Host's comp Hijack this Log

Discussion in 'adware, spyware & hijack cleaning' started by Frequency, Dec 28, 2003.

Thread Status:
Not open for further replies.
  1. Frequency

    Frequency Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    6
    Logfile of HijackThis v1.97.7
    Scan saved at 6:18:31 PM, on 12/28/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\Program Files\Sqwire\cc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Documents and Settings\ahjo\Application Data\DownloadPlus.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
    C:\Program Files\NJStar Communicator\NJCOM32.EXE
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\MicroFinder\mcf.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ahjo\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kazaa-lite.ws/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kazaa-lite.ws/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\hhU.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C12FE5DE-A5DA-5C93-C1F2-8BC2F6847ED7} - C:\WINDOWS\system32\zsazzldt.dll
    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\System32\LVComS.exe
    O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe
    O4 - HKLM\..\Run: [SQConfigChecker] C:\Program Files\Sqwire\cc.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
    O4 - HKLM\..\Run: [pyhhoeje] C:\WINDOWS\mqeebyux.exe
    O4 - HKLM\..\Run: [mcf 0l7084] "C:\Program Files\MicroFinder\mcf.exe"
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\ahjo\Application Data\DownloadPlus.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O9 - Extra button: Short Message (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: 3721 Assistant (HKLM)
    O9 - Extra 'Tools' menuitem: IMI (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra 'Tools' menuitem: Repair Browser (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Clean Internet access record (HKLM)
    O11 - Options group: [!CNS] Chinese keywords
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt0_x.cab
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it0_x.cab
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
    O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/clients/y/gst1_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt4_x.cab
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab
    O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/Sidesearch/en_US/angelfire/Sidesearch.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37920.7732986111
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://spweb.whenu.com/WUInstSYNC.cab
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSignedAdvertisingcom.cab
    O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0010.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = H12531.wabu.com
    O17 - HKLM\Software\..\Telephony: DomainName = H12531.wabu.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2CA41407-1AE2-4FEF-B3F1-645DA600FC2A}: Domain = H12531.wabu.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{61CC7F10-169C-4057-8D27-48FDE3BB03E4}: NameServer = 207.236.176.13 206.47.244.12
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = H12531.wabu.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2CA41407-1AE2-4FEF-B3F1-645DA600FC2A}: Domain = H12531.wabu.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = H12531.wabu.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2CA41407-1AE2-4FEF-B3F1-645DA600FC2A}: Domain = H12531.wabu.com

    Also, i am very concerned about my internet. Because i currently have a network of two computer, this is the host, but my secondary cannot access to many sites this host can. i wonder if hijack was the problem and i was referred by a friend. Thanks for reading and helping and i hope i can find a cure asap
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Frequency,

    Welcome to Wilders!

    Please terminate the following processes;

    C:\Program Files\Sqwire\cc.exe
    C:\Documents and Settings\ahjo\Application Data\DownloadPlus.exe
    C:\Program Files\MicroFinder\mcf.exe

    and then download and run RapidBlaster Killer from

    http://www.wilderssecurity.net/downloads/rbkiller.exe

    and then close all other programs and windows and select and fix the following from HijackThis (some items may have been removed by RBKiller)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s


    O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\hhU.dll
    O2 - BHO: (no name) - {C12FE5DE-A5DA-5C93-C1F2-8BC2F6847ED7} - C:\WINDOWS\system32\zsazzldt.dll
    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll

    O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll

    O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
    O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe
    O4 - HKLM\..\Run: [SQConfigChecker] C:\Program Files\Sqwire\cc.exe
    O4 - HKLM\..\Run: [pyhhoeje] C:\WINDOWS\mqeebyux.exe
    O4 - HKLM\..\Run: [mcf 0l7084] "C:\Program Files\MicroFinder\mcf.exe"
    O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\ahjo\Application Data\DownloadPlus.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab
    O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - http://dl.lygo.com/Sidesearch/en_US/angelfire/Sidesearch.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
    O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab

    After a reboot please delete the following;

    C:\WINDOWS\systb.dll
    C:\WINDOWS\hhU.dll
    C:\WINDOWS\system32\zsazzldt.dll
    C:\WINDOWS\DOWNLO~1\CnsHook.dll
    C:\WINDOWS\DOWNLO~1\CnsMin.dll
    C:\Program Files\Sqwire <-- entire folder
    C:\WINDOWS\mqeebyux.exe
    C:\Program Files\MicroFinder <-- entire folder
    C:\Program Files\syslaunch.exe
    C:\WINDOWS\Belt.exe
    C:\WINDOWS\wupdt.exe
    C:\Documents and Settings\ahjo\Application Data\DownloadPlus.exe
    C:\Program Files\Common Files\GMT <-- entire folder

    once this is done please rescan with HijackThis and post a fresh log so we can be sure everything was removed okay

