HomeSearch, URLSearchHook.Atlpz, about:blank PROBLEMS

Post by ken8809 » May 17th, 2005, 10:38 am

I've got the same spyware problems that many people seeking help in this forum appear to have. My homepage repeatedly is reset to about:blank and AOL IM will no longer work properly. An online virus scan revealed 277 infected files (I've got that log saved if it needs to be posted) but no viruses. Help is much appreciated!



Logfile of HijackThis v1.98.2
Scan saved at 9:32:01 AM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\mshh.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kenny\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vkuph.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vkuph.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vkuph.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vkuph.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vkuph.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vkuph.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vkuph.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F70277D-289E-55DF-CC2E-2ED795705AF8} - (no file)
O2 - BHO: Class - {482ED513-8F9F-5049-FF7A-8FB035464E5F} - C:\WINDOWS\system32\crnf32.dll
O2 - BHO: (no name) - {4C586B1B-6256-BDCF-44D6-F0436A542593} - (no file)
O2 - BHO: (no name) - {5130E8BC-9CAA-2FD0-FBA4-5C75D8103678} - (no file)
O2 - BHO: (no name) - {5B86A516-4121-F602-C428-DD7BCCE4EE39} - (no file)
O2 - BHO: (no name) - {69D74EF1-A99E-49CB-BA6C-079035E64ABD} - (no file)
O2 - BHO: (no name) - {6F839401-73C6-491F-12E1-322A9B568C20} - (no file)
O2 - BHO: Class - {A5365394-C0D5-0936-EEBA-1BEC0A99D851} - C:\WINDOWS\system32\iesu32.dll
O2 - BHO: (no name) - {A7282035-D21A-406F-F9D7-CBB7C3A1B094} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {B32D8461-B24C-D626-990B-16F9A99073D4} - C:\WINDOWS\system32\mfcfa.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C0E29FD4-F512-9647-CA15-C8EB9E72B58B} - (no file)
O2 - BHO: (no name) - {E394341A-2ED9-EFE0-6516-4B65343512E4} - (no file)
O2 - BHO: Class - {E6226C29-4068-EB26-B869-9B4C7E50B3E9} - C:\WINDOWS\javapj.dll
O2 - BHO: (no name) - {E699A80F-C737-7F27-8229-0B4D3F150CA9} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mshh.exe] C:\WINDOWS\system32\mshh.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\system32\winpc.exe
O4 - HKLM\..\RunOnce: [ipbw32.exe] C:\WINDOWS\system32\ipbw32.exe
O4 - HKLM\..\RunOnce: [winfk32.exe] C:\WINDOWS\system32\winfk32.exe
O4 - HKLM\..\RunOnce: [mscy.exe] C:\WINDOWS\mscy.exe
O4 - HKLM\..\RunOnce: [ieqv32.exe] C:\WINDOWS\system32\ieqv32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/a267eae4/enter.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
ken8809
Regular Member
 
Posts: 17
Joined: May 17th, 2005, 9:47 am

Post by Bertha » May 17th, 2005, 10:58 am

Hey Ken,

Update your version of Hijackthis here - http://downloads.malwareremoval.com/hijackthis.zip

Unzip it into its own folder; this is important so that it can make backups.

Post a New Log back here

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

new log from newer Hijackthis

Post by ken8809 » May 17th, 2005, 12:12 pm

Logfile of HijackThis v1.99.1
Scan saved at 11:10:21 AM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\mshh.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kenny\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\njwax.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\njwax.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\njwax.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\njwax.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\njwax.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\njwax.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\njwax.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E6226C29-4068-EB26-B869-9B4C7E50B3E9} - C:\WINDOWS\javapj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mshh.exe] C:\WINDOWS\system32\mshh.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\system32\winpc.exe
O4 - HKLM\..\RunOnce: [ipbw32.exe] C:\WINDOWS\system32\ipbw32.exe
O4 - HKLM\..\RunOnce: [winfk32.exe] C:\WINDOWS\system32\winfk32.exe
O4 - HKLM\..\RunOnce: [mscy.exe] C:\WINDOWS\mscy.exe
O4 - HKLM\..\RunOnce: [ieqv32.exe] C:\WINDOWS\system32\ieqv32.exe
O4 - HKLM\..\RunOnce: [d3gq32.exe] C:\WINDOWS\d3gq32.exe
O4 - HKLM\..\RunOnce: [sysku.exe] C:\WINDOWS\system32\sysku.exe
O4 - HKLM\..\RunOnce: [apioe.exe] C:\WINDOWS\system32\apioe.exe
O4 - HKLM\..\RunOnce: [winnu32.exe] C:\WINDOWS\system32\winnu32.exe
O4 - HKLM\..\RunOnce: [d3dj32.exe] C:\WINDOWS\d3dj32.exe
O4 - HKLM\..\RunOnce: [mslr.exe] C:\WINDOWS\system32\mslr.exe
O4 - HKLM\..\RunOnce: [crmr.exe] C:\WINDOWS\crmr.exe
O4 - HKLM\..\RunOnce: [addbh32.exe] C:\WINDOWS\system32\addbh32.exe
O4 - HKLM\..\RunOnce: [apizo32.exe] C:\WINDOWS\apizo32.exe
O4 - HKLM\..\RunOnce: [atlua.exe] C:\WINDOWS\atlua.exe
O4 - HKLM\..\RunOnce: [mstp32.exe] C:\WINDOWS\mstp32.exe
O4 - HKLM\..\RunOnce: [sdksf32.exe] C:\WINDOWS\system32\sdksf32.exe
O4 - HKLM\..\RunOnce: [javarn.exe] C:\WINDOWS\system32\javarn.exe
O4 - HKLM\..\RunOnce: [crxj32.exe] C:\WINDOWS\system32\crxj32.exe
O4 - HKLM\..\RunOnce: [javamg32.exe] C:\WINDOWS\javamg32.exe
O4 - HKLM\..\RunOnce: [mfcqd32.exe] C:\WINDOWS\system32\mfcqd32.exe
O4 - HKLM\..\RunOnce: [crlo32.exe] C:\WINDOWS\crlo32.exe
O4 - HKLM\..\RunOnce: [ieyt.exe] C:\WINDOWS\system32\ieyt.exe
O4 - HKLM\..\RunOnce: [d3zt32.exe] C:\WINDOWS\d3zt32.exe
O4 - HKLM\..\RunOnce: [d3nq32.exe] C:\WINDOWS\system32\d3nq32.exe
O4 - HKLM\..\RunOnce: [netsm32.exe] C:\WINDOWS\netsm32.exe
O4 - HKLM\..\RunOnce: [mfcih.exe] C:\WINDOWS\mfcih.exe
O4 - HKLM\..\RunOnce: [iehp32.exe] C:\WINDOWS\iehp32.exe
O4 - HKLM\..\RunOnce: [apiwe.exe] C:\WINDOWS\apiwe.exe
O4 - HKLM\..\RunOnce: [ipvl32.exe] C:\WINDOWS\system32\ipvl32.exe
O4 - HKLM\..\RunOnce: [addgf32.exe] C:\WINDOWS\addgf32.exe
O4 - HKLM\..\RunOnce: [appov32.exe] C:\WINDOWS\appov32.exe
O4 - HKLM\..\RunOnce: [ipxn32.exe] C:\WINDOWS\system32\ipxn32.exe
O4 - HKLM\..\RunOnce: [sysxv32.exe] C:\WINDOWS\sysxv32.exe
O4 - HKLM\..\RunOnce: [netsh32.exe] C:\WINDOWS\system32\netsh32.exe
O4 - HKLM\..\RunOnce: [sdkxl.exe] C:\WINDOWS\system32\sdkxl.exe
O4 - HKLM\..\RunOnce: [ipgl32.exe] C:\WINDOWS\system32\ipgl32.exe
O4 - HKLM\..\RunOnce: [ipui.exe] C:\WINDOWS\system32\ipui.exe
O4 - HKLM\..\RunOnce: [ipaf.exe] C:\WINDOWS\system32\ipaf.exe
O4 - HKLM\..\RunOnce: [addgb.exe] C:\WINDOWS\addgb.exe
O4 - HKLM\..\RunOnce: [msrg.exe] C:\WINDOWS\system32\msrg.exe
O4 - HKLM\..\RunOnce: [mfcwl.exe] C:\WINDOWS\mfcwl.exe
O4 - HKLM\..\RunOnce: [ntan.exe] C:\WINDOWS\system32\ntan.exe
O4 - HKLM\..\RunOnce: [d3cf.exe] C:\WINDOWS\d3cf.exe
O4 - HKLM\..\RunOnce: [apipc.exe] C:\WINDOWS\system32\apipc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/a267eae4/enter.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winpc.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
ken8809
Regular Member
 
Posts: 17
Joined: May 17th, 2005, 9:47 am

Post by Bertha » May 17th, 2005, 1:41 pm

Hey Ken,

OK, let's cut this log down some, shall we?

Run some online scans

Housecall - http://housecall.trendmicro.com/houseca ... t_corp.asp

Panda - http://www.pandasoftware.com/activescan ... ncipal.htm

Allow them to remove anything they find, note down anything they find but cannot remove, along with its location, and post that back here in your reply.

Also go to this link and download - http://www.malwareremoval.com/forum/viewtopic.php?t=13

Spybot S&D
AdAware SE


Set them up as shown and run them, deleting all that they find.

Then reboot and post a new log back here, and we will tackle the About Blank problem

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

new log

Post by ken8809 » May 17th, 2005, 4:22 pm

Thanks for your help so far.

I ran the online scan and I do not believe any of the Adware items were deleted but numerous virus items may have been. I can attach that log as well if you would like. Only the second virus scan worked. I ran S&D and Adaware SE and rebooted...here is the latest log.

Logfile of HijackThis v1.99.1
Scan saved at 3:19:30 PM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\mshh.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\atlug.exe
C:\Documents and Settings\Kenny\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\omubk.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\omubk.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {316D6034-8672-118C-728F-D9D78EFEA265} - C:\WINDOWS\atlfs.dll
O2 - BHO: (no name) - {4C586B1B-6256-BDCF-44D6-F0436A542593} - (no file)
O2 - BHO: (no name) - {5B86A516-4121-F602-C428-DD7BCCE4EE39} - (no file)
O2 - BHO: (no name) - {6F839401-73C6-491F-12E1-322A9B568C20} - (no file)
O2 - BHO: (no name) - {A7282035-D21A-406F-F9D7-CBB7C3A1B094} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E394341A-2ED9-EFE0-6516-4B65343512E4} - (no file)
O2 - BHO: (no name) - {E699A80F-C737-7F27-8229-0B4D3F150CA9} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mshh.exe] C:\WINDOWS\system32\mshh.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\system32\winpc.exe
O4 - HKLM\..\RunOnce: [mscy.exe] C:\WINDOWS\mscy.exe
O4 - HKLM\..\RunOnce: [ieqv32.exe] C:\WINDOWS\system32\ieqv32.exe
O4 - HKLM\..\RunOnce: [apixr.exe] C:\WINDOWS\apixr.exe
O4 - HKLM\..\RunOnce: [winhk32.exe] C:\WINDOWS\system32\winhk32.exe
O4 - HKLM\..\RunOnce: [appbv.exe] C:\WINDOWS\system32\appbv.exe
O4 - HKLM\..\RunOnce: [netxz.exe] C:\WINDOWS\netxz.exe
O4 - HKLM\..\RunOnce: [javapa32.exe] C:\WINDOWS\system32\javapa32.exe
O4 - HKLM\..\RunOnce: [msfh.exe] C:\WINDOWS\msfh.exe
O4 - HKLM\..\RunOnce: [addbl32.exe] C:\WINDOWS\addbl32.exe
O4 - HKLM\..\RunOnce: [sdkyo32.exe] C:\WINDOWS\sdkyo32.exe
O4 - HKLM\..\RunOnce: [iptr.exe] C:\WINDOWS\system32\iptr.exe
O4 - HKLM\..\RunOnce: [appsh32.exe] C:\WINDOWS\appsh32.exe
O4 - HKLM\..\RunOnce: [ierx.exe] C:\WINDOWS\system32\ierx.exe
O4 - HKLM\..\RunOnce: [javamb.exe] C:\WINDOWS\system32\javamb.exe
O4 - HKLM\..\RunOnce: [crps.exe] C:\WINDOWS\crps.exe
O4 - HKLM\..\RunOnce: [crvo32.exe] C:\WINDOWS\system32\crvo32.exe
O4 - HKLM\..\RunOnce: [crjl32.exe] C:\WINDOWS\crjl32.exe
O4 - HKLM\..\RunOnce: [apioi32.exe] C:\WINDOWS\apioi32.exe
O4 - HKLM\..\RunOnce: [ieoy32.exe] C:\WINDOWS\system32\ieoy32.exe
O4 - HKLM\..\RunOnce: [ipwg.exe] C:\WINDOWS\ipwg.exe
O4 - HKLM\..\RunOnce: [crut32.exe] C:\WINDOWS\crut32.exe
O4 - HKLM\..\RunOnce: [d3uj32.exe] C:\WINDOWS\system32\d3uj32.exe
O4 - HKLM\..\RunOnce: [addec32.exe] C:\WINDOWS\addec32.exe
O4 - HKLM\..\RunOnce: [sdkek.exe] C:\WINDOWS\system32\sdkek.exe
O4 - HKLM\..\RunOnce: [netio.exe] C:\WINDOWS\netio.exe
O4 - HKLM\..\RunOnce: [d3xl32.exe] C:\WINDOWS\d3xl32.exe
O4 - HKLM\..\RunOnce: [sysns.exe] C:\WINDOWS\sysns.exe
O4 - HKLM\..\RunOnce: [atlrw32.exe] C:\WINDOWS\atlrw32.exe
O4 - HKLM\..\RunOnce: [addbx.exe] C:\WINDOWS\addbx.exe
O4 - HKLM\..\RunOnce: [addvi32.exe] C:\WINDOWS\system32\addvi32.exe
O4 - HKLM\..\RunOnce: [cram32.exe] C:\WINDOWS\cram32.exe
O4 - HKLM\..\RunOnce: [appvy32.exe] C:\WINDOWS\system32\appvy32.exe
O4 - HKLM\..\RunOnce: [apiic32.exe] C:\WINDOWS\apiic32.exe
O4 - HKLM\..\RunOnce: [msic.exe] C:\WINDOWS\system32\msic.exe
O4 - HKLM\..\RunOnce: [javalo32.exe] C:\WINDOWS\system32\javalo32.exe
O4 - HKLM\..\RunOnce: [netce.exe] C:\WINDOWS\netce.exe
O4 - HKLM\..\RunOnce: [winbu32.exe] C:\WINDOWS\system32\winbu32.exe
O4 - HKLM\..\RunOnce: [d3zb32.exe] C:\WINDOWS\d3zb32.exe
O4 - HKLM\..\RunOnce: [mszr.exe] C:\WINDOWS\mszr.exe
O4 - HKLM\..\RunOnce: [d3zr.exe] C:\WINDOWS\system32\d3zr.exe
O4 - HKLM\..\RunOnce: [addxh.exe] C:\WINDOWS\addxh.exe
O4 - HKLM\..\RunOnce: [iemw.exe] C:\WINDOWS\iemw.exe
O4 - HKLM\..\RunOnce: [javaxp32.exe] C:\WINDOWS\system32\javaxp32.exe
O4 - HKLM\..\RunOnce: [atllr32.exe] C:\WINDOWS\atllr32.exe
O4 - HKLM\..\RunOnce: [apprg.exe] C:\WINDOWS\system32\apprg.exe
O4 - HKLM\..\RunOnce: [atlfc.exe] C:\WINDOWS\atlfc.exe
O4 - HKLM\..\RunOnce: [d3lh.exe] C:\WINDOWS\system32\d3lh.exe
O4 - HKLM\..\RunOnce: [d3zc32.exe] C:\WINDOWS\d3zc32.exe
O4 - HKLM\..\RunOnce: [mfchc.exe] C:\WINDOWS\system32\mfchc.exe
O4 - HKLM\..\RunOnce: [adddo.exe] C:\WINDOWS\adddo.exe
O4 - HKLM\..\RunOnce: [nettd32.exe] C:\WINDOWS\system32\nettd32.exe
O4 - HKLM\..\RunOnce: [crlb.exe] C:\WINDOWS\crlb.exe
O4 - HKLM\..\RunOnce: [nthf.exe] C:\WINDOWS\nthf.exe
O4 - HKLM\..\RunOnce: [ieed32.exe] C:\WINDOWS\system32\ieed32.exe
O4 - HKLM\..\RunOnce: [adduk32.exe] C:\WINDOWS\system32\adduk32.exe
O4 - HKLM\..\RunOnce: [syspo.exe] C:\WINDOWS\system32\syspo.exe
O4 - HKLM\..\RunOnce: [javaod32.exe] C:\WINDOWS\system32\javaod32.exe
O4 - HKLM\..\RunOnce: [mshc32.exe] C:\WINDOWS\system32\mshc32.exe
O4 - HKLM\..\RunOnce: [d3ra32.exe] C:\WINDOWS\d3ra32.exe
O4 - HKLM\..\RunOnce: [sysbn32.exe] C:\WINDOWS\system32\sysbn32.exe
O4 - HKLM\..\RunOnce: [sdkxs32.exe] C:\WINDOWS\sdkxs32.exe
O4 - HKLM\..\RunOnce: [winad.exe] C:\WINDOWS\system32\winad.exe
O4 - HKLM\..\RunOnce: [d3eh32.exe] C:\WINDOWS\system32\d3eh32.exe
O4 - HKLM\..\RunOnce: [appkd32.exe] C:\WINDOWS\appkd32.exe
O4 - HKLM\..\RunOnce: [atlug.exe] C:\WINDOWS\atlug.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/a267eae4/enter.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winpc.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
ken8809
Regular Member
 
Posts: 17
Joined: May 17th, 2005, 9:47 am
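
A triage sketch for the logs posted above, added here as an example; it is not part of the original thread and not HijackThis's own logic. It parses HijackThis entry lines and compares two scans, using excerpts copied from the second and third logs as input. The heuristics are assumptions for illustration and produce review candidates, not verdicts: R0/R1 values that load a `res://` page from a DLL directly in C:\WINDOWS or system32, BHOs with `(no file)` or a DLL in those directories, and autorun values named after their own executable in those directories.

```python
import ntpath
import re

# Excerpts copied from the second and third HijackThis logs in this thread.
LOG_SECOND = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\njwax.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mshh.exe] C:\WINDOWS\system32\mshh.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\system32\winpc.exe
O4 - HKLM\..\RunOnce: [d3gq32.exe] C:\WINDOWS\d3gq32.exe
"""
LOG_THIRD = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {316D6034-8672-118C-728F-D9D78EFEA265} - C:\WINDOWS\atlfs.dll
O2 - BHO: (no name) - {4C586B1B-6256-BDCF-44D6-F0436A542593} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mshh.exe] C:\WINDOWS\system32\mshh.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\system32\winpc.exe
O4 - HKLM\..\RunOnce: [atlug.exe] C:\WINDOWS\atlug.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RES_URL = re.compile(r"res://(?P<path>[A-Za-z]:\\[^/]+?\.(?:dll|exe))/", re.I)
AUTORUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_PATH = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.I)
# Assumption: files sitting directly in these directories deserve a second look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse(log):
    """Yield (code, body) for each 'Xn - ...' entry line; other lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]


def in_system_dir(path):
    """True when the file lives directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def triage(log):
    """Return (code, reason, artifact) tuples for entries worth a manual review."""
    findings = []
    for code, body in parse(log):
        if code in ("R0", "R1"):
            m = RES_URL.search(body)
            if m and in_system_dir(m["path"]):
                findings.append((code, "IE setting loads a page from a DLL in a system dir", m["path"]))
        elif code == "O2":
            fields = body.split(" - ")
            target = fields[-1]
            if target == "(no file)":
                findings.append((code, "BHO registered but its file is absent", fields[1]))
            elif in_system_dir(target):
                findings.append((code, "BHO DLL sits directly in a system dir", target))
        elif code == "O4":
            m = AUTORUN.match(body)
            exe = EXE_PATH.match(m["cmd"]) if m else None
            if exe and in_system_dir(exe["path"]) \
                    and m["name"].lower() == ntpath.basename(exe["path"]).lower():
                findings.append((code, "autorun value named after its own executable", exe["path"]))
    return findings


def churn(old_log, new_log):
    """Compare two scans: artifacts that appeared and artifacts that vanished."""
    old = {artifact for _, _, artifact in triage(old_log)}
    new = {artifact for _, _, artifact in triage(new_log)}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for finding in triage(LOG_THIRD):
        print(*finding, sep=" | ")
    added, removed = churn(LOG_SECOND, LOG_THIRD)
    print("new since previous scan:", added)
    print("gone since previous scan:", removed)
```

Entries that persist across scans under the same name (here `mshh.exe` and `winpc.exe`) are separated from the ones whose file names differ from scan to scan, which is why the comparison is made on two logs rather than one.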

Post by Bertha » May 18th, 2005, 5:07 am

Hey Ken,

Copy the following to a notepad file for reference

First of all I need you to download some programs for use later.

Download this file and unzip it to your desktop

Download About:Buster from here. Once it is downloaded, extract it to c:\aboutbuster and check for updates. Do NOT use it yet.

Download CWShredder from here, install it, and check for updates, but again, don't use it yet.

Ensure hidden files and folders are set to show;

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.


Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called:

Workstation Net Logon

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Please disconnect from the Internet and unplug your modem for the duration of this fix

You may want to print the rest of these instructions.

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

While in safe mode, double click on the cwsserviceemove.reg file you downloaded at the beginning. Grant it permission to add the registry items.

Then open CWShredder, which you downloaded in the first step. Close all browser windows and click on the fix/next button.

Bring up Task Manager (Ctrl-Alt-Del) and end these processes if they are present:

mshh.exe
atlug.exe


Now find and delete these files. If you can't find one then don't worry, just move on to the next one.


C:\WINDOWS\omubk.dll
C:\WINDOWS\atlfs.dll

C:\WINDOWS\system32\mshh.exe
C:\WINDOWS\atlug.exe
C:\WINDOWS\omubk.dll
C:\WINDOWS\atlfs.dll
C:\WINDOWS\system32\winpc.exe
C:\WINDOWS\mscy.exe
C:\WINDOWS\system32\ieqv32.exe
C:\WINDOWS\apixr.exe
C:\WINDOWS\system32\winhk32.exe
C:\WINDOWS\system32\appbv.exe
C:\WINDOWS\netxz.exe
C:\WINDOWS\system32\javapa32.exe
C:\WINDOWS\msfh.exe
C:\WINDOWS\addbl32.exe
C:\WINDOWS\sdkyo32.exe
C:\WINDOWS\system32\iptr.exe
C:\WINDOWS\appsh32.exe
C:\WINDOWS\system32\ierx.exe
C:\WINDOWS\system32\javamb.exe
C:\WINDOWS\crps.exe
C:\WINDOWS\system32\crvo32.exe
C:\WINDOWS\crjl32.exe
C:\WINDOWS\apioi32.exe
C:\WINDOWS\system32\ieoy32.exe
C:\WINDOWS\ipwg.exe
C:\WINDOWS\crut32.exe
C:\WINDOWS\system32\d3uj32.exe
C:\WINDOWS\addec32.exe
C:\WINDOWS\system32\sdkek.exe
C:\WINDOWS\netio.exe
C:\WINDOWS\d3xl32.exe
C:\WINDOWS\sysns.exe
C:\WINDOWS\atlrw32.exe
C:\WINDOWS\addbx.exe
C:\WINDOWS\system32\addvi32.exe
C:\WINDOWS\cram32.exe
C:\WINDOWS\system32\appvy32.exe
C:\WINDOWS\apiic32.exe
C:\WINDOWS\system32\msic.exe
C:\WINDOWS\system32\javalo32.exe
C:\WINDOWS\netce.exe
C:\WINDOWS\system32\winbu32.exe
C:\WINDOWS\d3zb32.exe
C:\WINDOWS\mszr.exe
C:\WINDOWS\system32\d3zr.exe
C:\WINDOWS\addxh.exe
C:\WINDOWS\iemw.exe
C:\WINDOWS\system32\javaxp32.exe
C:\WINDOWS\atllr32.exe
C:\WINDOWS\system32\apprg.exe
C:\WINDOWS\atlfc.exe
C:\WINDOWS\system32\d3lh.exe
C:\WINDOWS\d3zc32.exe
C:\WINDOWS\system32\mfchc.exe
C:\WINDOWS\adddo.exe
C:\WINDOWS\system32\nettd32.exe
C:\WINDOWS\crlb.exe
C:\WINDOWS\nthf.exe
C:\WINDOWS\system32\ieed32.exe
C:\WINDOWS\system32\adduk32.exe
C:\WINDOWS\system32\syspo.exe
C:\WINDOWS\system32\javaod32.exe
C:\WINDOWS\system32\mshc32.exe
C:\WINDOWS\d3ra32.exe
C:\WINDOWS\system32\sysbn32.exe
C:\WINDOWS\sdkxs32.exe
C:\WINDOWS\system32\winad.exe
C:\WINDOWS\system32\d3eh32.exe
C:\WINDOWS\appkd32.exe


We'll need to unload Spybot's Teatimer before we begin. To do this, right-click on the icon in the quick launch toolbar at the bottom of the screen, then select "Exit".


Now run HijackThis and click the scan button. When it has finished scanning, put a check against the following and click 'fix checked':




R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\omubk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\omubk.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\omubk.dll/sp.html#44768

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {316D6034-8672-118C-728F-D9D78EFEA265} - C:\WINDOWS\atlfs.dll
O2 - BHO: (no name) - {4C586B1B-6256-BDCF-44D6-F0436A542593} - (no file)
O2 - BHO: (no name) - {5B86A516-4121-F602-C428-DD7BCCE4EE39} - (no file)
O2 - BHO: (no name) - {6F839401-73C6-491F-12E1-322A9B568C20} - (no file)
O2 - BHO: (no name) - {A7282035-D21A-406F-F9D7-CBB7C3A1B094} - (no file)
O2 - BHO: (no name) - {E394341A-2ED9-EFE0-6516-4B65343512E4} - (no file)
O2 - BHO: (no name) - {E699A80F-C737-7F27-8229-0B4D3F150CA9} - (no file)

O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\Run: [mshh.exe] C:\WINDOWS\system32\mshh.exe
O4 - HKLM\..\RunServices: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\system32\winpc.exe
O4 - HKLM\..\RunOnce: [mscy.exe] C:\WINDOWS\mscy.exe
O4 - HKLM\..\RunOnce: [ieqv32.exe] C:\WINDOWS\system32\ieqv32.exe
O4 - HKLM\..\RunOnce: [apixr.exe] C:\WINDOWS\apixr.exe
O4 - HKLM\..\RunOnce: [winhk32.exe] C:\WINDOWS\system32\winhk32.exe
O4 - HKLM\..\RunOnce: [appbv.exe] C:\WINDOWS\system32\appbv.exe
O4 - HKLM\..\RunOnce: [netxz.exe] C:\WINDOWS\netxz.exe
O4 - HKLM\..\RunOnce: [javapa32.exe] C:\WINDOWS\system32\javapa32.exe
O4 - HKLM\..\RunOnce: [msfh.exe] C:\WINDOWS\msfh.exe
O4 - HKLM\..\RunOnce: [addbl32.exe] C:\WINDOWS\addbl32.exe
O4 - HKLM\..\RunOnce: [sdkyo32.exe] C:\WINDOWS\sdkyo32.exe
O4 - HKLM\..\RunOnce: [iptr.exe] C:\WINDOWS\system32\iptr.exe
O4 - HKLM\..\RunOnce: [appsh32.exe] C:\WINDOWS\appsh32.exe
O4 - HKLM\..\RunOnce: [ierx.exe] C:\WINDOWS\system32\ierx.exe
O4 - HKLM\..\RunOnce: [javamb.exe] C:\WINDOWS\system32\javamb.exe
O4 - HKLM\..\RunOnce: [crps.exe] C:\WINDOWS\crps.exe
O4 - HKLM\..\RunOnce: [crvo32.exe] C:\WINDOWS\system32\crvo32.exe
O4 - HKLM\..\RunOnce: [crjl32.exe] C:\WINDOWS\crjl32.exe
O4 - HKLM\..\RunOnce: [apioi32.exe] C:\WINDOWS\apioi32.exe
O4 - HKLM\..\RunOnce: [ieoy32.exe] C:\WINDOWS\system32\ieoy32.exe
O4 - HKLM\..\RunOnce: [ipwg.exe] C:\WINDOWS\ipwg.exe
O4 - HKLM\..\RunOnce: [crut32.exe] C:\WINDOWS\crut32.exe
O4 - HKLM\..\RunOnce: [d3uj32.exe] C:\WINDOWS\system32\d3uj32.exe
O4 - HKLM\..\RunOnce: [addec32.exe] C:\WINDOWS\addec32.exe
O4 - HKLM\..\RunOnce: [sdkek.exe] C:\WINDOWS\system32\sdkek.exe
O4 - HKLM\..\RunOnce: [netio.exe] C:\WINDOWS\netio.exe
O4 - HKLM\..\RunOnce: [d3xl32.exe] C:\WINDOWS\d3xl32.exe
O4 - HKLM\..\RunOnce: [sysns.exe] C:\WINDOWS\sysns.exe
O4 - HKLM\..\RunOnce: [atlrw32.exe] C:\WINDOWS\atlrw32.exe
O4 - HKLM\..\RunOnce: [addbx.exe] C:\WINDOWS\addbx.exe
O4 - HKLM\..\RunOnce: [addvi32.exe] C:\WINDOWS\system32\addvi32.exe
O4 - HKLM\..\RunOnce: [cram32.exe] C:\WINDOWS\cram32.exe
O4 - HKLM\..\RunOnce: [appvy32.exe] C:\WINDOWS\system32\appvy32.exe
O4 - HKLM\..\RunOnce: [apiic32.exe] C:\WINDOWS\apiic32.exe
O4 - HKLM\..\RunOnce: [msic.exe] C:\WINDOWS\system32\msic.exe
O4 - HKLM\..\RunOnce: [javalo32.exe] C:\WINDOWS\system32\javalo32.exe
O4 - HKLM\..\RunOnce: [netce.exe] C:\WINDOWS\netce.exe
O4 - HKLM\..\RunOnce: [winbu32.exe] C:\WINDOWS\system32\winbu32.exe
O4 - HKLM\..\RunOnce: [d3zb32.exe] C:\WINDOWS\d3zb32.exe
O4 - HKLM\..\RunOnce: [mszr.exe] C:\WINDOWS\mszr.exe
O4 - HKLM\..\RunOnce: [d3zr.exe] C:\WINDOWS\system32\d3zr.exe
O4 - HKLM\..\RunOnce: [addxh.exe] C:\WINDOWS\addxh.exe
O4 - HKLM\..\RunOnce: [iemw.exe] C:\WINDOWS\iemw.exe
O4 - HKLM\..\RunOnce: [javaxp32.exe] C:\WINDOWS\system32\javaxp32.exe
O4 - HKLM\..\RunOnce: [atllr32.exe] C:\WINDOWS\atllr32.exe
O4 - HKLM\..\RunOnce: [apprg.exe] C:\WINDOWS\system32\apprg.exe
O4 - HKLM\..\RunOnce: [atlfc.exe] C:\WINDOWS\atlfc.exe
O4 - HKLM\..\RunOnce: [d3lh.exe] C:\WINDOWS\system32\d3lh.exe
O4 - HKLM\..\RunOnce: [d3zc32.exe] C:\WINDOWS\d3zc32.exe
O4 - HKLM\..\RunOnce: [mfchc.exe] C:\WINDOWS\system32\mfchc.exe
O4 - HKLM\..\RunOnce: [adddo.exe] C:\WINDOWS\adddo.exe
O4 - HKLM\..\RunOnce: [nettd32.exe] C:\WINDOWS\system32\nettd32.exe
O4 - HKLM\..\RunOnce: [crlb.exe] C:\WINDOWS\crlb.exe
O4 - HKLM\..\RunOnce: [nthf.exe] C:\WINDOWS\nthf.exe
O4 - HKLM\..\RunOnce: [ieed32.exe] C:\WINDOWS\system32\ieed32.exe
O4 - HKLM\..\RunOnce: [adduk32.exe] C:\WINDOWS\system32\adduk32.exe
O4 - HKLM\..\RunOnce: [syspo.exe] C:\WINDOWS\system32\syspo.exe
O4 - HKLM\..\RunOnce: [javaod32.exe] C:\WINDOWS\system32\javaod32.exe
O4 - HKLM\..\RunOnce: [mshc32.exe] C:\WINDOWS\system32\mshc32.exe
O4 - HKLM\..\RunOnce: [d3ra32.exe] C:\WINDOWS\d3ra32.exe
O4 - HKLM\..\RunOnce: [sysbn32.exe] C:\WINDOWS\system32\sysbn32.exe
O4 - HKLM\..\RunOnce: [sdkxs32.exe] C:\WINDOWS\sdkxs32.exe
O4 - HKLM\..\RunOnce: [winad.exe] C:\WINDOWS\system32\winad.exe
O4 - HKLM\..\RunOnce: [d3eh32.exe] C:\WINDOWS\system32\d3eh32.exe
O4 - HKLM\..\RunOnce: [appkd32.exe] C:\WINDOWS\appkd32.exe
O4 - HKLM\..\RunOnce: [atlug.exe] C:\WINDOWS\atlug.exe

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winpc.exe" /s (file missing)

The following step is important as you may have several malware files in your temp directories.

Then browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files and folders in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

Now reboot, and run HijackThis again and post a fresh log along with the About:Buster log. :)

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

new logs

Post by ken8809 » May 18th, 2005, 12:59 pm

Followed all of your instructions from last post. Could not update aboutbuster or cwshredder. CWShredder showed that CoolWebSearch was not present. The two processes were not present. All of the files to be deleted were found and deleted. In safe mode I did not have s&d teatimer in quicklaunch bar. Ran HijackThis... only one R1 entry was there, the R3 entry, none of the O2 BHOs and only the first six O4s, none other in the list. Here are the two requested logs...

Scanned at: 11:50:20 AM on: 5/18/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


Logfile of HijackThis v1.99.1
Scan saved at 11:53:08 AM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\d3ft32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\appbl32.exe
C:\Documents and Settings\Kenny\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02CC75F3-8484-D1DD-2BFB-DC68547A67BA} - (no file)
O2 - BHO: Class - {0661D7C2-371C-C623-4982-2277DF99E129} - C:\WINDOWS\addny32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {08AA5DB2-A44F-8F76-711C-956A8C663487} - C:\WINDOWS\craa.dll
O2 - BHO: Class - {0A9AC70B-D55C-F5E0-B29D-89941C454F9E} - C:\WINDOWS\apies32.dll
O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\crqy.dll
O2 - BHO: (no name) - {0C0E2D3F-3AE9-2ABB-7656-AA2FC932ED6E} - (no file)
O2 - BHO: (no name) - {0F70277D-289E-55DF-CC2E-2ED795705AF8} - (no file)
O2 - BHO: (no name) - {11762563-B790-AC99-735F-1EA21A0E2E42} - (no file)
O2 - BHO: Class - {16A9AC51-3EDE-D225-D2B3-4F97BAC686BE} - C:\WINDOWS\system32\addxh32.dll
O2 - BHO: (no name) - {24EE5EA2-F68D-798A-5236-BCF1C98BD30E} - (no file)
O2 - BHO: (no name) - {26EAA016-982E-F4A7-13E4-B58C5CF0FDD0} - (no file)
O2 - BHO: Class - {282032FC-C6CA-9E36-F009-345A15203683} - C:\WINDOWS\javamf.dll
O2 - BHO: (no name) - {316D6034-8672-118C-728F-D9D78EFEA265} - (no file)
O2 - BHO: (no name) - {32FB26E0-5AAE-5652-AD0F-F42254309CD1} - (no file)
O2 - BHO: Class - {3DFCBD99-678C-4058-78A2-A1A16A8A15F3} - C:\WINDOWS\system32\cras.dll
O2 - BHO: Class - {4097E29E-2A74-3EEA-7090-0E73AF19AC3E} - C:\WINDOWS\apipy32.dll
O2 - BHO: (no name) - {482ED513-8F9F-5049-FF7A-8FB035464E5F} - (no file)
O2 - BHO: (no name) - {4C586B1B-6256-BDCF-44D6-F0436A542593} - (no file)
O2 - BHO: (no name) - {5130E8BC-9CAA-2FD0-FBA4-5C75D8103678} - (no file)
O2 - BHO: Class - {517564DA-70D9-1F28-3710-89856CB474C4} - C:\WINDOWS\system32\netgc.dll
O2 - BHO: Class - {53D3238B-64AB-2309-6B42-5DFB1EF3F534} - C:\WINDOWS\system32\javake.dll
O2 - BHO: Class - {55FF138B-75CF-C09E-5E79-49F7277CDB38} - C:\WINDOWS\winju32.dll
O2 - BHO: (no name) - {5B86A516-4121-F602-C428-DD7BCCE4EE39} - (no file)
O2 - BHO: (no name) - {5C24F68F-330D-3834-5594-F52CB787AE93} - (no file)
O2 - BHO: Class - {62B528F1-C07D-B10C-F50A-0AF9FF61D0BF} - C:\WINDOWS\winhl32.dll
O2 - BHO: (no name) - {69D74EF1-A99E-49CB-BA6C-079035E64ABD} - (no file)
O2 - BHO: (no name) - {6F839401-73C6-491F-12E1-322A9B568C20} - (no file)
O2 - BHO: (no name) - {795BB343-30B6-2B4F-FA68-F174D498229E} - (no file)
O2 - BHO: (no name) - {7E7E29DB-D5D8-8F9C-04D0-1F78794D1C99} - (no file)
O2 - BHO: Class - {83EF55DB-6787-8204-BD91-03202E65FD32} - C:\WINDOWS\addnf32.dll
O2 - BHO: (no name) - {86809FC5-8CA2-8DED-5B65-7DA0AD19966C} - (no file)
O2 - BHO: (no name) - {88EFDEE3-0CB7-1C95-AB61-56AA3EB9D50A} - (no file)
O2 - BHO: Class - {88F58E91-2349-CEB7-A893-765E5171E648} - C:\WINDOWS\netkn.dll
O2 - BHO: (no name) - {893180C0-5F10-202B-1AE8-1D36D4846035} - (no file)
O2 - BHO: (no name) - {8F602CAF-ED9C-5DE3-54F4-0D9DCC6602BF} - (no file)
O2 - BHO: (no name) - {A5365394-C0D5-0936-EEBA-1BEC0A99D851} - (no file)
O2 - BHO: (no name) - {A7282035-D21A-406F-F9D7-CBB7C3A1B094} - (no file)
O2 - BHO: (no name) - {A7669601-1B82-CF1B-BA2E-ADF97AF7322F} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {B0957B29-6605-0ACF-0683-0B29FEADFBE3} - C:\WINDOWS\system32\sysfc.dll
O2 - BHO: (no name) - {B1B856A8-E2CF-6D0D-E2E2-6F519F010848} - (no file)
O2 - BHO: (no name) - {B32D8461-B24C-D626-990B-16F9A99073D4} - (no file)
O2 - BHO: Class - {BC265548-7E29-C369-414D-740E3D1BFFD7} - C:\WINDOWS\netid.dll
O2 - BHO: Class - {BCE7D6C6-91F7-121B-8DD6-E434352088D3} - C:\WINDOWS\system32\winlw32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BFA9AA21-50C4-1BA5-0F30-DCA239B508A3} - (no file)
O2 - BHO: (no name) - {C0E29FD4-F512-9647-CA15-C8EB9E72B58B} - (no file)
O2 - BHO: (no name) - {C46F610F-69B8-0E43-0278-24EDA37E1513} - (no file)
O2 - BHO: Class - {CDD0D83D-50AC-5BD8-C45A-EA169A5DD659} - C:\WINDOWS\system32\apicj32.dll
O2 - BHO: (no name) - {D8F6292A-632E-2FF8-816D-45BA7630E2DA} - (no file)
O2 - BHO: (no name) - {DF69CD81-6A3B-4A3D-064D-824D55DE3A0A} - (no file)
O2 - BHO: (no name) - {E394341A-2ED9-EFE0-6516-4B65343512E4} - (no file)
O2 - BHO: Class - {E6226C29-4068-EB26-B869-9B4C7E50B3E9} - C:\WINDOWS\javapj.dll
O2 - BHO: (no name) - {E699A80F-C737-7F27-8229-0B4D3F150CA9} - (no file)
O2 - BHO: Class - {EC43F6F8-5AA1-8014-25AE-50C174FA1822} - C:\WINDOWS\system32\crcj32.dll
O2 - BHO: Class - {F62510CB-ED83-E3EF-9E28-73519F1B7A0C} - C:\WINDOWS\d3ft32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [d3ft32.exe] C:\WINDOWS\d3ft32.exe
O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\RunOnce: [atluc.exe] C:\WINDOWS\atluc.exe
O4 - HKLM\..\RunOnce: [appyt32.exe] C:\WINDOWS\appyt32.exe
O4 - HKLM\..\RunOnce: [ipni.exe] C:\WINDOWS\system32\ipni.exe
O4 - HKLM\..\RunOnce: [iewr.exe] C:\WINDOWS\system32\iewr.exe
O4 - HKLM\..\RunOnce: [addvm32.exe] C:\WINDOWS\system32\addvm32.exe
O4 - HKLM\..\RunOnce: [javama32.exe] C:\WINDOWS\system32\javama32.exe
O4 - HKLM\..\RunOnce: [appbl32.exe] C:\WINDOWS\system32\appbl32.exe
O4 - HKLM\..\RunOnce: [appkt.exe] C:\WINDOWS\system32\appkt.exe
O4 - HKLM\..\RunOnce: [crxy32.exe] C:\WINDOWS\system32\crxy32.exe
O4 - HKLM\..\RunOnce: [atlrr32.exe] C:\WINDOWS\system32\atlrr32.exe
O4 - HKLM\..\RunOnce: [apppm32.exe] C:\WINDOWS\system32\apppm32.exe
O4 - HKLM\..\RunOnce: [winek32.exe] C:\WINDOWS\system32\winek32.exe
O4 - HKLM\..\RunOnce: [javayd32.exe] C:\WINDOWS\system32\javayd32.exe
O4 - HKLM\..\RunOnce: [mfclp.exe] C:\WINDOWS\mfclp.exe
O4 - HKLM\..\RunOnce: [appan.exe] C:\WINDOWS\appan.exe
O4 - HKLM\..\RunOnce: [mslf32.exe] C:\WINDOWS\mslf32.exe
O4 - HKLM\..\RunOnce: [ieqw.exe] C:\WINDOWS\system32\ieqw.exe
O4 - HKLM\..\RunOnce: [syswt.exe] C:\WINDOWS\system32\syswt.exe
O4 - HKLM\..\RunOnce: [crgt32.exe] C:\WINDOWS\crgt32.exe
O4 - HKLM\..\RunOnce: [d3ok.exe] C:\WINDOWS\d3ok.exe
O4 - HKLM\..\RunOnce: [javapk.exe] C:\WINDOWS\javapk.exe
O4 - HKLM\..\RunOnce: [msqs.exe] C:\WINDOWS\msqs.exe
O4 - HKLM\..\RunOnce: [ipmk32.exe] C:\WINDOWS\system32\ipmk32.exe
O4 - HKLM\..\RunOnce: [apifu.exe] C:\WINDOWS\apifu.exe
O4 - HKLM\..\RunOnce: [ntzv32.exe] C:\WINDOWS\system32\ntzv32.exe
O4 - HKLM\..\RunOnce: [addny32.exe] C:\WINDOWS\addny32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/a267eae4/enter.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atluc.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Thank you.
ken8809
Regular Member
 
Posts: 17
Joined: May 17th, 2005, 9:47 am
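
Added example (not part of the original thread and not a HijackThis feature): a small triage script that applies the patterns visible in the entries marked for fixing above to a HijackThis log. The rule set, function names and the abridged sample are assumptions made for this illustration.

```python
import ntpath
import re

# Constructed sample: lines copied from the second log in this thread, abridged
# (the garbled bytes in the service display name are left out).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
O2 - BHO: (no name) - {02CC75F3-8484-D1DD-2BFB-DC68547A67BA} - (no file)
O2 - BHO: Class - {0661D7C2-371C-C623-4982-2277DF99E129} - C:\WINDOWS\addny32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [d3ft32.exe] C:\WINDOWS\d3ft32.exe
O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\RunOnce: [atluc.exe] C:\WINDOWS\atluc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Network Security Service - Unknown owner - C:\WINDOWS\atluc.exe" /s (file missing)
"""

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
RES_RE = re.compile(r"= res://(.+?\.dll)/", re.I)
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
SVC_RE = re.compile(r"^Service: (.+?) - (.+?) - (.*)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.I)


def parse(log):
    """Split a HijackThis log into (section, body) pairs, e.g. ('O4', '...')."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def in_system_dir(path):
    """True if the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def triage(section, body):
    """Return a reason string if the entry matches one of the rules, else None."""
    if section.startswith("R"):
        m = RES_RE.search(body)
        if m and in_system_dir(m.group(1)):
            return "IE page served from a DLL resource in the Windows directory"
    elif section == "O2":
        m = BHO_RE.match(body)
        if m:
            name, _clsid, target = m.groups()
            if target == "(no file)":
                return "BHO still registered but its file is gone"
            if name == "Class" and in_system_dir(target):
                return "generic 'Class' BHO loaded from the Windows directory"
    elif section == "O4":
        m = RUN_RE.match(body)
        exe = EXE_RE.match(m.group(4)) if m else None
        if exe:
            path = exe.group(1)
            # Value name identical to the file name, file in the Windows directory.
            if in_system_dir(path) and m.group(3).lower() == ntpath.basename(path).lower():
                return "autorun value named after its own executable in the Windows directory"
    elif section == "O23":
        m = SVC_RE.match(body)
        if m and m.group(2) == "Unknown owner" and "(file missing)" in m.group(3):
            return "service with unknown owner whose binary is reported missing"
    return None


def flagged(log):
    """Return (section, body, reason) for every entry that matches a rule."""
    hits = []
    for section, body in parse(log):
        reason = triage(section, body)
        if reason:
            hits.append((section, body, reason))
    return hits


if __name__ == "__main__":
    for section, body, reason in flagged(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

The `[LSASS Authority] lshosts32.exe` entry is not matched by these rules even though it was marked for fixing earlier in the thread, so the output narrows a log for review rather than replacing the review.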

Post by Bertha » May 18th, 2005, 3:37 pm

Ken,

Let's continue on with the fix...

Please read through the fix first a few times to be sure you know what you need to do and that you have downloaded any required tools.

Copy this to notepad for reference.

You already have the tools in the fix so no need to download them again; however, I included the download links in case you have removed them from your system.

Please try to update them (what happens when you click update?)


DO NOT REBOOT YOUR COMPUTER UNLESS ADVISED AS THE MALWARE WILL ONLY MUTATE AND WE WILL BE CHASING OUR TAILS.

We'll need to unload Spybot's Teatimer before we begin. To do this, right-click on the icon in the quick launch toolbar at the bottom of the screen, then select "Exit".

===============

Next, locate CWShredder that you downloaded earlier and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".

4. Click "Fix ->"

===============

Download, unzip to your desktop About:Buster and run it, then:
Locate About:Buster that you downloaded earlier and run it, then:

1. Click "Update".
2. Click "Check For Update"

(If no new version is available, skip to step #4.)

3. Click "Download Update", and wait for it to be installed.
4. Click "Start".

(Wait for the initial ADS scan to complete.)

5. Click "Yes", to shutdown any IE session currently open.

(Wait for the about:blank scan to complete.)

6. Click "Ok", to scan once more.
7. Click "Yes", to shutdown any IE sessions currently open.
8. Click "Yes", to begin the second pass.

9. Click "Save log", and post this log back along with your new log.
10. Click "Exit".
11. Click "Exit".

===============

Reboot your computer normally.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\d3ft32.exe
C:\WINDOWS\system32\appbl32.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u addny32.dll
regsvr32 /u craa.dll
regsvr32 /u apies32.dll
regsvr32 /u crqy.dll
regsvr32 /u addxh32.dll
regsvr32 /u javamf.dll
regsvr32 /u cras.dll
regsvr32 /u apipy32.dll
regsvr32 /u netgc.dll
regsvr32 /u javake.dll
regsvr32 /u winju32.dll
regsvr32 /u winhl32.dll
regsvr32 /u addnf32.dll
regsvr32 /u netkn.dll
regsvr32 /u sysfc.dll
regsvr32 /u netid.dll
regsvr32 /u winlw32.dll
regsvr32 /u apicj32.dll
regsvr32 /u javapj.dll
regsvr32 /u crcj32.dll
regsvr32 /u d3ft32.dll

It's ok if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

Next, go to Start->Run and type "Services.msc" (without quotes), then hit Ok.

Scroll down and find the service called:


Network Security Service

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwbcw.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwbcw.dll/sp.html#44768

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {02CC75F3-8484-D1DD-2BFB-DC68547A67BA} - (no file)
O2 - BHO: Class - {0661D7C2-371C-C623-4982-2277DF99E129} - C:\WINDOWS\addny32.dll
O2 - BHO: Class - {08AA5DB2-A44F-8F76-711C-956A8C663487} - C:\WINDOWS\craa.dll
O2 - BHO: Class - {0A9AC70B-D55C-F5E0-B29D-89941C454F9E} - C:\WINDOWS\apies32.dll
O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\crqy.dll
O2 - BHO: (no name) - {0C0E2D3F-3AE9-2ABB-7656-AA2FC932ED6E} - (no file)
O2 - BHO: (no name) - {0F70277D-289E-55DF-CC2E-2ED795705AF8} - (no file)
O2 - BHO: (no name) - {11762563-B790-AC99-735F-1EA21A0E2E42} - (no file)
O2 - BHO: Class - {16A9AC51-3EDE-D225-D2B3-4F97BAC686BE} - C:\WINDOWS\system32\addxh32.dll
O2 - BHO: (no name) - {24EE5EA2-F68D-798A-5236-BCF1C98BD30E} - (no file)
O2 - BHO: (no name) - {26EAA016-982E-F4A7-13E4-B58C5CF0FDD0} - (no file)
O2 - BHO: Class - {282032FC-C6CA-9E36-F009-345A15203683} - C:\WINDOWS\javamf.dll
O2 - BHO: (no name) - {316D6034-8672-118C-728F-D9D78EFEA265} - (no file)
O2 - BHO: (no name) - {32FB26E0-5AAE-5652-AD0F-F42254309CD1} - (no file)
O2 - BHO: Class - {3DFCBD99-678C-4058-78A2-A1A16A8A15F3} - C:\WINDOWS\system32\cras.dll
O2 - BHO: Class - {4097E29E-2A74-3EEA-7090-0E73AF19AC3E} - C:\WINDOWS\apipy32.dll
O2 - BHO: (no name) - {482ED513-8F9F-5049-FF7A-8FB035464E5F} - (no file)
O2 - BHO: (no name) - {4C586B1B-6256-BDCF-44D6-F0436A542593} - (no file)
O2 - BHO: (no name) - {5130E8BC-9CAA-2FD0-FBA4-5C75D8103678} - (no file)
O2 - BHO: Class - {517564DA-70D9-1F28-3710-89856CB474C4} - C:\WINDOWS\system32\netgc.dll
O2 - BHO: Class - {53D3238B-64AB-2309-6B42-5DFB1EF3F534} - C:\WINDOWS\system32\javake.dll
O2 - BHO: Class - {55FF138B-75CF-C09E-5E79-49F7277CDB38} - C:\WINDOWS\winju32.dll
O2 - BHO: (no name) - {5B86A516-4121-F602-C428-DD7BCCE4EE39} - (no file)
O2 - BHO: (no name) - {5C24F68F-330D-3834-5594-F52CB787AE93} - (no file)
O2 - BHO: Class - {62B528F1-C07D-B10C-F50A-0AF9FF61D0BF} - C:\WINDOWS\winhl32.dll
O2 - BHO: (no name) - {69D74EF1-A99E-49CB-BA6C-079035E64ABD} - (no file)
O2 - BHO: (no name) - {6F839401-73C6-491F-12E1-322A9B568C20} - (no file)
O2 - BHO: (no name) - {795BB343-30B6-2B4F-FA68-F174D498229E} - (no file)
O2 - BHO: (no name) - {7E7E29DB-D5D8-8F9C-04D0-1F78794D1C99} - (no file)
O2 - BHO: Class - {83EF55DB-6787-8204-BD91-03202E65FD32} - C:\WINDOWS\addnf32.dll
O2 - BHO: (no name) - {86809FC5-8CA2-8DED-5B65-7DA0AD19966C} - (no file)
O2 - BHO: (no name) - {88EFDEE3-0CB7-1C95-AB61-56AA3EB9D50A} - (no file)
O2 - BHO: Class - {88F58E91-2349-CEB7-A893-765E5171E648} - C:\WINDOWS\netkn.dll
O2 - BHO: (no name) - {893180C0-5F10-202B-1AE8-1D36D4846035} - (no file)
O2 - BHO: (no name) - {8F602CAF-ED9C-5DE3-54F4-0D9DCC6602BF} - (no file)
O2 - BHO: (no name) - {A5365394-C0D5-0936-EEBA-1BEC0A99D851} - (no file)
O2 - BHO: (no name) - {A7282035-D21A-406F-F9D7-CBB7C3A1B094} - (no file)
O2 - BHO: (no name) - {A7669601-1B82-CF1B-BA2E-ADF97AF7322F} - (no file)
O2 - BHO: Class - {B0957B29-6605-0ACF-0683-0B29FEADFBE3} - C:\WINDOWS\system32\sysfc.dll
O2 - BHO: (no name) - {B1B856A8-E2CF-6D0D-E2E2-6F519F010848} - (no file)
O2 - BHO: (no name) - {B32D8461-B24C-D626-990B-16F9A99073D4} - (no file)
O2 - BHO: Class - {BC265548-7E29-C369-414D-740E3D1BFFD7} - C:\WINDOWS\netid.dll
O2 - BHO: Class - {BCE7D6C6-91F7-121B-8DD6-E434352088D3} - C:\WINDOWS\system32\winlw32.dll
O2 - BHO: (no name) - {BFA9AA21-50C4-1BA5-0F30-DCA239B508A3} - (no file)
O2 - BHO: (no name) - {C0E29FD4-F512-9647-CA15-C8EB9E72B58B} - (no file)
O2 - BHO: (no name) - {C46F610F-69B8-0E43-0278-24EDA37E1513} - (no file)
O2 - BHO: Class - {CDD0D83D-50AC-5BD8-C45A-EA169A5DD659} - C:\WINDOWS\system32\apicj32.dll
O2 - BHO: (no name) - {D8F6292A-632E-2FF8-816D-45BA7630E2DA} - (no file)
O2 - BHO: (no name) - {DF69CD81-6A3B-4A3D-064D-824D55DE3A0A} - (no file)
O2 - BHO: (no name) - {E394341A-2ED9-EFE0-6516-4B65343512E4} - (no file)
O2 - BHO: Class - {E6226C29-4068-EB26-B869-9B4C7E50B3E9} - C:\WINDOWS\javapj.dll
O2 - BHO: (no name) - {E699A80F-C737-7F27-8229-0B4D3F150CA9} - (no file)
O2 - BHO: Class - {EC43F6F8-5AA1-8014-25AE-50C174FA1822} - C:\WINDOWS\system32\crcj32.dll
O2 - BHO: Class - {F62510CB-ED83-E3EF-9E28-73519F1B7A0C} - C:\WINDOWS\d3ft32.dll

O4 - HKLM\..\Run: [d3ft32.exe] C:\WINDOWS\d3ft32.exe
O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\RunOnce: [atluc.exe] C:\WINDOWS\atluc.exe
O4 - HKLM\..\RunOnce: [appyt32.exe] C:\WINDOWS\appyt32.exe
O4 - HKLM\..\RunOnce: [ipni.exe] C:\WINDOWS\system32\ipni.exe
O4 - HKLM\..\RunOnce: [iewr.exe] C:\WINDOWS\system32\iewr.exe
O4 - HKLM\..\RunOnce: [addvm32.exe] C:\WINDOWS\system32\addvm32.exe
O4 - HKLM\..\RunOnce: [javama32.exe] C:\WINDOWS\system32\javama32.exe
O4 - HKLM\..\RunOnce: [appbl32.exe] C:\WINDOWS\system32\appbl32.exe
O4 - HKLM\..\RunOnce: [appkt.exe] C:\WINDOWS\system32\appkt.exe
O4 - HKLM\..\RunOnce: [crxy32.exe] C:\WINDOWS\system32\crxy32.exe
O4 - HKLM\..\RunOnce: [atlrr32.exe] C:\WINDOWS\system32\atlrr32.exe
O4 - HKLM\..\RunOnce: [apppm32.exe] C:\WINDOWS\system32\apppm32.exe
O4 - HKLM\..\RunOnce: [winek32.exe] C:\WINDOWS\system32\winek32.exe
O4 - HKLM\..\RunOnce: [javayd32.exe] C:\WINDOWS\system32\javayd32.exe
O4 - HKLM\..\RunOnce: [mfclp.exe] C:\WINDOWS\mfclp.exe
O4 - HKLM\..\RunOnce: [appan.exe] C:\WINDOWS\appan.exe
O4 - HKLM\..\RunOnce: [mslf32.exe] C:\WINDOWS\mslf32.exe
O4 - HKLM\..\RunOnce: [ieqw.exe] C:\WINDOWS\system32\ieqw.exe
O4 - HKLM\..\RunOnce: [syswt.exe] C:\WINDOWS\system32\syswt.exe
O4 - HKLM\..\RunOnce: [crgt32.exe] C:\WINDOWS\crgt32.exe
O4 - HKLM\..\RunOnce: [d3ok.exe] C:\WINDOWS\d3ok.exe
O4 - HKLM\..\RunOnce: [javapk.exe] C:\WINDOWS\javapk.exe
O4 - HKLM\..\RunOnce: [msqs.exe] C:\WINDOWS\msqs.exe
O4 - HKLM\..\RunOnce: [ipmk32.exe] C:\WINDOWS\system32\ipmk32.exe
O4 - HKLM\..\RunOnce: [apifu.exe] C:\WINDOWS\apifu.exe
O4 - HKLM\..\RunOnce: [ntzv32.exe] C:\WINDOWS\system32\ntzv32.exe
O4 - HKLM\..\RunOnce: [addny32.exe] C:\WINDOWS\addny32.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atluc.exe" /s (file missing)


Now, with all windows closed except HijackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders: see here - http://www.xtra.co.nz/help/0,,4155-1916458,00.html

files...

C:\WINDOWS\d3ft32.exe
C:\WINDOWS\system32\appbl32.exe
C:\WINDOWS\jwbcw.dll
C:\WINDOWS\addny32.dll
C:\WINDOWS\craa.dll
C:\WINDOWS\apies32.dll
C:\WINDOWS\crqy.dll
C:\WINDOWS\system32\addxh32.dll
C:\WINDOWS\javamf.dll
C:\WINDOWS\system32\cras.dll
C:\WINDOWS\apipy32.dll
C:\WINDOWS\system32\netgc.dll
C:\WINDOWS\system32\javake.dll
C:\WINDOWS\winju32.dll
C:\WINDOWS\winhl32.dll
C:\WINDOWS\addnf32.dll
C:\WINDOWS\netkn.dll
C:\WINDOWS\system32\sysfc.dll
C:\WINDOWS\netid.dll
C:\WINDOWS\system32\winlw32.dll
C:\WINDOWS\system32\apicj32.dll
C:\WINDOWS\javapj.dll
C:\WINDOWS\system32\crcj32.dll
C:\WINDOWS\d3ft32.dll
C:\WINDOWS\atluc.exe
C:\WINDOWS\appyt32.exe
C:\WINDOWS\system32\ipni.exe
C:\WINDOWS\system32\iewr.exe
C:\WINDOWS\system32\addvm32.exe
C:\WINDOWS\system32\javama32.exe
C:\WINDOWS\system32\appkt.exe
C:\WINDOWS\system32\crxy32.exe
C:\WINDOWS\system32\atlrr32.exe
C:\WINDOWS\system32\apppm32.exe
C:\WINDOWS\system32\winek32.exe
C:\WINDOWS\system32\javayd32.exe
C:\WINDOWS\mfclp.exe
C:\WINDOWS\appan.exe
C:\WINDOWS\mslf32.exe
C:\WINDOWS\system32\ieqw.exe
C:\WINDOWS\system32\syswt.exe
C:\WINDOWS\crgt32.exe
C:\WINDOWS\d3ok.exe
C:\WINDOWS\javapk.exe
C:\WINDOWS\msqs.exe
C:\WINDOWS\system32\ipmk32.exe
C:\WINDOWS\apifu.exe
C:\WINDOWS\system32\ntzv32.exe
C:\WINDOWS\addny32.exe

Search for...

lshosts32.exe

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If they are present and cannot be deleted because they're 'in use', try deleting them from "Safe Mode"; see here - http://service1.symantec.com/SUPPORT/ts ... ec_doc_nam

Run Cleanup to empty all your Temporary Internet Folders, as HijackThis and other programs leave a lot of junk behind:


http://cleanup.stevengould.org

===============

Post back a new log, and let me know how everything goes.

-

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands
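The fix list in the post above follows directly from the target field of each log entry. As an added example (not part of the post and not HijackThis's own code), the sketch below sorts O2, O4 and O23 lines into entries with a full path (the "files..." list), entries with only a bare file name (the "Search for..." step) and entries with no file on disk. The function names and action labels are hypothetical.

```python
import re

# Lines copied from the HijackThis entries quoted in the post above
# (the O23 service display name is shortened to its readable part).
SAMPLE_LOG = r"""
O2 - BHO: Class - {16A9AC51-3EDE-D225-D2B3-4F97BAC686BE} - C:\WINDOWS\system32\addxh32.dll
O2 - BHO: (no name) - {24EE5EA2-F68D-798A-5236-BCF1C98BD30E} - (no file)
O4 - HKLM\..\Run: [d3ft32.exe] C:\WINDOWS\d3ft32.exe
O4 - HKLM\..\Run: [LSASS Authority] lshosts32.exe
O4 - HKLM\..\RunOnce: [atluc.exe] C:\WINDOWS\atluc.exe
O23 - Service: Network Security Service - Unknown owner - C:\WINDOWS\atluc.exe" /s (file missing)
"""

# Drive-letter path ending in .exe/.dll, ignoring trailing quotes or switches.
ABS_PATH = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)

def classify(target):
    """Map an entry's file field to a follow-up action (labels are hypothetical)."""
    if target == "(no file)" or target.endswith("(file missing)"):
        return "registry-only", None            # nothing on disk; fixing the entry is enough
    match = ABS_PATH.match(target)
    if match:
        return "delete-file", match.group(1)    # full path known: goes on the file list
    return "search-by-name", target.split()[0]  # bare name: location must be searched for

def parse(log):
    """Group O2/O4/O23 entries by the follow-up action their file field calls for."""
    plan = {"delete-file": [], "search-by-name": [], "registry-only": []}
    for line in (raw.strip() for raw in log.splitlines()):
        code = line.split(" - ", 1)[0]
        if code in ("O2", "O23") and line.count(" - ") >= 2:
            target = line.rsplit(" - ", 1)[1]   # last " - " separated field
        elif code == "O4" and "] " in line:
            target = line.split("] ", 1)[1]     # text after the [value name]
        else:
            continue                            # other sections are not handled here
        action, value = classify(target)
        entry = value or line                   # registry-only keeps the whole log line
        if entry not in plan[action]:
            plan[action].append(entry)
    return plan

if __name__ == "__main__":
    for action, entries in parse(SAMPLE_LOG).items():
        print(action)
        for entry in entries:
            print("   ", entry)
```

The grouping only reflects what the log line says about the file; it does not judge whether an entry is malicious, which is the helper's call.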

still unable to update

by ken8809 » May 18th, 2005, 4:56 pm

For CWShredder, it reads "Unable to update"

For AboutBuster it begins to update and then a critical error box appears and reads "An error has occured while updating"


Shall I continue through your steps anyway?
ken8809
Regular Member
 
Posts: 17
Joined: May 17th, 2005, 9:47 am

by Bertha » May 18th, 2005, 5:00 pm

Just hang on a tick Ken,

Let me find out why you can't update, bear with me.

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

by Bertha » May 18th, 2005, 5:14 pm

Ken try this for me (thanks budfred/insipid)

Delete all copies that you have of AboutBuster and CWShredder (search for them to make sure you get them all).

Then, once you have done that, download them again from the links I gave and try to update them. Let me know if this works before carrying on with the fix.

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

no update

by ken8809 » May 18th, 2005, 5:29 pm

Deleted both, then downloaded both from the sites you provided, saved both to desktop, then unzipped AboutBuster into c:\aboutbuster

Same errors when updating as before



Should I begin to consider just reformatting my hard drive?
ken8809
Regular Member
 
Posts: 17
Joined: May 17th, 2005, 9:47 am

by ChrisRLG » May 18th, 2005, 6:28 pm

ken8809

Try the downloads from the top of this forum again - I have updated the file so it contains the latest version (as at today's date - v26), so you will not need to update it to have its latest ref file.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

cwshredder

by ken8809 » May 18th, 2005, 6:51 pm

I got the latest AboutBuster from the top of the forum... under the downloads tab


Can you point me in the direction of the latest CWShredder link?

thanks
ken8809
ken8809
Regular Member
 
Posts: 17
Joined: May 17th, 2005, 9:47 am

by ChrisRLG » May 18th, 2005, 6:55 pm

http://cwshredder.net/bin/CWShredder.exe

Not sure if that does store the latest ref file inside that download, BUT the About Buster was the important one to have updated.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK