Please help, here is HijackThis log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by monkeyman6, Jul 12, 2004.

  1. monkeyman6

    monkeyman6 Private E-2

    I know I have some sort of spyware or a trojan or something with a tickler program that keeps reinstalling all the files I delete. Internet Explorer stopped working for a while, then it worked again and I installed Mozilla. I have been all over the web looking for spyware removal tools and the like. I downloaded the free version of Ad-Aware and it found a lot of stuff. I repeated the scan multiple times and each time 4 of the same things kept showing up that I deleted the time before. Ad-Aware labeled those 4 items as CoolWebSearch programs or whatever. I downloaded the CWShredder and ran it but it found no CoolWebSearch items. I repeated that scan multiple times as well. HijackThis has the same problem: I delete all of the entries but they keep coming back each time I reboot.

    Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:40:09 PM, on 7/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\systc32.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\WINDOWS\system32\javatw32.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
    C:\Documents and Settings\Ben\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ben\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Ben\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ben\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ben\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Ben\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spojs.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spojs.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ben\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {0C00E564-86BF-A647-7411-77C3D02CBAB1} - C:\WINDOWS\system32\netrm.dll
    O4 - HKLM\..\Run: [javatw32.exe] C:\WINDOWS\system32\javatw32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - HKLM\..\RunOnce: [systc32.exe] C:\WINDOWS\systc32.exe
    O4 - HKLM\..\RunOnce: [crom32.exe] C:\WINDOWS\system32\crom32.exe
    O4 - HKLM\..\RunOnce: [apifp32.exe] C:\WINDOWS\apifp32.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

    If anyone knows how to get rid of the tickler program and all the spyware/trojans or whatever they are, I would appreciate it.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to get the current HijackThis: http://www.majorgeeks.com/download3155.html

    And you need to download and run both HSremove and about:Buster. Get them here:
    HSremove: http://www.majorgeeks.com/download4286.html
    about:Buster: http://www.majorgeeks.com/download4289.html

    When running HSremove do the following:

    - disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668
    - Boot into safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    - **** disconnect from the internet (unplug cables) ****
    - run HSremove
    - set your home page to something useful like www.majorgeeks.com
    - boot normal and reconnect to internet

    Then run about:Buster: see the info in the line I gave you above on running it.

    Let me know how things look. Post a new HijackThis log so we can double check.
     
  3. monkeyman6

    monkeyman6 Private E-2

    OK, I did all you told me to do. I ran HijackThis again after I rebooted and found some of the same things as last time as well as some new entries. I think that there is still something on my computer.

    Logfile of HijackThis v1.98.0
    Scan saved at 9:24:06 AM, on 7/13/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\systc32.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\javatw32.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Documents and Settings\Ben\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ben\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dnpzu.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dnpzu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dnpzu.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ben\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dnpzu.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dnpzu.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ben\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ben\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0C00E564-86BF-A647-7411-77C3D02CBAB1} - C:\WINDOWS\system32\netrm.dll
    O4 - HKLM\..\Run: [javatw32.exe] C:\WINDOWS\system32\javatw32.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    What should I do now?
     
  4. krazykrl

    krazykrl Sergeant Major

    You are running processes while running Hijack This!. You need to close all applications before running. I can see that you are running Internet Explorer, apparently installing something, and several others. It is recommended to boot into Safe Mode with Networking and run the program from there. :rolleyes:
     
  5. monkeyman6

    monkeyman6 Private E-2

    Ok I ran HijackThis in safe mode. Do I still have an infection or is it all gone? Here are the results:

    Logfile of HijackThis v1.98.0
    Scan saved at 10:37:46 AM, on 7/13/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Ben\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {0C00E564-86BF-A647-7411-77C3D02CBAB1} - C:\WINDOWS\system32\netrm.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You do not want to run HijackThis in safe mode right now. You will not see the problem. There are times to use safe mode and there are times not to. You are right about not having other processes running though. Especially Internet Explorer.

    Monkeyman, please do this (normal boot):

    1) go here and download Registrar lite and install it: http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls tell me exactly what you see in the Value.

    And then give me your HijackThis log in normal boot. Do not fix anything and do not shut down your PC (you can disconnect from the internet, just do not reboot) because the problem has a habit of mutating on reboots.
     
  7. krazykrl

    krazykrl Sergeant Major

    chaslang is right, my oversight.

    Spybot and Ad-aware are OK to run in Safe Mode. You should run them first, because they may shorten the Hijack This! log.
     
  8. monkeyman6

    monkeyman6 Private E-2

    OK, I downloaded and ran the Registrar Lite program. In the Value part of AppInit_DLLs it said:
    C:\WINDOWS\System32\kbdfoep.dll

    Now here's my HijackThis log in normal boot:

    Logfile of HijackThis v1.98.0
    Scan saved at 4:59:50 PM, on 7/13/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\systc32.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\javatw32.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\Documents and Settings\Ben\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kmyyi.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kmyyi.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kmyyi.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kmyyi.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kmyyi.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kmyyi.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0C00E564-86BF-A647-7411-77C3D02CBAB1} - C:\WINDOWS\system32\netrm.dll
    O4 - HKLM\..\Run: [javatw32.exe] C:\WINDOWS\system32\javatw32.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This does not look like HSremove was run. Please do the following steps exactly:

    Just to be sure you have the current versions (HSremove updated today and About:Buster updated yesterday) download them again:
    HSremove: http://www.majorgeeks.com/download4286.html
    about:Buster: http://www.majorgeeks.com/download4289.html

    Enable ability to view hidden files and folders with Win Explorer:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Check to see if a Windows service with the following EXACT named "Network Security Service" is running. To do this:
    Click Start, Run, and enter this in the Open box: services.msc Then click OK.
    Now in the Services window that pops up look for Network Security Service. If you find that service, you must stop it by right clicking on it then select Stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type:", click on the pull down arrow and change it to Disabled. Also on the Properties page, I want to know the info in the "Path to executable" box.

    Now follow these steps exactly (print them or save them locally because you MUST physically disconnect from the internet when told):

    1) if system restore is not disabled, then disable it but don't reboot when it tells you it is required. To do that see: http://forums.majorgeeks.com/showthread.php?t=31668

    2) **** this is very important disconnect from the internet (physically unplug cables) **** Don't re-connect until told to!
    3) reboot in safe mode:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    4) run HSremove 2.36
    5) Reset Web Settings by right clicking on IE and selecting Tools, Internet Options, Programs, then click Reset Web Settings. Now go back to the General tab and specify your home page (like www.majorgeeks.com)
    6) run HijackThis and fix the following if still present:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kmyyi.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kmyyi.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kmyyi.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kmyyi.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kmyyi.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kmyyi.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0C00E564-86BF-A647-7411-77C3D02CBAB1} - C:\WINDOWS\system32\netrm.dll
    O4 - HKLM\..\Run: [javatw32.exe] C:\WINDOWS\system32\javatw32.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    7) delete the below files. You must be able to view hidden files with WinExplorer:
    C:\WINDOWS\system32\kmyyi.dll
    C:\WINDOWS\system32\netrm.dll
    C:\WINDOWS\system32\javatw32.exe
    8) boot normal and reconnect to internet
    9) see how things look. Post new HijackThis log.


     
  10. monkeyman6

    monkeyman6 Private E-2

    OK, I followed your directions exactly as you told me to. There were some problems however. 1- I could not get the O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file) to delete from HijackThis. It kept coming back each time I tried to delete it. 2- There was no file named kmyyi.dll in my system32 folder. I double checked to make sure Show hidden files was checked, but the file simply wasn't there. Internet Explorer is working now. It doesn't go to the weird start pages: it actually goes to the one I want it to. Here is the current HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 8:59:15 PM, on 7/13/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\WINDOWS\appkm.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\msiexec.exe
    C:\Documents and Settings\Ben\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {27B4D80D-852F-D627-7068-BB04F8EA00BC} - C:\WINDOWS\sdkxw.dll
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\RunOnce: [appkm.exe] C:\WINDOWS\appkm.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    As you can see, some of the entries that I deleted while in Safe Mode came back; specifically the R3 and the O18.
     
  11. monkeyman6

    monkeyman6 Private E-2

    Ok new problem. I have done absolutely nothing since the last HijackThis scan and I came back onto the internet to check the forum and my homepage was the odd search page again. I didn't reboot or anything. The HijackThis log changed also. Here is the most current one:

    Logfile of HijackThis v1.98.0
    Scan saved at 9:46:26 PM, on 7/13/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\WINDOWS\appkm.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\mfcdc32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Ben\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ojxfi.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ojxfi.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ojxfi.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ojxfi.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ojxfi.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ojxfi.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {27B4D80D-852F-D627-7068-BB04F8EA00BC} - C:\WINDOWS\sdkxw.dll
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [mfcdc32.exe] C:\WINDOWS\system32\mfcdc32.exe
    O4 - HKLM\..\RunOnce: [appkm.exe] C:\WINDOWS\appkm.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    All the entries I deleted came back. It seems like nothing is working... :(
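A small triage script for logs like the ones posted in this thread, added here as an example; it is not part of the thread, of HijackThis, or of any MajorGeeks tool, and the flagging heuristics are my own. It parses the R/O lines, flags the patterns the helpers keyed on (IE pages pointed into a res:// DLL or a Temp file, the nameless BHO, a Run entry named after a bare executable in the Windows directory, the fileless icoo protocol, the missing URLSearchHook), and diffs two logs to show which registry lines persisted across a reboot while the DLL names rotated. The two sample excerpts are trimmed from monkeyman6's logs above.

```python
import re

# Constructed sample input: trimmed excerpts of two of the HijackThis logs posted in this
# thread, taken before and after a reboot on which the hijacker renamed its files.
LOG_BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kmyyi.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kmyyi.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0C00E564-86BF-A647-7411-77C3D02CBAB1} - C:\WINDOWS\system32\netrm.dll
O4 - HKLM\..\Run: [javatw32.exe] C:\WINDOWS\system32\javatw32.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""
LOG_AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ojxfi.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ojxfi.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {27B4D80D-852F-D627-7068-BB04F8EA00BC} - C:\WINDOWS\sdkxw.dll
O4 - HKLM\..\Run: [mfcdc32.exe] C:\WINDOWS\system32\mfcdc32.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")                  # "R1 - ..." / "O4 - ..."
RES_DLL_RE = re.compile(r"res://(?:.*\\)?([^\\/]+\.dll)/", re.I)  # DLL named in a res:// URL
# Run/RunOnce value whose name equals a bare executable sitting in C:\WINDOWS or system32
RUN_SELF_RE = re.compile(r"\[([^\]]+)\] C:\\WINDOWS\\(?:system32\\)?([^\\ ]+)$", re.I)

def parse(log):
    """Return (kind, body) tuples for every R/O line in a HijackThis log."""
    matches = (ENTRY_RE.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def flag(kind, body):
    """Reason string if the entry matches a pattern seen in this thread, else None."""
    if kind in ("R0", "R1"):
        if "= res://" in body and RES_DLL_RE.search(body):
            return "IE page/search setting points into a DLL resource"
        if "= file://" in body and "\\temp\\" in body.lower():
            return "IE page/search setting points to a file in Temp"
    elif kind == "R3" and "is missing" in body:
        return "default URLSearchHook removed"
    elif kind == "O2" and "(no name)" in body:
        return "browser helper object with no name"
    elif kind == "O4":
        m = RUN_SELF_RE.search(body)
        if m and m.group(1).lower() == m.group(2).lower():
            return "Run entry named after a bare executable in the Windows directory"
    elif kind == "O18" and "(no file)" in body:
        return "protocol handler registered but its file is missing"
    return None

def triage(log):
    """Map each flagged entry line to the reason it was flagged."""
    pairs = ((f"{kind} - {body}", flag(kind, body)) for kind, body in parse(log))
    return {line: why for line, why in pairs if why}

def hijack_dlls(log):
    """Lower-cased names of DLLs referenced by res:// hijacks or nameless BHOs."""
    names = set()
    for kind, body in parse(log):
        m = RES_DLL_RE.search(body)
        if m:
            names.add(m.group(1).lower())
        elif kind == "O2" and "(no name)" in body:
            names.add(body.rsplit("\\", 1)[-1].lower())
    return names

def compare(before, after):
    """Which flagged lines survived the reboot unchanged, and which DLL names rotated."""
    b, a = triage(before), triage(after)
    return {"persisted": sorted(set(b) & set(a)),
            "dlls_before": sorted(hijack_dlls(before)),
            "dlls_after": sorted(hijack_dlls(after))}
```

Run `compare(LOG_BEFORE, LOG_AFTER)` to see the R3 and O18 lines persist verbatim while the res:// and BHO DLLs change from kmyyi.dll/netrm.dll to ojxfi.dll/sdkxw.dll, which is why fixing entries by name alone keeps failing.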
     
  12. skram0

    skram0 Private E-2

    I'd suggest trying some type of investigation software to see who is accessing those new files or entries.

    Try something like Filemon from Sysinternals. Snazzy piece of software. Do a clean like before in safe mode, then when you boot normally, try to run Filemon first thing and have that sucker just keep running and logging which processes access which files on your computer. Maybe even put it in your Startup folder or in the Run entry in the registry if you dare mess with the registry.

    Or try some of the other utilities on this page. Could also try Process Explorer to investigate the threads of each process to see if you find anything out of the ordinary. I use this tool all the time. Got it set for Ctrl-Alt-P. :)

    Or try Regmon after you boot into normal mode to see which processes are accessing the registry and setting those new res:// entries.

    I'm very curious to know if any of these tools help you find the root of the problem, as my brother's computer has the same type of infection, and I don't have access to it at the moment. He's tried all the usual removal tools too. I wish my home computer was infected. Then I'd have something fun to do! ;)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    skram0,

    All the tools you mentioned are very good investigative tools. I have used most of them a bunch of times while trying to help users here resolve problems with about:Blank or Only the Best aka HSA hijacker problems.

    Seems like monkeyman's last reply fell through the cracks and I missed it. I don't know where his problem stands now, but both the HSremove and About:Buster programs have improved a bunch since his last post 18 days ago. They should be tried now, following the directions given on the links. It may take several runs of the programs to clean up all the files that these hijackers drop into the system.

    If they do not work by themselves to resolve the problem then further investigation and methods will be necessary.
     