hijack this log

Discussion in 'Malware Help (A Specialist Will Reply)' started by okienorygun, May 30, 2005.

  1. okienorygun

    okienorygun Private E-2

    Ok, so I am a newb to this forum. I have used and recommended the Geek site for a long time and I really enjoy the stuff I've downloaded from here. But being a download junkie I caught something I don't like (backdoor.agent.8 and startpage.ao). Here is my log file; any help will be welcome.


    Edit by chaslang: Unrequested inline log removed. Poor choice of coloring too! :eek:
     
    Last edited by a moderator: May 31, 2005
  2. okienorygun

    okienorygun Private E-2

    Oops, see, I am a newb: I didn't read the Major's directive before posting :rolleyes:. I should have looked around before I posted. Sorry.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. And they must be complete logs too. You have an HSA hijacker problem.


    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    Also, to get you started and to reduce the size of your HJT log, do the following:

    If after doing ALL of the above you still have a problem, boot into normal mode and (make sure you follow these directions; you were running HJT from the ZIP file):


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - To start reducing your current HJT log, run HijackThis and have it fix the below items:
    O4 - HKLM\..\RunOnce: [atlop32.exe] C:\WINDOWS\atlop32.exe
    O4 - HKLM\..\RunOnce: [iexf32.exe] C:\WINDOWS\system32\iexf32.exe
    O4 - HKLM\..\RunOnce: [mstu32.exe] C:\WINDOWS\system32\mstu32.exe
    O4 - HKLM\..\RunOnce: [msbz32.exe] C:\WINDOWS\msbz32.exe
    O4 - HKLM\..\RunOnce: [applv32.exe] C:\WINDOWS\system32\applv32.exe
    O4 - HKLM\..\RunOnce: [crgs.exe] C:\WINDOWS\crgs.exe
    O4 - HKLM\..\RunOnce: [winro.exe] C:\WINDOWS\system32\winro.exe
    O4 - HKLM\..\RunOnce: [ipxz.exe] C:\WINDOWS\system32\ipxz.exe
    O4 - HKLM\..\RunOnce: [d3pw32.exe] C:\WINDOWS\d3pw32.exe
    O4 - HKLM\..\RunOnce: [netlt.exe] C:\WINDOWS\system32\netlt.exe
    O4 - HKLM\..\RunOnce: [netzi.exe] C:\WINDOWS\netzi.exe
    O4 - HKLM\..\RunOnce: [sdkaa32.exe] C:\WINDOWS\sdkaa32.exe
    O4 - HKLM\..\RunOnce: [ieko.exe] C:\WINDOWS\system32\ieko.exe
    O4 - HKLM\..\RunOnce: [atlav.exe] C:\WINDOWS\system32\atlav.exe
    O4 - HKLM\..\RunOnce: [sdked32.exe] C:\WINDOWS\sdked32.exe
    O4 - HKLM\..\RunOnce: [ienq32.exe] C:\WINDOWS\ienq32.exe
    O4 - HKLM\..\RunOnce: [nettm.exe] C:\WINDOWS\nettm.exe
    O4 - HKLM\..\RunOnce: [nethb32.exe] C:\WINDOWS\system32\nethb32.exe
    O4 - HKLM\..\RunOnce: [netdw.exe] C:\WINDOWS\system32\netdw.exe
    O4 - HKLM\..\RunOnce: [msbh32.exe] C:\WINDOWS\system32\msbh32.exe
    O4 - HKLM\..\RunOnce: [ieup32.exe] C:\WINDOWS\ieup32.exe
    O4 - HKLM\..\RunOnce: [msqw.exe] C:\WINDOWS\msqw.exe
    O4 - HKLM\..\RunOnce: [sdkqo32.exe] C:\WINDOWS\system32\sdkqo32.exe
    O4 - HKLM\..\RunOnce: [sysiu32.exe] C:\WINDOWS\system32\sysiu32.exe
    O4 - HKLM\..\RunOnce: [netrt32.exe] C:\WINDOWS\netrt32.exe
    O4 - HKLM\..\RunOnce: [ipmp32.exe] C:\WINDOWS\ipmp32.exe
    O4 - HKLM\..\RunOnce: [winqi.exe] C:\WINDOWS\winqi.exe
    O4 - HKLM\..\RunOnce: [javatf.exe] C:\WINDOWS\javatf.exe
    O4 - HKLM\..\RunOnce: [d3jp32.exe] C:\WINDOWS\d3jp32.exe
    O4 - HKLM\..\RunOnce: [sdkbo32.exe] C:\WINDOWS\sdkbo32.exe
    O4 - HKLM\..\RunOnce: [appyh.exe] C:\WINDOWS\appyh.exe
    O4 - HKLM\..\RunOnce: [wintl32.exe] C:\WINDOWS\wintl32.exe
    O4 - HKLM\..\RunOnce: [winha32.exe] C:\WINDOWS\winha32.exe
    O4 - HKLM\..\RunOnce: [crwt.exe] C:\WINDOWS\crwt.exe
    O4 - HKLM\..\RunOnce: [d3uo32.exe] C:\WINDOWS\d3uo32.exe
    O4 - HKLM\..\RunOnce: [ntta.exe] C:\WINDOWS\system32\ntta.exe
    O4 - HKLM\..\RunOnce: [ippp32.exe] C:\WINDOWS\ippp32.exe
    O4 - HKLM\..\RunOnce: [ietc.exe] C:\WINDOWS\system32\ietc.exe
    O4 - HKLM\..\RunOnce: [addyg32.exe] C:\WINDOWS\system32\addyg32.exe
    O4 - HKLM\..\RunOnce: [msvi.exe] C:\WINDOWS\system32\msvi.exe
    O4 - HKLM\..\RunOnce: [ippz32.exe] C:\WINDOWS\system32\ippz32.exe
    O4 - HKLM\..\RunOnce: [d3ll32.exe] C:\WINDOWS\system32\d3ll32.exe
    O4 - HKLM\..\RunOnce: [ntdr.exe] C:\WINDOWS\system32\ntdr.exe
    O4 - HKLM\..\RunOnce: [winol32.exe] C:\WINDOWS\winol32.exe
    O4 - HKLM\..\RunOnce: [winba32.exe] C:\WINDOWS\winba32.exe
    O4 - HKLM\..\RunOnce: [appjm32.exe] C:\WINDOWS\system32\appjm32.exe
    O4 - HKLM\..\RunOnce: [windg.exe] C:\WINDOWS\system32\windg.exe
    O4 - HKLM\..\RunOnce: [mfcaw.exe] C:\WINDOWS\mfcaw.exe
    O4 - HKLM\..\RunOnce: [mfcru.exe] C:\WINDOWS\mfcru.exe
    O4 - HKLM\..\RunOnce: [iekt32.exe] C:\WINDOWS\system32\iekt32.exe
    O4 - HKLM\..\RunOnce: [netlh.exe] C:\WINDOWS\system32\netlh.exe
    O4 - HKLM\..\RunOnce: [appei32.exe] C:\WINDOWS\appei32.exe
    O4 - HKLM\..\RunOnce: [mfcpt.exe] C:\WINDOWS\mfcpt.exe
    O4 - HKLM\..\RunOnce: [atlli32.exe] C:\WINDOWS\system32\atlli32.exe
    O4 - HKLM\..\RunOnce: [d3ul32.exe] C:\WINDOWS\d3ul32.exe
    O4 - HKLM\..\RunOnce: [apics.exe] C:\WINDOWS\apics.exe
    O4 - HKLM\..\RunOnce: [atlfd32.exe] C:\WINDOWS\atlfd32.exe
    O4 - HKLM\..\RunOnce: [iekx.exe] C:\WINDOWS\system32\iekx.exe
    O4 - HKLM\..\RunOnce: [msym.exe] C:\WINDOWS\system32\msym.exe
    O4 - HKLM\..\RunOnce: [crbo.exe] C:\WINDOWS\crbo.exe
    O4 - HKLM\..\RunOnce: [mfcol32.exe] C:\WINDOWS\mfcol32.exe
    O4 - HKLM\..\RunOnce: [sdkmu32.exe] C:\WINDOWS\system32\sdkmu32.exe
    O4 - HKLM\..\RunOnce: [d3ck.exe] C:\WINDOWS\d3ck.exe
    O4 - HKLM\..\RunOnce: [msgx32.exe] C:\WINDOWS\msgx32.exe
    O4 - HKLM\..\RunOnce: [msii.exe] C:\WINDOWS\msii.exe
    O4 - HKLM\..\RunOnce: [mfcrn32.exe] C:\WINDOWS\mfcrn32.exe
    O4 - HKLM\..\RunOnce: [msmb32.exe] C:\WINDOWS\system32\msmb32.exe
    O4 - HKLM\..\RunOnce: [sysaw.exe] C:\WINDOWS\sysaw.exe
    O4 - HKLM\..\RunOnce: [ieju.exe] C:\WINDOWS\system32\ieju.exe
    O4 - HKLM\..\RunOnce: [addxc32.exe] C:\WINDOWS\addxc32.exe
    O4 - HKLM\..\RunOnce: [addkx32.exe] C:\WINDOWS\system32\addkx32.exe
    O4 - HKLM\..\RunOnce: [d3hl.exe] C:\WINDOWS\d3hl.exe
    O4 - HKLM\..\RunOnce: [apigj.exe] C:\WINDOWS\apigj.exe
    O4 - HKLM\..\RunOnce: [ipul32.exe] C:\WINDOWS\ipul32.exe
    O4 - HKLM\..\RunOnce: [ieox32.exe] C:\WINDOWS\system32\ieox32.exe
    O4 - HKLM\..\RunOnce: [atlzv.exe] C:\WINDOWS\system32\atlzv.exe
    O4 - HKLM\..\RunOnce: [javauh.exe] C:\WINDOWS\system32\javauh.exe
    O4 - HKLM\..\RunOnce: [mfcbu32.exe] C:\WINDOWS\system32\mfcbu32.exe
    O4 - HKLM\..\RunOnce: [apibc32.exe] C:\WINDOWS\apibc32.exe
    O4 - HKLM\..\RunOnce: [apiqf.exe] C:\WINDOWS\apiqf.exe
    O4 - HKLM\..\RunOnce: [ienv32.exe] C:\WINDOWS\system32\ienv32.exe
    O4 - HKLM\..\RunOnce: [apiso32.exe] C:\WINDOWS\system32\apiso32.exe
    O4 - HKLM\..\RunOnce: [javadn.exe] C:\WINDOWS\javadn.exe
    O4 - HKLM\..\RunOnce: [atlsl.exe] C:\WINDOWS\system32\atlsl.exe
    O4 - HKLM\..\RunOnce: [mfcwe32.exe] C:\WINDOWS\system32\mfcwe32.exe
    O4 - HKLM\..\RunOnce: [ntai.exe] C:\WINDOWS\ntai.exe
    O4 - HKLM\..\RunOnce: [addbo.exe] C:\WINDOWS\system32\addbo.exe
    O4 - HKLM\..\RunOnce: [ieko32.exe] C:\WINDOWS\ieko32.exe
    O4 - HKLM\..\RunOnce: [ntla32.exe] C:\WINDOWS\system32\ntla32.exe
    O4 - HKLM\..\RunOnce: [iptu.exe] C:\WINDOWS\system32\iptu.exe
    O4 - HKLM\..\RunOnce: [apiuv.exe] C:\WINDOWS\apiuv.exe
    O4 - HKLM\..\RunOnce: [mfcna.exe] C:\WINDOWS\mfcna.exe
    O4 - HKLM\..\RunOnce: [addsk32.exe] C:\WINDOWS\system32\addsk32.exe
    O4 - HKLM\..\RunOnce: [crio32.exe] C:\WINDOWS\system32\crio32.exe
    O4 - HKLM\..\RunOnce: [sdkdy32.exe] C:\WINDOWS\sdkdy32.exe
    O4 - HKLM\..\RunOnce: [syscj32.exe] C:\WINDOWS\system32\syscj32.exe
    O4 - HKLM\..\RunOnce: [apifa32.exe] C:\WINDOWS\apifa32.exe
    O4 - HKLM\..\RunOnce: [atlbc32.exe] C:\WINDOWS\system32\atlbc32.exe
    O4 - HKLM\..\RunOnce: [ipfg.exe] C:\WINDOWS\system32\ipfg.exe
    O4 - HKLM\..\RunOnce: [applq32.exe] C:\WINDOWS\applq32.exe
    O4 - HKLM\..\RunOnce: [msjq.exe] C:\WINDOWS\msjq.exe
    O4 - HKLM\..\RunOnce: [atlnf32.exe] C:\WINDOWS\system32\atlnf32.exe
    O4 - HKLM\..\RunOnce: [nthf32.exe] C:\WINDOWS\system32\nthf32.exe
    O4 - HKLM\..\RunOnce: [cruc.exe] C:\WINDOWS\system32\cruc.exe
    O4 - HKLM\..\RunOnce: [netzw32.exe] C:\WINDOWS\netzw32.exe
    O4 - HKLM\..\RunOnce: [mfcsw32.exe] C:\WINDOWS\system32\mfcsw32.exe
    O4 - HKLM\..\RunOnce: [netrm32.exe] C:\WINDOWS\netrm32.exe
    O4 - HKLM\..\RunOnce: [sdkxl.exe] C:\WINDOWS\system32\sdkxl.exe
    O4 - HKLM\..\RunOnce: [ieqh.exe] C:\WINDOWS\ieqh.exe
    O4 - HKLM\..\RunOnce: [d3nc.exe] C:\WINDOWS\d3nc.exe
    O4 - HKLM\..\RunOnce: [netcv32.exe] C:\WINDOWS\system32\netcv32.exe
    O4 - HKLM\..\RunOnce: [crnr.exe] C:\WINDOWS\crnr.exe
    O4 - HKLM\..\RunOnce: [sysqv.exe] C:\WINDOWS\sysqv.exe
    O4 - HKLM\..\RunOnce: [winui32.exe] C:\WINDOWS\winui32.exe
    O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\crzv32.exe
    O4 - HKLM\..\RunOnce: [crxm32.exe] C:\WINDOWS\crxm32.exe
    O4 - HKLM\..\RunOnce: [ipbq32.exe] C:\WINDOWS\ipbq32.exe

    - Now boot into safe mode and delete all the files associated with each of those O4 lines.

    - Now reboot into normal mode and save a new HJT log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    Note this will not fix your problem yet, but it should help reduce the amount of infestation.
    After posting your HJT log DO NOT REBOOT or power down or the problem will spread and mutate. Just wait for a fix. You can disconnect your cable to the internet for security.
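As an added example (not code from the thread, from HijackThis, or from MajorGeeks), a small Python triage helper that parses HJT O4 lines and flags the pattern chaslang's list above shows: RunOnce entries whose executable sits directly in the Windows or system32 directory and whose name is a system-sounding prefix plus two random letters, an optional "32" and ".exe". The sample lines, the prefix list and the `ExampleUpdater` entry are constructed from the thread for illustration.

```python
import re

# Constructed sample O4 lines: three of the hijacker's RunOnce entries from the
# thread beside two ordinary Run entries. Not the poster's full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [atlop32.exe] C:\WINDOWS\atlop32.exe
O4 - HKLM\..\RunOnce: [iexf32.exe] C:\WINDOWS\system32\iexf32.exe
O4 - HKLM\..\RunOnce: [crgs.exe] C:\WINDOWS\crgs.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# One HJT O4 line: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+)\s*:\s*"
                   r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>\S.*)$")
# First executable in the command, quoted or not.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)
# Prefix + two random letters + optional "32" + ".exe", as in the thread's list.
PREFIXES = ("atl", "ie", "ms", "app", "cr", "win", "ip", "d3", "net",
            "sdk", "java", "nt", "add", "mfc", "api", "sys")
NAME_RE = re.compile(r"^(?:%s)[a-z]{2}(?:32)?\.exe$" % "|".join(PREFIXES),
                     re.IGNORECASE)
WINDOWS_DIRS = (r"c:\windows", r"c:\windows\system32")


def is_hijacker_name(name):
    """True if the file name fits the random-name scheme seen in the log."""
    return NAME_RE.match(name) is not None


def parse_o4(line):
    """Split an O4 line into hive, key, name, command and executable path."""
    m = O4_RE.match(line.strip())
    if not m:
        return {}
    entry = m.groupdict()
    pm = PATH_RE.match(entry["cmd"])
    entry["path"] = pm.group("path") if pm else entry["cmd"]
    return entry


def triage(log_text):
    """Return O4 entries matching this hijacker: RunOnce key, random name,
    file dropped straight into the Windows or system32 directory."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if not entry:
            continue
        parent = entry["path"].rsplit("\\", 1)[0].lower()
        if (entry["key"].lower() == "runonce" and parent in WINDOWS_DIRS
                and is_hijacker_name(entry["name"])):
            hits.append(entry)
    return hits
```

Run `triage()` over a saved HJT log to get the entries worth a second look; a hit is a lead for the expert's fix list, not proof on its own.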
     
  4. okienorygun

    okienorygun Private E-2

    Sorry about the previous post. I have since simply followed instructions and cured my problem. I might add that you guys and dolls are akin to a killer app, with one glaring diff: y'all have skin on :p. I truly do thank you for your help :D and may the light of the 60 Hz shine upon your scriptriding all your days. OUT
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I seriously doubt your problems are gone. We just removed some of the registry entries and some of the files. We have not cleaned up all of the hijacker. You should finish the rest of what I gave you, including posting the follow up HijackThis log and then do not reboot or power down.
     
