started with trojan-spy.html.smitfraud.c

Post by evp » May 17th, 2005, 9:19 pm

First deleted c:\wp.exe & c:\wp.bmp.

Spybot & Ad-Aware got rid of 101 items, TrojanHorse and a-squared got rid of some more, NAV got rid of two viruses and more adware. Desktop shortcuts still unusable. Nothing shows in "All Programs". Nothing shows in Add/Remove programs. Can connect to internet but can't go anywhere.

I am REALLY annoyed at the people who write these things....

Please note that any fixes will have to be able to be downloaded then copied to CD, because the sick computer can't get online!

Here's the Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 6:18:08 PM, on 5/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {462ABAC7-66E3-5660-8CBA-66D2878BA39A} - C:\WINDOWS\system32\mfche.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ntfc32.exe] C:\WINDOWS\ntfc32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [winnr32.exe] C:\WINDOWS\system32\winnr32.exe
O4 - HKLM\..\Run: [apibv32.exe] C:\WINDOWS\apibv32.exe
O4 - HKLM\..\Run: [syswp32.exe] C:\WINDOWS\syswp32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dmgzzp.exe
O4 - HKLM\..\Run: [mfcay32.exe] C:\WINDOWS\system32\mfcay32.exe
O4 - HKLM\..\Run: [sdkvo32.exe] C:\WINDOWS\system32\sdkvo32.exe
O4 - HKLM\..\Run: [crpk32.exe] C:\WINDOWS\system32\crpk32.exe
O4 - HKLM\..\Run: [javavl.exe] C:\WINDOWS\system32\javavl.exe
O4 - HKLM\..\Run: [apiyu32.exe] C:\WINDOWS\system32\apiyu32.exe
O4 - HKLM\..\Run: [iecx.exe] C:\WINDOWS\iecx.exe
O4 - HKLM\..\Run: [atlbg32.exe] C:\WINDOWS\atlbg32.exe
O4 - HKLM\..\Run: [atlis32.exe] C:\WINDOWS\atlis32.exe
O4 - HKLM\..\Run: [apifj.exe] C:\WINDOWS\system32\apifj.exe
O4 - HKLM\..\Run: [addsd32.exe] C:\WINDOWS\system32\addsd32.exe
O4 - HKLM\..\Run: [mfcyn.exe] C:\WINDOWS\system32\mfcyn.exe
O4 - HKLM\..\Run: [atlyq.exe] C:\WINDOWS\atlyq.exe
O4 - HKLM\..\Run: [ipxj.exe] C:\WINDOWS\ipxj.exe
O4 - HKLM\..\Run: [ntpt.exe] C:\WINDOWS\system32\ntpt.exe
O4 - HKLM\..\Run: [mfctn32.exe] C:\WINDOWS\system32\mfctn32.exe
O4 - HKLM\..\Run: [nthj32.exe] C:\WINDOWS\nthj32.exe
O4 - HKLM\..\Run: [ntmn32.exe] C:\WINDOWS\system32\ntmn32.exe
O4 - HKLM\..\Run: [netbo.exe] C:\WINDOWS\system32\netbo.exe
O4 - HKLM\..\Run: [sysat32.exe] C:\WINDOWS\sysat32.exe
O4 - HKLM\..\Run: [mstt32.exe] C:\WINDOWS\system32\mstt32.exe
O4 - HKLM\..\Run: [iezf32.exe] C:\WINDOWS\iezf32.exe
O4 - HKLM\..\Run: [appls.exe] C:\WINDOWS\appls.exe
O4 - HKLM\..\Run: [sdkwh.exe] C:\WINDOWS\system32\sdkwh.exe
O4 - HKLM\..\Run: [sdkmu.exe] C:\WINDOWS\sdkmu.exe
O4 - HKLM\..\Run: [ntuh.exe] C:\WINDOWS\system32\ntuh.exe
O4 - HKLM\..\Run: [ipxz32.exe] C:\WINDOWS\system32\ipxz32.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: AutoTBar.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O21 - SSODL: HIDCBFED - {5905540B-6FD8-3704-0E34-4D3D224C0CCF} - C:\WINDOWS\System32\Oapiaqhh.dll (file missing)
O21 - SSODL: mtklef - {6E3C200D-8256-4559-9897-482BE9236A53} - C:\WINDOWS\System32\nxqd32.dll (file missing)
O21 - SSODL: mtkle - {C7A17401-AC3D-4873-B698-3306E31CDDDF} - C:\WINDOWS\System32\aarapo32.dll (file missing)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlxp.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
evp
Active Member
 
Posts: 8
Joined: May 14th, 2005, 1:43 pm
Location: north dakota

Post by askey127 » May 18th, 2005, 9:46 am

Hi. I'm askey127

I'll be helping you with your computer.
Give me a while to research your log and I will be back with you.
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by askey127 » May 18th, 2005, 4:25 pm

Hi evp,

This fix will take some patience on your part since it's now an offline machine.
Disconnect the infected computer from the internet and unplug the modem. Please don't re-attach until instructed to do so.
We will do all the downloads at once, so the online computer can write all the downloads to CD for transfer.
I would suggest printing a copy of this page to follow along.

===========================================================

Download these programs from these locations to your online computer, copy to CD, and install, unzip and/or copy ALL of them to the infected computer. Note your final install locations for each one so they will be easy to find when you need them.

===========================================================
Disable Microsoft Anti-Spyware
- Open Microsoft AntiSpyware. Click on Tools, Settings.
- In the left pane, Click on Real-time Protection.
- Under Startup Options, Uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
- Under Real-time spyware threat protection, Uncheck Enable real-time spyware threat protection (recommended).
- After you uncheck these, Click on the Save button and close Microsoft AntiSpyware.

- Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
(Reverse this process after your malware removal is complete).

===========================================================
Change Ad-Aware SE Settings
Open Ad-aware and click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen.
Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen.
Please Uncheck "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
Then select "Use custom scanning options" and click "Customize".
This will open the "Scan Settings" page.
Make sure ALL of the following are ON with a Green checkmark:
Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File


Then click on the "Tweak" Button to open up the tweak settings.
Open up the Scanning Engine section and make sure the following is ON with a Green checkmark:
Scan registry for all users instead of current user only

Make sure the following is Unchecked with a "red" X:
Unload recognized processes & modules during scan.

Open up the Cleaning Engine section and make sure ALL of the following are ON with a Green checkmark
Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot


Click the "Proceed" button to save settings.

Don't Scan yet. We will do it in Safe Mode.
===========================================================
Set Windows Explorer to see all files. (Start, My Computer, double click C:\ should get you into Windows Explorer)
For Win XP: you will not always be able to see hidden files and folders by default. Go to Start > Search, and under "All Files and Folders" choose "More advanced options". Make sure there are checks on "Search System Folders", "Search hidden files and folders", and "Search system subfolders".
Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and uncheck "Hide extensions for known file types" . Now click "Apply to all folders".
Click "Apply", then "OK".
===========================================================
Disable the Malware Service
Go to Start, Run and type Services.msc and click OK.
Scroll down and find the service called Network Security Service and double-click it.
In the next window that opens, click the Stop button, then click on Properties, and under the General Tab, change the Startup Type to Disabled.
Now choose Apply and OK.

Close ALL open windows.
===========================================================
Start Your Computer in Safe Mode. Tap F8 repeatedly while booting and select Safe Mode.
We will run the rest of the fix in Safe Mode.
===========================================================
Double click on the cwsserviceremove.reg file from your downloaded copy. Grant it permission to add the registry items.
===========================================================
Open CWShredder from your downloaded copy. Close all browser windows and click on the fix/next button.
===========================================================
Malware file deletion.
In Windows Explorer, find (F3) and delete just these files if present. The reported locations are given. If you can't find one, then just move on to the next one. TAKE EXTRA CARE NOT TO DELETE THE C:\WINDOWS\ OR C:\WINDOWS\SYSTEM32\ FOLDERS
C:\Windows\System32\ojhny.dll
C:\WINDOWS\system32\mfche.dll
C:\WINDOWS\ntfc32.exe
C:\WINDOWS\system32\winnr32.exe
C:\WINDOWS\apibv32.exe
C:\WINDOWS\syswp32.exe
C:\WINDOWS\System32\dmgzzp.exe
C:\WINDOWS\system32\mfcay32.exe
C:\WINDOWS\system32\sdkvo32.exe
C:\WINDOWS\system32\crpk32.exe
C:\WINDOWS\system32\javavl.exe
C:\WINDOWS\system32\apiyu32.exe
C:\WINDOWS\iecx.exe
C:\WINDOWS\atlbg32.exe
C:\WINDOWS\atlis32.exe
C:\WINDOWS\system32\apifj.exe
C:\WINDOWS\system32\addsd32.exe
C:\WINDOWS\system32\mfcyn.exe
C:\WINDOWS\atlyq.exe
C:\WINDOWS\ipxj.exe
C:\WINDOWS\system32\ntpt.exe
C:\WINDOWS\system32\mfctn32.exe
C:\WINDOWS\nthj32.exe
C:\WINDOWS\system32\ntmn32.exe
C:\WINDOWS\system32\netbo.exe
C:\WINDOWS\sysat32.exe
C:\WINDOWS\system32\mstt32.exe
C:\WINDOWS\iezf32.exe
C:\WINDOWS\appls.exe
C:\WINDOWS\system32\sdkwh.exe
C:\WINDOWS\sdkmu.exe
C:\WINDOWS\system32\ntuh.exe
C:\WINDOWS\system32\ipxz32.exe
C:\WINDOWS\System32\Oapiaqhh.dll
C:\WINDOWS\System32\nxqd32.dll
C:\WINDOWS\System32\aarapo32.dll
C:\WINDOWS\atlxp.exe

If you get an error when attempting to delete a file, Right click on the file and select Properties. Then check to see if the Read Only attribute is checked. If it is, Uncheck it, click Apply and OK. Then try deleting the file again. Please Note the names and folder locations of any files you cannot delete.
===========================================================
Remove log items with HijackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entries:
(Some of these line items may have already been removed. - do not be surprised if they are missing)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {462ABAC7-66E3-5660-8CBA-66D2878BA39A} - C:\WINDOWS\system32\mfche.dll (file missing)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ntfc32.exe] C:\WINDOWS\ntfc32.exe
O4 - HKLM\..\Run: [winnr32.exe] C:\WINDOWS\system32\winnr32.exe
O4 - HKLM\..\Run: [apibv32.exe] C:\WINDOWS\apibv32.exe
O4 - HKLM\..\Run: [syswp32.exe] C:\WINDOWS\syswp32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dmgzzp.exe
O4 - HKLM\..\Run: [mfcay32.exe] C:\WINDOWS\system32\mfcay32.exe
O4 - HKLM\..\Run: [sdkvo32.exe] C:\WINDOWS\system32\sdkvo32.exe
O4 - HKLM\..\Run: [crpk32.exe] C:\WINDOWS\system32\crpk32.exe
O4 - HKLM\..\Run: [javavl.exe] C:\WINDOWS\system32\javavl.exe
O4 - HKLM\..\Run: [apiyu32.exe] C:\WINDOWS\system32\apiyu32.exe
O4 - HKLM\..\Run: [iecx.exe] C:\WINDOWS\iecx.exe
O4 - HKLM\..\Run: [atlbg32.exe] C:\WINDOWS\atlbg32.exe
O4 - HKLM\..\Run: [atlis32.exe] C:\WINDOWS\atlis32.exe
O4 - HKLM\..\Run: [apifj.exe] C:\WINDOWS\system32\apifj.exe
O4 - HKLM\..\Run: [addsd32.exe] C:\WINDOWS\system32\addsd32.exe
O4 - HKLM\..\Run: [mfcyn.exe] C:\WINDOWS\system32\mfcyn.exe
O4 - HKLM\..\Run: [atlyq.exe] C:\WINDOWS\atlyq.exe
O4 - HKLM\..\Run: [ipxj.exe] C:\WINDOWS\ipxj.exe
O4 - HKLM\..\Run: [ntpt.exe] C:\WINDOWS\system32\ntpt.exe
O4 - HKLM\..\Run: [mfctn32.exe] C:\WINDOWS\system32\mfctn32.exe
O4 - HKLM\..\Run: [nthj32.exe] C:\WINDOWS\nthj32.exe
O4 - HKLM\..\Run: [ntmn32.exe] C:\WINDOWS\system32\ntmn32.exe
O4 - HKLM\..\Run: [netbo.exe] C:\WINDOWS\system32\netbo.exe
O4 - HKLM\..\Run: [sysat32.exe] C:\WINDOWS\sysat32.exe
O4 - HKLM\..\Run: [mstt32.exe] C:\WINDOWS\system32\mstt32.exe
O4 - HKLM\..\Run: [iezf32.exe] C:\WINDOWS\iezf32.exe
O4 - HKLM\..\Run: [appls.exe] C:\WINDOWS\appls.exe
O4 - HKLM\..\Run: [sdkwh.exe] C:\WINDOWS\system32\sdkwh.exe
O4 - HKLM\..\Run: [sdkmu.exe] C:\WINDOWS\sdkmu.exe
O4 - HKLM\..\Run: [ntuh.exe] C:\WINDOWS\system32\ntuh.exe
O4 - HKLM\..\Run: [ipxz32.exe] C:\WINDOWS\system32\ipxz32.exe

O21 - SSODL: HIDCBFED - {5905540B-6FD8-3704-0E34-4D3D224C0CCF} - C:\WINDOWS\System32\Oapiaqhh.dll (file missing)
O21 - SSODL: mtklef - {6E3C200D-8256-4559-9897-482BE9236A53} - C:\WINDOWS\System32\nxqd32.dll (file missing)
O21 - SSODL: mtkle - {C7A17401-AC3D-4873-B698-3306E31CDDDF} - C:\WINDOWS\System32\aarapo32.dll (file missing)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlxp.exe (file missing)


Make sure all other windows except HJT are closed, and Click Fix Checked.
===========================================================
Run CCleaner. Choose the Windows tab, and Analyze (be sure to let the Analyze portion finish. In heavily junk-laden older machines it could take up to 15 minutes). Then click Run Cleaner. When cleaning is finished, click Exit.
===========================================================
Run AboutBuster
Navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe
When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.
===========================================================
Scan with Adaware by opening it and clicking the "Next" button to start the scan.
When the scan is completed the Performing System Scan screen will change name to "Scan Complete".
Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.
Click the Critical Objects Tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a host file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.
To fix all the bad critical objects do the following:
Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.
When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.
===========================================================
Post a new log.
Reboot your computer. Start HijackThis.
If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, click Save Log, and paste the log contents into a reply with the online machine, along with the contents of the AboutBuster log.

After you save the new HJT log, leave the machine ON until I have a chance to review the log, since some of the filenames could change at each reboot.
===========================================================
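Added example, not from askey127's post or from the MalwareRemoval.com tooling: a short Python script that applies the judgement behind the fix list above to HijackThis lines. It flags R0/R1 values that point at a res:// resource inside a local DLL, any registration marked (file missing) or (no file), O4 Run entries that are bare filenames, are named after their own file, or are random-looking executables sitting directly in C:\WINDOWS or System32, a browser started at every logon, and O23 services whose short name carries whitespace or non-ASCII characters. The sample log lines are a constructed subset of the log above; the KNOWN_GOOD allowlist and the naming heuristics are this editor's assumptions, not HijackThis logic, so treat the output as a triage aid rather than a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of lines in the shape of the HijackThis log
# posted above, so the triage can run offline against realistic input.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ojhny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
O2 - BHO: Class - {462ABAC7-66E3-5660-8CBA-66D2878BA39A} - C:\WINDOWS\system32\mfche.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dmgzzp.exe
O4 - HKLM\..\Run: [ntfc32.exe] C:\WINDOWS\ntfc32.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O21 - SSODL: mtklef - {6E3C200D-8256-4559-9897-482BE9236A53} - C:\WINDOWS\System32\nxqd32.dll (file missing)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlxp.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Directories where a randomly named .exe has no business living.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Assumed allowlist for this demo: OEM/driver helpers on this build whose names
# happen to fit the random pattern. Real triage checks a vendor file database.
KNOWN_GOOD = {"hkcmd.exe", "nwiz.exe"}
RANDOM_EXE = re.compile(r"^[a-z]{2,7}(32)?\.exe$")
RES_HIJACK = re.compile(r"= res://.*\.dll", re.I)
EXE_HEAD = re.compile(r'^"([^"]+)"|^(.*?\.exe)(?=\s|$)', re.I)
O4_RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>.*?)\) - ")


def executable_of(cmd: str) -> str:
    """The program part of a Run command: a quoted path, or the text up to the first .exe."""
    m = EXE_HEAD.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def reasons_for_run(name: str, cmd: str) -> list:
    """Heuristics for one O4 autorun entry; an empty list means nothing stood out."""
    path = PureWindowsPath(executable_of(cmd))
    base, parent = path.name.lower(), str(path.parent).lower()
    reasons = []
    if parent == ".":
        reasons.append("bare filename, resolved through the PATH search order")
    if base == name.lower():
        reasons.append("autorun value is named after the file itself")
    if parent in WINDOWS_DIRS and RANDOM_EXE.match(base) and base not in KNOWN_GOOD:
        reasons.append("random-looking executable directly under the Windows directory")
    if base == "iexplore.exe":
        reasons.append("browser launched at every logon")
    return reasons


def triage(log_text: str) -> list:
    """Return the log lines worth a second look, each with the reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if " - " not in line:
            continue
        kind = line.split(" - ", 1)[0]
        reasons = []
        if kind in {"R0", "R1"} and RES_HIJACK.search(line):
            reasons.append("IE start/search page points into a local DLL resource")
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("registration points at a file that is no longer there")
        m = O4_RUN.match(line)
        if m:
            reasons += reasons_for_run(m["name"], m["cmd"])
        m = O23_SVC.match(line)
        if m and (m["short"] != m["short"].strip() or not m["short"].isascii()):
            reasons.append("service short name has whitespace or non-ASCII characters")
        if reasons:
            findings.append({"kind": kind, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], "|", f["line"][:90])
        for r in f["reasons"]:
            print("    -", r)
```

Run it directly to print the flagged lines with their reasons. The name-equals-file rule alone catches every random Run entry in the first log except [Cryptographic Service], which the random-name rule picks up instead; the allowlist is what keeps hkcmd.exe (Intel hotkeys) off the list, and on another machine that allowlist is the first thing to revisit.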

thanks askey

Post by evp » May 18th, 2005, 6:42 pm

I may not get all this done tonite, but want to thank you for your help so far!

Elaine

MS anti-spyware????, Services.msc

Post by evp » May 19th, 2005, 10:19 am

I've looked on the computer and can't find MS Anti-Spyware to disable it (looking for it caused me to notice that the Security Center option in Control Panel is missing.)

I'm going to continue with the remaining steps--if I get a message from something that looks like it's MS anti-spyware I'll stop until I hear back from you.

---------

LATER: Also can't run Services.msc. The Run option is not available in the Start menu. Found services.msc in c:\windows\system32, but got an error message: "MMC cannot open the file. This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file."

(I then booted to Safe Mode, where I have the option to select "Administrator" or "Owner" users, and Administrator got the same message. I had tried to install SP2 the other day, but it errored out. I suppose it's possible that it may have installed services.msc before it crashed?)

I now will NOT continue working on it until I hear back from you. (I might be able to install SP2 now, since I think it was a constantly reappearing error window that caused it to crash. The error window seems to be gone now. However, I won't do anything until I hear from you.)

Thanks, Elaine

Post by askey127 » May 20th, 2005, 5:30 am

OK, evp,

Don't try to install SP2. It has to wait until the machine is clean.

Print this out for reference.

Boot into Safe Mode.

Run HijackThis. Click Config, Misc Tools, Delete an NT Service. Type the following into the text field: Network Security Service. Then click OK.

Reboot into Safe Mode.

Continue following the original sequence that comes after "Disable Malware Service" and "Start Your Computer in Safe Mode", doing everything you are allowed.

Report back whichever steps don't work.

Post new logs per the last instruction.

didn't work

Post by evp » May 20th, 2005, 12:57 pm

When trying HJT, delete an NT Service, got the message: Service 'Network Security Service' was not found in the Registry. Make sure you entered the short name of the service.

So I went into the registry and found 6 occurrences of Network Security Service.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000

(Default) REG_SZ (value not set)
Class REG_SZ LegacyDriver
ClassGUID REG_SZ {8ECC055D-047F-11D1-A537-0000F8753ED1}
ConfigFlags REG_DWORD 0x00000000 (0)
DeviceDesc REG_SZ Network Security Service
Legacy REG_DWORD 0x00000000 (1)
Service REG_SZ 11Fßä#•°ÄÖ`I
* Note that there's a space before 11Fßä#•°ÄÖ`I

HKLM\SYSTEM\ControlSet001\Services\ 11Fßä#•°ÄÖ`I

(Default) REG_SZ (value not set)
DisplayName REG_SZ Network Security Service
ErrorControl REG_DWORD 0x00000000 (0)
FailureActions REG_BINARY ff ff ff ff 00 00 00 00 00 00 more that I didn't get
ImagePath REG_EXPAND_SZ C:\WINDOWS\atlxp.exe /s
ObjectName REG_SZ LocalSystem
Start REG_DWORD 0x00000002 (2)
Type REG_DWORD 0x00000020 (32)

There were also identical entries for both keys under HKLM\SYSTEM\ControlSet003 and HKLM\SYSTEM\CurrentControlSet.


The file atlxp.exe is very similar to several that TrojanHunter renamed (in c:\windows: atlbg32.exe, atlis32.exe, atlyq.exe, atlrn32.exe. In system32: atlyy.exe, atlpn32.exe).

Because of the similarity, I would feel comfortable deleting the entire registry entries in these six instances (after making a backup), and then following the original instructions from "Start Your Computer in Safe Mode".

However, I'm not doing anything until you tell me.

Thanks.

Post by askey127 » May 20th, 2005, 6:11 pm

evp:

I was trying to keep you out of the registry, but you are investigating in the right area.
It may be worth a try to get a command line with Start, Programs, Accessories, Command Prompt and attempt to run services.msc again to disable "Network Security Service".
If that doesn't work:
Try again to get HJT to stop the service first, to improve our chances of success. I would Edit\Copy the 'short' name of the service from the last HJT log, it's the one in parentheses ( 11Fßä#·ºÄÖ`I) without the parentheses. It does have a leading space. Paste it into the HJT 'Delete NT Service' dialog.

In any case, after trying these couple steps, please move on to the cwsserviceremove.reg file and continue with the fix.
When you call cwsserviceremove.reg, next on the list, it will automatically delete those registry entries with less risk for you than regedit.
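Added example for evp's registry dump and askey127's advice about the short name above (this editor's code, not something either of them ran): a Python script that parses reg query style output of the Services tree, explains why the key evp found cannot be typed into a dialog by hand (leading space, characters outside ASCII), flags an image sitting loose in C:\WINDOWS with automatic start, prints sc.exe commands with the name quoted so the space survives, and pulls the short name out of an O23 line exactly as askey127 describes. The registry text is constructed from the values evp posted plus the NVSvc entry from the log for contrast; on a real machine the assumed input is the output of reg query HKLM\SYSTEM\CurrentControlSet\Services /s.

```python
import re
import unicodedata

# Constructed sample in the shape of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
# output, built from the values evp transcribed above plus one ordinary service
# (NVSvc, from the HijackThis log) for contrast.
SAMPLE_REG_QUERY = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ 11Fßä#•°ÄÖ`I
    DisplayName    REG_SZ    Network Security Service
    ErrorControl    REG_DWORD    0x0
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\atlxp.exe /s
    ObjectName    REG_SZ    LocalSystem
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NVSvc
    DisplayName    REG_SZ    NVIDIA Driver Helper Service
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\nvsvc32.exe
    ObjectName    REG_SZ    LocalSystem
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x10
"""

VALUE_LINE = re.compile(r"^\s{2,}(?P<name>\S+)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
O23_LINE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>.*?)\) - ")


def parse_reg_query(text: str) -> dict:
    """Map each service key's short name (last path component, exactly as stored,
    leading spaces included) to its {value name: (type, data)} pairs."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.rsplit("\\", 1)[1]
            services[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                services[current][m["name"]] = (m["type"], m["data"].rstrip())
    return services


def name_problems(short_name: str) -> list:
    """Why a service key name cannot reliably be typed into a dialog by hand."""
    problems = []
    if short_name != short_name.strip():
        problems.append("leading or trailing whitespace")
    odd = [c for c in short_name if not (32 <= ord(c) <= 126)]
    if odd:
        problems.append("non-ASCII or control characters: " + ", ".join(
            f"U+{ord(c):04X} ({unicodedata.name(c, 'unnamed')})" for c in odd))
    return problems


def image_executable(image_path: str) -> str:
    """The program part of ImagePath: a quoted path, or the text before the first argument."""
    if image_path.startswith('"'):
        return image_path[1:].split('"', 1)[0]
    return image_path.split(" ", 1)[0]


def sc_commands(short_name: str) -> list:
    """sc.exe commands addressing the service by its exact short name; the quotes
    are what preserve the leading space when this is pasted into a command prompt."""
    q = f'"{short_name}"'
    return [f"sc stop {q}", f"sc config {q} start= disabled", f"sc delete {q}"]


def audit_services(reg_query_text: str) -> list:
    """Flag services whose key name is untypeable or whose image sits loose in
    the Windows directory, and return what a helper needs to act on them."""
    findings = []
    for short, values in parse_reg_query(reg_query_text).items():
        reasons = name_problems(short)
        image = values.get("ImagePath", ("", ""))[1]
        if WINDOWS_ROOT_EXE.match(image_executable(image)):
            reasons.append("image is an executable directly under the Windows directory")
        if reasons and values.get("Start", ("", ""))[1] == "0x2":
            reasons.append("Start=0x2 (automatic), so it comes back on every boot")
        if reasons:
            findings.append({
                "short_name": short,
                "display_name": values.get("DisplayName", ("", ""))[1],
                "image_path": image,
                "reasons": reasons,
                "commands": sc_commands(short),
            })
    return findings


def short_name_from_hjt(o23_line: str):
    """The text inside the parentheses of a HijackThis O23 line, spaces kept;
    this is what the 'Delete an NT service' dialog wants, not the display name."""
    m = O23_LINE.match(o23_line)
    return m["short"] if m else None


if __name__ == "__main__":
    for f in audit_services(SAMPLE_REG_QUERY):
        print(f"{f['display_name']!r} -> key name {f['short_name']!r}")
        for r in f["reasons"]:
            print("   -", r)
        for c in f["commands"]:
            print("   ", c)
```

CurrentControlSet is a link to one of the numbered control sets (the Select key says which), so the three copies evp saw are two real copies and one alias; cleaning the linked set cleans CurrentControlSet at the same time, and the other numbered set is normally the LastKnownGood configuration. sc.exe ships with XP, so the printed commands can be run from a Safe Mode command prompt if neither services.msc nor HijackThis will cooperate.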

new logs

Post by evp » May 20th, 2005, 9:22 pm

First, in the "Malware file deletion" section, I found absolutely none of the files. It is set to show hidden files & folders, system files, etc.

CCleaner wouldn't run. Got message "Run-time error '429': ActiveX component can't create object". (I first installed it in Safe Mode, then rebooted and installed over it in normal mode. Anyway, got the message in both Safe and normal modes.)

But everything else ran fine. Here's the AB log and a new HJT log. (However, I didn't update AB, because I didn't want to connect to the internet.)

Uh, I didn't run Killbox or Hoster because you didn't tell me to.... (I hope you're not ready to throttle me quite yet. :? )

Edited 5/21 7:15 a.m. Mountain time - New HJT log posted this morning. Had to turn off the computers last night because of thunderstorms.


Scanned at: 6:42:56 PM on: 5/20/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


=================================
Logfile of HijackThis v1.99.1
Scan saved at 7:14:29 AM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
evp
Active Member
Posts: 8
Joined: May 14th, 2005, 1:43 pm
Location: north dakota

Unread postby askey127 » May 21st, 2005, 9:23 am

I'm double checking your latest log.
Get back to you shortly.
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby askey127 » May 21st, 2005, 12:33 pm

Looks better.
We still do not want to connect to the internet.

===========================================================
Do a Manual Cleanup of Temp Files. Delete all files in the following folders. If any files resist deletion, right click and look at properties. If set to read-only, uncheck Read Only box and click Apply, OK. Then try to delete again. Don't delete any of the folders, just try to delete all the files contained therein.
C:\Windows\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Empty your "Recycle Bin"

===========================================================
Restore any deleted files
Using your online computer, look at the Merijn's Files site below and note the locations where these files are expected in Win XP SP1. You can download them all onto your online computer, and save in case you need any of them.
This infection frequently destroys or contaminates these system files.
Use Windows Search (Start, Search, All files and folders) to find following files:
control.exe
rundll32.exe
wmplayer.exe
msconfig.exe
notepad.exe
shell.dll
SDHelper.dll

If any are missing or not working properly, then you can download new copies from Merijn's Files here: http://www.richardthelionhearted.com/?url=merijn.richardthelionhearted.com Click on "Windows Files" in the navigation box on the left and follow the instructions there to install them where they belong for your WinXP. Note that, in some cases, there may be some different files for WinXP/SP1 than for XP with no Service Packs.
===========================================================
Run the Hoster you downloaded earlier. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
===========================================================
Post a new log.
Reboot your computer in Normal Mode. Start HijackThis.
If the opening screen shows, choose None of the above, just start the program.
Click Scan and Save Log. When the Scan is complete, paste the log contents in a reply, just to be sure there is nothing left to fix.
===========================================================
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

new log, one file wouldn't be deleted

Unread postby evp » May 21st, 2005, 3:10 pm

First, there was one file I could not delete in C:\Docs & Settings\<profile>\Local Settings\Temporary Internet Files. I was not given an option to change attributes, and couldn't even do it at the C: prompt. At the command prompt, it didn't even find any files (attrib -h didn't work). The file as displayed in Windows is named 01, no extension. (It's a Shockwave Flash Object and its internet address = http://spe.atdmt.com/ds/about a gazillion more characters that include yahoo_survey_win_grey_and a lot more chars.)

But I did everything else, and here's the new log:


Logfile of HijackThis v1.99.1
Scan saved at 1:01:16 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

=============
I still have the following problems. I didn't mention them before because I assumed getting rid of the malware would fix them. (I downloaded all the files from the Merijn site and installed as instructed.) I may need to reinstall Windows to fix everything?
-Control Panel - Security option still missing
-Control Panel - Add/Remove Programs list still does not populate
-Control Panel - title bar shows the name "Folder" (that can be fixed in the Registry, just letting you know)
-Control Panel - for every option but Add/Remove Programs, title bar shows the name "Folder"
-Control Panel - User Accounts option does not work
-Control Panel - first entry seems to be a blank folder that does nothing when I click on it
-Desktop - shortcuts don't work, except by Rt Click and Open
-Start, All Programs does nothing
-Start Menu still missing Run, Search, and Help & Support options

Now do you want to throttle me? ;) Anyway, if the malware is all gone, thanks very much for your help and I'll reinstall Windows to fix the above problems.
evp
Active Member
Posts: 8
Joined: May 14th, 2005, 1:43 pm
Location: north dakota
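As an added example (not from this thread, and not part of the HijackThis tool), a small Python parser for lines in the HijackThis v1.99.1 format posted above. It pulls out each entry's class, CLSID and file path, and flags the things a helper reads for first: "(file missing)" registrations like the wldr.dll O9 lines, O23 services listed as "Unknown owner", O20 Winlogon Notify DLLs, autostarts with no absolute path, and files started from outside the usual program directories. The sample log is constructed (the HKCU "[example]" Temp-folder autostart is invented) and the trusted-directory list is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v1.99.1 format, modelled on the log above.
# The "[example]" HKCU autostart is invented to exercise the location check.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O9 - Extra button: Microsoft AntiSpyware helper - {45504614-1DFC-45FF-8171-0BAFFDFC29F2} - C:\WINDOWS\System32\wldr.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")   # classified entries only ("O4 - ...")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)
# Assumption: where autostarts normally live on an HP WinXP machine like this one.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "c:\\hp\\")


@dataclass
class HjtEntry:
    kind: str                # entry class, e.g. "O4", "O9", "O23"
    text: str                # everything after "O4 - "
    clsid: Optional[str]     # first {GUID} on the line, if any
    path: Optional[str]      # first absolute .exe/.dll/.ocx path, if any
    flags: List[str] = field(default_factory=list)


def parse_hjt_log(log: str) -> List[HjtEntry]:
    """Return the classified entries; header and 'Running processes' lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(HjtEntry(kind, body, clsid.group(0) if clsid else None,
                                path.group(0) if path else None))
    return entries


def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Attach review flags and return only the entries that earned at least one."""
    for e in entries:
        if "(file missing)" in e.text:
            e.flags.append("orphaned registration: target file is gone")
        if e.kind == "O23" and "Unknown owner" in e.text:
            e.flags.append("service with no publisher information")
        if e.kind == "O20":
            e.flags.append("Winlogon Notify DLL loads at every logon; confirm it is known")
        if e.kind == "O4" and e.path is None:
            e.flags.append("autostart without an absolute path (resolved via PATH)")
        if e.path and not e.path.lower().startswith(TRUSTED_PREFIXES):
            e.flags.append("runs from an unusual location: " + e.path)
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt_log(SAMPLE_LOG)):
        print(e.kind, "|", e.text[:60], "|", "; ".join(e.flags))
```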

Unread postby askey127 » May 21st, 2005, 6:22 pm

Your log looks clean.

And, no, I don't want to throttle you. We are both working to a common goal: a good working machine, free of malware.
Let's clean up the last item showing. Since the file in \Temporary Internet Files is from atdmt.com, it is surely adware related.
Use Start, Programs, Accessories, System Tools, Disk Cleanup, check everything except "compress files".
Alternatively, in Internet Explorer, click Tools, Internet Options. Under the General tab, choose Clear History.
If the file remains, I would run Killbox, typing in the whole path and filename, and tell it to Delete On Reboot.

You may be able to tell which, if any, of your windows files are still corrupt by either comparing filesizes on the known problem files to those downloaded from Merijn, or by right clicking, looking at properties to see if they show Microsoft ownership properly.

Before you re-install, I would try this: if you can get to a command line by either Start, Run or Start, Programs, Accessories, Command Prompt:
Type in sfc /scannow (note: there is a space between sfc and /scannow). Hit Enter. This will replace any missing/corrupted system files. You will need your XP disc in your CD-ROM drive for this, as it will restore the files from the disc.

Once your computer behaves reasonably, I would re-connect the internet, and run an online scan immediately from Trend Micro at http://housecall.antivirus.com/

Then for further protection:
Disable and Enable System Restore.
Windows XP System Restore Guide
This disable/re-enable sequence is not to be done regularly, but only once, each time after successful removal of a malware infection.
Secure your Internet Explorer
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to - Prompt
- Change the Navigate sub-frames across different domains to - Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Press the Apply button and then the OK to exit the Internet Properties page.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. An article on anti-malware products with links to this program and others can be found here:
Computer Safety on line - Anti-Malware

Install WinPatrol - Download and Install WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system. It also provides selective cookie management.

Get updated to Service Pack 2. Go to the Windows Update site to get the critical updates.
If the Service Pack 2 download is too large, you can get a FREE copy on CD from Microsoft here

Let me know of progress, and if there is anything further we can do to help, please add a reply here.
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby ChrisRLG » June 1st, 2005, 4:30 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK