
re: Spyware problems
Friday, May 27, 2005 at 2:51 pm
Windows XP Annoyances Discussion Forum
Posted by Vincent (14 messages posted)


Think we're back to square one...everything still there:

Logfile of HijackThis v1.99.1
Scan saved at 23:44:33, on 27-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\MyBuster\AboutBuster.exe
C:\WINDOWS\system32\appap32.exe
C:\MyHJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [appap32.exe] C:\WINDOWS\system32\appap32.exe
O4 - HKLM\..\RunOnce: [apihv.exe] C:\WINDOWS\apihv.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3rl32.exe"  /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

and this is from AboutBuster:

Scanned at: 21:42:14   on: 27-5-2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 23:31:05   on: 27-05-2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\system32\mtgbt.dat
Removed! : C:\WINDOWS\system32\zimxj.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Scanned at: 23:41:17   on: 27-05-2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

What's our next move...

On Friday, May 27, 2005 at 1:56 pm, MrCharlie wrote:
>
>Like I said it's going to take several steps to nail this hijacker.
>
>Try this in regular mode
>
> Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click
>the Image Name column header to alphabetically sort the processes => Scroll through
>the list and look for:
>
>windn32.exe
>
>If you find the files, click on them, and then click End Process => Exit the Task
>Manager.
>
>
> CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all
>the following, then click "Fix Checked":
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R3 - Default URLSearchHook is missing
>O2 - BHO: Class - {172A767E-22AD-09EE-8C96-720970A7FA45} - C:\WINDOWS\system32\crqw32.dll
>O2 - BHO: Class - {CAEBAB9D-5B6A-D04D-3DF1-1992B30E11BB} - C:\WINDOWS\system32\appnh.dll
>O2 - BHO: Class - {FCBEFCA2-4337-C522-B757-2FED10040650} - C:\WINDOWS\apivy.dll
>O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
>O4 - HKLM\..\RunOnce: [mfcta.exe] C:\WINDOWS\mfcta.exe
>O4 - HKLM\..\RunOnce: [ietk.exe] C:\WINDOWS\system32\ietk.exe
>O4 - HKLM\..\RunOnce: [ipib.exe] C:\WINDOWS\ipib.exe
>O4 - HKLM\..\RunOnce: [d3rt.exe] C:\WINDOWS\d3rt.exe
>O4 - HKLM\..\RunOnce: [apihv.exe] C:\WINDOWS\apihv.exe
>O4 - HKLM\..\RunOnce: [netgv.exe] C:\WINDOWS\netgv.exe
>O4 - HKLM\..\RunOnce: [mssb32.exe] C:\WINDOWS\system32\mssb32.exe
>O4 - HKLM\..\RunOnce: [winbs32.exe] C:\WINDOWS\winbs32.exe
>O4 - HKLM\..\RunOnce: [ntjy.exe] C:\WINDOWS\system32\ntjy.exe
>O4 - HKLM\..\RunOnce: [netzn.exe] C:\WINDOWS\system32\netzn.exe
>O4 - HKLM\..\RunOnce: [sdkep.exe] C:\WINDOWS\sdkep.exe
>O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
>
>
> Delete the following files if present:
>
>C:\WINDOWS\system32\windn32.exe<----Typical
>C:\WINDOWS\system32\crqw32.dll
> C:\WINDOWS\system32\appnh.dll
> C:\WINDOWS\system32\mfcue32.dll
>C:\WINDOWS\system32\ietk.exe
> C:\WINDOWS\system32\mssb32.exe
>C:\WINDOWS\system32\ntjy.exe
> C:\WINDOWS\system32\netzn.exe
>C:\WINDOWS\system32\d3rl32.exe
>C:\WINDOWS\mrtqm.dll
>C:\WINDOWS\apivy.dll
>C:\WINDOWS\mfcta.exe
> C:\WINDOWS\ipib.exe
> C:\WINDOWS\d3rt.exe
>C:\WINDOWS\apihv.exe
>C:\WINDOWS\netgv.exe
> C:\WINDOWS\sdkep.exe
>C:\WINDOWS\winbs32.exe
>
> (and any other files with the same name that end in .dll, .exe or .dat, you may
>find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)
>
>If you get an error when deleting a file, right-click on the file and check whether
>the read-only attribute is checked. If it is, uncheck it and try again.
>
>
> Run AboutBuster . This will scan your computer for the bad files and delete them.
>It will ask to scan the system again, let it. Save the report (copy and paste into
>notepad or wordpad and save as a .txt file) and post a copy back here when you are
>done with all the steps.
>
> Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.
>
> Reboot and post a fresh HJT log back here and let's see how we did, MrC
>

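Added here as an illustration, not as code from the thread, from Vincent or MrCharlie, or from HijackThis itself: a small Python triage of the entry shapes MrCharlie is ticking in this exchange (R0/R1 search settings that point into a local DLL via res://, a BHO with no real name loading from the Windows folder, an HKLM RunOnce entry and a Run value named after its own executable, an O23 service whose binary is missing), cross-referenced against the "Running processes" list so you know what to End Process before deleting anything. The sample log is a constructed excerpt of the log posted above with its legitimate neighbours kept in, and the heuristics and file-stem grouping are my own, not HJT's.

```python
"""Triage a HijackThis (HJT) log for the IE search-hijacker pattern in this thread."""
import re

# Constructed sample: an excerpt of the log posted above, with the legitimate
# entries around the bad ones kept so the heuristics have something to ignore.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\appap32.exe
C:\MyHJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [appap32.exe] C:\WINDOWS\system32\appap32.exe
O4 - HKLM\..\RunOnce: [apihv.exe] C:\WINDOWS\apihv.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3rl32.exe"  /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|dat)\b", re.I)
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+):\s*\[([^\]]+)\]\s*(.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")


def parse(log):
    """Return (running-process paths in lower case, list of (kind, body) entries)."""
    procs, entries, in_procs = set(), [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.add(line.lower())
        elif in_procs:
            in_procs = False          # a blank line ends the process list
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return procs, entries


def first_path(text):
    """First Windows path to an .exe/.dll/.dat in text (also inside a res:// URL)."""
    m = WIN_PATH_RE.search(text)
    return m.group(0) if m else None


def triage(log):
    """Flag the entry shapes that mark this hijacker; each finding notes if the file is running."""
    procs, entries = parse(log)
    findings = []

    def flag(kind, body, reason):
        path = first_path(body)
        findings.append({"entry": f"{kind} - {body}", "reason": reason, "path": path,
                         "running": path is not None and path.lower() in procs})

    for kind, body in entries:
        if kind in ("R0", "R1") and "res://" in body.lower():
            flag(kind, body, "IE search setting points into a local DLL resource, not a web URL")
        elif kind == "R3" and "is missing" in body:
            flag(kind, body, "default URLSearchHook was removed; HJT can restore it")
        elif kind == "O2":
            m = BHO_RE.match(body)
            if m and m.group(1) in ("Class", "(no name)") and m.group(2).lower().startswith("c:\\windows\\"):
                flag(kind, body, "BHO with no real name loading a DLL from the Windows folder")
        elif kind == "O4":
            m = RUN_RE.match(body)
            if m:
                _hive, key, name, cmd = m.groups()
                path = first_path(cmd)
                exe = path.rsplit("\\", 1)[-1].lower() if path else ""
                if key.lower() == "runonce":
                    flag(kind, body, "HKLM RunOnce entry: installers clear these after one boot; one that returns is a re-infection hook")
                elif name.lower() == exe:
                    flag(kind, body, "Run value named after its own executable, like the random-named files here")
        # "Unknown owner" alone is not a signal: the legitimate ATI service prints it too.
        elif kind == "O23" and "(file missing)" in body:
            flag(kind, body, "service registration whose binary is missing: fix the entry, delete the file if it reappears")
    return findings


def sibling_candidates(findings):
    """For each flagged file, the .exe/.dll/.dat names with the same stem to look for beside it."""
    out = {}
    for f in findings:
        if f["path"]:
            folder, name = f["path"].rsplit("\\", 1)
            stem = name.rsplit(".", 1)[0]
            out[stem] = sorted(f"{folder}\\{stem}.{ext}" for ext in ("exe", "dll", "dat"))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(("RUNNING  " if f["running"] else "         ") + f["entry"] + "\n    -> " + f["reason"])
```

On this sample the only flagged file that is also in the process list is appap32.exe, which is exactly what needs to be killed in Task Manager before the O4 entry is fixed and the file deleted; the qyztn.dll hijack, the mfcue32.dll BHO, the apihv.exe RunOnce and the dead d3rl32.exe service come out as findings, while SynTPEnh, QuickTime, Skype and the ATI service (despite its "Unknown owner") do not. The stem grouping turns each flagged name into the three sibling paths MrCharlie describes checking for.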
Written in response to:
re: Spyware problems (MrCharlie: Friday, May 27, 2005 at 1:56 pm)

Responses to this message:
*re: Spyware problems (MrCharlie: Friday, May 27, 2005 at 3:10 pm)

All messages in this thread:
-Spyware problems (Vincent: Fri, May 27, 2005, 10:39 am)
*re: Spyware problems (David: Fri, May 27, 2005, 10:56 am)
-re: Spyware problems (MrCharlie: Fri, May 27, 2005, 11:06 am)
-re: Spyware problems (Vincent: Fri, May 27, 2005, 11:22 am)
-re: Spyware problems (MrCharlie: Fri, May 27, 2005, 11:49 am)
-re: Spyware problems (Vincent: Fri, May 27, 2005, 1:19 pm)
-re: Spyware problems (MrCharlie: Fri, May 27, 2005, 1:56 pm)
-re: Spyware problems (Vincent: Fri, May 27, 2005, 2:51 pm)
-re: Spyware problems (MrCharlie: Fri, May 27, 2005, 3:10 pm)
-re: Spyware problems (Vincent: Fri, May 27, 2005, 3:31 pm)
-re: Spyware problems (MrCharlie: Fri, May 27, 2005, 3:59 pm)
-re: Spyware problems (Vincent: Fri, May 27, 2005, 4:18 pm)
-re: Spyware problems (MrCharlie: Fri, May 27, 2005, 4:43 pm)
-re: Spyware problems (Vincent: Fri, May 27, 2005, 4:53 pm)
*re: Spyware problems (MrCharlie: Fri, May 27, 2005, 5:41 pm)