JAVA & TROJ pests

Discussion in 'adware, spyware & hijack cleaning' started by jimmj43, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. jimmj43

    jimmj43 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    9
    I visited the Trend site for a virus scan which uncovered some pests:

    JAVA...
    BYTEVER.A
    BYTEVER.A-1

    TROJAN...
    STILEN.A

    I then ran AdAware, followed by Spybot S & D, followed by SpywareBlaster, followed by running AVG anti-virus, then returned to the Trend site only to find the pests still there. I then ran a Belarc audit so you guys'll know ALL there is to know about my machine. What follows is the Belarc audit, then the HiJackThis log.


    This is a Belarc Advisor audit of my system:





    Computer Profile Summary
    Computer Name: Na-lfcwddk1htv9 (in WORKGROUP)
    Profile Date: Wednesday, June 16, 2004 10:26:52 PM
    Advisor Version: 6.1
    Windows Logon: na



    Operating System: Windows 2000 Professional Service Pack 4 (build 2195)
    System Model: Intel Corporation Whitney System CR Board Revision A0
    Processor [a]: 567 megahertz Intel Celeron; 32 kilobyte primary memory cache; 128 kilobyte secondary memory cache
    Main Circuit Board [b]: Intel Corporation Whitney System CR Platform; BIOS: Phoenix Technologies LTD 6.00 08/29/2001
    Drives: 6.49 Gigabytes Usable Hard Drive Capacity; 3.06 Gigabytes Hard Drive Free Space
      ATAPI COMBO48XMAX [CD-ROM drive]
      3.5" format removeable media [Floppy drive]
      QUANTUM BIGFOOT_CY6480A [Hard drive] (6.50 GB) -- drive 0, s/n 166764921676, rev A03.0800, SMART Status: Healthy
    Memory Modules [c,d]: 128 Megabytes Installed Memory; Slot 'M1' has 128 MB; Slot 'M2' is Empty
    Local Drive Volumes: c: (on drive 0) 6.49 GB, 3.06 GB free
    Network Drives: (none listed)
    Users (local user accounts, last logon): na 6/16/2004 5:34:50 PM (admin)
    Users (local system accounts, last logon): admin1 never (admin); Administrator 5/17/2004 9:19:58 PM (admin); Guest never
    Printers: CAPTURE FAX BVRP on NUL:; HP DeskJet 722C on LPT1:; Lexmark X1100 Series on USB001
    Controllers: Standard floppy disk controller; Intel(r) 82801AA Bus Master IDE Controller; Primary IDE Channel [Controller]; Secondary IDE Channel [Controller]
    Display: Intel Corporation 810 Graphics Controller Hub [Display adapter]; GATEWAY EV700 [Monitor] (16.1"vis, October 1997)
    Bus Adapters: Intel(r) 82801AA USB Universal Host Controller
    Multimedia: AC'97 Driver for Intel(r) 82801AA Controller; MPU-401 Compatible MIDI Device; Standard Game Port
    Communications: ADMtek AN983 10/100Mbps Fast Ethernet Adapter; Network Card MAC Address: 00:00:E8:12:BC:CD; Network IP Address: 64.254.216.134 / 24
    Other Devices: Dual-Mode DSC(2770); Lexmark X1100 Series; Standard 101/102-Key or Microsoft Natural PS/2 Keyboard; Microsoft PS/2 Port Mouse (IntelliPoint); Generic USB Hub; Generic USB Hub; USB Printing Support; USB Root Hub
    Virus Protection: No AntiVirus details available
    Installed Microsoft Hotfixes
    DataAccess
    Q329414-25 on 3/20/2004
    Q832483 on 3/20/2004
    Internet Explorer
    Q330994
    Q832894
    SP1 (SP1)
    Windows 2000
    SP2
    KB833330 on 3/20/2004
    SP4
    Q327194[SP] on 3/20/2004
    SP5
    KB329115 on 3/20/2004
    KB820888 on 3/20/2004
    KB822831 on 3/20/2004
    KB823182 on 3/20/2004
    KB823559 on 3/20/2004
    KB824105 on 3/20/2004
    KB824141 on 3/20/2004
    KB824146 on 3/20/2004
    KB825119 on 3/20/2004
    KB826232 on 3/20/2004
    KB828028 on 3/20/2004
    KB828035 on 3/20/2004
    KB828749 on 3/20/2004
    KB829558 on 3/20/2004
    Q818043 on 3/20/2004
    Windows Media Player
    WM819639
    SP0
    Q828026 on 3/20/2004 Reinstall!



    (A hotfix marked "Reinstall!" failed verification and needs to be reinstalled; unmarked hotfixes lack the data to allow verification.)

    Software Licenses

    Microsoft - IntelliPoint 11111-111-1111111-11111
    Microsoft - Internet Explorer 55736-355-7993545-04348 (Key: R2D43-3DHG9-DQ79W-W3DXQ-929DY)
    Microsoft - MediaPlayer 69808-520-8044282-04673
    Microsoft - WebFldrs 12345-111-1111111-18200
    Microsoft - Windows 2000 Professional 51873-270-7738296-09607 (Key: HB9CF-JTKJF-722HV-VPBRF-9VKVM)

    Software Versions
    ABBYY (BIT Software) - FineReader Version 5.0.0.482 (private)
    Adobe Acrobat Version 4.05
    Agnitum - Outpost Firewall Version 1.0
    Ahead Software AG Karlsbad Germany Phone: +49-7248-911-800 Fax: +49-7248-911-888 e-mail: info@nero.com - LANGUAGE_English2 Version 5, 5, 10, 45
    Ahead Software AG - InCD Version 4, 0, 1, 18
    Ahead Software AG - InfoTool Application Version 1, 0, 3, 3
    Ahead Software AG - Nero CD Speed Application Version 1, 0, 2, 1
    Ahead Software Gmbh NeroCheck Version 1, 0, 0, 2
    ahead software gmbh, karlsbad - Cover Designer Version 2, 2, 1, 11
    AHEAD Software incdsrv Version 4, 0, 1, 18
    ArcSoft Inc. - Multimedia Email Version 3.0.0.29
    ArcSoft Inc. - PhotoPrinter 2000Pro Version 3, 0, 100, 5
    ArcSoft PhotoStudio Version 4, 1, 0, 0
    ArcSoft PhotoStudio Version 4,3,0,24
    AvatarSoft - Back2zip Version 1.0.0.0
    AvatarSoft - JustZIPit Version 1.0.0.0
    Belarc, Inc. - BelManage Client Version 6.1
    BVRP Software - FaxTools Version 1.00
    Caere Corporation - OmniPage Pro Version 9.0
    CANON INC. - ScanGear Toolbox CS Application Version 2.2.0
    Cinematronics - 3D Pinball Version 5.00.2134.1
    crwl.exe
    CyberLink Corp. - CLDMA Version 1, 0, 0, 2502
    CyberLink Corp. - PowerDVD Version 5.00.0711
    d3ux.exe
    Decoder Configuration Utility
    DivX Player
    dvdplay Application Version 1, 0, 0, 1
    Eastman Software, Inc., A Kodak Business - Imaging for Windows® Version 5.00.2138.1
    Erik Deppe - DriveSpeed Version 1, 6, 1, 0
    Gabest - Media Player Classic Version 6, 4, 8, 2
    GRISOFT s.r.o - AVG6 Version 6.0.1.696
    GRISOFT s.r.o. - AVG Anti-Virus System Version 6, 0, 0, 0
    GRISOFT(c) SOFTWARE - AVG Anti-Virus System Version 6, 0, 0, 0
    GRISOFT, s.r.o. - AVG Anti-Virus System Version 6, 0, 0, 0
    Inkjet Printer Version 1.0.0.0
    Inno Setup
    Java Web Start
    javaw.exe
    Lavasoft Ad-aware Plus Version 6.0.0.0
    Lexmark International Inc. - AIO exe Version 2.0.2.2
    Lexmark International, Inc. - Button Manager Executable Version 0.1.1.1
    Lexmark International, Inc. - MarkVision for Windows (32 bit) Version 8.29
    Lexmark Photo Editor Version 0.1.1.1
    Logitech QuickCam Version 5.2.0.2099
    mfckt.exe
    Microsoft (r) Windows Script Host Version 5.6.0.6626
    Microsoft Corporation - Internet Explorer Version 6.00.2800.1106
    Microsoft Corporation - Messenger Version 6.1
    Microsoft Corporation - Windows Installer - Unicode Version 2.0.2600.1183
    Microsoft Corporation - Windows Journal Viewer Version 1.5.2315.3
    Microsoft Corporation - Windows® NetMeeting® Version 3.01
    Microsoft Data Access Components Version 3.525.1022.0
    Microsoft Pointing Device Software Version 3.10.0393
    Microsoft PowerPoint Viewer for Windows Version 8.0
    Microsoft Windows Media Player Version 6.4.09.1125
    Microsoft® NetShow Version 2.0.0.912
    Mozilla - Firefox Personal
    Mozilla.org - Thunderbird Version 1.7: 2004050210
    NEATO - MediaFACE Version 3, 0, 0, 0
    Network Security Service
    PCCam
    PepiMK Software - Spybot - Search & Destroy Version 1, 3, 0, 12
    PhotoBase 2.0
    Remove the DivX Bundle
    Remove the DivX Codec
    Remove the DivX Player
    Safer Networking Limited - SpyBot-S&D Version 1, 3, 0, 12
    Script Defender
    Shoot The Messenger, by Steve Gibson Version 1.0
    Shortcut to hjsplit.exe Version 1.0.0.0
    Shortcut to sdefendi.exe
    Soeperman Enterprises Ltd. - HijackThis Version 1.97.0007
    SpywareBlaster AutoUpdate Version 3.01
    SpywareBlaster Version 3.01
    Stop StartupMonitor
    SunJavaUpdateSched
    Symantec Corporation - LiveUpdate Version 1.62.17.0
    Symantec Corporation - Norton Utilities for Windows Version 14.00.0.28
    Symantec Corporation - Norton Utilities Version 14.00.0.28
    UpdateIPR.exe
    USB DSC Version 1, 7, 2, 8
    Viewer.exe
    Virtos GmbH - WaveEdit DLL Version 1, 0, 5, 0
    wmplayer.exe
    Yahoo! Messenger Version 5, 6, 0, 1358

    --------------------------------------------------------------------------------

    a. Megahertz measurement may be inaccurate if other programs were busy during last analysis.
    b. Data may be transferred on the bus at one, two, or four times the Bus Clock rate.
    c. Memory slot contents may not add up to Installed Memory if some memory is not recognized by Windows.
    d. Memory slot contents is reported by the motherboard BIOS. Contact system vendor if slot contents are wrong.
    e. This may be the manufacturer's factory installed product key rather than yours.

    --------------------------------------------------------------------------------




    Logfile of HijackThis v1.97.7
    Scan saved at 10:12:23 PM, on 6/16/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\StartupMonitor.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINNT\system32\d3ux.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\ieua.exe
    C:\WINNT\netmk.exe
    C:\Documents and Settings\na\My Documents\Flix\HijackThis.exe

    O2 - BHO: (no name) - {3E68846A-B6CA-BDA8-E434-82EC1BEE2FC5} - C:\WINNT\system32\netlw32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [crwl.exe] C:\WINNT\system32\crwl.exe
    O4 - HKLM\..\Run: [mfckt.exe] C:\WINNT\system32\mfckt.exe
    O4 - HKLM\..\Run: [d3ux.exe] C:\WINNT\system32\d3ux.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17c72f8587c4d72b0e23/netzip/RdxIE601.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.3549768519
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

    You guys are :cool: ! And I'm :D you're available to those of us who are \strike{computer dumbasses} technically challenged . Thanks
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi jimmj43,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {3E68846A-B6CA-BDA8-E434-82EC1BEE2FC5} - C:\WINNT\system32\netlw32.dll

    O4 - HKLM\..\Run: [crwl.exe] C:\WINNT\system32\crwl.exe
    O4 - HKLM\..\Run: [mfckt.exe] C:\WINNT\system32\mfckt.exe
    O4 - HKLM\..\Run: [d3ux.exe] C:\WINNT\system32\d3ux.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17c72f8587c4d72b0e23/netzip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINNT\system32\crwl.exe
    C:\WINNT\system32\mfckt.exe
    C:\WINNT\system32\d3ux.exe

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. jimmj43

    jimmj43 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    9
    My apologies.... I neglected to mention that I am a \strike{certifiable} certified Computer Dumbass.

    After following the HijackThis instructions I was able to reboot into safe mode.
    Unfortunately, I was faced with 2 options to proceed - one said something about command prompts so I selected that one. Tsk, tsk,.... I had NO idea what to do from there!

    Accordingly, I'm back for more detailed instructions. Please include the specifics with respect to HOW one goes about deleting stuff in safe mode.

    Thanks.

    Again, sorry I failed to alert you to my level of ignorance.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Maybe it's not necessary to do that.
    Can you post a new HijackThis log?

    Regards,

    Pieter
     
  5. jimmj43

    jimmj43 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    9
    It's necessary. :'(

    My homepage got re-hijacked and I continue getting a popup window asking me if I want a certain file to execute. If images can be posted here, I'll do a printscreen save the next time it pops up, then convert it to a jpg with a civilized filesize.

    It just popped up, courtesy of my Startup Monitor program. I doubt you'll need the image.

    "The program crwl.exe has registered the executable C:\WINNT\System32\crwl.exe to run at startup. Do you wish to allow this change?"

    I click "no", but that same popup will return again and again.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I will need to see a fresh HijackThis log in order to help you.

    Regards,

    Pieter
     
  7. jimmj43

    jimmj43 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    9
    Here's the latest HijackThis log - mere minutes old:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:12:23 PM, on 6/16/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\StartupMonitor.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINNT\system32\d3ux.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\ieua.exe
    C:\WINNT\netmk.exe
    C:\Documents and Settings\na\My Documents\Flix\HijackThis.exe

    O2 - BHO: (no name) - {3E68846A-B6CA-BDA8-E434-82EC1BEE2FC5} - C:\WINNT\system32\netlw32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [crwl.exe] C:\WINNT\system32\crwl.exe
    O4 - HKLM\..\Run: [mfckt.exe] C:\WINNT\system32\mfckt.exe
    O4 - HKLM\..\Run: [d3ux.exe] C:\WINNT\system32\d3ux.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17c72f8587c4d72b0e23/netzip/RdxIE601.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.3549768519
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi jimmj43,

    Bring up TaskManager (Ctrl-Alt-Del) and stop these processes:
    C:\WINNT\system32\d3ux.exe
    C:\WINNT\ieua.exe
    C:\WINNT\netmk.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    O2 - BHO: (no name) - {3E68846A-B6CA-BDA8-E434-82EC1BEE2FC5} - C:\WINNT\system32\netlw32.dll

    O4 - HKLM\..\Run: [crwl.exe] C:\WINNT\system32\crwl.exe
    O4 - HKLM\..\Run: [mfckt.exe] C:\WINNT\system32\mfckt.exe
    O4 - HKLM\..\Run: [d3ux.exe] C:\WINNT\system32\d3ux.exe

    Then surf to http://www.kaspersky.com/scanforvirus
    and have C:\WINNT\system32\d3ux.exe checked there. Let me know the results.

    Regards,

    Pieter
     
  9. jimmj43

    jimmj43 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    9
    Upon bringing up the Task Manager, only the irau.exe was shown. After twice attempting to shut it down, the results were the same: "The opera could not be completed. Access denied."

    The HijackThis scan did not display the [mfckt.exe] or the [d3ux.exe].

    The visit to the virus scan site appears to have been unproductive. I entered:
    C:\WINNT\system32\d3ux.exe
    into the browse window twice with the same result --> a new, blank browse window.
     
  10. jimmj43

    jimmj43 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    9
    "opera" = operation

    That lousy popup interrupted my typing and I couldn't figure out how to get in and edit/correct.
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Either the file is hiding:
    To "unhide" hidden files and folders:
    Launch My Computer from the Desktop Icon.
    Select View, Details.
    Select the Folders button.
    Select Tools, Folder Options. Then select the View tab. Make sure the Show hidden files and folders radio button is selected
    and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
    Like Current Folder (located near the top of the Folder Options box). Then select OK.

    Or it is name changing: Post a new HijackThis log.

    Regards,

    Pieter
     
  12. jimmj43

    jimmj43 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    9
    Following your instructions with respect to opening "My Computer", no changes were necessary since the existing settings already comply with your instructions.

    Here's the latest HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:18:54 AM, on 6/18/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\ieua.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\StartupMonitor.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINNT\system32\wuauclt.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Documents and Settings\na\My Documents\regprot\regprot.exe
    C:\WINNT\System32\crwl.exe
    C:\Documents and Settings\na\My Documents\Flix\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epuxp.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://epuxp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://epuxp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
    O2 - BHO: (no name) - {938F6D91-A9B6-716B-ADA4-3BD801E94290} - C:\WINNT\system32\ntkt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: PopupPopper Control Panel (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.3549768519
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    OK. This is my last attempt for today.
    If it does not work, I posted general instructions here:
    https://www.wilderssecurity.com/showthread.php?p=198412#post198412

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click and stop it. Put the Startup type to Disabled under Properties > General tab.

    Then open TaskManager and stop these two processes:
    C:\WINNT\ieua.exe
    C:\WINNT\System32\crwl.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epuxp.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://epuxp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://epuxp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
    O2 - BHO: (no name) - {938F6D91-A9B6-716B-ADA4-3BD801E94290} - C:\WINNT\system32\ntkt.dll

    Then reboot into safe mode and delete:
    C:\WINNT\ieua.exe
    C:\WINNT\System32\crwl.exe
    C:\WINNT\system32\ntkt.dat
    C:\WINNT\system32\epuxp.dll

    Regards,

    Pieter
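An editor's added example, not code from the thread or from HijackThis: a small Python triage script that mechanises the checks Pieter applies to these logs (R0/R1 start and search pages pointing at a res:// DLL resource, O2 BHOs with no name, O4 Run entries whose registry value name is just the executable's file name, as with crwl.exe, mfckt.exe and d3ux.exe) and diffs two logs to spot the renaming he mentions (netlw32.dll becoming ntkt.dll). The sample lines are a subset copied from the logs in this thread; the "Run value named after its own executable" rule is a heuristic of this example, not a HijackThis rule.

```python
import re
from dataclasses import dataclass

# Constructed sample input: subsets of the O2/O4 lines from the first log and of
# the R0/R1/O2/O4 lines from the later log posted in this thread.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {3E68846A-B6CA-BDA8-E434-82EC1BEE2FC5} - C:\WINNT\system32\netlw32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [crwl.exe] C:\WINNT\system32\crwl.exe
O4 - HKLM\..\Run: [mfckt.exe] C:\WINNT\system32\mfckt.exe
O4 - HKLM\..\Run: [d3ux.exe] C:\WINNT\system32\d3ux.exe
""".strip().splitlines()

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epuxp.dll/index.html#37049
O2 - BHO: (no name) - {938F6D91-A9B6-716B-ADA4-3BD801E94290} - C:\WINNT\system32\ntkt.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
""".strip().splitlines()

# "Rn - body" / "Onn - body": every HijackThis entry line has this shape; the
# header and the "Running processes" list do not, so they are skipped.
ENTRY_RE = re.compile(r"^(R[013]|O\d{1,2}) - (.*)$")
# O4 body: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O2 body: BHO: (display name) - {CLSID} - path to DLL
O2_RE = re.compile(r"^BHO: \((?P<name>[^)]*)\) - \{[0-9A-Fa-f-]+\} - (?P<dll>.+)$")
# First executable on a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?:\s|$)', re.I)


@dataclass
class Finding:
    kind: str
    entry: str
    reason: str


def parse(lines):
    """Yield (kind, body) for each HijackThis entry line."""
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(lines):
    """Apply the three checks used in this thread and return the flagged entries."""
    findings = []
    for kind, body in parse(lines):
        if kind in ("R0", "R1"):
            # IE start/search pages should be http(s) URLs or about:blank; a
            # res:// value serves the page out of a DLL's resources.
            value = body.partition("=")[2].strip()
            if value.lower().startswith("res://"):
                findings.append(Finding(kind, body, "IE page setting points into a DLL resource (res://)"))
        elif kind == "O2":
            m = O2_RE.match(body)
            if m and m.group("name").lower() == "no name":
                findings.append(Finding(kind, body, "BHO with no name loaded from " + m.group("dll")))
        elif kind == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            exe = EXE_RE.match(m.group("cmd"))
            base = exe.group("path").rsplit("\\", 1)[-1] if exe else ""
            # Heuristic (this example's, not HijackThis's): vendors name their Run
            # values (AVG_CC, SunJavaUpdateSched); the pests here used the bare file name.
            if base and m.group("name").lower() == base.lower():
                findings.append(Finding(kind, body, "Run value named after its own executable: " + base))
    return findings


def changed_entries(before, after):
    """Entries that appeared or disappeared between two logs; renamed pests show up as one of each."""
    old = {f"{k} - {b}" for k, b in parse(before)}
    new = {f"{k} - {b}" for k, b in parse(after)}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(f"== {label} ==")
        for f in triage(log):
            print(f"  {f.kind}: {f.reason}")
    added, removed = changed_entries(LOG_BEFORE, LOG_AFTER)
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
```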
     
  14. jimmj43

    jimmj43 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    9
    Pieter, I sincerely appreciate your patience. Thank you!

    I'll do as you suggested and report back...

    Thanks again,

    Jim
     