Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

CoolWWWSearch Problem

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

CoolWWWSearch Problem

Unread postby Taff36 » August 26th, 2005, 4:19 am

I think all of these are linked because Spybot warns that some are in memory and can`t delete them. CoolWWWSearch.aff.winshow / .homesearch / .SearchKlick / .Yexe plus Trex Blue Error Nuker and Wild Tangent. Error Log follows - Any help appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 08:17:40, on 26/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Teresa\My Documents\TEMP\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xpgwv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xpgwv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xpgwv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xpgwv.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {FB9C0E2C-9054-C0EA-4D57-F9CCE6487636} - C:\WINDOWS\system32\ipau.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [winrj32.exe] C:\WINDOWS\winrj32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [d3le32.exe] C:\WINDOWS\system32\d3le32.exe
O4 - HKLM\..\Run: [javaew.exe] C:\WINDOWS\system32\javaew.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunOnce: [winbl.exe] C:\WINDOWS\system32\winbl.exe
O4 - HKLM\..\RunOnce: [sdkqq.exe] C:\WINDOWS\sdkqq.exe
O4 - HKLM\..\RunOnce: [atlza.exe] C:\WINDOWS\system32\atlza.exe
O4 - HKLM\..\RunOnce: [javarc32.exe] C:\WINDOWS\system32\javarc32.exe
O4 - HKLM\..\RunOnce: [netvg.exe] C:\WINDOWS\system32\netvg.exe
O4 - HKLM\..\RunOnce: [ievi.exe] C:\WINDOWS\ievi.exe
O4 - HKLM\..\RunOnce: [syslt32.exe] C:\WINDOWS\system32\syslt32.exe
O4 - HKLM\..\RunOnce: [netml.exe] C:\WINDOWS\netml.exe
O4 - HKLM\..\RunOnce: [javatp.exe] C:\WINDOWS\javatp.exe
O4 - HKLM\..\RunOnce: [mszp32.exe] C:\WINDOWS\mszp32.exe
O4 - HKLM\..\RunOnce: [apioc32.exe] C:\WINDOWS\apioc32.exe
O4 - HKLM\..\RunOnce: [sdkgn.exe] C:\WINDOWS\system32\sdkgn.exe
O4 - HKLM\..\RunOnce: [ntfo32.exe] C:\WINDOWS\system32\ntfo32.exe
O4 - HKLM\..\RunOnce: [atlph.exe] C:\WINDOWS\atlph.exe
O4 - HKLM\..\RunOnce: [sdkxw.exe] C:\WINDOWS\system32\sdkxw.exe
O4 - HKLM\..\RunOnce: [msnw32.exe] C:\WINDOWS\msnw32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://portal.ulstercarpets.com/iNotes6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipwt.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK
Advertisement
Register to Remove

About Blank

Unread postby Taff36 » August 26th, 2005, 4:21 am

That`s the main reason for checking this particular system - It keeps coming back too!
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Unread postby NikkJ » August 26th, 2005, 3:46 pm

Hi, :hello2:

Please download About:Buster and unzip it to your desktop. Don´t run it yet.
You currently are running HijackThis from C:\Documents and Settings\Teresa\My Documents\TEMP\HijackThis\HijackThis.exe

Please make a folder here:
c:\HJT and place HijackThis in that folder.

DO NOT follow the steps below until you have moved HijackThis

  1. Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.
  2. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
    Scroll down and find the service called "Remote Procedure Call (RPC) Helper". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.
  3. Reboot to Safe Mode
    How to start the computer in Safe mode
  4. Make sure your PC is configured to show hidden files

