Yet another case of Home Search
I tried getting rid of it, but it just came back. Here's the log:
Logfile of HijackThis v1.98.1
Scan saved at 9:22:37 PM, on 8/9/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\iebm32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\msiexec.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
H:\Babylon\Babylon.exe
C:\iTunes\iTunesHelper.exe
C:\Program Files\Tavultesoft\Keyman\keyman.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\UltraMon\UltraMon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Gaim\gaim.exe
C:\WINNT\sdkeq.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vftwd.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vftwd.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vftwd.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {985E72C1-9E10-3D4F-1A43-9AEA9347DA52} - C:\WINNT\atlks.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe " /logon
O4 - HKLM\..\Run: [nwiz] "nwiz.exe " /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup"
O4 - HKLM\..\Run: [AtiPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] "StartupMonitor.exe"
O4 - HKLM\..\Run: [Babylon Client] H:\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [iTunesHelper] C:\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [netvw.exe] C:\WINNT\system32\netvw.exe
O4 - HKLM\..\RunOnce: [d3cf.exe] C:\WINNT\system32\d3cf.exe
O4 - HKLM\..\RunOnce: [d3gq32.exe] C:\WINNT\system32\d3gq32.exe
O4 - HKLM\..\RunOnce: [apigp.exe] C:\WINNT\apigp.exe
O4 - HKLM\..\RunOnce: [addrz.exe] C:\WINNT\system32\addrz.exe
O4 - HKLM\..\RunOnce: [mfcpi32.exe] C:\WINNT\mfcpi32.exe
O4 - HKLM\..\RunOnce: [mfcpd32.exe] C:\WINNT\mfcpd32.exe
O4 - HKLM\..\RunOnce: [sysxw.exe] C:\WINNT\sysxw.exe
O4 - HKLM\..\RunOnce: [ipie32.exe] C:\WINNT\ipie32.exe
O4 - HKLM\..\RunOnce: [sdkop.exe] C:\WINNT\sdkop.exe
O4 - HKLM\..\RunOnce: [mfced32.exe] C:\WINNT\system32\mfced32.exe
O4 - HKLM\..\RunOnce: [mfckd.exe] C:\WINNT\mfckd.exe
O4 - HKLM\..\RunOnce: [iefb.exe] C:\WINNT\iefb.exe
O4 - HKCU\..\Run: [keyman.exe] "C:\Program Files\Tavultesoft\Keyman\keyman.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit"
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Run Time.exe
O4 - Global Startup: UltraMon.lnk = C:\UltraMon\UltraMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://eq2beta.station.sony.com/beta_reg/soesysinfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4877620A-42ED-4664-A8D1-7FC278EDEC1E}: NameServer = 24.204.0.4
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
Thanks!
Steps To Take Before Posting a hijack This Log
SVT Forum Etiquette
Please read those links, then update your post with the required information.
Dexter...
I ran ad-aware and spybot before posting (I use both regularly anyway).
Appreciate the help.
Yes, you were missing:
- telling us that you had run Ad-Aware and Spybot S&D with the latest definitions (which you have done now); and
- saying please, or something along those lines...
But at least you said thanks way down there at the end.....that's better than nothing
Stand by for your reply...
Dexter...
Look for a service called "Network Security Service"... If it's there, click on it, click properties, and set the thing to "disabled" and then STOP the service.
If you do not have that service, I want you to manually do a hard-power down or restart on your computer. Do not select shutdown from your menu, just reach over and shut it off, then back on, or hit the restart button on your case. When it starts to boot, tap the F8 key to get the boot options menu, and select SAFE MODE.
If you did have the "Network Security Service", and you stopped it, then you can either do the hard reboot or a normal reboot through the Start menu. Reboot the computer into SAFE MODE.
(Make sure to let me know which situation applied to you.)
Either way, once you are in SAFE MODE, run HijackThis, and FIX these entries:
***NOTE: This Hijack appears to have the ability to rename its files, apparently when the computer is shut down or the task has been ended. If you have rebooted your computer since you posted this log, check Hijack This to make sure that the file names are identical to what you have posted. Otherwise, you need to post a new log, and NOT SHUT DOWN YOUR COMPUTER until you have gotten a reply from one of us as to what files you need to remove.***
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vftwd.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vftwd.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vftwd.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {985E72C1-9E10-3D4F-1A43-9AEA9347DA52} - C:\WINNT\atlks.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\RunOnce: [netvw.exe] C:\WINNT\system32\netvw.exe
O4 - HKLM\..\RunOnce: [d3cf.exe] C:\WINNT\system32\d3cf.exe
O4 - HKLM\..\RunOnce: [d3gq32.exe] C:\WINNT\system32\d3gq32.exe
O4 - HKLM\..\RunOnce: [apigp.exe] C:\WINNT\apigp.exe
O4 - HKLM\..\RunOnce: [addrz.exe] C:\WINNT\system32\addrz.exe
O4 - HKLM\..\RunOnce: [mfcpi32.exe] C:\WINNT\mfcpi32.exe
O4 - HKLM\..\RunOnce: [mfcpd32.exe] C:\WINNT\mfcpd32.exe
O4 - HKLM\..\RunOnce: [sysxw.exe] C:\WINNT\sysxw.exe
O4 - HKLM\..\RunOnce: [ipie32.exe] C:\WINNT\ipie32.exe
O4 - HKLM\..\RunOnce: [sdkop.exe] C:\WINNT\sdkop.exe
O4 - HKLM\..\RunOnce: [mfced32.exe] C:\WINNT\system32\mfced32.exe
O4 - HKLM\..\RunOnce: [mfckd.exe] C:\WINNT\mfckd.exe
O4 - HKLM\..\RunOnce: [iefb.exe] C:\WINNT\iefb.exe
Next, stay in SAFE MODE, and locate all of the .exe files and .dll files mentioned above. Make sure you are set to show hidden files and folders on your system; instructions to do that are in the link above, "Steps to take before posting a Hijack This log."
These are the files you need to look for:
C:\WINNT\system32\vftwd.dll
C:\WINNT\atlks.dll
C:\WINNT\system32\netvw.exe
C:\WINNT\system32\d3cf.exe
C:\WINNT\system32\d3gq32.exe
C:\WINNT\apigp.exe
C:\WINNT\system32\addrz.exe
C:\WINNT\mfcpi32.exe
C:\WINNT\mfcpd32.exe
C:\WINNT\sysxw.exe
C:\WINNT\ipie32.exe
C:\WINNT\sdkop.exe
C:\WINNT\system32\mfced32.exe
C:\WINNT\mfckd.exe
C:\WINNT\iefb.exe
Move these files to a new folder called C:\Quarantine. Rename the .exe's to .xxx and the .dll's to .ddd. That way you can always replace them if it somehow turns out that one or more of these are necessary files... which is not likely, but quarantining is safer than deleting them.
Now, reboot normally, and check things out. Come let us know how it worked. Run a new HJT scan, and post the log here for further review.
Dexter...
Any ideas?
Dexter...
Yep, it renamed itself, but I can't find that dll either.
Here it is:
Logfile of HijackThis v1.98.1
Scan saved at 6:12:59 PM, on 8/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
H:\Babylon\Babylon.exe
C:\iTunes\iTunesHelper.exe
C:\WINNT\sdkeq.exe
C:\Program Files\Tavultesoft\Keyman\keyman.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\UltraMon\UltraMon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINNT\netig32.exe
C:\Program Files\Gaim\gaim.exe
C:\Documents and Settings\nadav\Desktop\putty.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\mIRC\mirc.exe
C:\iTunes\iTunes.exe
H:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zgyut.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zgyut.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zgyut.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zgyut.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zgyut.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zgyut.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zgyut.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zgyut.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zgyut.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zgyut.dll/sp.html#10213
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9346227A-2F77-86D0-C117-F3B49D541ADF} - C:\WINNT\system32\javanm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe " /logon
O4 - HKLM\..\Run: [nwiz] "nwiz.exe " /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup"
O4 - HKLM\..\Run: [AtiPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] "StartupMonitor.exe"
O4 - HKLM\..\Run: [Babylon Client] H:\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [iTunesHelper] C:\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sdkeq.exe] C:\WINNT\sdkeq.exe
O4 - HKCU\..\Run: [keyman.exe] "C:\Program Files\Tavultesoft\Keyman\keyman.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit"
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Run Time.exe
O4 - Global Startup: UltraMon.lnk = C:\UltraMon\UltraMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://eq2beta.station.sony.com/beta_reg/soesysinfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4877620A-42ED-4664-A8D1-7FC278EDEC1E}: NameServer = 24.204.0.4
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
This thing is sneaky!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zgyut.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zgyut.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zgyut.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zgyut.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zgyut.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zgyut.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zgyut.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zgyut.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zgyut.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zgyut.dll/sp.html#10213
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9346227A-2F77-86D0-C117-F3B49D541ADF} - C:\WINNT\system32\javanm.dll
O4 - HKLM\..\Run: [sdkeq.exe] C:\WINNT\sdkeq.exe
C:\WINNT\zgyut.dll
C:\WINNT\system32\javanm.dll
C:\WINNT\sdkeq.exe
In your folder options, also set to show Protected Operating System Files. Also remember to Apply to All Folders.
If you still cannot manually find them, try opening your C:\WINNT\ folder and your C:\WINNT\system32\ folder, and sort the files by date, looking for the most recently modified. Look for one that fits the name pattern (5 or 6 random letters) and see when it was last modified. If it was today, that is your target. Quarantine it.
Reboot and check things out, post a fresh log.
Dexter...
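The triage Dexter walks through in his replies above (IE pages pointed at a local DLL via res://, the missing URLSearchHook, unnamed BHOs and toolbars, RunOnce entries for files dropped straight into WINNT or system32 with 5 or 6 random-letter names, and the files renaming themselves between reboots) written out as an added Python example; it is not code from the thread or from HijackThis. The log lines are constructed to mimic the logs posted here, and the name pattern (4 to 6 letters or digits, optionally followed by "32") is an assumption drawn from Dexter's description.

```python
import re

# Constructed sample lines in HijackThis v1.98 format, modelled on the logs in
# this thread: the first log and the log posted after a reboot.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\vftwd.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vftwd.dll/index.html#10213
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {985E72C1-9E10-3D4F-1A43-9AEA9347DA52} - C:\WINNT\atlks.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [netvw.exe] C:\WINNT\system32\netvw.exe
O4 - HKLM\..\RunOnce: [mfcpi32.exe] C:\WINNT\mfcpi32.exe
O4 - HKLM\..\Run: [sdkeq.exe] C:\WINNT\sdkeq.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zgyut.dll/sp.html#10213
O2 - BHO: (no name) - {9346227A-2F77-86D0-C117-F3B49D541ADF} - C:\WINNT\system32\javanm.dll
O4 - HKLM\..\Run: [sdkeq.exe] C:\WINNT\sdkeq.exe
"""

# Assumed name pattern (from Dexter's description): a short random-looking name,
# optionally ending in "32", dropped directly into WINNT or system32.
SUSPECT_DIRS = {r"c:\winnt", r"c:\winnt\system32"}
RANDOM_NAME = re.compile(r"^(?=.*[a-z])[a-z0-9]{4,6}(32)?\.(exe|dll)$")
RES_DLL = re.compile(r"res://(?:[^/]*\\)?([^/\\]+\.dll)", re.IGNORECASE)

def is_random_name(path: str) -> bool:
    """True if path is a random-named exe/dll sitting straight in WINNT or system32."""
    directory, _, name = path.lower().rpartition("\\")
    return directory in SUSPECT_DIRS and RANDOM_NAME.match(name) is not None

def target_of(line: str) -> str:
    """File an O2/O3/O4 entry points at ('' when HijackThis reports '(no file)')."""
    kind = line[:2]
    if kind == "O4" and "] " in line:
        rest = line.split("] ", 1)[1]
        if rest.startswith('"'):            # quoted path, possibly followed by arguments
            return rest[1:].split('"', 1)[0]
        return rest.split(" ", 1)[0]        # unquoted path, arguments after a space
    if kind in ("O2", "O3"):
        tail = line.rsplit(" - ", 1)[1]
        return "" if tail == "(no file)" else tail
    return ""

def triage(log_text: str) -> list:
    """Return (reason, line) pairs for the entries that match the hijack pattern."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines() if raw.strip()):
        kind = line[:2]
        if kind in ("R0", "R1") and "= res://" in line:
            findings.append(("IE page redirected into a local DLL via res://", line))
        elif kind == "R3" and "URLSearchHook is missing" in line:
            findings.append(("default URLSearchHook removed", line))
        elif kind in ("O2", "O3") and "(no name)" in line:
            target = target_of(line)
            if target == "" or is_random_name(target):
                findings.append(("unnamed BHO/toolbar backed by a missing or random-named file", line))
        elif kind == "O4" and is_random_name(target_of(line)):
            findings.append(("autostart of a random-named file in WINNT/system32", line))
    return findings

def suspect_files(log_text: str) -> set:
    """Base names of the dropped files the flagged entries reference (the quarantine list)."""
    names = set()
    for _, line in triage(log_text):
        match = RES_DLL.search(line)
        target = match.group(1) if match else target_of(line)
        if target:
            names.add(target.lower().rpartition("\\")[2])
    return names

def renamed_between(old_log: str, new_log: str) -> tuple:
    """(files gone, files new) between two logs: the hijack renaming itself on reboot."""
    before, after = suspect_files(old_log), suspect_files(new_log)
    return before - after, after - before

if __name__ == "__main__":
    for reason, line in triage(LOG_BEFORE):
        print(f"{reason}\n    {line}")
    print("quarantine:", sorted(suspect_files(LOG_BEFORE)))
    print("renamed on reboot:", renamed_between(LOG_BEFORE, LOG_AFTER))
```

The name heuristic is coarse (legitimate smss.exe or lsass.exe would also match it), which is why it is applied only to autostart and BHO entries and never to the running-process list.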