0

Hello,

I'm not really sure what I am doing, but I know I need HELP!!!! Here is my hijacker log

Logfile of HijackThis v1.97.7
Scan saved at 11:04:39 AM, on 6/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\IEAI.EXE
C:\WINDOWS\ATLQK.EXE
C:\WINDOWS\SYSTEM\IPLZ.EXE
C:\WINDOWS\SYSCO.EXE
C:\WINDOWS\SDKRH32.EXE
C:\WINDOWS\D3HW32.EXE
C:\WINDOWS\SYSTEM\MSZD32.EXE
C:\WINDOWS\SYSTEM\NTCY.EXE
C:\WINDOWS\WINLA.EXE
C:\WINDOWS\SYSTEM\SDKXD32.EXE
C:\WINDOWS\SYSTEM\NTTK.EXE
C:\WINDOWS\SYSTEM\SDKGH32.EXE
C:\WINDOWS\SYSTEM\WINRY32.EXE
C:\WINDOWS\SYSTEM\APPXO32.EXE
C:\WINDOWS\SYSTEM\D3BF32.EXE
C:\WINDOWS\MSYS.EXE
C:\WINDOWS\SYSTEM\SYSHN32.EXE
C:\WINDOWS\SYSTEM\IPJQ32.EXE
C:\WINDOWS\D3XU32.EXE
C:\WINDOWS\SYSTEM\CRRY.EXE
C:\WINDOWS\SYSTEM\IPNE.EXE
C:\WINDOWS\SYSTEM\JAVAPT32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\IEAT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\NTTK.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\CRGX32.EXE
C:\PROGRAM FILES\DR_S\DR_S.EXE
C:\WINDOWS\SYSTEM\WINRY32.EXE
C:\WINDOWS\IPGO.EXE
C:\WINDOWS\IPGO.EXE
C:\WINDOWS\SYSTEM\ATLZM.EXE
C:\WINDOWS\WINLA.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\D3BF32.EXE
C:\WINDOWS\D3XU32.EXE
C:\WINDOWS\SYSTEM\D3BF32.EXE
C:\WINDOWS\WINLA.EXE
C:\WINDOWS\SYSTEM\IEAI.EXE
C:\WINDOWS\SYSTEM\IEAI.EXE
C:\WINDOWS\SYSTEM\NTTK.EXE
C:\WINDOWS\SYSTEM\CRRY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\D3BF32.EXE
C:\WINDOWS\SYSTEM\IEAI.EXE
C:\WINDOWS\SYSTEM\SDKXD32.EXE
C:\WINDOWS\SYSTEM\D3BF32.EXE
C:\WINDOWS\D3XU32.EXE
C:\WINDOWS\WINLA.EXE
C:\WINDOWS\SYSTEM\D3BF32.EXE
C:\WINDOWS\SYSTEM\NTCY.EXE
C:\WINDOWS\SYSTEM\WINRY32.EXE
C:\WINDOWS\SYSTEM\SDKXD32.EXE
C:\WINDOWS\SYSTEM\JAVAPT32.EXE
C:\WINDOWS\WINLA.EXE
C:\WINDOWS\WINLA.EXE
C:\WINDOWS\SYSTEM\IPJQ32.EXE
C:\WINDOWS\D3XU32.EXE
C:\WINDOWS\SYSTEM\NTTK.EXE
C:\WINDOWS\SYSTEM\NTTK.EXE
C:\WINDOWS\IPGO.EXE
C:\WINDOWS\SYSTEM\SDKXD32.EXE
C:\WINDOWS\SYSTEM\WINRY32.EXE
C:\WINDOWS\D3XU32.EXE
C:\WINDOWS\CRGX32.EXE
C:\WINDOWS\SDKRH32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ynvdc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ynvdc.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ynvdc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ynvdc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ynvdc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ynvdc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = www.yahoo.ca
O2 - BHO: (no name) - {BD0BA5CD-7C8E-47ED-935E-1ABBAC9B29E0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: (no name) - {77E69D80-242D-AC8A-1B03-B1DD62569CE4} - C:\WINDOWS\SYSTEM\NTPR32.DLL
O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - (no file)
O2 - BHO: GuardWall - {D2F719F3-106A-402B-9996-3A5B12ACA564} - (no file)
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - (no file)
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-US\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IEAT.EXE] C:\WINDOWS\IEAT.EXE
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\SYSTEM\PDFUPD.DLL
