PLEASE PLEASE HELP!!!: Only the best Pop Up

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Byxor, Jun 28, 2004.

  1. Byxor

    Byxor Private E-2

    Please help!
    I have read most of the threads about the "only the best" pop up and the other hijackers. I have the same problem and have tried repeatedly to eradicate it. I have run Spybot, Adaware, Norton, HijackThis, Windows Update, Registrar etc. etc. Have found several dlls e.g. MSHP, BLORP, ZKNVP, USVPI and WVURY. Each time I get rid of one, another will take its place with a different name. My Hijack log is below and frankly, I don't know for sure which items are legit and which are not. Could someone please let me know which files I should delete? THANK YOU, THANK YOU.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:45:14 PM, on 6/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\javajt32.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Office mouse\1.1\moffice.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\sfpsvr.exe
    C:\WINDOWS\crne32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Office mouse\1.1\MOUSE32A.DAT
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Common Files\efax\HotTray.exe
    C:\Program Files\Common Files\efax\Dllcmd32.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Registrar Lite\rl.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Derek Smith\Local Settings\Temp\HijackThis.exe
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office mouse\1.1\moffice.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
    O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
    O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...b?1088212129838
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_03) -
    O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try possibly the fastest solution. We are going to try using System Restore to restore your system to a point before the problem began. You just need to know about when this problem began and pick a restore point on your system prior to that date. Take a look at this link; it will explain System Restore to you:

    http://www.microsoft.com/windowsxp/expertzone/columns/ballew/03may19.asp

    Note that doing this does also have the effect of removing anything else you have installed or set up after the System Restore point too. But since your PC is so new that may not be too big an issue.

    If this does not work, I will post a step by step method to try.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please ignore this sentence, "But since your PC is so new that may not be too big an issue."

    That's due to me cutting and pasting from another thread. I did not notice this until after the 3 minute Edit timer expired.
     
  4. Byxor

    Byxor Private E-2

    Thanks for getting back to me. I tried the system restore. The only listed point that I could restore was today, and it would not allow me to check any previous dates. I have had the problem for at least a week, so going back to over a week ago would be great. Am I doing something wrong? Thanks.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We will not be able to use that method. Did you clean up (fix or delete) any lines from your HijackThis log previously? I do not see the typical R0 & R1 entries nor the O2 BHO object that this hijacker normally creates. I also only see one of the typical EXEs that run. Something seems very different here.
     
  6. Byxor

    Byxor Private E-2

    Yes, I have run spybot, adaware, norton etc. etc. I have searched for any of the dll(s) that I could find that were bad and deleted those. Each time (at least 10) I have run hijack and a new dll will pop up in the list, I fix that and then another will take its place, fix that and so on.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Stop doing that! It only makes it mutate, causing more hidden files. The next time it comes up with R0 & R1 entries (and there should be a new O2 BHO too), post that HijackThis log. Do not attempt to clean it up by any method yet!
     
  8. Byxor

    Byxor Private E-2

    OK, got the point, here it is, see what you think.


    Logfile of HijackThis v1.97.7
    Scan saved at 12:44:05 AM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\javajt32.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Office mouse\1.1\moffice.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\crne32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Office mouse\1.1\MOUSE32A.DAT
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Common Files\efax\HotTray.exe
    C:\Program Files\Common Files\efax\Dllcmd32.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Derek Smith\Local Settings\Temp\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bpecz.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpecz.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpecz.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bpecz.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bpecz.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bpecz.dll/sp.html#37049
    O2 - BHO: (no name) - {36791C41-EE2D-4A40-AF45-24A5ABA6D46E} - C:\WINDOWS\d3df32.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office mouse\1.1\moffice.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
    O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1088212129838
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_03) -
    O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before starting the steps below I want you to make sure you have Ad-aware and SpyBot S&D installed. Double check for updates. I know Ad-aware just updated today.

    Okay, below are the steps we are going to use. Make sure you print these or save them to a file on your PC because I am going to have you disconnect your PC from the internet at a certain point (Not Yet!). Once disconnected, do not connect again until I tell you to do so.

    1) Disable system restore and reboot! Here's how to do that: http://www.majorgeeks.com/vb/showthread.php?t=31668
    2) Make sure you have enabled viewing of Hidden Files and Folders with Windows Explorer. To see how to do that, see this:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    3) Make sure you know how to boot in safe mode too (but don't do it yet!):
    http://service1.symantec.com/SUPPOR...src=sec_doc_nam

    4) Disconnect from the internet (pull your ethernet cable if you have DSL or cable modem. If you have an analog modem, drop your connection!)

    5) Now click Start, Run, and enter the following command "notepad C:\WINDOWS\bpecz.dll" (without the quotes) and click OK. Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file).

    Now using Windows Explorer, locate the file C:\WINDOWS\bpecz.dll and right click on it and select Properties and change the attributes to Read Only and click OK.

    6) Check to see if a Windows service named "Network Security Service" is running. To do this:
    Click Start, Run, and enter this in the Open box: services.msc Then click OK. Now in the Services window that pops up look for Network Security Service. If you find that service, you must stop it by right clicking on it then select stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: " click on the pull down arrow and change it to Disabled. Also on the Properties page, I need to know the info in the "Path to executable" box.


    If you do not find this service running, just continue with the next steps.
    7) Now shut down all applications (especially IE and Windows Explorer) and run HijackThis. Have it fix only what I give you below:

    O2 - BHO: (no name) - {36791C41-EE2D-4A40-AF45-24A5ABA6D46E} - C:\WINDOWS\d3df32.dll
    O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe

    Now reboot in safe mode (via method given in step 3) and then delete the following if found:
    C:\WINDOWS\d3df32.dll
    C:\WINDOWS\crne32.exe
    C:\WINDOWS\system32\javajt32.exe

    And also if you found Network Security Service running in step 6, delete the file indicated in the Path to executable! Now also look for all of the above files in c:\windows\Prefetch. If found, delete them too.
    9) Now while still in safe mode run only HijackThis and have it fix:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bpecz.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpecz.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpecz.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bpecz.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bpecz.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bpecz.dll/sp.html#37049

    10) Right click on your Internet Explorer icon and select Properties. Set your home page address to something useful like www.majorgeeks.com.

    Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, then click OK. When it finishes click OK.

    11) Now (still in safe mode) run Ad-aware & SpyBot S&D and clean what they find.

    12) Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
    Click the [+] next to uninstall. Scroll down until you see the NAMES of programs, not the numbers in {,}. See if you can find any of the following:

    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
    SA = Search Assistant
    SW = Shopping Wizzard

    To double check, on the left pane, it will say what they are. Highlight one at a time, and hit your delete key. Once you delete all three, you may exit.

    13) Now reboot normal mode.
    14) Before running anything else run HijackThis and save a log.
    15) Connect here to MG's and post the new log. Then continue running and let's see how everything is working.
     
  10. Byxor

    Byxor Private E-2

    Ok that took a while. I followed everything to the letter and here are the results:

    O2 - BHO: (no name) - {36791C41-EE2D-4A40-AF45-24A5ABA6D46E} - C:\WINDOWS\d3df32.dll
    This file was not found, it was replaced with another with the ntiq.dll file name and could not be found doing a search on C:

    O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
    This file could not be deleted "access denied"

    Under "Network Security Service" this was the Path to executable file: C:Windows\system32\javajt32.exe/s. It could not be deleted ("access denied"); a search was also done with the same results.

    When I ran Hijack again, all the files that were previously listed from the last log were not there any longer and had been replaced with the ones listed in my log below.

    Both adaware and spybot found a few more items and deleted those.

    HSA was not located, SA was not there, SW was and was deleted.

    Thanks, I know this is tough without seeing it in real time, appreciate the help.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:04:11 AM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\javajt32.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\crne32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Office mouse\1.1\moffice.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Office mouse\1.1\MOUSE32A.DAT
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Common Files\efax\HotTray.exe
    C:\Program Files\Common Files\efax\Dllcmd32.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Documents and Settings\Derek Smith\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tbtoe.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: (no name) - {1C7373CB-D0CC-712E-8CD1-C898172A6764} - C:\WINDOWS\system32\ntiq.dll
    O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office mouse\1.1\moffice.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1088212129838
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_03) -
    O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
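    A triage helper for the kind of HijackThis log posted above, added here as an example (it is not a tool from this thread or from HijackThis itself). It parses the R0/R1, O2 and O4 entry lines, flags the patterns chaslang picks out (an IE start/search page served from a res:// DLL, a nameless BHO, an autorun executable sitting directly in C:\WINDOWS), and diffs two scans to show which hijacker names were swapped and which entries survived the cleanup; the sample lines are constructed from the logs in this thread, and the regex heuristics are my own assumptions, not HijackThis's rules.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input (adapted from the logs posted in this thread):
# HijackThis v1.97 entry lines from the scan before the cleanup steps and the scan after them.
LOG_BEFORE = """
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\bpecz.dll/sp.html#37049
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = res://bpecz.dll/index.html#37049
O2 - BHO: (no name) - {36791C41-EE2D-4A40-AF45-24A5ABA6D46E} - C:\\WINDOWS\\d3df32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [crne32.exe] C:\\WINDOWS\\crne32.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [HPDJ Taskbar Utility] C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe
"""

LOG_AFTER = """
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = res://tbtoe.dll/index.html#37049
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant =
O2 - BHO: (no name) - {1C7373CB-D0CC-712E-8CD1-C898172A6764} - C:\\WINDOWS\\system32\\ntiq.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [crne32.exe] C:\\WINDOWS\\crne32.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [HPDJ Taskbar Utility] C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# res:// URLs load a page out of a DLL's resource section; a start/search page served
# that way from a DLL dropped in C:\WINDOWS is the signature of this hijacker.
RES_DLL_RE = re.compile(r"res://[^\s]*?([A-Za-z0-9_]+\.dll)", re.IGNORECASE)
# An autorun launching an .exe that sits directly in C:\WINDOWS (not in a subfolder).
WINROOT_EXE_RE = re.compile(r'\]\s*"?([A-Za-z]:\\WINDOWS\\[^\\"\s]+\.exe)"?', re.IGNORECASE)
DLL_NAME_RE = re.compile(r"([A-Za-z0-9_]+\.dll)", re.IGNORECASE)


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, body, raw_line) for every entry line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("kind"), m.group("body"), raw))
    return entries


def flag_entry(kind: str, body: str) -> Optional[str]:
    """Reason this entry looks like part of the hijacker, or None if nothing matched (heuristic)."""
    if kind in ("R0", "R1"):
        m = RES_DLL_RE.search(body)
        if m:
            return f"IE start/search page served out of local DLL {m.group(1)}"
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        return "Browser Helper Object with no name"
    elif kind == "O4":
        m = WINROOT_EXE_RE.search(body)
        if m:
            return f"autorun of an executable placed directly in the Windows folder: {m.group(1)}"
    return None


def triage(text: str) -> Dict[str, str]:
    """Map each suspicious log line to the reason it was flagged."""
    flagged = {}
    for kind, body, raw in parse_log(text):
        reason = flag_entry(kind, body)
        if reason:
            flagged[raw] = reason
    return flagged


def hijacker_dlls(text: str) -> Set[str]:
    """DLL names referenced by flagged R0/R1 and O2 entries: the names that change on every scan."""
    names = set()
    for kind, body, _ in parse_log(text):
        if kind in ("R0", "R1", "O2") and flag_entry(kind, body):
            names.update(n.lower() for n in DLL_NAME_RE.findall(body))
    return names


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries that vanished and entries that appeared between two scans."""
    old = {raw for _, _, raw in parse_log(before)}
    new = {raw for _, _, raw in parse_log(after)}
    return sorted(old - new), sorted(new - old)


def survivors(before: str, after: str) -> List[str]:
    """Flagged entries present in both scans, i.e. what the cleanup did not remove."""
    return sorted(set(triage(before)) & set(triage(after)))


if __name__ == "__main__":
    for raw, why in triage(LOG_AFTER).items():
        print(f"{why}\n    {raw}")
    gone, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *gone, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("still present after cleanup:", survivors(LOG_BEFORE, LOG_AFTER))
```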
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A few questions which are very important:

    1) Are you absolutely positive you stopped and disabled the Network Security Service before trying to delete anything? If this had been stopped and disabled, you should have had no problem deleting the javajt32.exe file.
    2) Your message said C:Windows\system32\javajt32.exe/s that is not what I asked you to delete. There is no /s at the end of the file. I said C:Windows\system32\javajt32.exe. That may be what you saw in Network Security Service in the path to the service but the /s is not part of the file name. It is an option. If you do not follow directions exactly, this problem will not get fixed.
    3) Are you absolutely positive you booted in safe mode when trying to delete the files?
    4) Are you sure you remained disconnected from the internet like I asked?


    At this point, since I have no idea what will be in your log anymore, you should download the latest version of HijackThis: http://www.majorgeeks.com/download3155.html
    and run it and post a new log. It would be good if you can do this and not reboot until I get back to you on what to do next. You can disconnect from the internet until you have a chance to come back. And you can power down your monitor, but leave the PC running.
    NOTE: This time before you run HijackThis please follow the instructions mentioned many times before: shut down everything, including all items you see in your system tray. This is even mentioned as a requirement before posting a log here: http://www.majorgeeks.com/vb/showthread.php?t=35407
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One additional point about where you have been running HijackThis from. You are running from here:
    C:\Documents and Settings\Derek Smith\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    This is a temporary directory which is susceptible to being cleaned up by cleaning tools like CrapCleaner and the like. If this happens, you will not only lose HijackThis.exe but also the backups it has made, which could be needed if something you needed was deleted inadvertently. Put HijackThis in its own non-temporary folder. You can make a shortcut to it and put it on your desktop if you desire.
     