    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"
  5. Run a Scan Only with Hijack This and put a check next to all of the following lines.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xpgwv.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xpgwv.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xpgwv.dll/sp.html#37049
    O2 - BHO: Class - {FB9C0E2C-9054-C0EA-4D57-F9CCE6487636} - C:\WINDOWS\system32\ipau.dll
    O4 - HKLM\..\Run: [winrj32.exe] C:\WINDOWS\winrj32.exe
    O4 - HKLM\..\Run: [d3le32.exe] C:\WINDOWS\system32\d3le32.exe
    O4 - HKLM\..\Run: [javaew.exe] C:\WINDOWS\system32\javaew.exe
    O4 - HKLM\..\RunOnce: [winbl.exe] C:\WINDOWS\system32\winbl.exe
    O4 - HKLM\..\RunOnce: [sdkqq.exe] C:\WINDOWS\sdkqq.exe
    O4 - HKLM\..\RunOnce: [atlza.exe] C:\WINDOWS\system32\atlza.exe
    O4 - HKLM\..\RunOnce: [javarc32.exe] C:\WINDOWS\system32\javarc32.exe
    O4 - HKLM\..\RunOnce: [netvg.exe] C:\WINDOWS\system32\netvg.exe
    O4 - HKLM\..\RunOnce: [ievi.exe] C:\WINDOWS\ievi.exe
    O4 - HKLM\..\RunOnce: [syslt32.exe] C:\WINDOWS\system32\syslt32.exe
    O4 - HKLM\..\RunOnce: [netml.exe] C:\WINDOWS\netml.exe
    O4 - HKLM\..\RunOnce: [javatp.exe] C:\WINDOWS\javatp.exe
    O4 - HKLM\..\RunOnce: [mszp32.exe] C:\WINDOWS\mszp32.exe
    O4 - HKLM\..\RunOnce: [apioc32.exe] C:\WINDOWS\apioc32.exe
    O4 - HKLM\..\RunOnce: [sdkgn.exe] C:\WINDOWS\system32\sdkgn.exe
    O4 - HKLM\..\RunOnce: [ntfo32.exe] C:\WINDOWS\system32\ntfo32.exe
    O4 - HKLM\..\RunOnce: [atlph.exe] C:\WINDOWS\atlph.exe
    O4 - HKLM\..\RunOnce: [sdkxw.exe] C:\WINDOWS\system32\sdkxw.exe
    O4 - HKLM\..\RunOnce: [msnw32.exe] C:\WINDOWS\msnw32.exe
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipwt.exe (file missing)


    CLOSE ALL WINDOWS AND BROWSERS . and then click on Fix Checked.
  6. Delete the following files if present.
    C:\WINDOWS\ipwt.exe << This file
    C:\WINDOWS\msnw32.exe << This file
    C:\WINDOWS\system32\sdkxw.exe << This file
    C:\WINDOWS\atlph.exe << This file
    C:\WINDOWS\system32\ntfo32.exe << This file
    C:\WINDOWS\system32\sdkgn.exe << This file
    C:\WINDOWS\apioc32.exe << This file
    C:\WINDOWS\mszp32.exe << This file
    C:\WINDOWS\javatp.exe << This file
    C:\WINDOWS\netml.exe << This file
    C:\WINDOWS\system32\syslt32.exe << This file
    C:\WINDOWS\ievi.exe << This file
    C:\WINDOWS\system32\netvg.exe << This file
    C:\WINDOWS\system32\javarc32.exe << This file
    C:\WINDOWS\system32\atlza.exe << This file
    C:\WINDOWS\sdkqq.exe << This file
    C:\WINDOWS\system32\winbl.exe << This file
    C:\WINDOWS\system32\javaew.exe << This file
    C:\WINDOWS\system32\d3le32.exe << This file
    C:\WINDOWS\winrj32.exe << This file
    C:\WINDOWS\system32\ipau.dll << This file
    C:\WINDOWS\xpgwv.dll << This file

