Unwanted starting page & pop-ups

Discussion in 'adware, spyware & hijack cleaning' started by Doom, Jun 15, 2004.

Thread Status:
Not open for further replies.
  1. Doom

    Doom Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    5
    Hi,

    I've got a problem. My starting page has changed unwanted and I can't change it back. I already used Ad-aware. I read on a dutch forum to use Hi-Jack This and post the log on this forum. I hope somebody can help me. I don't know what to check to fix.

    (Excuse me for my bad english)

    This is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:40:34, on 15-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\atllc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\iecp32.exe
    C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    C:\WINDOWS\NCLAUNCH.EXe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\Documents and Settings\Tjerk Lugthart\Local Settings\Temp\Tijdelijke map 2 voor hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yvkcu.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yvkcu.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yvkcu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yvkcu.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yvkcu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yvkcu.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D8249B4E-958A-B03F-2C17-480C0BABA6A6} - C:\WINDOWS\system32\atlnm.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [iecp32.exe] C:\WINDOWS\iecp32.exe
    O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
    O4 - HKLM\..\RunOnce: [Setup] "C:\Documents and Settings\Tjerk Lugthart\Bureaublad\setup.exe" /k /l1043 /t"C:\Documents and Settings\Tjerk Lugthart\Bureaublad" /e"C:\DOCUME~1\TJERKL~1\LOCALS~1\Temp\_is6F" /w /v"NOTADDREMOVE=1 REINSTALLMODE=vomus REINSTALL=ALL TRANSFORMS=C:\DOCUME~1\TJERKL~1\LOCALS~1\Temp\_is6F\1043.MST SETUPEXEDIR=C:\Documents and Settings\Tjerk Lugthart\Bureaublad" /c
    O4 - Startup: BUREAUBLADACHTERGROND-KIEZER.lnk = C:\Program Files\f-zero_gx_wpc\wpc.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qplace.hshaarlem.nl/qp2.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04ba8f44590819f0e006/netzip/RdxIE601.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
     
  2. Doom

    Doom Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    5
    Hello,

    I hope this is not a stupid question, but I was wondering: is it safe to use an email program or log on to sites, while my browser is hijacked?

    Thank you for your time!
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Doom,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Rightclick and stop it. Put the Startup type to disabled under Properties > General tab

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\atllc.exe
    C:\WINDOWS\iecp32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yvkcu.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yvkcu.dll/index.html#96676

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yvkcu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yvkcu.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yvkcu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yvkcu.dll/sp.html#96676

    O2 - BHO: (no name) - {D8249B4E-958A-B03F-2C17-480C0BABA6A6} - C:\WINDOWS\system32\atlnm.dll

    O4 - HKLM\..\Run: [iecp32.exe] C:\WINDOWS\iecp32.exe

    O4 - HKLM\..\RunOnce: [Setup] "C:\Documents and Settings\Tjerk Lugthart\Bureaublad\setup.exe" /k /l1043 /t"C:\Documents and Settings\Tjerk Lugthart\Bureaublad" /e"C:\DOCUME~1\TJERKL~1\LOCALS~1\Temp\_is6F" /w /v"NOTADDREMOVE=1 REINSTALLMODE=vomus REINSTALL=ALL TRANSFORMS=C:\DOCUME~1\TJERKL~1\LOCALS~1\Temp\_is6F\1043.MST SETUPEXEDIR=C:\Documents and Settings\Tjerk Lugthart\Bureaublad" /c

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04ba8f44590819f0e006/netzip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\atlnm.dat
    C:\WINDOWS\atllc.exe
    C:\WINDOWS\iecp32.exe
    C:\WINDOWS\yvkcu.dll

    Log on to a forum (where you have no special rights) is not so bad but logging in to a web-based email account like Hotmail is something I would wait with.

    Regards,

    Pieter
     
  4. Doom

    Doom Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    5
    Hi Pieter,

    Thank you for your reply!
    I followed your instructions. However, TaskManager didn't show atllc.exe as a running process, and I couldn't find C:\WINDOWS\system32\atlnm.dat.

    Also, when I launched IE, and tried to change the starting page, it changed to res://eykup.dll/index.html#96676... So i'm afraid the problem didn't go away :(

    I ran AdAware and it found 4 cookies and 1 file, which I deleted. I don't remember the name of the file exactly, but AdAware identified it as CoolWebSearch malware.

    Should I download and run CWShredder?

    Sorry for the trouble...

    I included a new HiJack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 14:31:44, on 17-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\netmo32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\appry32.exe
    C:\Documents and Settings\Tjerk Lugthart\Bureaublad\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eykup.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://eykup.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://eykup.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eykup.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://eykup.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eykup.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4F787897-0AF3-4126-EE8D-96EDB124C98B} - C:\WINDOWS\apiqc32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [appry32.exe] C:\WINDOWS\appry32.exe
    O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: BUREAUBLADACHTERGROND-KIEZER.lnk = C:\Program Files\f-zero_gx_wpc\wpc.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qplace.hshaarlem.nl/qp2.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Doom,

    No use since we found this variant yesterday and CWShredder was last updated over a week ago.

    Assuming you were succesfull in shutting down the service (check if it is still disabled), please open TaskManager and stop these two processes:
    C:\WINDOWS\system32\netmo32.exe
    C:\WINDOWS\appry32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eykup.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://eykup.dll/index.html#96676

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://eykup.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eykup.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://eykup.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eykup.dll/sp.html#96676

    O2 - BHO: (no name) - {4F787897-0AF3-4126-EE8D-96EDB124C98B} - C:\WINDOWS\apiqc32.dll

    O4 - HKLM\..\Run: [appry32.exe] C:\WINDOWS\appry32.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\netmo32.exe
    C:\WINDOWS\appry32.exe
    C:\WINDOWS\system32\eykup.dll

    Regards,

    Pieter
     
  6. Doom

    Doom Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    5
    Hi!

    I stopped the two processes, and deleted the three files. Only eykup wasn't a .dll file but a .dat file. I deleted that one (I searched for eykup.dll just to be sure, but it didn't show up).

    Here's a fresh log:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:08:02, on 17-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Tjerk Lugthart\Bureaublad\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: BUREAUBLADACHTERGROND-KIEZER.lnk = C:\Program Files\f-zero_gx_wpc\wpc.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qplace.hshaarlem.nl/qp2.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab


    offtopic: are you going to the Metallica concert in the Arena the 21st?
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Doom,

    Good job. :cool:
    That should take care of it.

    Please read: Why did I get infected in the first place

    If you have spare tickets. :p

    Already seen them in the Gelredome. Once a year is more then enough when you're my age. ;)

    Regards,

    Pieter
     
  8. Doom

    Doom Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    5
    Ah great!

    I checked IE and it doesn't change the start page anymore!

    Thank you VERY, VERY much!!!


    Unfortunately I don't have any tickets (I won't be going myself). But the reason I asked is because a friend of mine (who is going), told me they are going to show the 'Metallica: Some Kind of Monster' documentary at the Pathe ArenA the same day.


    Thanks again!
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.