blahh.

Discussion in 'adware, spyware & hijack cleaning' started by heyy, Feb 13, 2004.

Thread Status:
Not open for further replies.
  1. heyy

    heyy Guest

    blah, stupid comp acting up. wont let me send images on AIM, (when you connect ) comp lagging like crazy, and ads pop up evrywhere, ( even though i have seemed to have fized that problem with search & destroy ) thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:10:47 PM, on 2/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\IdnMail.exe
    C:\WINDOWS\System32\capp.exe
    C:\WINDOWS\System32\msrexe.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    C:\Program Files\Common Files\PSD Tools\blengine.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Documents and Settings\Kara\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lmwoap.t.muxa.cc/h.php?aid=33 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://lmwoap.t.muxa.cc/h.php?aid=33 (obfuscated)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\System32\CdnIEHlp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [tjdghik] "C:\WINDOWS\System32\tjdghik.exe"
    O4 - HKLM\..\Run: [IdnMail] C:\WINDOWS\System32\IdnMail.exe
    O4 - HKLM\..\Run: [CApp] C:\WINDOWS\System32\capp.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
    O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Kara\Application Data\DownloadPlus.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ¤¤¤å°ì¦W (HKLM)
    O9 - Extra 'Tools' menuitem: ¤¤¤å°ì¦W (HKLM)
    O9 - Extra button: AIM (HKLM)
    O15 - Trusted Zone: http://ad.searchsquire.com
    O15 - Trusted Zone: http://search.searchsquire.com
    O15 - Trusted Zone: http://update.searchsquire.com
    O15 - Trusted Zone: http://www.searchsquire.com
    O16 - DPF: Helper - https://www.ubspwmobile.com/CWM/helper.cab
    O16 - DPF: Java Mainframe Display (MFD) - https://www.ubspwmobile.com/CW/w2h/applet/wdmfd.cab
    O16 - DPF: PCGMC Client - https://www.ubspwmobile.com/PCGMC/PCGMCClient.CAB
    O16 - DPF: {10DB6D21-8915-11D2-8E3A-006008D1E01C} (Reuters Plus - Web 1.5.1.1:cool: - https://www.ubspwmobile.com/md/jnavigator.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.0.0.2:cool: - https://www.ubspwmobile.com/md/pluswebagentjava.cab
    O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) - https://www.ubspwmobile.com/md/pluswebagent.cab
    O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.0.1) - https://www.ubspwmobile.com/md/classes/java/shdown.cab
    O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.2.14) - https://www.ubspwmobile.com/md/classes/monitor/monclassdown.cab
    O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) - https://www.ubspwmobile.com/md/Navigator.cab
    O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/excel.cab
    O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.5) - https://www.ubspwmobile.com/md/classes/java/dyncompdown.cab
    O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) - https://www.ubspwmobile.com/md/jexitdown.cab
    O16 - DPF: {7B70A888-E8AC-4757-B454-766DA6B0B761} (Reuters PlusWeb Excel PreCheck 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/precheck.cab
    O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) - https://www.ubspwmobile.com/md/webchart.cab
    O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.0.1.16) - https://www.ubspwmobile.com/md/classes/java/jquotedown.cab
    O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37866.9012962963
    O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.0.1.1) - https://www.ubspwmobile.com/md/classes/java/dialogsdown.cab
    O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) - https://www.ubspwmobile.com/CWM/pluswebsweeper.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent) - https://www.ubspwmobile.com/md/classes/java/qqagentdown.cab
    O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) - https://www.ubspwmobile.com/md/classes/monitor/mlsoftdown.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) - https://www.ubspwmobile.com/md/pwagentclient.cab
    O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstallerRaptor.cab
    O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) - https://www.ubspwmobile.com/md/plusweblocator.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi there,

    Sounds like bin laden aim virus

    First, download the REMOVAL TOOL and simply double click it.
    http://www.jayloden.com/BlmiFix.exe

    Then have only HijackThis running and fix

    (be careful not to fix your yahoo startpage)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lmwoap.t.muxa.cc/h.php?aid=33 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://lmwoap.t.muxa.cc/h.php?aid=33 (obfuscated)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

    O2 - BHO: (no name) - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\System32\CdnIEHlp.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll

    O4 - HKLM\..\Run: [tjdghik] "C:\WINDOWS\System32\tjdghik.exe"
    O4 - HKLM\..\Run: [IdnMail] C:\WINDOWS\System32\IdnMail.exe
    O4 - HKLM\..\Run: [CApp] C:\WINDOWS\System32\capp.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
    O4 - HKCU\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe

    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Kara\Application Data\DownloadPlus.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

    O15 - Trusted Zone: http://ad.searchsquire.com
    O15 - Trusted Zone: http://search.searchsquire.com
    O15 - Trusted Zone: http://update.searchsquire.com
    O15 - Trusted Zone: http://www.searchsquire.com

    O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstallerRaptor.cab

    Next make sure you have set hidden files/folders to show : Here's how

    Then restart the PC in : SAFE MODE and remove :

    c:\progra~1\iesearchbar\iesearchbar.dll

    C:\WINDOWS\System32\tjdghik.exe <- this file
    C:\WINDOWS\System32\IdnMail.exe <- this file
    C:\WINDOWS\System32\capp.exe <- this file
    C:\WINDOWS\System32\bridge.dll <- if still present
    C:\WINDOWS\System32\a.exe <- this file
    C:\WINDOWS\System32\msrexe.exe <- this file
    c:\WINDOWS\System32\zzb2.exe <- this file
    C:\Documents and Settings\Kara\Application Data\DownloadPlus.exe <- this file
    C:\Program Files\VBouncer\ <- this folder

    restart again in normal mode and run this program for additional cleanup :

    CWShredder

    Open -> 'fix' -> click 'next'

    Also do a checkup scan here :

    BitDefender

    Keep us posted

    Cheers,
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.