    Thanks,

    Dan
     
  3. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Good job Dan :)

    BHO and asociated dll files are normaly removed by HijackThis, so it can be you don't find them after fixing them, Frequency

    Also after running RapidBlaster, the MicroFinder folder should be gone as well

    Cheers,
     
  4. Frequency

    Frequency Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    6
    Logfile of HijackThis v1.97.7
    Scan saved at 8:11:46 PM, on 12/28/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
    C:\Program Files\NJStar Communicator\NJCOM32.EXE
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ahjo\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kazaa-lite.ws/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kazaa-lite.ws/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
    R3 - URLSearchHook: (no name) - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\System32\LVComS.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O9 - Extra button: Short Message (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: 3721 Assistant (HKLM)
    O9 - Extra 'Tools' menuitem: IMI (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra 'Tools' menuitem: Repair Browser (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Clean Internet access record (HKLM)
    O11 - Options group: [!CNS] Chinese keywords
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt0_x.cab
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it0_x.cab
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
    O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/clients/y/gst1_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt4_x.cab
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37920.7732986111
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = H12531.wabu.com
    O17 - HKLM\Software\..\Telephony: DomainName = H12531.wabu.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2CA41407-1AE2-4FEF-B3F1-645DA600FC2A}: Domain = H12531.wabu.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{61CC7F10-169C-4057-8D27-48FDE3BB03E4}: NameServer = 207.236.176.13 206.47.244.12
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = H12531.wabu.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2CA41407-1AE2-4FEF-B3F1-645DA600FC2A}: Domain = H12531.wabu.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = H12531.wabu.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2CA41407-1AE2-4FEF-B3F1-645DA600FC2A}: Domain = H12531.wabu.com

    Btw, after fixing all the stuff u told me. My secondary comp is still enable to access to many websites. How come? its like that every since i changed my isp and network. I used to be the host at my secondary and this right now is the secondary. but i never had that problem before. now i am very frustrated because my secondary is kinda useless when half of the websites on the net cannot be loaded.
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Frequency,

    regarding this system you have one leftover (non-active) that should be selected and fixed

    R3 - URLSearchHook: (no name) - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)

    Regarding the other PC, can you explain more about how the network is setup? Is this PC the one connected to the net and the other accesses it through this one via ICS? Can you post a HijackThis log from the other PC?

    Thanks
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Check the items quoted above in HijackThis, close all windows except HijackThis and click Fix checked.

    Regards,

    Pieter
     
  7. yokenny

    yokenny Registered Member

    Joined:
    Apr 8, 2003
    Posts:
    27
    Location:
    Toronto, Canada
    You need to install Windows Service Pack 1 and all Critical Updates.
    In IE go to Tools then Windows Updates and install them one at a time rebooting when necessary.

    HijackThis should be installed in a permanent folder called something like C:\HJT. Go to My Computer (Windows key+e) and open C: then right click then choose New then Folder and call it HJT. Move HijackThis into this folder.

    C:\Documents and Settings\ahjo\Local Settings\Temp should be cleaned out every once in a while as installing applications leave a lot of junk in this folder.
     
  8. Frequency

    Frequency Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    6
    OK, i did everything u guys told me now. Except the service pack part, mine unfortunitely is a pirated copy so that function is not available :/
    About my network setup, i dont use any router or hub. I just have a network card on each computer and connect them to each other. Its done using the window network thingy. The problem is as followed:
    This main comp, that i just post my hijack this log is currently connecting to the DSL modem, it is the host that gives internet connection to my secondary.
    Everything work fine, like ping are very stable, server never been down in months. HOWEVER, my secondary computer is unable to load many of the webpages on the internet. Like i type in the url, and it just keep on loading and loading. Whereas this host comp can access to it anytime very quickly. I aint sure why this happen and if reformating my host comp will help. Because i just recently formated my secondary and it didnt help. And i dont really wanna format this host comp cuz it belongs to my sis. ANyway, see what u know about this problem and i will post my hijack this log for my 2nd comp in a sec
     
  9. Frequency

    Frequency Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    6
    My 2nd Comp, the one that has problem

    Logfile of HijackThis v1.97.7
    Scan saved at 12:47:45 PM, on 29/12/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\Program Files\Hmonitor\hmonitor.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Documents and Settings\Will\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [gbzjcbn] rundll32 C:\WINDOWS\System32:gbzjcbn.dll,Init 1
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [System Loader] SMSS32.exe
    O4 - HKLM\..\Run: [hmonitor] C:\Program Files\Hmonitor\hmonitor.exe
    O4 - HKLM\..\RunServices: [mmtask0] C:\WINDOWS\System32\mmtask0.exe
    O4 - HKLM\..\RunServices: [mmtask1] C:\WINDOWS\System32\mmtask1.exe
    O4 - HKLM\..\RunServices: [System Loader] SMSS32.exe
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [*gbzjcbn] rundll32 C:\WINDOWS\System32:gbzjcbn.dll,Init 1
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Frequency,

