Another HJT log...

Discussion in 'adware, spyware & hijack cleaning' started by robo, Feb 21, 2004.

Thread Status:
Not open for further replies.
  1. robo

    robo Registered Member

    Joined:
    Dec 18, 2003
    Posts:
    4
    Hi, again, guys!

    Need some quick help - the customer is getting this as an IE start page: C:\WINDOWS\gstvlieiexie.htm#http...

    Here's his HJT log:

    **************

    Scan saved at 2:27:19 AM, on 2/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\WinServices.exe
    C:\WINDOWS\System32\tcpsvs32.exe
    C:\PROGRA~1\MICROS~2\Mouse\point32.exe
    C:\PROGRA~1\MESSEN~1\msmsgs.exe
    C:\PROGRA~1\NoAds\NoAds.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\DOCUME~1\rm\LOCALS~1\Temp\TE2E74~1.ZIP\HIJACK~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about_:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about_:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5efd808a-2b06-4b25-8774-633b65c56159} - C:\DOCUME~1\rm\APPLIC~1\prckllblefz.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-AA8E-8E1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0108.dll (file missing)
    O3 - Toolbar: vllkquiefie - {12982abd-05e0-442b-8061-9b46e4085427} - C:\DOCUME~1\rm\APPLIC~1\prckllblefz.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [pmpibke] "C:\WINDOWS\System32\pmpibke.exe"
    O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [NoAds] "C:\PROGRA~1\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [winpopup] C:\WINDOWS\winupie.exe
    O4 - HKCU\..\Run: [regsrv32.exe] regsrv32.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRA~1\ICQ\ICQ.exe -trayboot
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Locators.com Search Bar (HKLM)
    O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {522F629A-4DFE-43FA-8311-6F9C871016C5} - http://media.euniverse.com/cursorzo...setup_td035.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binari...TML_pack_XP.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.goinnow.com/tl4000.dll
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binari...UTH_pack_XP.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Insta...rsinstaller.cab

    **************

    I'm swamped here - any help will be greatly appreciated!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi robo,

    Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s

    O2 - BHO: (no name) - {5efd808a-2b06-4b25-8774-633b65c56159} - C:\DOCUME~1\rm\APPLIC~1\prckllblefz.dll

    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-AA8E-8E1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0108.dll (file missing)
    O3 - Toolbar: vllkquiefie - {12982abd-05e0-442b-8061-9b46e4085427} - C:\DOCUME~1\rm\APPLIC~1\prckllblefz.dll

    O4 - HKLM\..\Run: [pmpibke] "C:\WINDOWS\System32\pmpibke.exe"
    O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe

    O4 - HKCU\..\Run: [winpopup] C:\WINDOWS\winupie.exe
    O4 - HKCU\..\Run: [regsrv32.exe] regsrv32.exe

    O9 - Extra button: Locators.com Search Bar (HKLM)
    O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)

    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {522F629A-4DFE-43FA-8311-6F9C871016C5} - http://media.euniverse.com/cursorzo...setup_td035.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binari...TML_pack_XP.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.goinnow.com/tl4000.dll
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binari...UTH_pack_XP.cab

    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Insta...rsinstaller.cab

    Then reboot and delete:
    C:\WINDOWS\winupie.exe

    And download and run:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.removal.tool.html

    It would not hurt to run AdAware or Spybot S&D (see the sticky post in this forum for more information) as well.

    Regards,

    Pieter
     
  3. robo

    robo Registered Member

    Joined:
    Dec 18, 2003
    Posts:
    4
    Thanks, Pieter - I just forwarded your recommendations...
    Appreciate the quick response!
    ;)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.