1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please give About:Buster a run: http://www.majorgeeks.com/download4289.html
    Ignore the steps on that link on how to run it and do the following (print the instructions; you must have no browsers running and must be disconnected from the Internet):

    - Disconnect from the Internet

    - Please close all windows especially browsers like Internet Explorer.

    - Now please run HijackThis and fix the following:

    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [atlag32.exe] C:\WINNT\system32\atlag32.exe

    - Unzip AboutBuster.zip and doubleclick the exe to run it

    - Next click OK and allow the program to run. (It may take a while.)

    - Make a copy of the log it creates for posting later. (ABLog1.txt)

    - Then run the About:Buster a second time just to be sure it got everything.

    - Make a copy of the log it creates again. (ABLog2.txt)

    - Run HSremove

    - Reboot & reconnect to the internet
    - Post the 2 About:Buster logs and a fresh HijackThis log.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to read all messages being posted!

    Did you fix the NT LM Security Support Provider service you disabled?

    The service packs for Win2k should be available right where I sent you for Critical Updates.
    You should see: Windows 2000 Service Pack 4 Express Install for End Users
     
  3. Computer Elliterat

    Computer Elliterat Private E-2

    I think I did the About:Buster and HijackThis steps incorrectly. As shown in my name, I am not a computer guru. I am happy to admit that I am woefully out of my depth here. I am attaching a new HijackThis log. Please tell me which files to erase and how EXACTLY to proceed. Do I need to be in Safe Mode? Are there any other things that I may have forgotten to do? I am disconnecting from the internet.


    I did re-enable NT LM Security Support Provider and downloaded Windows 2000 Service Pack 4 Express.

    Here is the log.



    Logfile of HijackThis v1.98.0
    Scan saved at 7:03:13 PM, on 7/20/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\WebEraser\weraser.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\ntlr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nbmkr.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nbmkr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nbmkr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\nbmkr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nbmkr.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nbmkr.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ntlr.exe] C:\WINNT\system32\ntlr.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  4. Computer Elliterat

    Computer Elliterat Private E-2

    In my latest reply I did not mean that I am disconnecting from the internet right now, I meant that as I am doing the removal process I am not connected.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the steps I gave you with About:Buster again, and do them correctly this time. Follow the steps exactly in the order written and don't skip anything. The only difference will be that last time you had this line:

    O4 - HKLM\..\Run: [atlag32.exe] C:\WINNT\system32\atlag32.exe

    And this time you have a different O4 - HKLM line:
    O4 - HKLM\..\Run: [ntlr.exe] C:\WINNT\system32\ntlr.exe
     
  6. Computer Elliterat

    Computer Elliterat Private E-2

    Here it be. I am not sure if the hijacker is gone or not. I will open and close my browser a few times to see if it comes back. If it doesn't, I want to buy you a beer if I ever travel to New Jersey.


    Scan 2 --------
    About:Buster Version 1.31
    Removed! : C:\WINNT\mepimw.dat
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!


    -- Scan 1 --------
    About:Buster Version 1.31
    Removed! : C:\WINNT\mepimw.dat
    Removed! : C:\WINNT\nbmkr.dat
    Removed! : C:\WINNT\nbmkr.dll
    Removed! : C:\WINNT\system32\ntlr.exe
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!




    Logfile of HijackThis v1.98.0
    Scan saved at 6:36:28 PM, on 7/21/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\WebEraser\weraser.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\HPZipm12.exe
    C:\unzipped\hijackthis\HijackThis.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  7. Computer Elliterat

    Computer Elliterat Private E-2

    It is back with a vengeance. Help!!!!!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't think we got it all yet. I still see:
    C:\WINNT\system32\atlem32.exe
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll

    Quick boot into safe mode and run HSremove
     
  9. Computer Elliterat

    Computer Elliterat Private E-2

    Ran HSRemove in Safe Mode and it is still here. Here is a new HijackThis log.



    Logfile of HijackThis v1.98.0
    Scan saved at 7:04:25 PM, on 7/21/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\WebEraser\weraser.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\javacx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rmyin.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [javacx.exe] C:\WINNT\javacx.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run that Registrar Lite program I had you download a while ago and then click Search.
    In the "Text to search for" box enter:
    sdkjh.dll

    Then hit your Enter key.
    It should give you all matching registry keys to the right. I need this info. You can easily paste that back here by double-clicking the key, which brings you back to the main screen with the Address field populated with the full key. Just click in the Address field and hit CTRL-C to copy the path, then paste it (CTRL-V) back here. Do it for each item found in the search.
    Tell me where it is located, with the full registry path/key info.
     
  11. Computer Elliterat

    Computer Elliterat Private E-2

    Nothing found in Registrar Lite. The search did not find anything.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the search again but instead of the filename try pasting in this line:

    6B07DBD2-6506-D6F3-F19B-88A0B3F17062
     
  13. Computer Elliterat

    Computer Elliterat Private E-2

    Snake eyes again, my man. (6B07DBD2-6506-D6F3-F19B-88A0B3F17062 not found in Registrar Lite search.)
     
  14. Computer Elliterat

    Computer Elliterat Private E-2

    I have to run to Lowes. I shall return @ 9:30P.M. EST
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you work a little faster on these? It seems to take a long time in between your answers.

    This does not sound possible. HijackThis is showing it in your registry. Are you sure that your HijackThis is still showing this line exactly:
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also want you to look for the following.

    Close the search window of RegLite and go back to the main screen of RegLite, and in the Address field paste the following in and hit Enter:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service

    Tell me if it finds anything similar to that, like something with __NS_Service_3, for example.

    Repeat for the below key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service

    Tell me if it finds anything similar to that.
     
  17. Computer Elliterat

    Computer Elliterat Private E-2

    I am positive that my HijackThis logs are up to date. I will post another one at the end of this post to show exactly what is on the computer literally seconds before this message is posted on the internet. I copied and pasted both keys into the address bar of Registrar Lite and did not find anything similar to what you described.


    Logfile of HijackThis v1.98.0
    Scan saved at 9:23:31 PM, on 7/21/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\WebEraser\weraser.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\javacx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rmyin.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [javacx.exe] C:\WINNT\javacx.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  18. ThaKilla

    ThaKilla Private E-2

    Have HijackThis fix the following, then reboot and post your log here.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rmyin.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll

    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [javacx.exe] C:\WINNT\javacx.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/...tall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  19. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Fixing these lines will do nothing. They will return. This was just discussed in another thread you were reading and talking in. Please be careful, or his log will look like the other guy's. Do some reading around, maybe infect yourself so you understand how this works. Also, why do you have him removing items for online virus scans and his Hewlett-Packard products? Please refrain from offering help for a while.

     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Computer_Elliterat,

    Please ignore the info in ThaKilla's message. As Major said, it is not going to help you. And you should not be removing some of those items anyway.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not understand why you cannot find these items. Please try searching for this "avgemc.exe" without the quotes. Tell me what you get.
     
  22. Computer Elliterat

    Computer Elliterat Private E-2

    I ran the search for avgemc.exe in Registrar Lite Search for text and found the results below.

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C9EFEC1-8D1A-11D5-989F-0000E87B4FB1}\LocalServer32

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\avgemc.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's what I wanted to see. I was checking to make sure you are doing the searches correctly.

    Please run HijackThis and save the current log (call it Log1.txt).

    Then in HijackThis select the two lines below (if the log is still the same as the previous one), but before clicking Fix, shut down all Internet Explorer sessions. Then click Fix.
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [javacx.exe] C:\WINNT\javacx.exe

    Now run another HijackThis scan and save the log (call it Log2.txt).
    Now run Internet Explorer just to come here to MG's home page, and exit Internet Explorer.
    Run another HijackThis scan and save the log (call it Log3.txt).

    Connect back here to MG's and post all three logs labeled as I requested so I can tell which is which.
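The three-log comparison chaslang asks for is easier to read with a script than by eye, because this hijacker regenerates under a new random file name on each run (nbmkr.dll, then rmyin.dll, then mjvvt.dll; ntlr.exe, then javacx.exe) while the BHO sdkjh.dll stays constant. The following is an added example, not code from the thread, from MajorGeeks or from HijackThis: it parses the R*/O* lines of two HijackThis logs and reports what was genuinely removed, what merely came back renamed, and what is new. The log excerpts are constructed from lines posted earlier in this thread, and the "self-named O4 entry" rule is an assumption drawn from those logs.

```python
"""Diff two HijackThis logs and separate real removals from renamed hijack variants."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section key value")

# Lines of interest look like "R1 - <key> = <value>" or "O4 - <key>: <value>".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
# res://[C:\dir\]random.dll/sp.html#96676 : only the DLL name changes between scans.
RES_RE = re.compile(
    r"res://(?:[A-Za-z]:\\[^/]*\\)?[^/\\]+\.dll/(?P<page>[^#\s]+)(?P<tag>#\d+)?", re.I)
# O4 value "[name.exe] <dir>\name.exe": Run-key name equals the exe file name
# (assumption drawn from the atlag32/ntlr/javacx lines in this thread).
O4_SELF_RE = re.compile(r"^\[(?P<name>[^\]]+\.exe)\] (?P<path>.+\\(?P=name))$")


def parse_log(text):
    """Return the R*/O* entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        if ": " in rest:                     # O2 - BHO: ..., O4 - HKLM\..\Run: [x] path
            key, value = rest.split(": ", 1)
        elif " = " in rest:                  # R0/R1 - HKCU\...\Main,Start Page = url
            key, value = rest.split(" = ", 1)
        else:                                # R3 - Default URLSearchHook is missing
            key, value = rest, ""
        entries.append(Entry(m.group("sec"), key, value))
    return entries


def fingerprint(e):
    """Collapse the parts the hijacker regenerates so renamed variants compare equal."""
    value = RES_RE.sub(
        lambda m: "res://<random>.dll/" + m.group("page") + (m.group("tag") or ""), e.value)
    if e.section == "O4" and O4_SELF_RE.match(value):
        # Directory varies too (system32 vs. WINNT root in this thread), so drop the path.
        value = "[<random>.exe] <random>.exe"
    return Entry(e.section, e.key, value)


def compare(old_text, new_text):
    """removed: gone with no renamed successor; renamed: back under a new random
    name; added: new entries with no counterpart in the old log."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    old_fp = {fingerprint(e) for e in old}
    new_fp = {fingerprint(e) for e in new}
    return {
        "removed": sorted(e for e in old - new if fingerprint(e) not in new_fp),
        "renamed": sorted(e for e in new - old if fingerprint(e) in old_fp),
        "added": sorted(e for e in new - old if fingerprint(e) not in old_fp),
    }


def res_hijacks(text):
    """R0/R1 entries pointing at a res:// DLL page: the start/search-page hijack itself."""
    return [e for e in parse_log(text)
            if e.section in ("R0", "R1") and e.value.lower().startswith("res://")]


# Constructed excerpts built from lines posted in this thread (not complete logs).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nbmkr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nbmkr.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [ntlr.exe] C:\WINNT\system32\ntlr.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [javacx.exe] C:\WINNT\javacx.exe
"""
# Same as LOG_AFTER with the BHO and the javacx.exe Run entry fixed in HijackThis.
LOG_FIXED = "\n".join(l for l in LOG_AFTER.splitlines()
                      if "sdkjh.dll" not in l and "javacx.exe" not in l)

if __name__ == "__main__":
    for label, pair in (("scan1 -> scan2", (LOG_BEFORE, LOG_AFTER)),
                        ("scan2 -> fixed", (LOG_AFTER, LOG_FIXED))):
        print(label)
        for kind, items in compare(*pair).items():
            for e in items:
                print("  %-7s %s - %s: %s" % (kind, e.section, e.key, e.value))
```

Running it shows that between the first two scans nothing was removed: every hijack line is reported as renamed, which is the signal that the infection is still active and only its file names changed.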
     
  24. Computer Elliterat

    Computer Elliterat Private E-2

    HijackThis logs ran and posted as advised.

    Hijack This Log 1
    Logfile of HijackThis v1.98.0
    Scan saved at 6:17:59 PM, on 7/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\javacx.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rmyin.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [javacx.exe] C:\WINNT\javacx.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    Hijack This Log 2
    Logfile of HijackThis v1.98.0
    Scan saved at 6:18:53 PM, on 7/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\javacx.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rmyin.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rmyin.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmyin.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    Hijack This log 3

    Logfile of HijackThis v1.98.0
    Scan saved at 6:19:50 PM, on 7/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\javacx.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mjvvt.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mjvvt.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mjvvt.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\mjvvt.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mjvvt.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mjvvt.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6AE347EA-720B-8C90-92FD-E61B12875D37} - C:\WINNT\system32\d3tm.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [javacx.exe] C:\WINNT\javacx.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If we have not downloaded this already, download and run CCleaner (formerly called CrapCleaner) on this PC. Get it here
    Just run it and on the Windows tab (you'll see when you run it) leave the defaults and click Run Cleaner. Exit CCleaner.

    Print these so you can remain disconnected:

    - Physically Disconnect from the Internet

    - Please close all windows especially browsers like Internet Explorer.

    - Run HSremove

    - Now please run HijackThis and fix the following (DO NOT HAVE INTERNET EXPLORER RUNNING)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mjvvt.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mjvvt.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mjvvt.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\mjvvt.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mjvvt.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mjvvt.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6AE347EA-720B-8C90-92FD-E61B12875D37} - C:\WINNT\system32\d3tm.dll
    O4 - HKLM\..\Run: [javacx.exe] C:\WINNT\javacx.exe

    - Run About:Buster
    - Make a copy of the log it creates for posting later. (ABLog1.txt)
    - Then run the about:Buster a second time just to be sure it got everything.
    - Make a copy of the log it creates again. (ABLog2.txt)

    - Reboot into safe mode
    - Run HSremove
    - Run About:Buster Again
    - Make a copy of the log it creates again. (ABLog3.txt)
    - Reset Web Settings: By right clicking on your Internet Explorer desktop icon and select Properties, then Programs and click the Reset Web Settings button.
    - Then go back to the General tab and set your home page to www.majorgeeks.com. Click OK
    - reconnect your cables for the internet
    - reboot in normal mode
    - create a new HijackThis log
    - Post the 3 about buster logs and the HijackThis log
     
  26. Computer Elliterat

    Computer Elliterat Private E-2

    Dear Chaslang,

    I did all the steps that you advised in your last down to the letter, except I did not delete the following files in HijackThis because upon running HS Remove they were not there to be deleted.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mjvvt.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mjvvt.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mjvvt.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\mjvvt.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mjvvt.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mjvvt.dll/index.html#96676
    R3 - Default URLSearchHook is missing

    Here are the HijackThis log and the About:Buster logs. Please hang in there with me and help get this damn thing off my computer. I do not want to have to take it in to get it stripped down and rebuilt. Thanks.


    -- Scan 1 --------
    About:Buster Version 1.31
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 2 --------
    About:Buster Version 1.31
    Attempted Clean Of Temp folder.
    Pages Reset... Done!


    -- Scan 3 --------
    About:Buster Version 1.31
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    Logfile of HijackThis v1.98.0
    Scan saved at 7:04:36 PM, on 7/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\WebEraser\weraser.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\mfcup32.exe
    C:\unzipped\hijackthis\HijackThis.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xarch.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xarch.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xarch.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xarch.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xarch.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xarch.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6AE347EA-720B-8C90-92FD-E61B12875D37} - C:\WINNT\system32\d3tm.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [mfcup32.exe] C:\WINNT\mfcup32.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Man this one is a pain. I'm going to have to work up a very long procedure for you to do; it is going to take me a while and I need to get some sleep now (3:33 am here). But in the meantime here is what I need you to do. After you connect back here and see this message do this:
    1) Make sure you have the current Ad-aware fully updated
    2) Make sure you have the latest version of both HSremove and About:Buster. Check here:
    http://www.majorgeeks.com/download4286.html
    http://www.majorgeeks.com/download4289.html

    3) post a new HijackThis log
    4) promise me you will not shutdown or reboot your PC or try to clean anything up. It will cause the problem to change and I need to know the HijackThis log values have remained constant.

    You can disconnect any way you want from the Internet. You can shut off your monitor to save power. But do not reboot or shutdown. When I work up the procedure and then get your log I will add in specific steps for you. Be warned it will be long!
     
  28. Computer Elliterat

    Computer Elliterat Private E-2

    I'm back. I've got the two downloads updated and am waiting to hear from you.
     
  29. Computer Elliterat

    Computer Elliterat Private E-2

    Logfile of HijackThis v1.98.0
    Scan saved at 8:10:14 PM, on 7/25/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINNT\mfcup32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xarch.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xarch.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xarch.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xarch.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xarch.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xarch.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6AE347EA-720B-8C90-92FD-E61B12875D37} - C:\WINNT\system32\d3tm.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [mfcup32.exe] C:\WINNT\mfcup32.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll




    Computer will stay on until I hear from you.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before starting the steps below, I want you to make sure you have Ad-aware and SpyBot S&D installed. Double check for updates. Ad-aware updates frequently and you must be current to make sure fixes work. Also, make sure you know how to configure Ad-aware for a fullscan. Read this: http://www.lavahelp.com/howto/fullscan/index.html

    Make sure you have current version of both HSremove and about:buster.


    Okay, below are the steps we are going to use. Make sure you print these or save them to a file on your PC because I am going to have you disconnect your PC from the internet at a certain point (Not Yet!). Once disconnected, do not connect again until I tell you to do so.

    1) Make sure you have enabled viewing of Hidden Files and Folders with
    Windows Explorer. To see how to do that, see this:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    2) Make sure you know how to boot in safe mode too (but don't do it yet!):
    http://service1.symantec.com/SUPPOR...01052409420406?OpenDocument&src=sec_doc_nam

    3) Disconnect from the internet (pull your ethernet cable if you have DSL or
    cable modem. If you have an analog modem, drop your connection!)

    4) Bring up Task Manager (using CTRL-ALT-DEL) select Processes and End this processes if you find them:
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\mfcup32.exe

    5) Now we are going to use notepad to erase the contents of the DLL file shown
    in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and
    enter the following command "notepad C:\WINNT\xarch.dll" (without the quotes)
    and click OK.

    Now in the notepad window, hit CTRL-A to select all contents of the file
    then hit the Delete key to delete all lines of the file. Now save the file
    (yes as an empty file). Now using Windows Explorer, locate the file
    C:\WINNT\xarch.dll and right click on it and select Properties and change the
    attributes to Read Only and click OK.

    6) You may have already tried this step before but do it anyway just to double check.
    Check to see if a Windows service named "Network Security Service" is
    running. To do this, click Start, Run, and enter the following in the Open
    box: "services.msc" (without the quotes). Then click OK. Now in the
    Services window that pops up look for Network Security Service. If you find
    that service, you must stop it by right clicking on it then select stop. Now
    disable it by right clicking on it and selecting Properties. Then in the
    General tab see the area that says "Startup type: " click on the pull down
    arrow and change it to Disabled. Also on the Properties page, make note of
    the information in the "Path to executable" box. You are going to use this
    later.

    If you do not find this service running, just continue with the next steps.

    7) Shutdown (not minimize) all applications (especially IE and Windows explorer) and using HijackThis, fix the BHO (Browser Helper Object) line added by the hijacker and loading of EXE's at startup:

    O2 - BHO: (no name) - {6AE347EA-720B-8C90-92FD-E61B12875D37} - C:\WINNT\system32\d3tm.dll
    O4 - HKLM\..\Run: [mfcup32.exe] C:\WINNT\mfcup32.exe


    8) Now reboot in safe mode (via method given in step 2) and then delete all
    the DLL and EXE file names found in step 7.
    And also if you found the Network Security Service running in step 6,
    delete the file indicated in the Path to executable!
    Be careful here the Path to the executable always contains a trailing /s.
    The /s is not part of the filename. For example, the Path to executable
    could be C:\WINNT\\system32\javajt32.exe /s but the filename (with path)
    is C:\WINNT\\system32\javajt32.exe

    9) This step is for WinXP only. Now also look in c:\windows\Prefetch for
    all of the above files deleted in steps 7 and 8. If found, delete them too.

    10) Empty your Recycle bin

    11) Now while still in safe mode, run only HijackThis and have it fix all
    the R0 and R1 lines that have the typical symptom information.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xarch.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xarch.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xarch.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xarch.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xarch.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xarch.dll/index.html#96676
    R3 - Default URLSearchHook is missing

    12) Right click on your desktop Internet Explorer icon and select Properties.
    Then click the Programs tab and then click "Reset Web Settings". Now go back
    to the General tab and set your home page address to something useful like
    www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and
    select Delete all Offline content too, Click OK. When it finishes Click OK.

    13A) Search the registry for every instance of xarch.dll and delete them.
    13B) Search the registry for every instance of the suspicious exe files found by Hijack This from step 7. Delete every instance.
    13C) Search your computer for xarch.dll. Delete each instance.
    13D) Search your computer for the suspicious exe files. (any file names the same as what we have been fixing above but they could be ending in .DAT, .DLL, or .EXE). Delete each instance.
    13E) If found, delete Memory.dmp in C:\WINNT or in C:\WINNT\System32
    13F) Run HSRemover save log to HSlog1.txt
    13G) Run about:Buster save log to ABlog1.txt
    13H) Run about:Buster again save log to ABlog2.txt

    13I) Also while still in Safe Mode to finish the cleanup process, please do the following:
    Go to Start --> Run and type Regedit then click Ok.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:
    __NS_Service
    __NS_Service_2
    __NS_Service_3
    If any are listed, right-click that entry in the right pane and choose Delete.

    13J) Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    and highlight Root in the Left Pane. In the right pane, look for these entries:
    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3

    If you find it, right-click it in the right-pane and choose delete.

    If you have trouble deleting a key from steps 13I or 13J, then click once on the key name (LEGACY__NS_SERVICE_ or another name that starts with LEGACY__NS_SERVICE) to highlight it. Then click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

    14) Now (still in safe mode) run Ad-aware fullscan and then SpyBot S&D and clean what they find.

    15) Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Click the [+] next to uninstall. Scroll down until you see the NAMES of
    programs (skip past the lines with numbers in {,} ). See if you can find
    any of the following listed:
    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of
    assistant is wrong)
    SA = Search Assistant
    SW = Shopping Wizzard

    If you find any of them, select one at a time, and hit your delete key.
    Once you delete all three, you can exit the registry editor.

    As an alternate approach, save the following 4 lines to a file called
    hsafix.reg, then using Windows Explorer double click on the hsafix.reg file
    and merge the fix into the registry.
    REGEDIT4
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

    16) Now reboot normal mode (do not connect to internet yet)
    17) After rebooting, before running anything else, run HijackThis and save a log.
    18) Reconnect your internet connection and connect here to MG's and post all of the HSremove, about:Buster, and HijackThis logs.
    Please post all of them in one text attachment. Then continue running and let's see how everything is working.

    You need to try a few reboots and perform some typical surfing in order to verify if the fix really works.

    Final note: If you have a system with multiple user accounts on it, you may need to
    perform this procedure for each account in order to fully rid your system of this problem. Check a HijackThis log in each user account!
     
    Last edited: Jul 25, 2004
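    The procedure above hinges on reading the right things out of the HijackThis log: the DLL behind the res:// R0/R1 lines (step 5), the unnamed BHO and the self-named O4 Run entry (step 7), and a process that is running from the Windows directory without any Run entry to explain it, which is the lead for the service check in step 6 (atlem32.exe in this thread). The script below is an added example written for this thread; it is not HijackThis code and not part of chaslang's procedure. It assumes a small allowlist of expected processes built only from the benign entries in the logs posted here, and the constructed sample log is a trimmed copy of the 7/25/2004 log above.

```python
"""Triage a HijackThis v1.98 log for the res:// home page hijack discussed above.

Added example, not HijackThis code and not chaslang's procedure. It pulls out
the items the procedure tells you to act on and cross-checks the process list.
"""
import re

# Expected Windows 2000 / vendor processes. Assumption: an allowlist built only
# from the benign entries in this thread's logs, not a complete list.
CORE_PROCESSES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "regsvc.exe", "mstask.exe", "stisvc.exe", "winmgmt.exe",
    "explorer.exe", "wuauclt.exe", "hpzipm12.exe",
}
WINDOWS_DIRS = ("c:\\winnt\\",)  # System32 sits under it, so one prefix is enough

ITEM_RE = re.compile(r"^[A-Z]\d{1,2} - ")
RES_DLL_RE = re.compile(r"res://(?:[a-z]:\\[^/]*\\)?([a-z0-9_]+\.dll)/", re.I)
O2_NONAME_RE = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
EXE_RE = re.compile(r'([^\\"/ ]+\.exe)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].strip().lower()


def parse_log(text):
    """Return (running process paths, HijackThis item lines)."""
    processes, items, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line.lower().startswith("running processes:"):
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif ITEM_RE.match(line):
            items.append(line)
    return processes, items


def triage(text):
    processes, items = parse_log(text)
    res_dlls, bho_dlls, self_named, run_targets, fix_lines = set(), [], set(), set(), []
    for line in items:
        code = line.split(" - ", 1)[0]
        if code in ("R0", "R1"):
            m = RES_DLL_RE.search(line)
            if m:                     # IE page pointed at a local DLL resource
                res_dlls.add(m.group(1).lower())
                fix_lines.append(line)
        elif code == "R3" and "is missing" in line:
            fix_lines.append(line)
        elif code == "O2":
            m = O2_NONAME_RE.match(line)
            if m:                     # BHO with no name is the hijacker's DLL
                bho_dlls.append(m.group(1))
                fix_lines.append(line)
        elif code == "O4":
            m = O4_RUN_RE.match(line)
            if not m:
                continue
            name, exe = m.group(2), EXE_RE.search(m.group(3))
            if exe:
                exe = exe.group(1).lower()
                run_targets.add(exe)
                if name.lower() == exe:   # [foo.exe] C:\WINNT\foo.exe pattern
                    self_named.add(exe)
                    fix_lines.append(line)
    # A process running from the Windows directory with no Run entry and not a
    # core process is started some other way, e.g. the service checked in step 6.
    unreferenced = [
        p for p in processes
        if p.lower().startswith(WINDOWS_DIRS)
        and basename(p) not in CORE_PROCESSES
        and basename(p) not in run_targets
    ]
    return {
        "res_dlls": sorted(res_dlls),
        "bho_dlls": bho_dlls,
        "self_named_runs": sorted(self_named),
        "unreferenced_processes": unreferenced,
        "fix_lines": fix_lines,
    }


# Constructed sample: a trimmed copy of the 7/25/2004 log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Scan saved at 8:10:14 PM, on 7/25/2004

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atlem32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\mfcup32.exe
C:\WINNT\System32\HPZipm12.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xarch.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xarch.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6AE347EA-720B-8C90-92FD-E61B12875D37} - C:\WINNT\system32\d3tm.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [mfcup32.exe] C:\WINNT\mfcup32.exe
O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key)
        for v in value:
            print("   ", v)
```

    On the sample log the unreferenced-process check returns only atlem32.exe, which is the file the later posts identify as the one that kept bringing the hijack back; the allowlist keeps that check from flagging the core Windows 2000 processes, so anything it does report is worth a look in services.msc before the reboot into safe mode.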
  31. Computer Elliterat

    Computer Elliterat Private E-2

    The virus is still here.

    Logfile of HijackThis v1.98.0
    Scan saved at 6:07:33 PM, on 7/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\appmv32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzeob.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzeob.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kzeob.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\kzeob.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzeob.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzeob.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {38BCB86B-6818-0433-69B1-3DD6E3B9B58F} - C:\WINNT\system32\ipbv32.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [appmv32.exe] C:\WINNT\appmv32.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll



    -- Scan 1 --------
    About:Buster Version 1.31
    Removed! : C:\WINNT\mepimw.dat
    Removed! : C:\WINNT\mfcup32.exe
    Removed! : C:\WINNT\xarch.dat
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2 --------
    About:Buster Version 1.31
    Attempted Clean Of Temp folder.
    Pages Reset... Done!




    SHOULD I GIVE UP? I CAN TAKE MY COMPUTER AND HAVE ALL THE PERTINENT FILES COPIED OFF OF IT AND THEN STRIP IT DOWN AND REBUILD THE SON OF A GUN. I APPRECIATE ALL OF YOUR HARD WORK, BUT IT DOESN'T APPEAR WE ARE GETTING ANYWHERE. I WILL TRY AGAIN IF YOU WANT ME TO, BUT THIS THING IS STUBBORN. IF YOU HAVE ANY INFORMATION REGARDING WHO CREATED THIS AND WHERE THEY CAN BE REACHED LET ME KNOW BECAUSE I WOULD LIKE TO HAVE A WORD OF PRAYER.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Had you rebooted or shut down since you posted the previous log? Not the one just posted, the one from yesterday 20:07. This is very important.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You also must remember to post logs as a text attachment as I asked. Please see the bold print thread: http://forums.majorgeeks.com/showthread.php?t=35407

    Just change the .log extension to .txt and you can attach the file. A .log file will not upload.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The reason it did not work is because you did not delete one of the files I requested that you delete:
    C:\WINNT\system32\atlem32.exe

    Now things have changed again. But that file is still there. If you had problems along the way with any particular step, I need to know that. For example, if I said to delete a file and you cannot find it, then you should tell that. In the case of atlem32.exe, I believe this is at the root of your problem.

    You are going to have to do the procedure again from start to finish. No steps can be skipped even if you think that they can (for example, you may never have seen the Network Security Service running before so you decide to skip that step. Well it could be running this time and if you don't disable it and later delete the file, the problem will come right back). The steps have not changed but what you need to put in them has since your log had changed. And now I see you are no longer connected. If you have shut your PC down, it may have changed again.
     
  35. Computer Elliterat

    Computer Elliterat Private E-2

    Dear Chaslang,

    I am back up now. The .exe file C:\WINNT\system32\atlem32.exe is probably the root of all evil; however, I can not seem to delete it in the Registry or end the process in Ctrl-Alt-Del. Also, the Network Security Service may be running, but I have checked services.msc every time you have asked and I have not seen it running. Here is a new HijackThis log. I will repeat the steps if necessary.

    Logfile of HijackThis v1.98.0
    Scan saved at 7:16:54 PM, on 7/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\d3nr32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzeob.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzeob.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kzeob.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\kzeob.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzeob.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzeob.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {38BCB86B-6818-0433-69B1-3DD6E3B9B58F} - C:\WINNT\system32\ipbv32.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [d3nr32.exe] C:\WINNT\system32\d3nr32.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not paying attention. The Admins and Mods (myself included) will be deleting logs soon if rules are not followed. I gave you this info a few posts back:

    "You also must remember to post logs as a text attachment as I asked. Please see the bold print thread: http://forums.majorgeeks.com/showthread.php?t=35407"
    And only when asked to post them.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  38. Computer Elliterat

    Computer Elliterat Private E-2

    Dear Chaslang,

    I was not aware of the new rule regarding HijackThis logs. I will gladly adhere to the rule. I downloaded http://www.sysinternals.com/files/procexpnt.zip
    and found C:\WINNT\System32\atlen32.exe and killed it. For the first time in a while I can not find atlem32.exe in the Ctrl-Alt-Del Task Manager processes. Awaiting command.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running through those steps I gave you again. Substitute in the appropriate name changes as your log has changed. From your last log, the items of concern were:

    C:\WINNT\system32\atlem32.exe
    C:\WINNT\system32\d3nr32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzeob.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzeob.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kzeob.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\kzeob.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzeob.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzeob.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {38BCB86B-6818-0433-69B1-3DD6E3B9B58F} - C:\WINNT\system32\ipbv32.dll
    O4 - HKLM\..\Run: [d3nr32.exe] C:\WINNT\system32\d3nr32.exe


    You may need to use ProcessExplorer to kill d3nr32.exe too.

    If you are not sure how to run with the above info, let me know.
     
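What chaslang's "items of concern" boil down to is a set of pattern checks over the log. The script below is an added example written for this page (it is not from the thread and not HijackThis code; its rules and its known-good process list are this example's own assumptions). It runs those checks over a trimmed copy of the log posted above and separates files to delete, registry entries to fix, running copies that must be killed first, and system32 processes that simply need a second look.

```python
"""Triage a HijackThis 1.98-style log for the kinds of entries flagged in this thread.

Added example, not HijackThis code. The rules are this example's own heuristics:
R0/R1 pages pointing into a res:// DLL, an R3 line reporting the URLSearchHook
missing, O2 BHOs with "(no name)", O4 Run values named after their own exe, and
system32 processes outside a partial, assumed known-good list.
"""
import ntpath
import re

# Assumption: partial list of stock Windows 2000 processes that run from system32.
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "regsvc.exe", "mstask.exe", "stisvc.exe", "wuauclt.exe",
}

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s*-\s*(.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.(?:exe|dll)', re.IGNORECASE)
RES_RE = re.compile(r"res://(?:[^/\s]*\\)?([\w.-]+\.dll)", re.IGNORECASE)
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run:\s*\[([^\]]+)\]\s*(.*)$")


def _basename(path):
    return ntpath.basename(path).lower()


def _run_target(rest):
    """Executable path from the text after the [name] of an O4 Run entry."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    return rest.split()[0] if rest else ""


def parse_hjt(text):
    """Return (running process paths, [(prefix, body)] for the R/O entries)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Classify entries: files to delete, entries to fix, processes to kill or verify."""
    processes, entries = parse_hjt(text)
    findings, bad_files, verify = [], set(), []
    for prefix, body in entries:
        if prefix in ("R0", "R1"):
            m = RES_RE.search(body)
            if m:
                dll = m.group(1).lower()
                findings.append(("remove", prefix, "IE page set to res:// DLL " + dll))
                bad_files.add(dll)
        elif prefix == "R3" and "missing" in body:
            findings.append(("fix", prefix, "default URLSearchHook is missing"))
        elif prefix == "O2" and "(no name)" in body:
            m = PATH_RE.search(body)
            if m:
                dll = _basename(m.group(0))
                findings.append(("remove", prefix, "nameless BHO " + dll))
                bad_files.add(dll)
        elif prefix == "O4":
            m = RUN_RE.match(body)
            if m:
                name, target = m.group(1), _run_target(m.group(2))
                if name.lower() == _basename(target):
                    findings.append(("remove", prefix, "Run value named after its exe: " + name))
                    bad_files.add(_basename(target))
    # A flagged file that is running must be killed before it can be deleted;
    # any other system32 process not on the known-good list gets a manual look.
    for proc in processes:
        base, folder = _basename(proc), ntpath.dirname(proc).lower()
        if not folder.endswith("\\system32"):
            continue
        if base in bad_files:
            findings.append(("kill", "process", base + " is a running copy of a flagged file"))
        elif base not in KNOWN_SYSTEM32:
            verify.append(base)
            findings.append(("verify", "process", base + " is not on the known-good list"))
    return {"findings": findings, "files_to_remove": sorted(bad_files), "verify": verify}


# Trimmed copy of the log posted above in this thread, used as sample input.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atlem32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\system32\d3nr32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kzeob.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzeob.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {38BCB86B-6818-0433-69B1-3DD6E3B9B58F} - C:\WINNT\system32\ipbv32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [d3nr32.exe] C:\WINNT\system32\d3nr32.exe
O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
"""

if __name__ == "__main__":
    for severity, where, why in triage(SAMPLE_LOG)["findings"]:
        print(f"{severity:7} {where:8} {why}")
```

Nothing in the verify list is evidence of infection by itself: HPZipm12.exe is an HP printing component a practitioner would confirm by checking its publisher, while atlem32.exe in this thread turned out to be the process that had to be killed with Process Explorer before its file could be deleted. The cross-check against the process list exists for the ordering chaslang insists on: kill the running copy first, then delete the file, or the problem comes right back.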
  40. Computer Elliterat

    Computer Elliterat Private E-2

    Chaslang,

    I ran through the steps again and so far (5-10 minutes back online) my browser has not been hijacked. I will surf around and restart to verify the hopefully good news.
     
  41. Computer Elliterat

    Computer Elliterat Private E-2

    Virus has yet to re-appear. God Bless Major Geeks and God Bless CHASLANG. Thank you so much for all your help. Is there a physical address that I can send a donation to for all the help you have provided?

    P.S. What do I need to do to assure that I never get the virus again????
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
    This is great news! Sounds like my step by step approach is still the answer for cases like these. I'm always happy when we get one of these fixed.

    No donations are necessary. Just a thank you and a smile on your face is good enough. Spread the word! Majorgeeks is GREAT!

    To keep yourself in good shape, you should read thru this link: http://forums.majorgeeks.com/showthread.php?t=38053

    Pop back in after a couple days just to let us know that it is still okay (or if the problem returns).
     
  43. Computer Elliterat

    Computer Elliterat Private E-2

    Thank you once again. I will check back in in a week or so to let you know whether the virus is gone for good or not.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That would be great! Good luck! Happy surfing!
     
