used the program before, so I am a bit familiar with it. Anyway... Do you need me to give you more details than I already have? If so, I would be happy to... Just let me know. Once again, thanks for your time.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read my message again! It said if you are still having a problem, to follow the directions supplied and post your HJT log. If you do not have any problems, we do not need a HijackThis log.
     
  6. Ashera

    Ashera Private E-2

    Oh bother, I'm sorry if I sounded like a brat. I wasn't sure if you were just relaying the "steps" to me again or if you actually wanted the log-- from what I was reading elsewhere it seemed like a sin to post it if it was not specifically asked for... Totally my mistake. Thanks for your patience with me, everyone. Anyway, here it is. I'm not sure if I was clear earlier- I did all the "tutorial" steps I could- some things wouldn't run, however, but I'm happy to try them again-- I'm still having pop-ups, error messages, a slow system, and random freezes.

    Once again, thanks for sharing your time. :)
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below something you install? Is it legit?


    O18 - Protocol: IW - {F4CB1DC2-BF71-42F5-81AB-4606998A6B56} - D:\Dani's New Stuffs\Assortment of Stuff\ImageWalker220\ImageWalkerHtml.dll
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\RMKVZR.EXE
    C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EBATESMOEMONEYMAKER0.EXE
    C:\WINDOWS\SYSTEM\XNJGCJ.EXE
    C:\WINDOWS\SYSTEM\GAH95ON6.EXE
    C:\WINDOWS\SYSTEM\SYSMONNT.EXE
    C:\WINDOWS\CALC.EXE
    C:\WINDOWS\SYSTEM\CPGAR.EXE
    C:\WINDOWS\SYSTEM\ROAT.EXE

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\PYNIX.DLL
    O2 - BHO: (no name) - {4DCB9761-20FB-372C-D58B-574046E9FDCA} - C:\WINDOWS\SYSTEM\FWPSDPKO.DLL
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\RTNEG2.DLL
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
    O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\CETKXG.exe
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rmkvzr.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\TEMP\DRTEMP\FARMMEXT.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    O4 - HKLM\..\Run: [xnjgcj] c:\windows\system\xnjgcj.exe
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\SYSTEM\gah95on6.exe
    O4 - HKCU\..\Run: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT
    O4 - HKCU\..\Run: [Ceis] C:\WINDOWS\SYSTEM\roat.exe
    O4 - Startup: dpin.exe
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\PYNIX.DLL
    C:\WINDOWS\SYSTEM\FWPSDPKO.DLL
    C:\WINDOWS\SYSTEM\RTNEG2.DLL
    C:\WINDOWS\SYSTB.DLL
    C:\WINDOWS\SYSTEM\WINUP2DATE.DLL
    C:\WINDOWS\SYSTEM\E6F1873B.DLL
    C:\WINDOWS\SYSTEM\CETKXG.exe
    C:\WINDOWS\rmkvzr.exe
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\TEMP\DRTEMP\FARMMEXT.exe
    C:\PROGRAM FILES\EBATES_MOEMONEYMAKER <--- the whole folder
    C:\WINDOWS\SYSTEM\XNJGCJ.EXE
    C:\WINDOWS\SYSTEM\GAH95ON6.EXE
    C:\WINDOWS\SYSTEM\SYSMONNT.EXE
    C:\WINDOWS\SYSTEM\CPGAR.EXE
    C:\WINDOWS\SYSTEM\ROAT.EXE
    C:\Windows\Start Menu\Programs\Startup\dpin.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
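The procedure above works from two lists derived from the same HijackThis log: entries to Fix in HJT (which only removes the registry or startup reference) and the files those entries point at, which must be deleted separately in safe mode. The following is an added example, not code from this thread or from HijackThis, that parses the line formats quoted here (R0/R1 search settings, O2/O3/O18 entries with CLSIDs, O4 Run keys and Startup items, O15 zone defaults) and derives the file-deletion list. The sample lines are taken from the logs quoted in this thread, and the Windows 98 Startup folder location is an assumption based on the path given above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: Windows 98 startup-folder location, as used in this thread
# (an "O4 - Startup:" entry names only the file, not its folder).
STARTUP_DIR = r"C:\Windows\Start Menu\Programs\Startup"

# Constructed sample: a handful of the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\PYNIX.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rmkvzr.exe
O4 - HKCU\..\Run: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT
O4 - Startup: dpin.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: IW - {F4CB1DC2-BF71-42F5-81AB-4606998A6B56} - D:\Dani's New Stuffs\Assortment of Stuff\ImageWalker220\ImageWalkerHtml.dll
"""

SECTION_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path up to the first recognised extension; spaces are allowed
# because HJT prints paths unquoted.
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\n]*?\.(?:exe|dll|cpl|dat|ini|vbs)", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
O15_RE = re.compile(r"'(\S+)' protocol is in (.+?) Zone, should be (.+?) Zone$")


@dataclass
class Entry:
    section: str          # R0, R1, O2, O4, O15, ...
    detail: str           # everything after "Oxx - "
    clsid: Optional[str]  # COM class id for BHO/toolbar/protocol entries
    path: Optional[str]   # file the entry loads or runs, if one is named
    orphaned: bool        # registry entry whose file is already gone


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; returns None for non-entry lines."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, detail = m.group(1), m.group(2)
    clsid = CLSID_RE.search(detail)
    orphaned = detail.endswith("(no file)") or detail.endswith("(file missing)")
    path_m = PATH_RE.search(detail)
    path = path_m.group(0) if path_m else None
    if path is None and section == "O4":
        if detail.startswith("Startup:"):
            # Startup-folder item: HJT prints only the file name.
            path = STARTUP_DIR + "\\" + detail.split(":", 1)[1].strip()
        elif "]" in detail:
            # Run-key command without an extension, e.g. "[SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT"
            tail = detail.split("]", 1)[1].strip()
            if DRIVE_RE.match(tail):
                path = tail.split(",", 1)[0].strip()
    return Entry(section, detail, clsid.group(0) if clsid else None, path, orphaned)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def delete_list(entries: List[Entry]) -> List[str]:
    """Files to remove by hand (in safe mode) after HJT has fixed the entries.
    Fixing an entry only drops the reference; the file itself stays on disk."""
    seen, out = set(), []
    for e in entries:
        if e.path and not e.orphaned and e.path.lower() not in seen:
            seen.add(e.path.lower())
            out.append(e.path)
    return out


def protocol_zones(entries: List[Entry]):
    """O15 ProtocolDefaults lines as (protocol, current zone, expected zone)."""
    out = []
    for e in entries:
        if e.section == "O15":
            m = O15_RE.search(e.detail)
            if m:
                out.append(m.groups())
    return out


if __name__ == "__main__":
    for p in delete_list(parse_log(SAMPLE_LOG)):
        print("delete in safe mode:", p)
```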
     
  9. Ashera

    Ashera Private E-2

    I think I did at one point, but I don't think I use it... Nope. I'll uninstall it.

    Edit: Ah, I see you've posted more. I'll read that and then edit this again accordingly.
     
  10. Ashera

    Ashera Private E-2

    Here's my most recent log. Things are much better (I didn't get popups on the boot up like I was getting before, and I also don't get them when internet explorer is open now.)

    What is Ceres? I found something like Ceres.dll and Ceres.ini when I was browsing around- both were created today. Should I have deleted them?

    Also, I didn't find C:\WINDOWS\TEMP\DRTEMP\FARMMEXT.exe-- but the temp folder did have some other stuff in it... Should I have deleted all of that? (I haven't, yet.)

    Everything else went well. Thanks for your help, chaslang.
     

    Attached Files: hjt.log (8.1 KB)
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ceres is a new problem you just picked up. It was not in your previous log. Also the RMKVZR.EXE is back as I expected. These O4 lines that have the [KavSvc] in them are difficult to remove. There are hidden processes that are restarting them. We have been seeing a bunch of these lately. I'm working on some procedures to locate the files but the problem seems to be they are randomly named.

    Looks like you missed some items I asked you to fix last time too. (like xnjgcj.exe and WINUP2DATE.DLL and dpin.exe) You must tell me if you have a problem finding files. Did you find these last time and were you able to delete them?


    Is this SLIPSTREAM WEB ACCELERATOR something you installed and use?

    Download but do not run yet: Pocket KillBox. Just extract it to its own folder for now. We will use it later.

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\RMKVZR.EXE

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O4 - HKLM\..\Run: [xnjgcj] c:\windows\system\xnjgcj.exe
    O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rmkvzr.exe
    O4 - Startup: dpin.exe

    After clicking Fix, exit HJT.

    Now Run Pocket KillBox

    Now, Copy and Paste C:\WINDOWS\rmkvzr.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES. But when your system reboots, have it boot into safe mode.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\CERES.DLL
    C:\WINDOWS\CERES.ini
    c:\windows\system\xnjgcj.exe
    C:\WINDOWS\SYSTEM\WINUP2DATE.DLL
    C:\WINDOWS\rmkvzr.exe <-- I'm double checking!! Is it back already?
    Use Windows file search to locate dpin.exe and delete it. Let me know where you find it.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  12. Ashera

    Ashera Private E-2

    Ceres is a new problem you just picked up. It was not in your previous log.

    I found it when I was using explorer to delete the items as you instructed while in safe mode. It just looked unfamiliar, so I made a note of it. I am now having Ceres popups- I had popups before, but not with "Ceres" in the title bar, like I do now. Still, I'm not yet getting the startups on boot up like I had before. Just when using IE.

    Also the RMKVZR.EXE is back as I expected. These O4 lines that have the [KavSvc] in them are difficult to remove. There are hidden processes that are restarting them. We have been seeing a bunch of these lately. I'm working on some procedures to locate the files but the problem seems to be they are randomly named.

    Good luck on your work! Sounds like a worthy quest. :)

    Looks like you missed some items I asked you to fix last time too. (like xnjgcj.exe and WINUP2DATE.DLL and dpin.exe) You must tell me if you have a problem finding files. Did you find these last time and were you able to delete them?

    I was able to find and delete xnjgcj.exe and all the winup2date files, as well as dpin.exe in the startup folder. One thing about xnjgcj.exe- When we used hjt to kill it earlier, and then I went to scan and fix-- after the scan, I just looked back in on the process tool again-- xnjgcj.exe was back. I tried killing it again, but it didn't disappear as it had earlier. Kind of odd.

    Anyway, thanks again for the help-- I'll follow the rest of your steps and get back to you in a bit.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you come back here are the steps I want you to do next before posting a new HJT log.


    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFILES Tool.Zip to its own folder - C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now also post a new HJT log.
    This will require two messages to post the three attachments.
     
  14. Ashera

    Ashera Private E-2

    Hello again!

    I deleted the following in safe mode:

    C:\WINDOWS\CERES.DLL
    C:\WINDOWS\CERES.ini
    c:\windows\system\xnjgcj.exe
    C:\WINDOWS\SYSTEM\WINUP2DATE.DLL
    C:\WINDOWS\rmkvzr.exe (Yes, it was back.)
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\abetterinternet.exe*
    C:\WINDOWS\netsync.exe*

    *You didn't tell me to delete these, so I hope I wasn't in the wrong doing it... Still, they were both created recently and I didn't install them-- so I just went ahead... So far, no ill effects from doing so. I also found "Pmhfxt.exe" which was created recently as well, however I could not delete it- some message about it being in use, or something to that effect.

    I emptied a "temp" folder in windows/system-- from the looks of it, it only had trash-- also had the farmmext folder- something I know I had deleted a few days ago... It had a bunch of other stuff, but since it was all created recently, I wasn't worried about dumping it.

    I checked off dpin.exe for fixing in HJT, and that worked... While searching for it in safe mode, however, I wasn't able to find it. I guess that's a good thing?

    Norton gives me a message about a potentially malicious script running while running Qoologic-- I'm guessing that's just the nature of the program... Or do I really have a problem? Its name was "Activesetup.vbs."

    Slipstream Web Accelerator-- yes, I think someone in my family installed that, and it was used for a while. However, I think we can get rid of it now, so I'll probably uninstall it in a bit.

    Was the Qoologic scan(?) supposed to be run in normal or safe mode? I did both, but will attach the normal mode. (The RKFiles log was created in safe mode.)

    The popups with "Ceres" in the title bar are gone now, but now there are others with the same ad content and different words in the title bar.

    Well, I hope that was everything I was supposed to do. :) Let me know if I missed something, or screwed something up. :) Thanks again for your help.
     

    Attached Files: file.txt (594 bytes), log.txt (840 bytes)
  15. Ashera

    Ashera Private E-2

    And here's the most recent HJT log... :)
     

    Attached Files: hjt.log (8.5 KB)
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you let Find-Qoologic.bat run long enough to completion and you posted the whole file? It appears to be missing some info.

    Please ONLY run and delete things I tell you to do. The steps you are doing on your own are making it difficult to provide a proper solution. While the files you deleted did need to be deleted, you can make things mutate and spread if all the related files are not found and removed at the same time. We may need to run everything over again after a reboot. We shall see. I will be posting an attempt at a fix in my next message but I'm worried about the fact that the log seemed incomplete from Find_Qoologic, plus some items that have been in your HJT log were not in your last log and we have not yet completed all the required fixes.
     
    Last edited: Apr 2, 2005
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Pocket Killbox and save it to its own folder where you can find it.

    Read thru the below steps and make sure you understand them before starting. Ask questions if you have any before starting.

    Run Killbox by double clicking on the killbox.exe file.

    Check the following boxes:

    Standard File Kill
    End Explorer Shell While Killing file

    Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box.
    C:\WINDOWS\RLUninstall.exe
    C:\WINDOWS\systb.exe
    C:\WINDOWS\qbkpu.dat
    C:\WINDOWS\AHZJN.DLL
    C:\WINDOWS\PHRTYPH.DLL
    C:\WINDOWS\NPUAR.DLL
    C:\WINDOWS\CRMBACR.EXE
    C:\WINDOWS\SYSTEM\AUNPS2.dll
    C:\WINDOWS\SYSTEM\wmconfig.cpl
    c:\windows\system\xnjgcj.exe
    C:\WINDOWS\SYSTEM\WINUP2DATE.DLL
    C:\WINDOWS\rmkvzr.exe

    With the full path to the file name in the Full Path of File to Delete textbox, the filename will appear under the box in a blue color to indicate it was found. Now Click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully deleted you will get a message of confirmation. Just click OK!
    Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

    Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
    - in Killbox select the option to Delete on Reboot
    - uncheck the option to End Explorer Shell While Killing file

    Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

    When you do enter the last file name that needs to be deleted, click Yes on the last file.
    Note: Killbox will let you know if the file does not exist.

    Okay, so now your PC should reboot.

    After the reboot run nothing else but HijackThis and select and Fix the below (some of these may not exist anymore):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL (file missing)
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [xnjgcj] c:\windows\system\xnjgcj.exe
    O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rmkvzr.exe
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    Now reboot your PC one more time and post a new HijackThis log.
     
  18. Ashera

    Ashera Private E-2

    Hm, I don't know about the Qoologic log. I'll run it again... Now nothing is shown in the text. Well, nothing found-- it still has the little "not all files found may be harmful" thing at the top. (This is after I've followed all of the steps you suggested.)

    The blue text didn't appear for winup2date w/ Killbox. The one I set to delete on reboot was xnjgcj.exe... I was able to delete the other files you mentioned. Here's my newest HJT log.
     

    Attached Files: hjt.log (7.8 KB)
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please copy the contents of the below quote box and paste into notepad. Save to your desktop as FixIE.reg.

    Please close ALL your Internet Explorer Windows - the fix will not work unless they are all closed.

    Now Double-Click fixIE.reg, a prompt will appear asking if you want to add the information into the registry. Click 'Yes'

    Now post a new HJT log (hopefully the final one)!
     
  20. Ashera

    Ashera Private E-2

    I had no difficulties while following your instructions, chaslang. Here's the most recent log. :)
     

    Attached Files: hjt.log (7.3 KB)
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  22. Ashera

    Ashera Private E-2

    Thanks for all of your help, chaslang!

    Can I ask you one last question? If it's inappropriate to do so here, just tell me and I'll ask elsewhere-- hoping that it's not, however--

    I'm just finishing my first build running XP Pro and I really don't want to use Norton. (My father is too attached to let me switch the AV on this family computer...) For my system, however, I was thinking about PCCillin-- do you think that's a good idea, or should I just go with one of the free programs you mentioned in your "protect yourself from malware" thread?

    Thanks again for sharing so much of your time in helping me.

    - Ashera
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    The free programs work well! They also have pay versions where you can get more features and support. PC-Cillin is good too. If you don't mind paying you have many good choices but I would personally stay away from Symantec and McAfee because they are becoming way too bloated. Why don't you give Avast or AVG a try for awhile and see what you think!
     
  24. Ashera

    Ashera Private E-2

    Sounds good to me. :)

    Thanks again for your advice, and take care.

    - Ashera
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Make sure you get the rest of the steps done ASAP. Especially adding a firewall.
     
