Another HJT log...

Discussion in 'adware, spyware & hijack cleaning' started by robo, Feb 21, 2004.

Thread Status:
Not open for further replies.
  1. robo

    robo Registered Member

    Joined:
    Dec 18, 2003
    Posts:
    4
    Hi, again, guys!

    Need some quick help - the customer is getting this as an IE start page: C:\WINDOWS\gstvlieiexie.htm#http...

    Here's his HJT log:

    **************

    Scan saved at 2:27:19 AM, on 2/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\WinServices.exe
    C:\WINDOWS\System32\tcpsvs32.exe
    C:\PROGRA~1\MICROS~2\Mouse\point32.exe
    C:\PROGRA~1\MESSEN~1\msmsgs.exe
    C:\PROGRA~1\NoAds\NoAds.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\DOCUME~1\rm\LOCALS~1\Temp\TE2E74~1.ZIP\HIJACK~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about_:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about_:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5efd808a-2b06-4b25-8774-633b65c56159} - C:\DOCUME~1\rm\APPLIC~1\prckllblefz.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-AA8E-8E1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0108.dll (file missing)
    O3 - Toolbar: vllkquiefie - {12982abd-05e0-442b-8061-9b46e4085427} - C:\DOCUME~1\rm\APPLIC~1\prckllblefz.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [pmpibke] "C:\WINDOWS\System32\pmpibke.exe"
    O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [NoAds] "C:\PROGRA~1\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [winpopup] C:\WINDOWS\winupie.exe
    O4 - HKCU\..\Run: [regsrv32.exe] regsrv32.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRA~1\ICQ\ICQ.exe -trayboot
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Locators.com Search Bar (HKLM)
    O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {522F629A-4DFE-43FA-8311-6F9C871016C5} - http://media.euniverse.com/cursorzo...setup_td035.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binari...TML_pack_XP.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.goinnow.com/tl4000.dll
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binari...UTH_pack_XP.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Insta...rsinstaller.cab

    **************

    I'm swamped here - any help will be greatly appreciated!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi robo,

    Before you start please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s

    O2 - BHO: (no name) - {5efd808a-2b06-4b25-8774-633b65c56159} - C:\DOCUME~1\rm\APPLIC~1\prckllblefz.dll

    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-AA8E-8E1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0108.dll (file missing)
    O3 - Toolbar: vllkquiefie - {12982abd-05e0-442b-8061-9b46e4085427} - C:\DOCUME~1\rm\APPLIC~1\prckllblefz.dll

    O4 - HKLM\..\Run: [pmpibke] "C:\WINDOWS\System32\pmpibke.exe"
    O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe

    O4 - HKCU\..\Run: [winpopup] C:\WINDOWS\winupie.exe
    O4 - HKCU\..\Run: [regsrv32.exe] regsrv32.exe

    O9 - Extra button: Locators.com Search Bar (HKLM)
    O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)

    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {522F629A-4DFE-43FA-8311-6F9C871016C5} - http://media.euniverse.com/cursorzo...setup_td035.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binari...TML_pack_XP.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.goinnow.com/tl4000.dll
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binari...UTH_pack_XP.cab

    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Insta...rsinstaller.cab

    Then reboot and delete:
    C:\WINDOWS\winupie.exe

    And download and run:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.removal.tool.html

    It would not hurt to run AdAware or Spybot S&D (see the sticky post in this forum for more information) as well.

    Regards,

    Pieter
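    The fix list above is built by reading each HJT line and asking the same few questions (where does the DLL live, which host serves the ActiveX cab, has the IE search value been pointed at about:blank). The script below is an added example, not part of the thread or of HijackThis itself: it parses the "Rn/On - ..." line layout seen in robo's log and applies constructed heuristics and allowlists to surface entries worth a closer look.

```python
import re

# Added example (not from the thread): a small triager for HijackThis 1.x log lines.
# The "<Rn|On> - <body>" layout is assumed from the log above; heuristics are constructed.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
TRUSTED_DPF_HOSTS = {"download.macromedia.com"}   # constructed allowlist for O16 downloads
TRUSTED_SEARCH_HOSTS = {"www.yahoo.com"}          # constructed allowlist for R0/R1 URLs

def parse_hjt(text):
    """Return (section, body) for every HJT entry line; process list and headers are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("sec"), m.group("body")) for m in matches if m]

def flag_entry(sec, body):
    """Return a reason string when the entry matches a hijack heuristic, else None."""
    upper = body.upper()
    m = HOST_RE.search(body)
    host = m.group(1).lower() if m else None
    if sec in ("R0", "R1"):
        if "ABOUT_:BLANK" in upper or "ABOUT:BLANK" in upper:
            return "IE search/start value hijacked to about:blank"
        if host and host not in TRUSTED_SEARCH_HOSTS:
            return "IE search/start value points at untrusted host " + host
    elif sec in ("O2", "O3"):
        if "APPLIC~1" in upper or "APPLICATION DATA" in upper:
            return "BHO/toolbar DLL loaded from the user's Application Data folder"
        if "(FILE MISSING)" in upper:
            return "toolbar registered but its DLL is missing"
    elif sec == "O4":
        cmd = body.split("] ", 1)[-1].strip().strip('"')  # command after "[name] "
        if "\\" not in cmd:
            return "autorun uses an unqualified executable name (" + cmd + "), resolved via PATH"
    elif sec == "O16" and host and host not in TRUSTED_DPF_HOSTS:
        return "ActiveX control downloaded from unvetted host " + host
    return None

def triage(text):
    """Return [(section, body, reason)] for entries worth a closer look, in log order."""
    return [(s, b, r) for s, b in parse_hjt(text) if (r := flag_entry(s, b))]

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank
O2 - BHO: (no name) - {5efd808a-2b06-4b25-8774-633b65c56159} - C:\DOCUME~1\rm\APPLIC~1\prckllblefz.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [regsrv32.exe] regsrv32.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
"""
```

Running `triage(SAMPLE_LOG)` flags the about:blank search bar, the Application Data BHO, the unqualified regsrv32.exe autorun and the ipbill.com cab, while the Yahoo start page, the NVIDIA run entry and the Macromedia Flash control pass; the allowlists are deliberately small and are where an analyst's own judgement goes.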
     
  3. robo

    robo Registered Member

    Joined:
    Dec 18, 2003
    Posts:
    4
    Thanks, Pieter - I just forwarded your recommendations...
    Appreciate the quick response!
    ;)
     