hijack this logs..help
this HSA stuff keeps screwing with my computer..I can't even use AIM now that I've been affected..the only problem that I have experienced so far is lots of ads and whenever I try to IM someone it'll crash my AIM. I've looked at the aim.com errors section and it says home search assistant is my problem. here are my logs:
Logfile of HijackThis v1.98.2
Scan saved at 11:25:19 AM, on 10/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\system32\atloz.exe
C:\WINDOWS\tmlpcert2005:hoxyf
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {69CD759E-4291-29B5-83E5-2B55FF15D74F} - C:\WINDOWS\d3bi32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3wc.exe] C:\WINDOWS\system32\d3wc.exe
O4 - HKLM\..\Run: [WinLoader] #Zt
O4 - HKLM\..\Run: [sdksr.exe] C:\WINDOWS\system32\sdksr.exe
O4 - HKLM\..\Run: [sysmq.exe] C:\WINDOWS\system32\sysmq.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [atloz.exe] C:\WINDOWS\system32\atloz.exe
O4 - HKLM\..\RunServices: [WinLoader] #Zt
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
thanks!
Logfile of HijackThis v1.98.2
Scan saved at 11:25:19 AM, on 10/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\system32\atloz.exe
C:\WINDOWS\tmlpcert2005:hoxyf
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xoonq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {69CD759E-4291-29B5-83E5-2B55FF15D74F} - C:\WINDOWS\d3bi32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3wc.exe] C:\WINDOWS\system32\d3wc.exe
O4 - HKLM\..\Run: [WinLoader] #Zt
O4 - HKLM\..\Run: [sdksr.exe] C:\WINDOWS\system32\sdksr.exe
O4 - HKLM\..\Run: [sysmq.exe] C:\WINDOWS\system32\sysmq.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [atloz.exe] C:\WINDOWS\system32\atloz.exe
O4 - HKLM\..\RunServices: [WinLoader] #Zt
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
thanks!
0
Comments
Logfile of HijackThis v1.98.2
Scan saved at 7:51:02 PM, on 10/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\tmlpcert2005:hoxyf
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\WINDOWS\d3qy32.exe
C:\Program Files\AIM\aim.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D1DC71DB-95AD-1742-1B05-0653ADF80398} - C:\WINDOWS\sdkav.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3wc.exe] C:\WINDOWS\system32\d3wc.exe
O4 - HKLM\..\Run: [WinLoader] #Zt
O4 - HKLM\..\Run: [sdksr.exe] C:\WINDOWS\system32\sdksr.exe
O4 - HKLM\..\Run: [sysmq.exe] C:\WINDOWS\system32\sysmq.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [atloz.exe] C:\WINDOWS\system32\atloz.exe
O4 - HKLM\..\Run: [d3qy32.exe] C:\WINDOWS\d3qy32.exe
O4 - HKLM\..\RunServices: [WinLoader] #Zt
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
thanks for your help..
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mqofa.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D1DC71DB-95AD-1742-1B05-0653ADF80398} - C:\WINDOWS\sdkav.dll
O4 - HKLM\..\Run: [d3wc.exe] C:\WINDOWS\system32\d3wc.exe
O4 - HKLM\..\Run: [WinLoader] #Zt
O4 - HKLM\..\Run: [sdksr.exe] C:\WINDOWS\system32\sdksr.exe
O4 - HKLM\..\Run: [sysmq.exe] C:\WINDOWS\system32\sysmq.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
O4 - HKLM\..\Run: [atloz.exe] C:\WINDOWS\system32\atloz.exe
O4 - HKLM\..\Run: [d3qy32.exe] C:\WINDOWS\d3qy32.exe
O4 - HKLM\..\RunServices: [WinLoader] #Zt
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
Fix those entries then find and delete the following files:
C:\WINDOWS\mqofa.dll
C:\WINDOWS\sdkav.dll
C:\WINDOWS\system32\d3wc.exe
C:\WINDOWS\system32\sdksr.exe
C:\WINDOWS\system32\sysmq.exe
C:\WINDOWS\System32\idctup20.exe
C:\WINDOWS\system32\atloz.exe
C:\WINDOWS\d3qy32.exe
Then pull the plug and post a new log.
C:\WINDOWS\d3qy32.exe and C:\WINDOWS\System32\idctup20.exe
I couldn't locate:
C:\WINDOWS\mqofa.dll
C:\WINDOWS\sdkav.dll
C:\WINDOWS\system32\d3wc.exe
C:\WINDOWS\system32\sdksr.exe
C:\WINDOWS\system32\sysmq.exe
C:\WINDOWS\system32\atloz.exe
Is this a problem? Thanks for your patience, by the way.
Logfile of HijackThis v1.98.2
Scan saved at 8:27:44 PM, on 10/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\tmlpcert2005:hoxyf
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sysxg32.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0C5166B1-769E-6539-9208-12261EAF18EA} - C:\WINDOWS\system32\d3fz.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysxg32.exe] C:\WINDOWS\system32\sysxg32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
thanks so much...I hope you have an idea of how GRATEFUL I am!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lyyal.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0C5166B1-769E-6539-9208-12261EAF18EA} - C:\WINDOWS\system32\d3fz.dll
O4 - HKLM\..\Run: [sysxg32.exe] C:\WINDOWS\system32\sysxg32.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
Fix those entries then find and delete the following files:
C:\WINDOWS\system32\lyyal.dll
C:\WINDOWS\system32\d3fz.dll
C:\WINDOWS\system32\sysxg32.exe
Then pull the plug and post a new log.
Logfile of HijackThis v1.98.2
Scan saved at 7:15:04 PM, on 10/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
O2 - BHO: (no name) - {0F9785C1-F999-8194-47E8-A0F96E941AC1} - C:\WINDOWS\system32\d3gn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [ipon.exe] C:\WINDOWS\ipon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
Thanks! Thanks.
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
Fix those entries then find and delete the following file:
C:\WINDOWS\system32\d3gn.dll
Then unplug the computer and post a new log.
Logfile of HijackThis v1.98.2
Scan saved at 5:30:16 PM, on 10/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [ipon.exe] C:\WINDOWS\ipon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
Thanks! Once again!
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
Also, it bothers me that you have 2 copies of this process:
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
Wuauclt.exe is the Windows Automatic Update program for Windows ME. BUt you are running XP, which uses a service for Windows Updates. Seeing this in Windows XP is not normal....seeing it twice is very odd.
So, my question to you is, was this computer formerly on WIndows ME and upgraded to XP?
Now, you also have this entry:
O4 - HKLM\..\Run: [ipon.exe] C:\WINDOWS\ipon.exe
Which was not there before.
I want you to do the following. Set your system to Show Hidden Files and folders.
Next, Disable System Restore.
Do a hard reboot (pull the power plug out, then plug it back in) and boot into Safe Mode.
Run Hijack This. FIX THE FOLLOWING:
**************
O4 - HKLM\..\Run: [ipon.exe] C:\WINDOWS\ipon.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
**************
Stay in Safe mode, manually locate the exe and dll files in the entries above, and quarantine them.
Also, locate C:\WINDOWS\System32\wuauclt.exe, and quarantine it according to the above instructions as well.
Reboot normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review.
When you reboot, check to see if your automatic updates are still on: right-click on My Computer, select the Automatic Updates tab, and check to see that Automatic updates are enabled.
Then, launch Internet Explorer, and click on the Tools Menu -> Internet Options -> Programs -> Reset Web Settings. Keep the Reset Home Page option checked on, and Click the YES button. This will reset all your IE settings to deafult.
Exit IE, launch HJT, run a scan, and post a new log.
Dexter...