Yet another "only the best" bugger

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by GiomBee, Jun 24, 2004.

  1. GiomBee

    GiomBee Private E-2

    Hello everyone!

    I'm posting this thread (my very first one on majorgeeks, hehe) because I've been "infected" with the "Only The Best" spyware. Of course, spybot and AdAware were of no use at all so I started browsing around the forums to see if anyone encountered the same problems and I came across a few threads here.

    I've read the HijackThis FAQ and the other threads posted here about this nasty little bastard and, accordingly, I've scanned my computer with HijackThis to see what was wrong. I can see some suspicious items in the log (my latest Windows setup was about 4 days ago, so it's still pretty clean), but I'm a little scared to mess up my system, so I'd really appreciate it if someone could take a look at my log and tell me how to proceed from here (what to fix, what to delete in safe mode, and things like that).

    Here is the log (I have highlighted the items that look suspicious to me or that I have simply never noticed):

    Logfile of HijackThis v1.97.7
    Scan saved at 19:53:57, on 24/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\mIRC\mirc.exe
    C:\WINDOWS\system32\craz32.exe
    C:\WINDOWS\system32\crjb32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\GiomBee\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lojpd.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lojpd.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lojpd.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lojpd.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lojpd.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lojpd.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C234103-94D8-FE86-BF5F-D52FD6347B89} - C:\WINDOWS\system32\addlh32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [craz32.exe] C:\WINDOWS\system32\craz32.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [crjb32.exe] C:\WINDOWS\system32\crjb32.exe
    O4 - HKLM\..\RunOnce: [sdkek.exe] C:\WINDOWS\sdkek.exe
    O4 - HKLM\..\RunOnce: [d3zp32.exe] C:\WINDOWS\system32\d3zp32.exe
    O4 - HKLM\..\RunOnce: [appth.exe] C:\WINDOWS\system32\appth.exe
    O4 - HKLM\..\RunOnce: [sdkgy32.exe] C:\WINDOWS\sdkgy32.exe
    O4 - HKLM\..\RunOnce: [appzw32.exe] C:\WINDOWS\appzw32.exe
    O4 - Startup: e-Backup 1.42 Scheduler.lnk = ?
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38158.4978587963
    O17 - HKLM\System\CCS\Services\Tcpip\..\{11684315-C776-43CC-BA0E-A4A374C4BC57}: NameServer = 80.10.246.130 80.10.246.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{11684315-C776-43CC-BA0E-A4A374C4BC57}: NameServer = 80.10.246.130 80.10.246.3
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See this thread. Follow from the beginning to the end and you will see the kind of steps required to fix this sucker. Also note two other items not mentioned in that thread that can be helpful:

    1) disconnect from the internet while doing all the cleaning, deleting and rebooting
    2) also look for strange named .dat files (they may also even match the names of the .DLL or .EXE files that are problems).
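The log GiomBee posted and the .dat tip in chaslang's reply both lend themselves to a small triage script. The Python below is an added example written for this page; it is not code from the thread, from MajorGeeks or from the HijackThis tool. It parses entries in the HijackThis 1.x line format and flags the three patterns visible in the log above: R0/R1 start and search pages pointed at a local `res://` DLL, an O2 BHO loaded from the Windows directory, and O4 Run/RunOnce entries that launch a bare, random-looking executable from C:\WINDOWS or system32. It then lists the matching `.dat` names chaslang suggests looking for. The sample entries are constructed from the shapes in the log; the heuristics (`WINDIR_RE`, `RANDOM_STEM_RE`, the reason strings) are assumptions made here, and anything flagged is a candidate for review, not a verdict.

```python
"""Triage helper for HijackThis 1.x log entries.

Added example for this thread (not HijackThis code, not from the thread's
participants). The heuristics below are assumptions modelled on the log
shapes seen in the thread; a hit means "review this entry", not "malware".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the HijackThis log format: the hijacked entries from
# the thread plus a few ordinary ones so the filters have something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lojpd.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lojpd.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C234103-94D8-FE86-BF5F-D52FD6347B89} - C:\WINDOWS\system32\addlh32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [craz32.exe] C:\WINDOWS\system32\craz32.exe
O4 - HKLM\..\RunOnce: [sdkek.exe] C:\WINDOWS\sdkek.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<dll>.+)$")
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (assumed layout).
WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\(?:system32\\)?[^\\]+$", re.IGNORECASE)
# Short random-looking stems such as craz32, sdkek, addlh32 (heuristic, assumed).
RANDOM_STEM_RE = re.compile(r"^[a-z0-9]{4,5}(?:32)?$")


@dataclass
class Finding:
    kind: str    # HijackThis entry type: R0, R1, O2, O4, ...
    path: str    # file the entry points at
    reason: str  # why it was flagged
    line: str    # the original log line


def _executable_from(cmd: str) -> str:
    """First token of a Run command, with surrounding quotes removed."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _split_path(path: str) -> tuple[str, str, str]:
    """Return (directory, file name, stem) for a Windows path."""
    directory, _, filename = path.rpartition("\\")
    return directory, filename, filename.rsplit(".", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Return the entries of a HijackThis log that match the thread's patterns."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and "= res://" in body:
            # Start/search page served from a resource inside a local DLL.
            dll = body.split("= res://", 1)[1].split("/", 1)[0]
            findings.append(Finding(kind, dll, "browser page hijacked to a local res:// DLL", raw))
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b and WINDIR_RE.match(b.group("dll")):
                findings.append(Finding(kind, b.group("dll"), "BHO loaded from the Windows directory", raw))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue
            exe = _executable_from(r.group("cmd"))
            _, filename, stem = _split_path(exe)
            reasons = []
            if r.group("hive") == "HKLM" and r.group("key") == "RunOnce":
                reasons.append("persists via HKLM RunOnce")
            if r.group("name").lower() == filename.lower():
                reasons.append("value name is just the file name")
            if exe == r.group("cmd") and WINDIR_RE.match(exe) and RANDOM_STEM_RE.match(stem.lower()):
                reasons.append("bare random-looking executable in the Windows directory")
            if reasons:
                findings.append(Finding(kind, exe, "; ".join(reasons), raw))
    return findings


def dat_candidates(findings: list[Finding]) -> list[str]:
    """Sibling .dat names sharing a flagged stem, one per stem (chaslang's tip)."""
    seen: set[str] = set()
    out: list[str] = []
    for f in findings:
        directory, _, stem = _split_path(f.path)
        if stem.lower() in seen:
            continue
        seen.add(stem.lower())
        out.append((directory + "\\" if directory else "") + stem + ".dat")
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind}: {f.path}  <- {f.reason}")
    print("Also look for:", ", ".join(dat_candidates(found)))
```

Run it as-is to see the five sample hits, or feed `triage()` the text of a saved HijackThis log. The Run/RunOnce check deliberately leans on structure rather than names alone: in the log above the legitimate entries all have descriptive value names and either arguments or a Program Files path, while the hijacker's entries use the file name as the value name and launch a bare executable from the Windows directory. A name-only pattern would also catch ordinary files like nvsvc32.exe, which is why the stem test is only applied together with the other two signals.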
     
