blahh.

Discussion in 'adware, spyware & hijack cleaning' started by heyy, Feb 13, 2004.

Thread Status:
Not open for further replies.
  1. heyy

    heyy Guest

    Blah, stupid comp acting up. Won't let me send images on AIM (when you connect), comp lagging like crazy, and ads pop up everywhere (even though I seem to have fixed that problem with Search & Destroy). Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:10:47 PM, on 2/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\IdnMail.exe
    C:\WINDOWS\System32\capp.exe
    C:\WINDOWS\System32\msrexe.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    C:\Program Files\Common Files\PSD Tools\blengine.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Documents and Settings\Kara\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lmwoap.t.muxa.cc/h.php?aid=33 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://lmwoap.t.muxa.cc/h.php?aid=33 (obfuscated)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\System32\CdnIEHlp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [tjdghik] "C:\WINDOWS\System32\tjdghik.exe"
    O4 - HKLM\..\Run: [IdnMail] C:\WINDOWS\System32\IdnMail.exe
    O4 - HKLM\..\Run: [CApp] C:\WINDOWS\System32\capp.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
    O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Kara\Application Data\DownloadPlus.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: 中文域名 (Chinese Domain Name) (HKLM)
    O9 - Extra 'Tools' menuitem: 中文域名 (Chinese Domain Name) (HKLM)
    O9 - Extra button: AIM (HKLM)
    O15 - Trusted Zone: http://ad.searchsquire.com
    O15 - Trusted Zone: http://search.searchsquire.com
    O15 - Trusted Zone: http://update.searchsquire.com
    O15 - Trusted Zone: http://www.searchsquire.com
    O16 - DPF: Helper - https://www.ubspwmobile.com/CWM/helper.cab
    O16 - DPF: Java Mainframe Display (MFD) - https://www.ubspwmobile.com/CW/w2h/applet/wdmfd.cab
    O16 - DPF: PCGMC Client - https://www.ubspwmobile.com/PCGMC/PCGMCClient.CAB
    O16 - DPF: {10DB6D21-8915-11D2-8E3A-006008D1E01C} (Reuters Plus - Web 1.5.1.18) - https://www.ubspwmobile.com/md/jnavigator.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.0.0.28) - https://www.ubspwmobile.com/md/pluswebagentjava.cab
    O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) - https://www.ubspwmobile.com/md/pluswebagent.cab
    O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.0.1) - https://www.ubspwmobile.com/md/classes/java/shdown.cab
    O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.2.14) - https://www.ubspwmobile.com/md/classes/monitor/monclassdown.cab
    O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) - https://www.ubspwmobile.com/md/Navigator.cab
    O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/excel.cab
    O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.5) - https://www.ubspwmobile.com/md/classes/java/dyncompdown.cab
    O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) - https://www.ubspwmobile.com/md/jexitdown.cab
    O16 - DPF: {7B70A888-E8AC-4757-B454-766DA6B0B761} (Reuters PlusWeb Excel PreCheck 1,5,0,1) - https://www.ubspwmobile.com/md/plugin/excel_mobil/precheck.cab
    O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) - https://www.ubspwmobile.com/md/webchart.cab
    O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.0.1.16) - https://www.ubspwmobile.com/md/classes/java/jquotedown.cab
    O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37866.9012962963
    O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.0.1.1) - https://www.ubspwmobile.com/md/classes/java/dialogsdown.cab
    O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) - https://www.ubspwmobile.com/CWM/pluswebsweeper.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent) - https://www.ubspwmobile.com/md/classes/java/qqagentdown.cab
    O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) - https://www.ubspwmobile.com/md/classes/monitor/mlsoftdown.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) - https://www.ubspwmobile.com/md/pwagentclient.cab
    O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstallerRaptor.cab
    O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) - https://www.ubspwmobile.com/md/plusweblocator.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi there,

    Sounds like the Bin Laden AIM virus.

    First, download the REMOVAL TOOL and simply double-click it.
    http://www.jayloden.com/BlmiFix.exe

    Then have only HijackThis running and fix:

    (be careful not to fix your yahoo startpage)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lmwoap.t.muxa.cc/h.php?aid=33 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://lmwoap.t.muxa.cc/h.php?aid=33 (obfuscated)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

    O2 - BHO: (no name) - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\System32\CdnIEHlp.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll

    O4 - HKLM\..\Run: [tjdghik] "C:\WINDOWS\System32\tjdghik.exe"
    O4 - HKLM\..\Run: [IdnMail] C:\WINDOWS\System32\IdnMail.exe
    O4 - HKLM\..\Run: [CApp] C:\WINDOWS\System32\capp.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
    O4 - HKCU\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe

    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Kara\Application Data\DownloadPlus.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

    O15 - Trusted Zone: http://ad.searchsquire.com
    O15 - Trusted Zone: http://search.searchsquire.com
    O15 - Trusted Zone: http://update.searchsquire.com
    O15 - Trusted Zone: http://www.searchsquire.com

    O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstallerRaptor.cab

    Next, make sure you have set hidden files/folders to show: Here's how

    Then restart the PC in SAFE MODE and remove:

    c:\progra~1\iesearchbar\iesearchbar.dll

    C:\WINDOWS\System32\tjdghik.exe <- this file
    C:\WINDOWS\System32\IdnMail.exe <- this file
    C:\WINDOWS\System32\capp.exe <- this file
    C:\WINDOWS\System32\bridge.dll <- if still present
    C:\WINDOWS\System32\a.exe <- this file
    C:\WINDOWS\System32\msrexe.exe <- this file
    c:\WINDOWS\System32\zzb2.exe <- this file
    C:\Documents and Settings\Kara\Application Data\DownloadPlus.exe <- this file
    C:\Program Files\VBouncer\ <- this folder

    Restart again in normal mode and run this program for additional cleanup:

    CWShredder

    Open -> 'fix' -> click 'next'

    Also do a checkup scan here:

    BitDefender

    Keep us posted

    Cheers,
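The triage Unzy performs in the reply above, as an added example that is not part of the thread and not HijackThis's own code: a Python script that parses the log's entry lines, uses the CLSID shared between an O2 BHO and its O3 toolbar / R3 URLSearchHook to carry one verdict across sections, and returns the same fix list. The GOOD_* allowlists are assumptions fitted to this particular log (a helper applies judgement, not just lists), and SAMPLE_LOG is a shortened excerpt of the log posted above.

```python
"""Triage a HijackThis 1.97-style log the way a helper does: parse each
'Rn - ...' / 'On - ...' entry and flag the ones the poster should fix.
Added example; allowlists below are assumptions fitted to this one log."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Assumed allowlists for this machine, not a general-purpose whitelist.
GOOD_URL_HOSTS = {"www.yahoo.com"}
GOOD_BHO_DLLS = {"acroiehelper.dll", "sdhelper.dll"}
GOOD_RUN_NAMES = {"atipta", "aim", "msnmsgr", "microsoft office.lnk"}
GOOD_DPF_HOSTS = {"download.macromedia.com", "v4.windowsupdate.microsoft.com",
                  "www.ubspwmobile.com"}

# Excerpt of the log posted in this thread (same lines, same order, shortened).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lmwoap.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O15 - Trusted Zone: http://ad.searchsquire.com
O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstallerRaptor.cab
"""

@dataclass(frozen=True)
class Finding:
    code: str
    line: str
    reason: str

def parse(log):
    """Return [(code, body, line)] for each entry line; headers are skipped."""
    out = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m["code"], m["body"], raw.strip()))
    return out

def host_after(body, sep):
    """Lowercased hostname of the URL after the last `sep`; drops ' (obfuscated)'."""
    url = body.rsplit(sep, 1)[-1].split(" ")[0]
    return (urlparse(url).hostname or "").lower()

def bho_dll(body):
    return body.rsplit("\\", 1)[-1].lower()        # file name at end of the path

def autostart_name(body):
    m = re.search(r"\[([^\]]+)\]", body)            # "[RunValueName]" form
    return (m[1] if m else body.split(": ", 1)[-1].split(" = ")[0]).lower()

def triage(log):
    entries = parse(log)
    # A BHO's CLSID is reused by its O3 toolbar and R3 URLSearchHook lines,
    # so decide on the BHO once and let the CLSID carry the verdict over.
    bad_clsids = {c.upper() for code, body, _ in entries
                  if code == "O2" and bho_dll(body) not in GOOD_BHO_DLLS
                  for c in CLSID_RE.findall(body)}
    findings = []
    for code, body, line in entries:
        reason = None
        if code in ("R0", "R1"):
            host = host_after(body, " = ")
            if host not in GOOD_URL_HOSTS:
                reason = f"IE search/start setting points at {host}"
        elif code in ("R3", "O3"):
            if any(c.upper() in bad_clsids for c in CLSID_RE.findall(body)):
                reason = "same CLSID as a flagged BHO"
        elif code == "O1":
            reason = "hosts file redirects name lookups"
        elif code == "O2" and bho_dll(body) not in GOOD_BHO_DLLS:
            reason = f"unrecognised BHO {bho_dll(body)}"
        elif code == "O4" and autostart_name(body) not in GOOD_RUN_NAMES:
            reason = f"unrecognised autostart '{autostart_name(body)}'"
        elif code == "O15":
            reason = "site added to the Trusted zone"
        elif code == "O16" and host_after(body, " - ") not in GOOD_DPF_HOSTS:
            reason = f"ActiveX download from {host_after(body, ' - ')}"
        if reason:
            findings.append(Finding(code, line, reason))
    return findings

def fix_list(log):
    """The lines to tick in HijackThis, in log order."""
    return [f.line for f in triage(log)]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason:<48} {f.line[:60]}")
```

Run it on the excerpt and the Yahoo start page and the built-in &Radio toolbar survive while the muxa.cc redirects, the IncrediFind and iesearchbar BHOs plus their hooked R3/O3 lines, the hosts entry, the odd autostarts, the Trusted Zone additions and the buddylinks.net CAB are listed, matching the fix list in the reply. Fixing the list in HijackThis only removes the registry pointers; the files still have to be deleted in Safe Mode as the reply says, otherwise a surviving Run entry or BHO rewrites them on the next boot.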
     