
Discussion Starter · #1 · Registered · 34 Posts
Hello,
Thank you in advance for any assistance you can provide. I am trying to clean up a machine running Windows 2000 (not sure what release).

I've run AntiVir, Spybot, Adaware, and CWShredder, but am still experiencing problems. For example, I can't change the default home URL from 'about:blank'.

AntiVir found many archives (probably more than 30) with 'infected file' that couldn't be deleted. Most of them appeared to be .dat files, but one was a .cab file (polmx2), which I suspect is part of the problem. I'm also guessing there may be hidden files because I couldn't 'find' them in Windows.

Below is my HJT log file. Any suggestions are welcome.
Thanks,

Lulie

Logfile of HijackThis v1.99.0
Scan saved at 4:37:35 PM, on 01/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\WINDOWS\system32\javabm.exe
C:\WINDOWS\system32\syssz32.exe
C:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D2C22B7F-8DD3-0C16-DA5B-AF1BC159FCC4} - C:\WINDOWS\sdktr32.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvinf32.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [syssz32.exe] C:\WINDOWS\system32\syssz32.exe
O4 - HKLM\..\RunOnce: [javabm.exe] C:\WINDOWS\system32\javabm.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O9 - Extra button: Corel Network monitor worker - {31BD003B-7F81-466C-B6F7-609161BE19BF} - C:\WINDOWS\system32\intlmain.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {31BD003B-7F81-466C-B6F7-609161BE19BF} - C:\WINDOWS\system32\intlmain.dll
O9 - Extra button: Corel Network monitor worker - {31BD003B-7F81-466C-B6F7-609161BE19BF} - C:\WINDOWS\system32\intlmain.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {31BD003B-7F81-466C-B6F7-609161BE19BF} - C:\WINDOWS\system32\intlmain.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\oemji\oemjisearchplus\sfbnsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0F134EA-506E-454A-AA10-225E02B46A58}: NameServer = 151.197.0.39 151.198.0.39
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\netmw.exe (file missing)
 

Registered · 49,013 Posts
3 Downloads, do not run them yet

Download http://www.mvps.org/winhelp2002/DelDomains.inf

Download About:Buster from http://downloads.subratam.org/AboutBuster.zip and unzip it

Download http://www.cexx.org/lspfix.htm

Print this out and boot to safe mode

Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

Double click aboutbuster.exe, click Update, click OK, click Start, then click OK.
This will scan your computer for the bad files and delete them.

Launch the lspfix application, and click the "I know what I'm doing" checkbox.

Check all instances of sfbnsp.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Add/remove programs – remove Search Assistant and Windows ControlAd if present

Fix these with HJT

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rfyep.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {D2C22B7F-8DD3-0C16-DA5B-AF1BC159FCC4} - C:\WINDOWS\sdktr32.dll

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvinf32.exe

O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

O4 - HKLM\..\Run: [syssz32.exe] C:\WINDOWS\system32\syssz32.exe

O4 - HKLM\..\RunOnce: [javabm.exe] C:\WINDOWS\system32\javabm.exe

O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

O10 - Unknown file in Winsock LSP: c:\program files\oemji\oemjisearchplus\sfbnsp.dll

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)

O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\netmw.exe (file missing)

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", click "Apply", then "OK".

Delete these files

C:\WINDOWS\sdktr32.dll
C:\WINDOWS\rfyep.dll
C:\WINDOWS\system32\syssz32.exe
C:\WINDOWS\system32\javabm.exe

Delete These folders
C:\PROGRAM FILES\COMMON FILES\tsa
C:\Program Files\Windows ControlAd

Empty the recycle bin
Boot and post a new log
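
An added example, not part of the original thread: one way to check the follow-up log against the fix list above, so entries that survived the cleanup or came back after the reboot stand out. The fix list is a subset of the entries in the reply; the follow-up log and the function names are constructed for illustration.

```python
import re

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_hjt(text):
    """Return the (code, detail) entries found in a HijackThis log or fix list."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def _key(entry):
    # Windows registry and file paths are case-insensitive; also collapse spacing.
    code, detail = entry
    return code, " ".join(detail.lower().split())

def still_present(fix_list, new_log):
    """Entries from the fix list that still appear in the follow-up log."""
    seen = {_key(e) for e in parse_hjt(new_log)}
    return [e for e in parse_hjt(fix_list) if _key(e) in seen]

# Subset of the entries the reply asks to fix (copied from the thread).
FIX_LIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {D2C22B7F-8DD3-0C16-DA5B-AF1BC159FCC4} - C:\WINDOWS\sdktr32.dll
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvinf32.exe
O10 - Unknown file in Winsock LSP: c:\program files\oemji\oemjisearchplus\sfbnsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

# Constructed follow-up log, for illustration only (not posted in the thread).
NEW_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {D2C22B7F-8DD3-0C16-DA5B-AF1BC159FCC4} - C:\WINDOWS\sdktr32.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\System32\kalvinf32.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
"""

if __name__ == "__main__":
    for code, detail in still_present(FIX_LIST, NEW_LOG):
        print(f"STILL PRESENT  {code} - {detail}")
```

An entry that reappears with the same autostart key but a new random file name will not match this exact comparison, so the follow-up log still needs a manual read for unfamiliar O2, O4 and O10 lines.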
 