sdkfj.exe error..trojan virus?
lloyd
mac_whereareyou@hotmail.com
08/14/04
Hello, Lloyd here again. I forgot to mention when I sent my HijackThis report earlier that you had requested a report in order to determine an error that keeps occurring when I start Windows. I'm not even on the net and an error repeatedly occurs saying that something called sdkfj.exe has encountered an error and needs to close. How do I fix this problem and what is sdkfj.exe? I'm new to the PC world and do not know a real lot about these awesome machines. I hope you can help; here's my report:

Logfile of HijackThis v1.98.2
Scan saved at 2:04:10 PM, on 15/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\netai.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\essspk.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\iedo32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SpamBayes\bin\sb_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Adam\LOCALS~1\Temp\Rar$EX00.047\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcaos.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzmmp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hzmmp.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hzmmp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ktwfp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzmmp.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ktwfp.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {146F3AC5-1175-324D-8BA9-B14C18C5BA5A} - C:\WINDOWS\addvs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [iedo32.exe] C:\WINDOWS\system32\iedo32.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\RunOnce: [ipqp.exe] C:\WINDOWS\ipqp.exe
O4 - HKLM\..\RunOnce: [sdkfj.exe] C:\WINDOWS\system32\sdkfj.exe
O4 - HKLM\..\RunOnce: [javayl.exe] C:\WINDOWS\system32\javayl.exe
O4 - HKLM\..\RunOnce: [atlgj32.exe] C:\WINDOWS\system32\atlgj32.exe
O4 - HKLM\..\RunOnce: [crzk.exe] C:\WINDOWS\system32\crzk.exe
O4 - HKLM\..\RunOnce: [apiyv.exe] C:\WINDOWS\system32\apiyv.exe
O4 - HKLM\..\RunOnce: [sdkvf32.exe] C:\WINDOWS\system32\sdkvf32.exe
O4 - HKLM\..\RunOnce: [ntzu.exe] C:\WINDOWS\system32\ntzu.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpamBayes Tray Icon.lnk = C:\Program Files\SpamBayes\bin\sb_tray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7F57D9-9F33-4193-807A-0EBC375F4623}: NameServer = 203.49.70.92 139.134.2.190

Mark

08/14/04
Hey Lloyd; thanks for starting your own thread. You have a nasty CoolWeb infection, which may require lots of work. Roll up your sleeves, dude!!

I'll be back shortly with more on the fix.

Mark

08/14/04
Ok, here goes...

Download this tool: AboutBuster

Create a new folder (on your Desktop, for convenience) and name it "Buster". Double-click the zipped AboutBuster install file, then double-click on aboutbuster.exe; extract all files to your new "Buster" folder. Double-click AboutBuster.exe and click Ok. Next, hit Update. A new screen should pop up. On that screen, hit Check for Updates. If it says it found an update, hit Download Updates. Exit the tool for now. If it doesn't need updating, it will automatically tell you and exit. Better to print these instructions out.

Now, have ONLY HijackThis! running (it is critical that IE be closed during this fix), check these entries, then click on "Fix checked":

O2 - BHO: (no name) - {146F3AC5-1175-324D-8BA9-B14C18C5BA5A} - C:\WINDOWS\addvs.dll

O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe

O4 - HKLM\..\Run: [iedo32.exe] C:\WINDOWS\system32\iedo32.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\RunOnce: [ipqp.exe] C:\WINDOWS\ipqp.exe
O4 - HKLM\..\RunOnce: [sdkfj.exe] C:\WINDOWS\system32\sdkfj.exe
O4 - HKLM\..\RunOnce: [javayl.exe] C:\WINDOWS\system32\javayl.exe
O4 - HKLM\..\RunOnce: [atlgj32.exe] C:\WINDOWS\system32\atlgj32.exe
O4 - HKLM\..\RunOnce: [crzk.exe] C:\WINDOWS\system32\crzk.exe
O4 - HKLM\..\RunOnce: [apiyv.exe] C:\WINDOWS\system32\apiyv.exe
O4 - HKLM\..\RunOnce: [sdkvf32.exe] C:\WINDOWS\system32\sdkvf32.exe
O4 - HKLM\..\RunOnce: [ntzu.exe] C:\WINDOWS\system32\ntzu.exe

Now, open your "Buster" folder again and run the tool: hit Start and then Ok. The program should start scanning. Once the scan is complete, copy/paste the report into NotePad and save it. Then hit Exit and reboot. Run the tool a second time for good measure, and save the new report to NotePad as well. Reboot if any new files were detected by the tool. Scan with HijackThis!, then post the new log along with the AboutBuster reports. Good luck!
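
Mark's instructions above amount to a manual triage of the HijackThis log: the R0/R1 lines pointing at `res://` resources inside randomly named DLLs, the missing URLSearchHook, the unnamed BHO, and the O4 autostart entries with random file names are what gets checked and fixed. The script below is an added example, not code from the original thread or from the HijackThis or AboutBuster authors, that applies the same judgement calls as explicit heuristics over a constructed subset of the log lines posted here (a few lines the thread left alone are kept in for contrast). The rule names, the `SYSTEM_NAMES` list, and the "one character away from a core Windows binary" check are assumptions of this example, not anything HijackThis itself does; the O17 DNS servers are reported for verification rather than flagged, because nothing in the log says whether they belong to the ISP.

```python
import re

# Constructed sample input (not a full log): a subset of the HijackThis 1.98
# lines posted in this thread, with three entries the thread left alone
# (Adobe BHO, EssSpkPhone, msnmsgr) kept in for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcaos.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {146F3AC5-1175-324D-8BA9-B14C18C5BA5A} - C:\WINDOWS\addvs.dll
O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [iedo32.exe] C:\WINDOWS\system32\iedo32.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\RunOnce: [sdkfj.exe] C:\WINDOWS\system32\sdkfj.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7F57D9-9F33-4193-807A-0EBC375F4623}: NameServer = 203.49.70.92 139.134.2.190
"""

# O4 line layout: "O4 - <hive>\..\<key>: [<label>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

# Assumed list of core Windows binaries whose names malware likes to imitate.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "csrss.exe", "explorer.exe", "spoolsv.exe")


def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short, so a full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def target_path(cmd):
    """Strip arguments from an O4 command line, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_o4(line):
    """Heuristics for one autostart entry; returns a list of reasons (may be empty)."""
    m = O4_RE.match(line)
    if not m:
        return []
    hive, key, label, cmd = m.groups()
    path = target_path(cmd)
    base = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if key == "RunOnce":
        reasons.append("RunOnce entry still present at a steady-state scan; installers clear these after one use")
    if key.startswith("RunServices"):
        reasons.append("RunServices is a Windows 9x/Me key that XP ignores; something wrote it for cross-version persistence")
    if label.lower() == base:
        reasons.append("label is just the file name, no product name")
    if "\\" not in path and re.search(r"microsoft|windows", label, re.I):
        reasons.append("Microsoft-styled label pointing at an unqualified executable")
    if base not in SYSTEM_NAMES and any(edit_distance(base, s) == 1 for s in SYSTEM_NAMES):
        reasons.append("file name is one character away from a core Windows binary")
    return reasons


def triage(text):
    """Return (severity, reason, line) for every log line worth attention."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        if line.startswith(("R0 - ", "R1 - ")) and "res://" in line:
            reasons.append("IE page/search setting redirected into an HTML resource inside a DLL")
        elif line.startswith("R3 - ") and "URLSearchHook is missing" in line:
            reasons.append("default URLSearchHook is missing; fixing the R3 line restores the default")
        elif line.startswith("O2 - BHO: (no name)"):
            reasons.append("browser helper object registered without a name")
        elif line.startswith("O4 - "):
            reasons.extend(check_o4(line))
        elif line.startswith("O17 - ") and "NameServer" in line:
            findings.append(("verify", "DNS servers set on the adapter; confirm they belong to the ISP", line))
            continue
        for r in reasons:
            findings.append(("fix", r, line))
    return findings


def lines_to_fix(text):
    """Distinct lines with at least one 'fix' finding, in log order."""
    seen = []
    for sev, _, line in triage(text):
        if sev == "fix" and line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {line}\n         {reason}")
```

On the constructed sample the script flags the same seven lines Mark's first round fixes (the res:// R1 line, the R3 line, the unnamed BHO, and four O4 entries) and leaves the Adobe BHO, EssSpkPhone and msnmsgr entries alone. Random-looking names alone are deliberately not a rule: several legitimate entries in this very log (essspk.exe, qttask.exe, daemon.exe) would trip it, which is why the thread's advice still comes down to a person reading the log.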

lloyd
mac_whereareyou@hotmail.com
08/14/04
Hi, I did what you said and the error did not appear at reboot; I think it may be fixed. Would this CoolWeb thing be the reason I keep getting stupid pop-ups and my home page keeps getting changed to a site trying to sell me stuff? I'm guessing it is. Here are the scan results you requested of the Buster scan before and after reboot and of the HijackThis scans. Thanks.

Scan 1 --
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 10 Random Key Entries
Deleted 2 Service Keys Successfully!
Removed! : C:\WINDOWS\aefrt.dat
Removed! : C:\WINDOWS\affitl.dat
Removed! : C:\WINDOWS\ajnfo.dat
Removed! : C:\WINDOWS\apihr.exe
Removed! : C:\WINDOWS\appbh32.exe
Removed! : C:\WINDOWS\appoi32.exe
Removed! : C:\WINDOWS\appoz32.exe
Removed! : C:\WINDOWS\atiej.dat
Removed! : C:\WINDOWS\atlcg.exe
Removed! : C:\WINDOWS\bcmrv.dat
Removed! : C:\WINDOWS\bdyqf.dat
Removed! : C:\WINDOWS\bgbtr.dat
Removed! : C:\WINDOWS\bmaon.dat
Removed! : C:\WINDOWS\bmksy.dat
Removed! : C:\WINDOWS\bpzrk.dat
Removed! : C:\WINDOWS\chxno.dll
Removed! : C:\WINDOWS\cifgl.dat
Removed! : C:\WINDOWS\ctsar.dat
Removed! : C:\WINDOWS\cxfcg.dat
Removed! : C:\WINDOWS\cxnlos.dat
Removed! : C:\WINDOWS\czdlo.dat
Removed! : C:\WINDOWS\czktr.dat
Removed! : C:\WINDOWS\d3be32.exe
Removed! : C:\WINDOWS\dwndi.dll
Removed! : C:\WINDOWS\dzkpz.dat
Removed! : C:\WINDOWS\dznpc.dat
Removed! : C:\WINDOWS\eixeo.dat
Removed! : C:\WINDOWS\eixeo.dll
Removed! : C:\WINDOWS\essiy.dat
Removed! : C:\WINDOWS\etqcu.dat
Removed! : C:\WINDOWS\ffnvy.dat
Removed! : C:\WINDOWS\frcwwk.dat
Removed! : C:\WINDOWS\fzptv.dat
Removed! : C:\WINDOWS\gcryh.dat
Removed! : C:\WINDOWS\gdkma.dat
Removed! : C:\WINDOWS\gfnxg.dll
Removed! : C:\WINDOWS\gjotb.dat
Removed! : C:\WINDOWS\gnjci.dat
Removed! : C:\WINDOWS\gtpof.dll
Removed! : C:\WINDOWS\gwbqc.dat
Removed! : C:\WINDOWS\hcgjj.dat
Removed! : C:\WINDOWS\hdfoev.dat
Removed! : C:\WINDOWS\hjlco.dat
Removed! : C:\WINDOWS\huvekg.dat
Removed! : C:\WINDOWS\hzmmp.dll
Removed! : C:\WINDOWS\icbve.dat
Removed! : C:\WINDOWS\idhws.dll
Removed! : C:\WINDOWS\ieen32.exe
Removed! : C:\WINDOWS\irfqt.dat
Removed! : C:\WINDOWS\irhag.dll
Removed! : C:\WINDOWS\itdyb.dat
Removed! : C:\WINDOWS\itvnv.dat
Removed! : C:\WINDOWS\jtrtr.dll
Removed! : C:\WINDOWS\jvymh.dat
Removed! : C:\WINDOWS\jxzpy.dat
Removed! : C:\WINDOWS\ktwfp.dll
Removed! : C:\WINDOWS\kuyno.dll
Removed! : C:\WINDOWS\kwukb.dat
Removed! : C:\WINDOWS\laevih.dat
Removed! : C:\WINDOWS\lkmzn.dat
Removed! : C:\WINDOWS\lozfm.dat
Removed! : C:\WINDOWS\lqvhe.dat
Removed! : C:\WINDOWS\lsgnn.dat
Removed! : C:\WINDOWS\ltxgv.dll
Removed! : C:\WINDOWS\ltzef.dat
Removed! : C:\WINDOWS\luseq.dat
Removed! : C:\WINDOWS\mfcjw32.exe
Removed! : C:\WINDOWS\mfckh.exe
Removed! : C:\WINDOWS\mlsaeh.dat
Removed! : C:\WINDOWS\mmpuzj.dat
Removed! : C:\WINDOWS\mrkic.dat
Removed! : C:\WINDOWS\msqe32.exe
Removed! : C:\WINDOWS\msxj.exe
Removed! : C:\WINDOWS\mszsc.dat
Removed! : C:\WINDOWS\nbyom.dat
Removed! : C:\WINDOWS\netfi32.exe
Removed! : C:\WINDOWS\ngkxk.dat
Removed! : C:\WINDOWS\nktma.dat
Removed! : C:\WINDOWS\nltfb.dll
Removed! : C:\WINDOWS\ostrs.dat
Removed! : C:\WINDOWS\ozoax.dat
Removed! : C:\WINDOWS\pgrkx.dll
Removed! : C:\WINDOWS\pinjs.dat
Removed! : C:\WINDOWS\prske.dll
Removed! : C:\WINDOWS\psyior.dat
Removed! : C:\WINDOWS\pwvel.dat
Removed! : C:\WINDOWS\qfkkv.dat
Removed! : C:\WINDOWS\qjids.dat
Removed! : C:\WINDOWS\qomyx.dat
Removed! : C:\WINDOWS\qorip.dat
Removed! : C:\WINDOWS\qztct.dat
Removed! : C:\WINDOWS\rcaos.dll
Removed! : C:\WINDOWS\rcnva.dll
Removed! : C:\WINDOWS\rsbdl.dll
Removed! : C:\WINDOWS\rscnn.dll
Removed! : C:\WINDOWS\sdkbn.exe
Removed! : C:\WINDOWS\sdkqc.exe
Removed! : C:\WINDOWS\shcsk.dat
Removed! : C:\WINDOWS\spkzd.dat
Removed! : C:\WINDOWS\sspym.dat
Removed! : C:\WINDOWS\svvqy.dat
Removed! : C:\WINDOWS\sysdd.exe
Removed! : C:\WINDOWS\systa32.exe
Removed! : C:\WINDOWS\sysvk32.exe
Removed! : C:\WINDOWS\syszs.exe
Removed! : C:\WINDOWS\tdbfb.dll
Removed! : C:\WINDOWS\tefve.dll
Removed! : C:\WINDOWS\thhst.dat
Removed! : C:\WINDOWS\tjvkf.dat
Removed! : C:\WINDOWS\tnptd.dat
Removed! : C:\WINDOWS\tpqxn.dat
Removed! : C:\WINDOWS\ttiys.dat
Removed! : C:\WINDOWS\tzxvj.dat
Removed! : C:\WINDOWS\ukaqa.dll
Removed! : C:\WINDOWS\ulkbp.dat
Removed! : C:\WINDOWS\ulkbp.dll
Removed! : C:\WINDOWS\utmac.dll
Removed! : C:\WINDOWS\uvjao.dat
Removed! : C:\WINDOWS\vdlgg.dll
Removed! : C:\WINDOWS\vimcm.dat
Removed! : C:\WINDOWS\vipvx.dat
Removed! : C:\WINDOWS\vtsmk.dat
Removed! : C:\WINDOWS\wcclu.dll
Removed! : C:\WINDOWS\wqumt.dat
Removed! : C:\WINDOWS\wxkhs.dat
Removed! : C:\WINDOWS\wzfon.dat
Removed! : C:\WINDOWS\xflja.dat
Removed! : C:\WINDOWS\xgcqv.dat
Removed! : C:\WINDOWS\xgzht.dat
Removed! : C:\WINDOWS\xjden.dll
Removed! : C:\WINDOWS\xnger.dat
Removed! : C:\WINDOWS\xnrgj.dat
Removed! : C:\WINDOWS\xuiht.dat
Removed! : C:\WINDOWS\xxwej.dat
Removed! : C:\WINDOWS\ykzdj.dat
Removed! : C:\WINDOWS\yqown.dat
Removed! : C:\WINDOWS\ywoxq.dat
Removed! : C:\WINDOWS\zbjzx.dll
Removed! : C:\WINDOWS\zdtjw.dat
Removed! : C:\WINDOWS\zewmo.dat
Removed! : C:\WINDOWS\zhfih.dat
Removed! : C:\WINDOWS\zjduo.dll
Removed! : C:\WINDOWS\zlzsj.dat
Removed! : C:\WINDOWS\zsgpm.dat
Removed! : C:\WINDOWS\System32\addqb.exe
Removed! : C:\WINDOWS\System32\ahlgj.dll
Removed! : C:\WINDOWS\System32\ahxdm.dat
Removed! : C:\WINDOWS\System32\algea.dat
Removed! : C:\WINDOWS\System32\apiyc32.exe
Removed! : C:\WINDOWS\System32\apprx.exe
Removed! : C:\WINDOWS\System32\asnlr.dat
Removed! : C:\WINDOWS\System32\atlde32.exe
Removed! : C:\WINDOWS\System32\atlhn.exe
Removed! : C:\WINDOWS\System32\bgygf.dat
Removed! : C:\WINDOWS\System32\bkriy.dat
Removed! : C:\WINDOWS\System32\bvrlz.dll
Removed! : C:\WINDOWS\System32\cbatz.dat
Removed! : C:\WINDOWS\System32\cctch.dat
Removed! : C:\WINDOWS\System32\cjrda.dll
Removed! : C:\WINDOWS\System32\cqtlc.dat
Removed! : C:\WINDOWS\System32\crhqt.dat
Removed! : C:\WINDOWS\System32\crkcr.dat
Removed! : C:\WINDOWS\System32\cvton.dll
Removed! : C:\WINDOWS\System32\cwevm.dat
Removed! : C:\WINDOWS\System32\cwevm.dll
Removed! : C:\WINDOWS\System32\czclr.dat
Removed! : C:\WINDOWS\System32\d3zc32.exe
Removed! : C:\WINDOWS\System32\ddrvy.dat
Removed! : C:\WINDOWS\System32\dgrjd.dll
Removed! : C:\WINDOWS\System32\dmkqm.dll
Removed! : C:\WINDOWS\System32\dnlvf.dat
Removed! : C:\WINDOWS\System32\dogoh.dat
Removed! : C:\WINDOWS\System32\dpgda.dat
Removed! : C:\WINDOWS\System32\ecglx.dll
Removed! : C:\WINDOWS\System32\emcjl.dat
Removed! : C:\WINDOWS\System32\esdhn.dat
Removed! : C:\WINDOWS\System32\etmlt.dll
Removed! : C:\WINDOWS\System32\fkwcx.dll
Removed! : C:\WINDOWS\System32\fmsas.dat
Removed! : C:\WINDOWS\System32\fwizs.dat
Removed! : C:\WINDOWS\System32\gfufj.dat
Removed! : C:\WINDOWS\System32\gjjuc.dat
Removed! : C:\WINDOWS\System32\gvlwt.dll
Removed! : C:\WINDOWS\System32\gyxwf.dat
Removed! : C:\WINDOWS\System32\hapxe.dat
Removed! : C:\WINDOWS\System32\hcioh.dat
Removed! : C:\WINDOWS\System32\hirrb.dat
Removed! : C:\WINDOWS\System32\iecd.exe
Removed! : C:\WINDOWS\System32\iedo32.exe
Removed! : C:\WINDOWS\System32\iegw32.exe
Removed! : C:\WINDOWS\System32\ieoqs.dat
Removed! : C:\WINDOWS\System32\iivme.dat
Removed! : C:\WINDOWS\System32\ijkvg.dat
Removed! : C:\WINDOWS\System32\ipbhu.dll
Removed! : C:\WINDOWS\System32\iunis.dll
Removed! : C:\WINDOWS\System32\javaub32.exe
Removed! : C:\WINDOWS\System32\jcpbu.dat
Removed! : C:\WINDOWS\System32\jfmjv.dat
Removed! : C:\WINDOWS\System32\jlind.dat
Removed! : C:\WINDOWS\System32\jnyqo.dat
Removed! : C:\WINDOWS\System32\jvgxo.dll
Removed! : C:\WINDOWS\System32\kncdn.dll
Removed! : C:\WINDOWS\System32\ktllp.dat
Removed! : C:\WINDOWS\System32\kyiiu.dll
Removed! : C:\WINDOWS\System32\lebxf.dll
Removed! : C:\WINDOWS\System32\lhgrj.dat
Removed! : C:\WINDOWS\System32\lhyxu.dat
Removed! : C:\WINDOWS\System32\lnulh.dat
Removed! : C:\WINDOWS\System32\lvezv.dat
Removed! : C:\WINDOWS\System32\mfcxh.exe
Removed! : C:\WINDOWS\System32\mgwwp.dll
Removed! : C:\WINDOWS\System32\misud.dat
Removed! : C:\WINDOWS\System32\mlfgj.dat
Removed! : C:\WINDOWS\System32\mlwdc.dat
Removed! : C:\WINDOWS\System32\mnfzb.dll
Removed! : C:\WINDOWS\System32\mssv32.exe
Removed! : C:\WINDOWS\System32\msul32.exe
Removed! : C:\WINDOWS\System32\naifp.dat
Removed! : C:\WINDOWS\System32\ncjbm.dat
Removed! : C:\WINDOWS\System32\ndgok.dat
Removed! : C:\WINDOWS\System32\njuly.dat
Removed! : C:\WINDOWS\System32\nqfhb.dll
Removed! : C:\WINDOWS\System32\ohdbj.dat
Removed! : C:\WINDOWS\System32\ojwxq.dat
Removed! : C:\WINDOWS\System32\ojyva.dat
Removed! : C:\WINDOWS\System32\onkla.dat
Removed! : C:\WINDOWS\System32\ooxiz.dll
Removed! : C:\WINDOWS\System32\opydn.dat
Removed! : C:\WINDOWS\System32\ovtqm.dat
Removed! : C:\WINDOWS\System32\oxtgu.dat
Removed! : C:\WINDOWS\System32\pcuyf.dat
Removed! : C:\WINDOWS\System32\perrf.dat
Removed! : C:\WINDOWS\System32\pfnaj.dat
Removed! : C:\WINDOWS\System32\qjiby.dat
Removed! : C:\WINDOWS\System32\qjsow.dat
Removed! : C:\WINDOWS\System32\qmcug.dat
Removed! : C:\WINDOWS\System32\qrrhk.dat
Removed! : C:\WINDOWS\System32\qtrxs.dat
Removed! : C:\WINDOWS\System32\qtwtk.dll
Removed! : C:\WINDOWS\System32\qugka.dat
Removed! : C:\WINDOWS\System32\qusrg.dat
Removed! : C:\WINDOWS\System32\qznjb.dat
Removed! : C:\WINDOWS\System32\rblrh.dat
Removed! : C:\WINDOWS\System32\recvk.dat
Removed! : C:\WINDOWS\System32\rnban.dll
Removed! : C:\WINDOWS\System32\rsbli.dll
Removed! : C:\WINDOWS\System32\sdkyl32.exe
Removed! : C:\WINDOWS\System32\sqnru.dat
Removed! : C:\WINDOWS\System32\swqta.dat
Removed! : C:\WINDOWS\System32\sysvs.exe
Removed! : C:\WINDOWS\System32\tcubx.dll
Removed! : C:\WINDOWS\System32\tloau.dll
Removed! : C:\WINDOWS\System32\tpuzb.dat
Removed! : C:\WINDOWS\System32\ucntj.dat
Removed! : C:\WINDOWS\System32\ugpsa.dat
Removed! : C:\WINDOWS\System32\uibei.dat
Removed! : C:\WINDOWS\System32\uizug.dat
Removed! : C:\WINDOWS\System32\uszxv.dat
Removed! : C:\WINDOWS\System32\vgpgv.dll
Removed! : C:\WINDOWS\System32\vpqhg.dat
Removed! : C:\WINDOWS\System32\vvfls.dat
Removed! : C:\WINDOWS\System32\wexkd.dat
Removed! : C:\WINDOWS\System32\wezuf.dat
Removed! : C:\WINDOWS\System32\wfcua.dat
Removed! : C:\WINDOWS\System32\wowah.dll
Removed! : C:\WINDOWS\System32\wrzzl.dll
Removed! : C:\WINDOWS\System32\xcicp.dat
Removed! : C:\WINDOWS\System32\xivlz.dat
Removed! : C:\WINDOWS\System32\xngdo.dat
Removed! : C:\WINDOWS\System32\xodml.dat
Removed! : C:\WINDOWS\System32\xvniq.dll
Removed! : C:\WINDOWS\System32\xylkg.dat
Removed! : C:\WINDOWS\System32\yawld.dat
Removed! : C:\WINDOWS\System32\ydeel.dat
Removed! : C:\WINDOWS\System32\yeffk.dat
Removed! : C:\WINDOWS\System32\yjdgt.dll
Removed! : C:\WINDOWS\System32\ypidh.dll
Removed! : C:\WINDOWS\System32\ypqfd.dat
Removed! : C:\WINDOWS\System32\yqemj.dat
Removed! : C:\WINDOWS\System32\yxpvt.dat
Removed! : C:\WINDOWS\System32\yyqnp.dat
Removed! : C:\WINDOWS\System32\zjeul.dll
Removed! : C:\WINDOWS\System32\zkzsg.dat
Removed! : C:\WINDOWS\System32\zsgpq.dll
Removed! : C:\WINDOWS\System32\ztflu.dll
Removed! : C:\WINDOWS\System32\ztuzj.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 8 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 4:16:34 PM on: 15/08/2004

-- Scan 1 --
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 8 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Logfile of HijackThis v1.98.2
Scan saved at 4:26:41 PM, on 15/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\essspk.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SpamBayes\bin\sb_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\netai.exe
C:\WINDOWS\system32\sdklc32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Adam\LOCALS~1\Temp\Rar$EX00.657\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jnsdq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jnsdq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jnsdq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jnsdq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jnsdq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jnsdq.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {146F3AC5-1175-324D-8BA9-B14C18C5BA5A} - C:\WINDOWS\addvs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [sdklc32.exe] C:\WINDOWS\system32\sdklc32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpamBayes Tray Icon.lnk = C:\Program Files\SpamBayes\bin\sb_tray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7F57D9-9F33-4193-807A-0EBC375F4623}: NameServer = 203.49.70.92 139.134.2.190

I hope my comp is fixable.

Mark

08/14/04
Good work, Lloyd. Time for round two... (these things need some time to fix, but are often fixable!).

Follow this link to be able to see hidden files and folders. Next, fire up Task Manager (press CTRL+ALT+DEL), go to the "Processes" tab, and END these two processes:

netai.exe
sdklc32.exe

Next, locate and delete these files:

C:\WINDOWS\system32\netai.exe <<< this one
C:\WINDOWS\system32\sdklc32.exe <<< this one

Now, have ONLY HijackThis! running, and fix these:

O2 - BHO: (no name) - {146F3AC5-1175-324D-8BA9-B14C18C5BA5A} - C:\WINDOWS\addvs.dll

O4 - HKLM\..\Run: [sdklc32.exe] C:\WINDOWS\system32\sdklc32.exe

You can run AboutBuster again, twice, and save the logs to NotePad. Reboot your machine once done. Scan with HijackThis! once again, then post the new log + reports. I'm going to bed, but will check up on you in the morning. We may still need to go at it, but that's fine... I hate this hijack and want it GONE!! Good luck, and see ya tomorrow.

lloyd
mac_whereareyou@hotmail.com
08/15/04
Hi, Lloyd again. I again did what you said. I located both files and deleted them, but only one came up in the HijackThis scan results. I scanned again but could still only find sdklc32.exe, so I fixed that one. I could not see netai.exe in the report. I scanned with Buster before I rebooted, and here is the scan log of HijackThis after rebooting. I can't wait until this prick of a hijacker is gone from my (new) computer!! Thanks!

-- Scan 1 --
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 5 Random Key Entries
Deleted 1 Service Keys Successfully!
Removed! : C:\WINDOWS\aksvf.dll
Removed! : C:\WINDOWS\dzmzi.dll
Error Removing! : C:\WINDOWS\javanm32.exe
Removed! : C:\WINDOWS\jnsdq.dll
Removed! : C:\WINDOWS\mfcoq.exe
Removed! : C:\WINDOWS\mivjr.dat
Removed! : C:\WINDOWS\qkghf.dat
Removed! : C:\WINDOWS\sysxx.exe
Removed! : C:\WINDOWS\System32\apijf.exe
Removed! : C:\WINDOWS\System32\ezsjh.dll
Removed! : C:\WINDOWS\System32\iexz32.exe
Removed! : C:\WINDOWS\System32\javagu32.exe
Removed! : C:\WINDOWS\System32\jzcoj.dll
Removed! : C:\WINDOWS\System32\qiwmt.dll
Removed! : C:\WINDOWS\System32\sdklc32.exe
Removed! : C:\WINDOWS\System32\syscy32.exe
Removed! : C:\WINDOWS\System32\winzg.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\javanm32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Logfile of HijackThis v1.98.2
Scan saved at 8:07:13 PM, on 15/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\essspk.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SpamBayes\bin\sb_tray.exe
C:\DOCUME~1\Adam\LOCALS~1\Temp\Rar$EX00.234\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dzmzi.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dzmzi.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dzmzi.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E4EDC898-7094-9C0B-426A-F49CDE0BAD64} - C:\WINDOWS\mscp32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpamBayes Tray Icon.lnk = C:\Program Files\SpamBayes\bin\sb_tray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

Mark

08/15/04
I think we're getting there, Lloyd. This time, we'll do it in Safe Mode. First, I'd like you to run AboutBuster and hit the "Update" button, just to be sure (you can't update in Safe Mode); then exit. Now, please reboot your computer in Safe Mode. Have HijackThis! fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dzmzi.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dzmzi.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dzmzi.dll/sp.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {E4EDC898-7094-9C0B-426A-F49CDE0BAD64} - C:\WINDOWS\mscp32.dll

Still in Safe Mode, run AboutBuster and save the report. Reboot normally. Scan with HJT once more, and post the new log + report. We're getting there, Lloyd...

lloyd

08/15/04
Hi, Lloyd yet again. All instructions carried out successfully. I have the Buster report from Safe Mode and the HJT log from after I rebooted in normal mode. Thanks!

-- Scan 1 --
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 2 Random Key Entries
Deleted 1 Service Keys Successfully!
Removed! : C:\WINDOWS\addbo32.exe
Removed! : C:\WINDOWS\bcaej.dll
Removed! : C:\WINDOWS\bdfnt.dll
Removed! : C:\WINDOWS\cnchk.dll
Removed! : C:\WINDOWS\dhifg.dll
Removed! : C:\WINDOWS\dobtl.dll
Removed! : C:\WINDOWS\epikz.dll
Removed! : C:\WINDOWS\hzifn.dll
Removed! : C:\WINDOWS\ipft.exe
Removed! : C:\WINDOWS\javaoc32.exe
Removed! : C:\WINDOWS\kdhif.dat
Removed! : C:\WINDOWS\lwqxx.dat
Removed! : C:\WINDOWS\System32\addfy32.exe
Removed! : C:\WINDOWS\System32\atlbt.exe
Removed! : C:\WINDOWS\System32\ihzif.dat
Removed! : C:\WINDOWS\System32\ipae.exe
Removed! : C:\WINDOWS\System32\ubocc.dll
Removed! : C:\WINDOWS\System32\wqxxa.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.2
Scan saved at 1:29:26 PM, on 16/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\essspk.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SpamBayes\bin\sb_tray.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Adam\LOCALS~1\Temp\Rar$EX00.766\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpamBayes Tray Icon.lnk = C:\Program Files\SpamBayes\bin\sb_tray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7F57D9-9F33-4193-807A-0EBC375F4623}: NameServer = 203.49.70.92 139.134.2.190

Mark

08/15/04
Sorry Lloyd, I had to scoot for most of the day.

Clean log there, nice work!! This thing can come back once you've opened/closed IE a few times within 48 hours, but I'd be surprised here. One thing we like to do after cleaning these CWS hijacks is to run Ad-Aware (it's probably better at this stuff than SpyBot and SpySweeper), just to be safe! Link here: Ad-Aware (this is the new "SE" version, which will uninstall any previous version while installing). Do a full scan. I'll leave this thread open for a few days, just in case. Safe surfing, dude!



© Copyright 1998-2004 Newbie dot Org -- All rights reserved --