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\RunServices: [12Ghosts TrayProtect] C:\PROGRAM FILES\12GHOSTS\12srvc.exe
O4 - HKLM\..\RunServices: [IPLZ.EXE] C:\WINDOWS\SYSTEM\IPLZ.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATLQK.EXE] C:\WINDOWS\ATLQK.EXE
O4 - HKLM\..\RunServices: [SYSCO.EXE] C:\WINDOWS\SYSCO.EXE
O4 - HKLM\..\RunServices: [SDKRH32.EXE] C:\WINDOWS\SDKRH32.EXE
O4 - HKLM\..\RunServices: [IEAI.EXE] C:\WINDOWS\SYSTEM\IEAI.EXE
O4 - HKLM\..\RunServices: [D3HW32.EXE] C:\WINDOWS\D3HW32.EXE
O4 - HKLM\..\RunServices: [MSZD32.EXE] C:\WINDOWS\SYSTEM\MSZD32.EXE
O4 - HKLM\..\RunServices: [WINLA.EXE] C:\WINDOWS\WINLA.EXE
O4 - HKLM\..\RunServices: [NTCY.EXE] C:\WINDOWS\SYSTEM\NTCY.EXE
O4 - HKLM\..\RunServices: [NTTK.EXE] C:\WINDOWS\SYSTEM\NTTK.EXE
O4 - HKLM\..\RunServices: [SDKGH32.EXE] C:\WINDOWS\SYSTEM\SDKGH32.EXE
O4 - HKLM\..\RunServices: [SDKXD32.EXE] C:\WINDOWS\SYSTEM\SDKXD32.EXE
O4 - HKLM\..\RunServices: [WINRY32.EXE] C:\WINDOWS\SYSTEM\WINRY32.EXE
O4 - HKLM\..\RunServices: [MSYS.EXE] C:\WINDOWS\MSYS.EXE
O4 - HKLM\..\RunServices: [D3BF32.EXE] C:\WINDOWS\SYSTEM\D3BF32.EXE
O4 - HKLM\..\RunServices: [APPXO32.EXE] C:\WINDOWS\SYSTEM\APPXO32.EXE
O4 - HKLM\..\RunServices: [IPJQ32.EXE] C:\WINDOWS\SYSTEM\IPJQ32.EXE
O4 - HKLM\..\RunServices: [SYSHN32.EXE] C:\WINDOWS\SYSTEM\SYSHN32.EXE
O4 - HKLM\..\RunServices: [D3XU32.EXE] C:\WINDOWS\D3XU32.EXE
O4 - HKLM\..\RunServices: [CRRY.EXE] C:\WINDOWS\SYSTEM\CRRY.EXE
O4 - HKLM\..\RunServices: [IPNE.EXE] C:\WINDOWS\SYSTEM\IPNE.EXE
O4 - HKLM\..\RunServices: [JAVAPT32.EXE] C:\WINDOWS\SYSTEM\JAVAPT32.EXE
O4 - HKLM\..\RunServices: [CRGX32.EXE] C:\WINDOWS\CRGX32.EXE
O4 - HKLM\..\RunServices: [IPGO.EXE] C:\WINDOWS\IPGO.EXE
O4 - HKLM\..\RunServices: [ATLZM.EXE] C:\WINDOWS\SYSTEM\ATLZM.EXE
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: 12Ghosts Clip.lnk = C:\Program Files\12Ghosts\12clip.exe
O4 - Startup: 12Ghosts Startup.lnk = C:\Program Files\DR_S\DR_S.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 (HKLM)
O9 - Extra button: Popup Slapdown Options (HKLM)
O9 - Extra button: Bug Swatter Options (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN.cab

PLEASE HELP

4
Contributors
3
Replies
4
Views
13 Years
Discussion Span
Last Post by dspnhn
0

:eek: Go here for an on-line scan & set it to autoclean for you.
Go here for an on-line scan & set it to autoclean for you.

Just try CWShredder too plz.

Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.

0

a message appears when I start my computer saying: "there was a problem starting winry32 the specified module could not be found" as much as it disturbs me I do not know why it appears and how should I remove it

0

u might wanna try combofix....use it from some other drive (pen,falsh whatever) and follow the instructions. donot worry about the messages just keep going forward....this is what i call the mother of all fixes.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.