Hi from New Zealand
Hi Team,
My home PC was losing my Homepage for quite a long time before I realised it was an infection of some sort. Luckily one of my work mates had been directed to your site and had success removing the bug from his PC. I am currently working through the 'HijackThis' instructions and got to the bit where I am asked to send you an image of my Logfile. Hope this is OK; I will now carry on with the removal instructions.
Thank you for your assistance
Richard Harding
Logfile of HijackThis v1.98.2
Scan saved at 6:56:32 p.m., on 16/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\sdkpr.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\sysnl32.exe
C:\WINDOWS\System32\apphelp4.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\svdycscv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hlxxl.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hlxxl.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hlxxl.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hlxxl.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hlxxl.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hlxxl.dll/index.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0B7CF0C1-AE5A-B428-6229-E649815FF71C} - C:\WINDOWS\mfcoj32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [BrowserBrand] C:\Program Files\ONLINE~1\XTRA\brand.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sysnl32.exe] C:\WINDOWS\system32\sysnl32.exe
O4 - HKLM\..\Run: [d9cd406dcf36] C:\WINDOWS\System32\apphelp4.exe
O4 - HKLM\..\RunOnce: [d3ar32.exe] C:\WINDOWS\system32\d3ar32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Zuehcae] C:\WINDOWS\System32\svdycscv.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093935654646
O17 - HKLM\System\CCS\Services\Tcpip\..\{75CF8B1E-8355-4B55-B335-63B4BB76A709}: NameServer = 202.27.158.40 202.27.184.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{75CF8B1E-8355-4B55-B335-63B4BB76A709}: NameServer = 202.27.158.40 202.27.184.3
Comments
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hlxxl.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hlxxl.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hlxxl.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hlxxl.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hlxxl.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hlxxl.dll/index.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R3 - Default URLSearchHook is missing
Get rid of these and also delete the files listed in safe mode:
mfcoj32.dll
O2 - BHO: (no name) - {0B7CF0C1-AE5A-B428-6229-E649815FF71C} - C:\WINDOWS\mfcoj32.dll
Clean these
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1093935654646
***Have no idea what these are... may want to see if someone else responds as well***
O17 - HKLM\System\CCS\Services\Tcpip\..\{75CF8B1E-8355-4B55-B335-63B4BB76A709}: NameServer = 202.27.158.40 202.27.184.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{75CF8B1E-8355-4B55-B335-63B4BB76A709}: NameServer = 202.27.158.40 202.27.184.3
Let us know if you have more problems or if that seemed to do the trick.
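The reply above sorts the log by hand into entries to fix (the R0/R1 pages redirected into a DLL via `res://`, the missing URLSearchHook), a BHO whose file should be deleted in safe mode, and O17 lines it is unsure about. The script below is an added example, not code from the forum or from HijackThis, that applies the same triage to log lines automatically. It treats the O17 entries the way a cautious responder would: they are the DNS servers configured for a network adapter, so the script only marks them "review" unless the caller passes the resolvers the ISP is known to use (the `expected_dns` parameter is this example's own assumption). The sample input is a handful of lines copied from the log posted above.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hlxxl.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hlxxl.dll/index.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0B7CF0C1-AE5A-B428-6229-E649815FF71C} - C:\WINDOWS\mfcoj32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{75CF8B1E-8355-4B55-B335-63B4BB76A709}: NameServer = 202.27.158.40 202.27.184.3
"""

# "R1 - <body>" / "O17 - <body>": section tag, then the entry itself.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# An IE page setting that points into a DLL through the res:// protocol.
RES_DLL_RE = re.compile(r"res://\S*?\.dll", re.IGNORECASE)
# The DLL path at the end of an O2 (BHO) line.
DLL_PATH_RE = re.compile(r"([A-Za-z]:\\\S+\.dll)", re.IGNORECASE)
# The space-separated resolver list on an O17 line.
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>.+)$")


@dataclass
class Finding:
    section: str
    verdict: str          # "fix": let HijackThis fix it; "review": confirm first; "info": leave alone
    reason: str
    line: str
    ips: Tuple[str, ...] = ()   # filled for O17 entries only


def triage(log_text: str, expected_dns: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Classify HijackThis log lines using the rules the reply in this thread applied by hand."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")

        if section in ("R0", "R1"):
            if RES_DLL_RE.search(body):
                findings.append(Finding(section, "fix", "IE start/search page redirected into a DLL via res://", raw))
            else:
                findings.append(Finding(section, "info", "IE page setting pointing at an ordinary file or URL", raw))

        elif section == "R3" and "missing" in body:
            findings.append(Finding(section, "fix", "default URLSearchHook is missing; HijackThis can restore it", raw))

        elif section == "O2" and "(no name)" in body:
            dll = DLL_PATH_RE.search(body)
            target = dll.group(1) if dll else "an unknown DLL"
            findings.append(Finding(section, "review",
                                    f"unnamed BHO loading {target}; delete the file in safe mode once confirmed", raw))

        elif section == "O17":
            ns = NAMESERVER_RE.search(body)
            ips = tuple(ns.group("ips").split()) if ns else ()
            if ips and set(ips) <= expected_dns:
                findings.append(Finding(section, "info", "DNS servers match the expected resolvers", raw, ips))
            else:
                findings.append(Finding(section, "review",
                                        "DNS servers for this adapter; confirm with your ISP before removing, "
                                        "or name resolution will stop working", raw, ips))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:6}] {f.section}: {f.reason}")
```

Running it on the sample prints two `fix` verdicts for the hijacked start and search pages, `info` for the untouched Local Page entry, `fix` for the R3 line, `review` for the BHO naming `mfcoj32.dll`, and `review` for the O17 resolvers; passing `expected_dns=frozenset({"202.27.158.40", "202.27.184.3"})` downgrades the O17 line to `info`, which is the check to do before touching DNS entries.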
Hi General, I am from NZ too and had one entry in HJT with the same nameserver as the last two entries you mentioned. Two entries with the same nameserver code turned up in Adaware labelled as data miners, but when I deleted them I was denied access to the internet. I reinstated them and all was OK again. As far as I know I do no networking (I am relatively new and not quite sure what networking entails).
What exactly are these things, why does deleting them stop me accessing the net, and are they any real threat?
Thanks
Baz