Malware/Spyware Infestation

Discussion in 'Computer Support' started by Mike, Apr 27, 2005.

  1. Mike

    Mike Guest

    Latitude D800 W2K Pro SP4, McAfee Virus Scan w/ latest .dat file, just
    installed google toolbar w/o advanced options, no firewall - infested with
    spyware/malware and trojans. Ran Spybot Search and Destroy, Immunize;
    CWshredder, Ad-Aware and McAfee with latest virus definition files. Removed
    >50 infections. Still lots of pop-ups and stuff I can't remove e.g.
    caxbxnc.exe, rzavap.exe, YH.dr, daun.exe. Here's my HijackThis log:

    Thanks, Mikke

    Logfile of HijackThis v1.99.1
    Scan saved at 10:00:31 PM, on 04/26/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\basfipm.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Dell\QuickSet\QuickSet.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\System32\DSentry.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINNT\system32\RUNDLL32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\bju3w2ep\bju3w2ep.exe
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe
    C:\winnt\system32\ksvobjr.exe
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\NetZero\exec.exe
    C:\winnt\system32\calc.exe
    C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
    C:\Program Files\bju3w2ep\77134336.exe
    C:\Program Files\bju3w2ep\bju3w2ep.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\rzavap.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O2 - BHO: PBHelper - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
    O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSrc.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
    O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Documents and Settings\vhabaldixonl\Desktop\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [bju3w2ep] C:\Program Files\bju3w2ep\bju3w2ep.exe
    O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyrs32.exe
    O4 - HKLM\..\Run: [BMan] C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe
    O4 - HKLM\..\Run: [ksvobjr] c:\winnt\system32\ksvobjr.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rzavap.exe
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [sfmpbk] C:\WINNT\system32\sfmpbk.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G DWL-G650 Adapter Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\System32\basfipm.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    Mike, Apr 27, 2005
    #1

  2. Mike

    °Mike° Guest

    In <BXCbe.8166$yc.758@trnddc04>,
    Mike took 166 lines to utter:

    > Latitude D800 W2K Pro SP4, McAfee Virus Scan w/ latest .dat file, just
    >installed google toolbar w/o advanced options, no firewall - infested with
    >spyware/malware and trojans. Ran Spybot Search and Destroy, Immunize;
    >CWshredder, Ad-Aware and McAfee with latest virus definition files. Removed
    > >50 infections. Still lots of pop-ups and stuff I can't remove e.g.
    >caxbxnc.exe, rzavap.exe, YH.dr, daun.exe. Here's my HijackThis log:
    >
    >Thanks, Mikke
    >
    >Logfile of HijackThis v1.99.1
    >Scan saved at 10:00:31 PM, on 04/26/2005
    >Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    >MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    >
    >Running processes:


    <snip>

    >C:\Program Files\bju3w2ep\bju3w2ep.exe
    >C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe
    >C:\winnt\system32\ksvobjr.exe
    >C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
    >C:\Program Files\bju3w2ep\77134336.exe
    >C:\Program Files\bju3w2ep\bju3w2ep.exe
    >C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe
    >C:\WINNT\system32\rzavap.exe


    Terminate all of the ABOVE running processes (CTRL+ALT+DEL).


    >R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    >http://www.oemji.com/side_search.html


    >R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    >http://www.oemji.com


    >R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    >http://www.oemji.com/side_search.html


    >R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    >http://www.oemji.com/side_search.html


    Have HijackThis fix the above 4 entries.


    >O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} -
    >C:\WINNT\dlmax.dll


    >O2 - BHO: PBHelper - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program
    >Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll


    >O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} -
    >C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll


    >O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)


    Have HijackThis fix the above 4 entries.


    >O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program
    >Files\Oemji\Toolbar\OemjiSrc.dll


    Have HijackThis fix the above entry.


    >O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16


    >O4 - HKLM\..\Run: [bju3w2ep] C:\Program Files\bju3w2ep\bju3w2ep.exe


    >O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyrs32.exe


    >O4 - HKLM\..\Run: [BMan] C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe


    >O4 - HKLM\..\Run: [ksvobjr] c:\winnt\system32\ksvobjr.exe


    >O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rzavap.exe


    >O4 - HKCU\..\Run: [sfmpbk] C:\WINNT\system32\sfmpbk.exe


    Have HijackThis fix the above 7 entries and delete the associated files.


    >O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    >Office\Office\OSA9.EXE


    The above is not needed (it's not nasty), and can be disabled (fixed).


    >O16 - DPF:


    Have HijackThis fix all of the O16 - DPF entries. They are ActiveX
    controls, and will be re-downloaded if and when necessary.


    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, Apr 27, 2005
    #2
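The triage in the reply above (terminate the odd processes, fix the Oemji R entries, the BHO/toolbar entries, the Run keys and the DPF controls) recast as a small HijackThis log parser with rules that flag the same kinds of entries. This is an added example, not code from the thread or from HijackThis; the allow-lists of expected hosts and known startup items, and the sample subset of entries, are assumptions taken from the log posted here.

```python
import re
from urllib.parse import urlparse
# Constructed sample: a subset of the HijackThis entries posted in this thread, unwrapped.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSrc.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rzavap.exe
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
"""
# Allow-lists (assumed for this example) built from entries the reply above left alone.
EXPECTED_HOSTS = {"www.yahoo.com", "red.clientapps.yahoo.com", "government.dellnet.com"}
KNOWN_GOOD_WINDIR = {"dsentry.exe", "prpcui.exe", "mobsync.exe"}
ENTRY_RE = re.compile(r"^(R[01]|O\d+) - (.*)$")
WINDIR_RE = re.compile(r"^[a-z]:\\(?:winnt|windows)\\", re.I)

def parse_log(text):
    """Return [(section, body)] for entry lines; header and process list are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def triage(text):
    """Return [(section, reason, body)] for entries a reviewer should look at."""
    entries = parse_log(text)
    # Brand labels of non-default search/start hosts; the matching BHO/toolbar shares the name.
    brands = set()
    for sec, body in entries:
        host = urlparse(body.rsplit(" = ", 1)[-1].strip()).hostname if sec[0] == "R" else None
        if host and host not in EXPECTED_HOSTS:
            brands.add(host.split(".")[-2] if "." in host else host)
    flagged = []
    for sec, body in entries:
        low, reason = body.lower(), None
        if sec[0] == "R" and any(b in low for b in brands):
            reason = "search/start page redirected to a non-default host"
        elif sec in ("O2", "O3"):
            path = body.rsplit(" - ", 1)[-1].strip()
            if path == "(no file)":
                reason = "orphaned CLSID, no file on disk"
            elif any(b in low for b in brands):
                reason = "BHO/toolbar from the same brand as the R hijack"
        elif sec == "O4":
            target = body.split("] ", 1)[-1].strip().strip('"')
            if target.lower().startswith("rundll32") and "\\" not in target:
                reason = "rundll32 loads a DLL by bare name (search-path load)"
            elif WINDIR_RE.match(target) and target.split("\\")[-1].lower() not in KNOWN_GOOD_WINDIR:
                reason = "unlisted executable auto-starting from the Windows directory"
        elif sec == "O16":
            reason = "ActiveX control (DPF); re-downloaded on demand if still needed"
        if reason:
            flagged.append((sec, reason, body))
    return flagged
```

The rules produce candidates for a human to review, in the same spirit as the reply; `triage(open("hijackthis.log").read())` runs them over a full log.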

  3. Mike

    elaich Guest

    "Mike" <> wrote in news:BXCbe.8166$yc.758@trnddc04:

    > C:\Program Files\Internet Explorer\iexplore.exe


    You people will NEVER learn, will you?

    --
    "No sports writers were harmed during the making of this post. And what I
    want to know is - why not?"
    elaich, Apr 27, 2005
    #3
  4. Mike

    Mike Guest

    Will do.

    Mike

    "°Mike°" <> wrote in message
    news:...
    > In <BXCbe.8166$yc.758@trnddc04>,
    > Mike took 166 lines to utter:
    >
    >> Latitude D800 W2K Pro SP4, McAfee Virus Scan w/ latest .dat file, just
    >>installed google toolbar w/o advanced options, no firewall - infested with
    >>spyware/malware and trojans. Ran Spybot Search and Destroy, Immunize;
    >>CWshredder, Ad-Aware and McAfee with latest virus definition files.
    >>Removed
    >> >50 infections. Still lots of pop-ups and stuff I can't remove e.g.
    >>caxbxnc.exe, rzavap.exe, YH.dr, daun.exe. Here's my HijackThis log:
    >>
    >>Thanks, Mikke
    >>
    >>Logfile of HijackThis v1.99.1
    >>Scan saved at 10:00:31 PM, on 04/26/2005
    >>Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    >>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    >>
    >>Running processes:

    >
    > <snip>
    >
    >>C:\Program Files\bju3w2ep\bju3w2ep.exe
    >>C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe
    >>C:\winnt\system32\ksvobjr.exe
    >>C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
    >>C:\Program Files\bju3w2ep\77134336.exe
    >>C:\Program Files\bju3w2ep\bju3w2ep.exe
    >>C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe
    >>C:\WINNT\system32\rzavap.exe

    >
    > Terminate all of the ABOVE running processes (CTRL+ALT+DEL).
    >
    >
    >>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    >>http://www.oemji.com/side_search.html

    >
    >>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    >>http://www.oemji.com

    >
    >>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    >>http://www.oemji.com/side_search.html

    >
    >>R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    >>http://www.oemji.com/side_search.html

    >
    > Have HijackThis fix the above 4 entries.
    >
    >
    >>O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} -
    >>C:\WINNT\dlmax.dll

    >
    >>O2 - BHO: PBHelper - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program
    >>Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll

    >
    >>O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} -
    >>C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll

    >
    >>O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

    >
    > Have HijackThis fix the above 4 entries.
    >
    >
    >>O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program
    >>Files\Oemji\Toolbar\OemjiSrc.dll

    >
    > Have HijackThis fix the above entry.
    >
    >
    >>O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16

    >
    >>O4 - HKLM\..\Run: [bju3w2ep] C:\Program Files\bju3w2ep\bju3w2ep.exe

    >
    >>O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyrs32.exe

    >
    >>O4 - HKLM\..\Run: [BMan] C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe

    >
    >>O4 - HKLM\..\Run: [ksvobjr] c:\winnt\system32\ksvobjr.exe

    >
    >>O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rzavap.exe

    >
    >>O4 - HKCU\..\Run: [sfmpbk] C:\WINNT\system32\sfmpbk.exe

    >
    > Have HijackThis fix the above 7 entries and delete the associated files.
    >
    >
    >>O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    >>Office\Office\OSA9.EXE

    >
    > The above is not needed (it's not nasty), and can be disabled (fixed).
    >
    >
    >>O16 - DPF:

    >
    > Have HijackThis fix all of the O16 - DPF entries. They are ActiveX
    > controls, and will be re-downloaded if and when necessary.
    >
    >
    > --
    > Basic computer maintenance
    > http://uk.geocities.com/personel44/maintenance.html
    Mike, Apr 27, 2005
    #4
  5. Mike

    Guest

    On 27 Apr 2005 03:59:34 GMT, elaich <> wrote:

    |>"Mike" <> wrote in news:BXCbe.8166$yc.758@trnddc04:
    |>
    |>> C:\Program Files\Internet Explorer\iexplore.exe

    |>You people will NEVER learn, will you?

    Just today on Slashdot
    http://slashdot.org/articles/05/04/26/203211.shtml?tid=154&tid=95&tid=1
    Firefox nears 50 Million Downloads.

    And nobody offered to swim across the Atlantic to get it that high :)
    http://www.opera.com/swim/



    --
    The Eagle Nebula image release on Hubble's 15th birthday
    http://tinyurl.com/982nm (space.com)
    , Apr 27, 2005
    #5
