Browser Hijack + Spyware

Discussion in 'adware, spyware & hijack cleaning' started by polini38, Jul 13, 2004.

Thread Status:
Not open for further replies.
  1. polini38

    polini38 Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    1
    Hi,

    I'm having problems with my Web browser (Internet Explorer). I'm being redirected to a web address such as res://qtry.dll/.......etc. Each time I open IE the address changes but always in the form res://rspg.dll/.......
    I have loads of these dlls in my WINDOWS folder and I cannot get rid of
    them. I have run Spysweeper and it flags up about 20 .exe programs but
    when I try to remove them they keep reappearing......HELP!!!!!!

    I've attached a log produced with HijackThis

    Please help if you can

    Thanks,

    Gordon


    Logfile of HijackThis v1.97.7
    Scan saved at 22:39:03, on 13/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    c:\program files\norton antivirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ieas.exe
    C:\WINDOWS\system32\sdkfp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\javaja32.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Gordon\Local Settings\Temporary Internet Files\Content.IE5\1BV3AY43\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afyna.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afyna.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://afyna.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afyna.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://afyna.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\afyna.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2B877C0A-9AA5-A75B-5F21-A1984B658EB9} - C:\WINDOWS\system32\sysee.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [javaja32.exe] C:\WINDOWS\system32\javaja32.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKLM\..\RunOnce: [javata.exe] C:\WINDOWS\system32\javata.exe
    O4 - HKLM\..\RunOnce: [iemg.exe] C:\WINDOWS\system32\iemg.exe
    O4 - HKLM\..\RunOnce: [sdkqw.exe] C:\WINDOWS\system32\sdkqw.exe
    O4 - HKLM\..\RunOnce: [d3ow.exe] C:\WINDOWS\d3ow.exe
    O4 - HKLM\..\RunOnce: [crgp32.exe] C:\WINDOWS\system32\crgp32.exe
    O4 - HKLM\..\RunOnce: [netcm32.exe] C:\WINDOWS\system32\netcm32.exe
    O4 - HKLM\..\RunOnce: [sdkao32.exe] C:\WINDOWS\sdkao32.exe
    O4 - HKLM\..\RunOnce: [sdkks32.exe] C:\WINDOWS\sdkks32.exe
    O4 - HKLM\..\RunOnce: [crie32.exe] C:\WINDOWS\crie32.exe
    O4 - HKLM\..\RunOnce: [msmb.exe] C:\WINDOWS\system32\msmb.exe
    O4 - HKLM\..\RunOnce: [apiyu.exe] C:\WINDOWS\system32\apiyu.exe
    O4 - HKLM\..\RunOnce: [netvt32.exe] C:\WINDOWS\system32\netvt32.exe
    O4 - HKLM\..\RunOnce: [crzx.exe] C:\WINDOWS\system32\crzx.exe
    O4 - HKLM\..\RunOnce: [mfcjh32.exe] C:\WINDOWS\system32\mfcjh32.exe
    O4 - HKLM\..\RunOnce: [ipio.exe] C:\WINDOWS\ipio.exe
    O4 - HKLM\..\RunOnce: [atllr.exe] C:\WINDOWS\system32\atllr.exe
    O4 - HKLM\..\RunOnce: [addzv32.exe] C:\WINDOWS\system32\addzv32.exe
    O4 - HKLM\..\RunOnce: [crnn.exe] C:\WINDOWS\system32\crnn.exe
    O4 - HKLM\..\RunOnce: [apivv.exe] C:\WINDOWS\apivv.exe
    O4 - HKLM\..\RunOnce: [appct32.exe] C:\WINDOWS\appct32.exe
    O4 - HKLM\..\RunOnce: [addkw32.exe] C:\WINDOWS\system32\addkw32.exe
    O4 - HKLM\..\RunOnce: [winwb.exe] C:\WINDOWS\system32\winwb.exe
    O4 - HKLM\..\RunOnce: [apioy32.exe] C:\WINDOWS\system32\apioy32.exe
    O4 - HKLM\..\RunOnce: [javaxk32.exe] C:\WINDOWS\javaxk32.exe
    O4 - HKLM\..\RunOnce: [javaho.exe] C:\WINDOWS\system32\javaho.exe
    O4 - HKLM\..\RunOnce: [atlfl.exe] C:\WINDOWS\system32\atlfl.exe
    O4 - HKLM\..\RunOnce: [javayt32.exe] C:\WINDOWS\system32\javayt32.exe
    O4 - HKLM\..\RunOnce: [javawj32.exe] C:\WINDOWS\javawj32.exe
    O4 - HKLM\..\RunOnce: [sysew32.exe] C:\WINDOWS\sysew32.exe
    O4 - HKLM\..\RunOnce: [iply32.exe] C:\WINDOWS\iply32.exe
    O4 - HKLM\..\RunOnce: [sysww.exe] C:\WINDOWS\sysww.exe
    O4 - HKLM\..\RunOnce: [winvu32.exe] C:\WINDOWS\system32\winvu32.exe
    O4 - HKLM\..\RunOnce: [ntvg32.exe] C:\WINDOWS\system32\ntvg32.exe
    O4 - HKLM\..\RunOnce: [d3ir32.exe] C:\WINDOWS\system32\d3ir32.exe
    O4 - HKLM\..\RunOnce: [mstz32.exe] C:\WINDOWS\system32\mstz32.exe
    O4 - HKLM\..\RunOnce: [sdkve.exe] C:\WINDOWS\system32\sdkve.exe
    O4 - HKLM\..\RunOnce: [netjp32.exe] C:\WINDOWS\netjp32.exe
    O4 - HKLM\..\RunOnce: [crej32.exe] C:\WINDOWS\crej32.exe
    O4 - HKLM\..\RunOnce: [ieqf.exe] C:\WINDOWS\ieqf.exe
    O4 - HKLM\..\RunOnce: [d3kf.exe] C:\WINDOWS\d3kf.exe
    O4 - HKLM\..\RunOnce: [addqi.exe] C:\WINDOWS\system32\addqi.exe
    O4 - HKLM\..\RunOnce: [winhu.exe] C:\WINDOWS\system32\winhu.exe
    O4 - HKLM\..\RunOnce: [d3pf32.exe] C:\WINDOWS\d3pf32.exe
    O4 - HKLM\..\RunOnce: [cril.exe] C:\WINDOWS\cril.exe
    O4 - HKLM\..\RunOnce: [d3cz.exe] C:\WINDOWS\system32\d3cz.exe
    O4 - HKLM\..\RunOnce: [addmp32.exe] C:\WINDOWS\system32\addmp32.exe
    O4 - HKLM\..\RunOnce: [javamv32.exe] C:\WINDOWS\system32\javamv32.exe
    O4 - HKLM\..\RunOnce: [msxm32.exe] C:\WINDOWS\msxm32.exe
    O4 - HKLM\..\RunOnce: [winpg32.exe] C:\WINDOWS\system32\winpg32.exe
    O4 - HKLM\..\RunOnce: [crqp.exe] C:\WINDOWS\crqp.exe
    O4 - HKLM\..\RunOnce: [winjl32.exe] C:\WINDOWS\system32\winjl32.exe
    O4 - HKLM\..\RunOnce: [sysvr.exe] C:\WINDOWS\system32\sysvr.exe
    O4 - HKLM\..\RunOnce: [mfcji32.exe] C:\WINDOWS\system32\mfcji32.exe
    O4 - HKLM\..\RunOnce: [mfcys.exe] C:\WINDOWS\system32\mfcys.exe
    O4 - HKLM\..\RunOnce: [sdkug.exe] C:\WINDOWS\system32\sdkug.exe
    O4 - HKLM\..\RunOnce: [ntse.exe] C:\WINDOWS\ntse.exe
    O4 - HKLM\..\RunOnce: [addyd32.exe] C:\WINDOWS\system32\addyd32.exe
    O4 - HKLM\..\RunOnce: [sdkes32.exe] C:\WINDOWS\system32\sdkes32.exe
    O4 - HKLM\..\RunOnce: [apiry.exe] C:\WINDOWS\system32\apiry.exe
    O4 - HKLM\..\RunOnce: [addql.exe] C:\WINDOWS\addql.exe
    O4 - HKLM\..\RunOnce: [mfcpe32.exe] C:\WINDOWS\mfcpe32.exe
    O4 - HKLM\..\RunOnce: [winvm32.exe] C:\WINDOWS\winvm32.exe
    O4 - HKLM\..\RunOnce: [mseq32.exe] C:\WINDOWS\mseq32.exe
    O4 - HKLM\..\RunOnce: [iphd32.exe] C:\WINDOWS\iphd32.exe
    O4 - HKLM\..\RunOnce: [ipwe.exe] C:\WINDOWS\system32\ipwe.exe
    O4 - HKLM\..\RunOnce: [sysie.exe] C:\WINDOWS\system32\sysie.exe
    O4 - HKLM\..\RunOnce: [wintc32.exe] C:\WINDOWS\wintc32.exe
    O4 - HKLM\..\RunOnce: [javakl32.exe] C:\WINDOWS\system32\javakl32.exe
    O4 - HKLM\..\RunOnce: [addtt32.exe] C:\WINDOWS\addtt32.exe
    O4 - HKLM\..\RunOnce: [msky32.exe] C:\WINDOWS\system32\msky32.exe
    O4 - HKLM\..\RunOnce: [ipaw32.exe] C:\WINDOWS\ipaw32.exe
    O4 - HKLM\..\RunOnce: [winze.exe] C:\WINDOWS\winze.exe
    O4 - HKLM\..\RunOnce: [d3ue32.exe] C:\WINDOWS\d3ue32.exe
    O4 - HKLM\..\RunOnce: [sdkfp.exe] C:\WINDOWS\system32\sdkfp.exe
    O4 - HKLM\..\RunOnce: [apijn.exe] C:\WINDOWS\system32\apijn.exe
    O4 - HKLM\..\RunOnce: [mfcqq32.exe] C:\WINDOWS\system32\mfcqq32.exe
    O4 - HKLM\..\RunOnce: [syswi32.exe] C:\WINDOWS\syswi32.exe
    O4 - HKLM\..\RunOnce: [sdktg32.exe] C:\WINDOWS\system32\sdktg32.exe
    O4 - HKLM\..\RunOnce: [ntfm32.exe] C:\WINDOWS\system32\ntfm32.exe
    O4 - HKLM\..\RunOnce: [msxi32.exe] C:\WINDOWS\system32\msxi32.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\RunOnce: [ieas.exe] C:\WINDOWS\system32\ieas.exe
    O4 - HKLM\..\RunOnce: [sysuy.exe] C:\WINDOWS\system32\sysuy.exe
    O4 - HKLM\..\RunOnce: [msof.exe] C:\WINDOWS\msof.exe
    O4 - HKLM\..\RunOnce: [sdklo32.exe] C:\WINDOWS\sdklo32.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm04136
    O9 - Extra button: Erotic (HKLM)
    O9 - Extra 'Tools' menuitem: Erotic... (HKLM)
    O9 - Extra button: ContentDownload (HKLM)
    O9 - Extra button: IQ Test (HKLM)
    O9 - Extra 'Tools' menuitem: IQ Test... (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1015_EN_XP.cab
    O16 - DPF: {11111111-1111-1111-1111-118226242253} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
    O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.eingang69.de/EroticAccess/Cabs/1843047.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/software/easyShare/v2_1/install.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11c7a6227c7f1c632814/netzip/RdxIE601.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {69432678-2906-2705-1128-068943397621} -
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab
    O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
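One way to triage a log like the one above, as an added example that is not part of the original thread or of HijackThis itself: it flags the patterns visible in Gordon's log (res:// start and search pages, a replaced Winlogon UserInit, random-named executables dropped straight into the Windows folder, and ActiveX downloads that are not plain http URLs). The sample lines are constructed from a few entries in the log, and the random-name regex is my own heuristic.

```python
import re

# Constructed sample in HijackThis v1.97 line format, modelled on the log in the
# post above (entries abbreviated, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afyna.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [javata.exe] C:\WINDOWS\system32\javata.exe
O4 - HKLM\..\RunOnce: [d3ow.exe] C:\WINDOWS\d3ow.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {11111111-1111-1111-1111-118226242253} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Heuristic of my own (not a HijackThis rule): the droppers in this log use a
# short system-looking prefix, two random letters, optional "32", in %WINDIR%.
RANDOM_NAME = re.compile(
    r"^(win|sys|api|sdk|java|ms|net|nt|mfc|cr|ip|ie|d3|add|atl)[a-z]{2}(32)?\.exe$", re.I)
WINDIR_FILE = re.compile(r"^c:\\windows\\(system32\\)?([^\\]+)$", re.I)


def triage(log):
    """Return (entry, reason) pairs for log entries that deserve a closer look."""
    findings = []
    for entry in (l.strip() for l in log.splitlines() if l.strip()):
        kind = entry.split(" - ", 1)[0]
        if kind in ("R0", "R1") and "= res://" in entry:
            findings.append((entry, "IE page setting points into a local DLL resource"))
        elif kind == "F2" and "UserInit=" in entry:
            exe = entry.split("UserInit=", 1)[1].rstrip(",").lower()
            if not exe.endswith("\\userinit.exe"):   # only userinit.exe belongs here
                findings.append((entry, "Winlogon UserInit replaced by " + exe))
        elif kind == "O4" and "] " in entry:
            path = entry.split("] ", 1)[1].strip('"')
            m = WINDIR_FILE.match(path)
            if m and RANDOM_NAME.match(m.group(2)):
                findings.append((entry, "random-named executable in %WINDIR%: " + m.group(2)))
        elif kind == "O16":
            url = entry.rsplit(" - ", 1)[-1].lower()
            if not url.startswith(("http://", "https://")) or url.endswith(".exe"):
                findings.append((entry, "ActiveX download from a non-http URL or bare .exe: " + url))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(why, "<-", entry[:70])
```

Running it against the full log in the post would flag every one of the RunOnce entries above plus the R0/R1, F2 and mhtml O16 lines, while leaving the Zone Labs, Norton, Adobe and Macromedia entries alone.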