    First, click "Start" > "Run" > type or copy&paste rundll32 C:\WINDOWS\System32:gbzjcbn.dllUninstall > "OK"

    Then check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [gbzjcbn] rundll32 C:\WINDOWS\System32:gbzjcbn.dll,Init 1
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [System Loader] SMSS32.exe

    O4 - HKLM\..\RunOnce: [*gbzjcbn] rundll32 C:\WINDOWS\System32:gbzjcbn.dll,Init 1
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    Then reboot and delete:
    C:\Program Files\Common Files\GMT
    C:\Program Files\Common Files\CMEII

    Could you please mail SMSS32.exe to the address in my profile. Looks like a virus or trojan and I would like to have it analyzed.

    I'm not sure about these two:
    O4 - HKLM\..\RunServices: [mmtask0] C:\WINDOWS\System32\mmtask0.exe
    O4 - HKLM\..\RunServices: [mmtask1] C:\WINDOWS\System32\mmtask1.exe
    I would suggest fixing them, unless you know what they are for.

    Regards,

    Pieter
     
  11. Frequency

    Frequency Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    6
    I just reformatted my host comp, but it seems very weird and laggy as before. a process name DLLHOST.exe seems to take alot of memoery and cpu, what is it?

    Logfile of HijackThis v1.97.7
    Scan saved at 7:06:35 PM, on 30/12/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\lttime.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\wins\DLLHOST.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Kazaa Lite\kazaalite.kpp
    C:\Documents and Settings\Jo\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.sympatico.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Configuration Loader] lttime.exe
    O4 - HKLM\..\Run: [qmzlhpj] rundll32 C:\WINDOWS\System32:qmzlhpj.dll,Init 1
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\RunServices: [Configuration Loader] lttime.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKLM\..\RunOnce: [*qmzlhpj] rundll32 C:\WINDOWS\System32:qmzlhpj.dll,Init 1
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/3014cc137412f0ce6b00/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37985.4917824074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{55F8A7D7-5440-4B1A-B59C-2416A39C48C6}: NameServer = 207.236.176.13 206.47.244.12
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Frequency,

    First, click "Start" > "Run" > type or copy&paste rundll32 C:\WINDOWS\System32:qmzlhpj.dll,Uninstall > "OK"

    Then download and run http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Then download and run
    http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Configuration Loader] lttime.exe
    O4 - HKLM\..\Run: [qmzlhpj] rundll32 C:\WINDOWS\System32:qmzlhpj.dll,Init 1
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] lttime.exe

    O4 - HKLM\..\RunOnce: [*qmzlhpj] rundll32 C:\WINDOWS\System32:qmzlhpj.dll,Init 1

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/3014cc137412f0ce6b00/netzip/RdxIE601.cab

    Then reboot and delete:
    lttime.exe

    Take care to get the patches advised at the closing of the removal tools.

    Regards,

    Pieter
     
  13. Frequency

    Frequency Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    6
    Ok, my host comp is fine now, however, my second comp feels kinda laggy all of the sudden during the middle of something. also, that gbz..dll kept on appearing, i tried start > run > ...uninstall, but it said that the module is not found, what can i do.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:17:08 PM, on 31/12/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Hmonitor\hmonitor.exe
    C:\Documents and Settings\Will\Local Settings\Temp\Temporary Directory 12 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [hmonitor] C:\Program Files\Hmonitor\hmonitor.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [gbzjcbn] rundll32 C:\WINDOWS\System32:gbzjcbn.dll,Init 1
    O4 - HKLM\..\RunServices: [System Loader] SMSS32.exe
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [*gbzjcbn] rundll32 C:\WINDOWS\System32:gbzjcbn.dll,Init 1
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37985.4840277778
    O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Frequency,

    Before using "Start" > "Run" > type or copy&paste rundll32 C:\WINDOWS\System32:gbzjcbn.dll,Uninstall > "OK"
    run HijackThis and check if the filename corresponds with these entries:
    O4 - HKLM\..\Run: [gbzjcbn] rundll32 C:\WINDOWS\System32:gbzjcbn.dll,Init 1

    O4 - HKLM\..\RunOnce: [*gbzjcbn] rundll32 C:\WINDOWS\System32:gbzjcbn.dll,Init 1

    Also surf to http://www.kaspersky.com/remoteviruschk.html and upload SMSS32.exe
    Let us know the results.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.