Status
Not open for further replies.

Registered · 1 Posts · Discussion Starter · #1
Hi... I've got some problems with my PC and the HijackThis log doesn't seem right... Can you help me? Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 17:44:42, on 29/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ATLTQ.EXE
C:\WINDOWS\D3IG.EXE
C:\WINDOWS\SYSTEM\CRRJ.EXE
C:\WINDOWS\SYSTEM\NTGY.EXE
C:\WINDOWS\ATLWA.EXE
C:\WINDOWS\IPYR.EXE
C:\WINDOWS\CRCT.EXE
C:\WINDOWS\SYSTEM\ADDRY32.EXE
C:\WINDOWS\SYSTEM\SDKZR.EXE
C:\WINDOWS\SYSTEM\WINFI32.EXE
C:\WINDOWS\CRRE32.EXE
C:\WINDOWS\SYSTEM\APIIY32.EXE
C:\WINDOWS\SYSTEM\JAVAQN.EXE
C:\WINDOWS\NETPY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\NTEE32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\C383.TMP.EXE
C:\WINDOWS\TEMP\C3B4.TMP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINSTALL.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@st 800-840\DSLMON.EXE
C:\WINDOWS\D3IG.EXE
C:\WINDOWS\SYSTEM\CRRJ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\CRCT.EXE
C:\WINDOWS\D3IG.EXE
C:\WINDOWS\SYSTEM\SDKZR.EXE
C:\WINDOWS\MSGE32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\MSGE32.EXE
C:\WINDOWS\D3IG.EXE
C:\WINDOWS\SYSTEM\SDKZR.EXE
C:\WINDOWS\SYSTEM\NETRR32.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yvidn.dll/sp.html#12047
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yvidn.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yvidn.dll/sp.html#12047
*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yvidn.dll/sp.html#12047
*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yvidn.dll/sp.html#12047
*R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yvidn.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
*R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BB37280E-3BA4-0CF4-3710-D1E7E658044E} - C:\WINDOWS\APIHV.DLL
O2 - BHO: Class - {04D5AFE8-78D5-35DB-B1C3-0D55D79600C6} - C:\WINDOWS\SYSTEM\CRNF.DLL
O2 - BHO: Class - {4906171F-79FE-C5B4-02A8-FE9366B05984} - C:\WINDOWS\SYSTEM\SYSOD32.DLL
O2 - BHO: Class - {CBA95868-A744-3AF3-A50C-963AC455EAE7} - C:\WINDOWS\NTPO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NTEE32.EXE] C:\WINDOWS\SYSTEM\NTEE32.EXE
O4 - HKLM\..\Run: [C383.TMP] C:\WINDOWS\TEMP\C383.TMP.exe
O4 - HKLM\..\Run: [C3B4.TMP] C:\WINDOWS\TEMP\C3B4.TMP.exe
O4 - HKLM\..\Run: [C383.TMP.EXE] C:\WINDOWS\TEMP\C383.TMP.EXE
O4 - HKLM\..\Run: [C3B4.TMP.EXE] C:\WINDOWS\TEMP\C3B4.TMP.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [ATLTQ.EXE] C:\WINDOWS\SYSTEM\ATLTQ.EXE /s
O4 - HKLM\..\RunServices: [D3IG.EXE] C:\WINDOWS\D3IG.EXE /s
O4 - HKLM\..\RunServices: [CRRJ.EXE] C:\WINDOWS\SYSTEM\CRRJ.EXE /s
O4 - HKLM\..\RunServices: [NTGY.EXE] C:\WINDOWS\SYSTEM\NTGY.EXE /s
O4 - HKLM\..\RunServices: [ATLWA.EXE] C:\WINDOWS\ATLWA.EXE /s
O4 - HKLM\..\RunServices: [IPYR.EXE] C:\WINDOWS\IPYR.EXE /s
O4 - HKLM\..\RunServices: [CRCT.EXE] C:\WINDOWS\CRCT.EXE /s
O4 - HKLM\..\RunServices: [ADDRY32.EXE] C:\WINDOWS\SYSTEM\ADDRY32.EXE /s
O4 - HKLM\..\RunServices: [SDKZR.EXE] C:\WINDOWS\SYSTEM\SDKZR.EXE /s
O4 - HKLM\..\RunServices: [WINFI32.EXE] C:\WINDOWS\SYSTEM\WINFI32.EXE /s
O4 - HKLM\..\RunServices: [CRRE32.EXE] C:\WINDOWS\CRRE32.EXE /s
O4 - HKLM\..\RunServices: [APIIY32.EXE] C:\WINDOWS\SYSTEM\APIIY32.EXE /s
O4 - HKLM\..\RunServices: [JAVAQN.EXE] C:\WINDOWS\SYSTEM\JAVAQN.EXE /s
O4 - HKLM\..\RunServices: [NETPY.EXE] C:\WINDOWS\NETPY.EXE /s
O4 - HKLM\..\RunServices: [MSGE32.EXE] C:\WINDOWS\MSGE32.EXE /s
O4 - HKLM\..\RunServices: [NETRR32.EXE] C:\WINDOWS\SYSTEM\NETRR32.EXE /s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2NET\BT2PLU~1.DLL (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\PROGRA~1\BT2NET\BT2PLU~1.DLL
 

Bearded Tech Monkey · 1,058 Posts
Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back to address your problem A.S.A.P.

Please Subscribe to this thread, (Thread Tools->Subscribe to this Thread) so that you are notified when a reply has been made.

Please be patient with me during this time.

Thanks,

RavenMind
 

Bearded Tech Monkey · 1,058 Posts
Hello, gandalf. Thank you for being patient while I reviewed your log!

I apologize for the delay in getting this fix to you. It looks like you have a couple of different infections at work here.

Important: Copy this page into Notepad & save it. You may also want to print out a copy of these instructions in case you are unable to access Notepad during the fix. Make sure to work through the fixes in the exact order they are presented. If there is anything that you don't understand, ask me about it before proceeding with the fixes.


  1. Enable the viewing of hidden files/folders:

    Go to My Computer > View > Folder Options > “View” tab, and make sure that “Show all files” is checked under the “Hidden Files” section. Also make sure there is no checkmark beside “Hide file extensions for known file types”.



  2. Downloads:

    CWShredder

    Download CWShredder to Desktop, but do not run it yet.
    Note: V.2.15 should be used, as Trend Micro failed to make future versions compatible with Win ME.


    AboutBuster

    Download About Buster, and unzip it to a folder on your Desktop. Run the program and click OK. Click Update > Check For Update then exit About Buster once the update is complete.



    smitRem.exe

    Download to Desktop, then double click on the file to extract it to its own folder on the desktop.



    AdAware
    If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
    Ad-Aware SE Setup
    Don't run it yet!



  3. Reboot into Safe Mode.

    Restart the computer. While it’s booting up, tap the F8 key until a numbered menu appears. Choose “Safe Mode”, press Enter, and Windows will continue to load.



  4. SmitRem:

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.



  5. HiJackThis Entries:

    Run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

    *R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yvidn.dll/sp.html#12047
    *R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yvidn.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    *R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yvidn.dll/sp.html#12047
    *R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yvidn.dll/sp.html#12047
    *R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yvidn.dll/sp.html#12047
    *R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yvidn.dll/sp.html#12047
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    *R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {BB37280E-3BA4-0CF4-3710-D1E7E658044E} - C:\WINDOWS\APIHV.DLL
    O2 - BHO: Class - {04D5AFE8-78D5-35DB-B1C3-0D55D79600C6} - C:\WINDOWS\SYSTEM\CRNF.DLL
    O2 - BHO: Class - {4906171F-79FE-C5B4-02A8-FE9366B05984} - C:\WINDOWS\SYSTEM\SYSOD32.DLL
    O2 - BHO: Class - {CBA95868-A744-3AF3-A50C-963AC455EAE7} - C:\WINDOWS\NTPO.DLL
    O4 - HKLM\..\Run: [NTEE32.EXE] C:\WINDOWS\SYSTEM\NTEE32.EXE
    O4 - HKLM\..\Run: [C383.TMP] C:\WINDOWS\TEMP\C383.TMP.exe
    O4 - HKLM\..\Run: [C3B4.TMP] C:\WINDOWS\TEMP\C3B4.TMP.exe
    O4 - HKLM\..\Run: [C383.TMP.EXE] C:\WINDOWS\TEMP\C383.TMP.EXE
    O4 - HKLM\..\Run: [C3B4.TMP.EXE] C:\WINDOWS\TEMP\C3B4.TMP.EXE
    O4 - HKLM\..\RunServices: [ATLTQ.EXE] C:\WINDOWS\SYSTEM\ATLTQ.EXE /s
    O4 - HKLM\..\RunServices: [D3IG.EXE] C:\WINDOWS\D3IG.EXE /s
    O4 - HKLM\..\RunServices: [CRRJ.EXE] C:\WINDOWS\SYSTEM\CRRJ.EXE /s
    O4 - HKLM\..\RunServices: [NTGY.EXE] C:\WINDOWS\SYSTEM\NTGY.EXE /s
    O4 - HKLM\..\RunServices: [ATLWA.EXE] C:\WINDOWS\ATLWA.EXE /s
    O4 - HKLM\..\RunServices: [IPYR.EXE] C:\WINDOWS\IPYR.EXE /s
    O4 - HKLM\..\RunServices: [CRCT.EXE] C:\WINDOWS\CRCT.EXE /s
    O4 - HKLM\..\RunServices: [ADDRY32.EXE] C:\WINDOWS\SYSTEM\ADDRY32.EXE /s
    O4 - HKLM\..\RunServices: [SDKZR.EXE] C:\WINDOWS\SYSTEM\SDKZR.EXE /s
    O4 - HKLM\..\RunServices: [WINFI32.EXE] C:\WINDOWS\SYSTEM\WINFI32.EXE /s
    O4 - HKLM\..\RunServices: [CRRE32.EXE] C:\WINDOWS\CRRE32.EXE /s
    O4 - HKLM\..\RunServices: [APIIY32.EXE] C:\WINDOWS\SYSTEM\APIIY32.EXE /s
    O4 - HKLM\..\RunServices: [JAVAQN.EXE] C:\WINDOWS\SYSTEM\JAVAQN.EXE /s
    O4 - HKLM\..\RunServices: [NETPY.EXE] C:\WINDOWS\NETPY.EXE /s
    O4 - HKLM\..\RunServices: [MSGE32.EXE] C:\WINDOWS\MSGE32.EXE /s
    O4 - HKLM\..\RunServices: [NETRR32.EXE] C:\WINDOWS\SYSTEM\NETRR32.EXE /s
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2NET\BT2PLU~1.DLL (file missing)
    O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\PROGRA~1\BT2NET\BT2PLU~1.DLL

    Please make sure to close all open windows & browsers, then click Fix Checked.



  6. About:Buster:

    Close all Browsers/Explorer windows & run About:Buster. Click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.



  7. CWShredder:

    Run CWShredder and click on Fix (it will automatically fix anything it finds for you).



  8. File Deletions:

    Delete the following files, and the C:\PROGRAM FILES\BT2NET folder, if they still exist.
    • NOTE: If the full path to the file is not listed, then you should do a Search. (“Start” > “Search” > “For files or folders…” > “All files & folders”)

    C:\WINDOWS\yvidn.dll
    C:\WINDOWS\APIHV.DLL
    C:\WINDOWS\SYSTEM\CRNF.DLL
    C:\WINDOWS\SYSTEM\SYSOD32.DLL
    C:\WINDOWS\NTPO.DLL
    C:\WINDOWS\SYSTEM\ATLTQ.EXE
    C:\WINDOWS\SYSTEM\NTGY.EXE
    C:\WINDOWS\ATLWA.EXE
    C:\WINDOWS\IPYR.EXE
    C:\WINDOWS\CRCT.EXE
    C:\WINDOWS\SYSTEM\ADDRY32.EXE
    C:\WINDOWS\SYSTEM\WINFI32.EXE
    C:\WINDOWS\CRRE32.EXE
    C:\WINDOWS\SYSTEM\APIIY32.EXE
    C:\WINDOWS\SYSTEM\JAVAQN.EXE
    C:\WINDOWS\NETPY.EXE
    C:\WINDOWS\SYSTEM\NTEE32.EXE
    C:\WINDOWS\TEMP\C383.TMP.EXE
    C:\WINDOWS\TEMP\C3B4.TMP.EXE
    C:\WINSTALL.EXE
    C:\WINDOWS\SYSTEM\CRRJ.EXE
    C:\WINDOWS\MSGE32.EXE
    C:\WINDOWS\D3IG.EXE
    C:\WINDOWS\SYSTEM\SDKZR.EXE
    C:\WINDOWS\SYSTEM\NETRR32.EXE
    C:\PROGRAM FILES\BT2NET



  9. AdAware:

    Open Ad-aware and do a full scan. Remove all it finds.



  10. Reboot into Normal Mode.



  11. Online Scan:

    Be sure to turn off the real-time scanner of any existing antivirus program while performing the online scan. (e.g., Norton, McAfee, etc.)

    Using Internet Explorer, perform an online scan with Kaspersky WebScanner:

    • Click on “Launch Kaspersky Anti-Virus Web Scanner”
    • Click Yes when prompted to install an ActiveX component.

      The program will launch, and begin downloading the definitions.

    • Click “NEXT” once the files have been downloaded.
    • Now click on Scan Settings:

    • Select the following under Scan Settings:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now, under Select a Target to Scan:
      • Select My Computer

      This will start the system scan. (It may take a while, so please be patient)

    Once the scan is complete it will tell you if your system has been infected.
    • Click on the Save as Text button.
    • Save the file to your desktop. (We will need it later)



Please post the following items in your next reply:
  1. Fresh HJT log, run in Normal Mode
  2. AB Logfile.txt
  3. SmitFiles.txt
  4. Kaspersky scan results
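As an added illustration that is not part of the thread or of HijackThis itself, the triage below encodes the three patterns the analyst acted on in the log above: IE start/search keys pointing at a res:// resource inside a local DLL, BHOs carrying the placeholder name "Class" that live directly in the Windows directory, and autorun entries launched from TEMP or named after their own executable. The sample lines are copied from the posted log (mixed with benign entries); the rules are heuristics only and do not catch everything the analyst flagged, so C:\winstall.exe still needs a human eye.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: entries copied from the log posted above, mixed with
# benign ones, so the triage rules can be exercised offline.
SAMPLE_LOG = """\
*R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\yvidn.dll/sp.html#12047
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {BB37280E-3BA4-0CF4-3710-D1E7E658044E} - C:\\WINDOWS\\APIHV.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [TaskMonitor] C:\\WINDOWS\\taskmon.exe
O4 - HKLM\\..\\Run: [LoadQM] loadqm.exe
O4 - HKLM\\..\\Run: [C383.TMP] C:\\WINDOWS\\TEMP\\C383.TMP.exe
O4 - HKLM\\..\\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\\..\\RunServices: [D3IG.EXE] C:\\WINDOWS\\D3IG.EXE /s
O4 - HKCU\\..\\Run: [Windows installer] C:\\winstall.exe
"""

R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
WINDOWS_DIRS = {"C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM"}

def triage(line):
    """Return a short reason if the entry matches a pattern the analyst acted on, else None."""
    line = line.strip().lstrip("*")  # some posted logs prefix flagged lines with '*'
    m = R_RE.match(line)
    if m and m["value"].lower().startswith("res://"):
        return "IE start/search page redirected into a local DLL resource"
    m = O2_RE.match(line)
    if m:
        parent = str(PureWindowsPath(m["path"]).parent).upper()
        if m["name"].strip() == "Class" and parent in WINDOWS_DIRS:
            return "BHO with placeholder name dropped into the Windows directory"
    m = O4_RE.match(line)
    if m:
        exe = m["cmd"].split(" /")[0].strip('"')  # drop switches such as /s
        exe_name = PureWindowsPath(exe).name.upper()
        if "\\TEMP\\" in exe.upper():
            return "autorun launched from the TEMP directory"
        if exe_name.endswith(".EXE") and m["name"].upper() == exe_name:
            return "autorun whose value name is just its own file name"
    return None

def flagged(log_text):
    """Map each suspicious entry in a HijackThis log to the reason it was flagged."""
    return {l.strip().lstrip("*"): r for l in log_text.splitlines() if (r := triage(l))}
```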
 