  7. Make sure your PC is configured to re-hide hidden files

    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is unchecked.
    Also check "Hide protected operating system files" and tick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"
  8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.
  9. Scan with Adaware and let it remove any bad files found.
  10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
  11. Reboot to normal mode, scan again with Hijack This and post a new log here.
  12. Finally, do an online scan HERE. Let it remove any infected files found.
  • Replace Deleted Files
  • It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.
  • Go here and download the version of control.exe for your operating system. Copy it to c:\windows\system32\.
  • Download the Hoster from here. Press 'Restore Original Hosts' and press 'OK'
  • Exit Program.
  • You have Spybot S&D installed and you may need to replace one file.
    Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.
    Go to Internet Options/Security/Internet, press 'default level', then OK.
    Now press "Custom Level."
    In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
    second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.
User avatar
NikkJ
MRU Honors Grad Emeritus
 
Posts: 413
Joined: June 16th, 2005, 12:26 pm
Location: London

Unread postby Taff36 » August 27th, 2005, 4:33 am

Morning!

Thanks for the response. It seems to make sense to me but I am away for the Bank Holiday weekend. I will follow your instructions on Tuesday and post back as you suggested. Hope the weather`s better in London - pretty grim here in the Midlands! Regards Taff36.
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Unread postby NikkJ » August 27th, 2005, 4:45 am

Image

Just the same here. As you say, it's Bank Holiday Weekend.
User avatar
NikkJ
MRU Honors Grad Emeritus
 
Posts: 413
Joined: June 16th, 2005, 12:26 pm
Location: London

Unread postby Taff36 » August 27th, 2005, 5:01 am

NickJ,

I`ve downloaded all the files I need. Note that the link to Hoster is an AOL link and I can`t get at it. I have a copy of Hoster anyway but I don`t know which version - will it matter? Also I`m using Spybot S&D v1.4 - the last file you suggested is for v1.3 - does this affect anything? I could just copy the file from my other computer that runs v1.4 and replace the potentially infected one. Regards
Taff
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Unread postby NikkJ » August 27th, 2005, 1:26 pm

Try this link for Hoster. It is most, likely the same but you may as well get a new copy.
Stick with your version of Spybot, just make sure that you have updated the definitions before you run it. Edit: If you have the same version on your other machine, do as you suggested and get the files from there.

Nick
User avatar
NikkJ
MRU Honors Grad Emeritus
 
Posts: 413
Joined: June 16th, 2005, 12:26 pm
Location: London

Unread postby Taff36 » August 30th, 2005, 11:48 am

Didn`t go quite as expected. Quite a few of the items in the safe mode HijackThis file were not there to be removed. Similarly with the files to be manually removed. About Buster v5 with ref file 28 that I downloaded doesn`t seem to work quite as you said. The button says "Begin Removal" and there wasn`t a log at the end - I got a "Run time error: File already open" clicked OK and the box behind it disappeared before I could do anything! Anyway log follows but about blank is still there I`m afraid - looking forward to round 2!

Logfile of HijackThis v1.99.1
Scan saved at 16:29:18, on 30/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\d3cn.exe
C:\WINDOWS\system32\d3ie.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Xerox One Touch\OneTouchMon.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\awjcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awjcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\awjcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\awjcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awjcj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\awjcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Teresa`s Internet Explorer provided by TAFF !!
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {33B83AED-E143-6D33-8C35-97CF4D6BD485} - C:\WINDOWS\system32\mfcri32.dll
O2 - BHO: Class - {FEDEDE09-9933-49F9-EDC7-9EFF9FDECDCB} - C:\WINDOWS\system32\javafo32.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [mscd32.exe] C:\WINDOWS\system32\mscd32.exe
O4 - HKLM\..\Run: [iprw32.exe] C:\WINDOWS\system32\iprw32.exe
O4 - HKLM\..\Run: [crqi.exe] C:\WINDOWS\system32\crqi.exe
O4 - HKLM\..\Run: [sdkah.exe] C:\WINDOWS\system32\sdkah.exe
O4 - HKLM\..\Run: [appqq.exe] C:\WINDOWS\system32\appqq.exe
O4 - HKLM\..\Run: [appjy.exe] C:\WINDOWS\appjy.exe
O4 - HKLM\..\Run: [javafv32.exe] C:\WINDOWS\javafv32.exe
O4 - HKLM\..\Run: [d3cn.exe] C:\WINDOWS\system32\d3cn.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunOnce: [mskr32.exe] C:\WINDOWS\mskr32.exe
O4 - HKLM\..\RunOnce: [msay32.exe] C:\WINDOWS\msay32.exe
O4 - HKLM\..\RunOnce: [ntmw.exe] C:\WINDOWS\system32\ntmw.exe
O4 - HKLM\..\RunOnce: [winpe32.exe] C:\WINDOWS\system32\winpe32.exe
O4 - HKLM\..\RunOnce: [addxg.exe] C:\WINDOWS\addxg.exe
O4 - HKLM\..\RunOnce: [ntbn32.exe] C:\WINDOWS\ntbn32.exe
O4 - HKLM\..\RunOnce: [mfcsb32.exe] C:\WINDOWS\system32\mfcsb32.exe
O4 - HKLM\..\RunOnce: [netag.exe] C:\WINDOWS\netag.exe
O4 - HKLM\..\RunOnce: [atlyj.exe] C:\WINDOWS\system32\atlyj.exe
O4 - HKLM\..\RunOnce: [javaqy.exe] C:\WINDOWS\system32\javaqy.exe
O4 - HKLM\..\RunOnce: [crkz.exe] C:\WINDOWS\crkz.exe
O4 - HKLM\..\RunOnce: [ipol32.exe] C:\WINDOWS\ipol32.exe
O4 - HKLM\..\RunOnce: [ielj32.exe] C:\WINDOWS\system32\ielj32.exe
O4 - HKLM\..\RunOnce: [sysbp32.exe] C:\WINDOWS\sysbp32.exe
O4 - HKLM\..\RunOnce: [ipqr.exe] C:\WINDOWS\ipqr.exe
O4 - HKLM\..\RunOnce: [sysoq32.exe] C:\WINDOWS\system32\sysoq32.exe
O4 - HKLM\..\RunOnce: [sysvf.exe] C:\WINDOWS\sysvf.exe
O4 - HKLM\..\RunOnce: [netdf32.exe] C:\WINDOWS\system32\netdf32.exe
O4 - HKLM\..\RunOnce: [sdkqh.exe] C:\WINDOWS\sdkqh.exe
O4 - HKLM\..\RunOnce: [mfcnu.exe] C:\WINDOWS\system32\mfcnu.exe
O4 - HKLM\..\RunOnce: [nettw32.exe] C:\WINDOWS\system32\nettw32.exe
O4 - HKLM\..\RunOnce: [apivk32.exe] C:\WINDOWS\system32\apivk32.exe
O4 - HKLM\..\RunOnce: [ntyc32.exe] C:\WINDOWS\system32\ntyc32.exe
O4 - HKLM\..\RunOnce: [ipcs32.exe] C:\WINDOWS\system32\ipcs32.exe
O4 - HKLM\..\RunOnce: [crdj32.exe] C:\WINDOWS\crdj32.exe
O4 - HKLM\..\RunOnce: [winjc32.exe] C:\WINDOWS\system32\winjc32.exe
O4 - HKLM\..\RunOnce: [appfv32.exe] C:\WINDOWS\system32\appfv32.exe
O4 - HKLM\..\RunOnce: [sysvp32.exe] C:\WINDOWS\sysvp32.exe
O4 - HKLM\..\RunOnce: [d3dp.exe] C:\WINDOWS\system32\d3dp.exe
O4 - HKLM\..\RunOnce: [appyv32.exe] C:\WINDOWS\system32\appyv32.exe
O4 - HKLM\..\RunOnce: [d3dx.exe] C:\WINDOWS\d3dx.exe
O4 - HKLM\..\RunOnce: [msyo.exe] C:\WINDOWS\system32\msyo.exe
O4 - HKLM\..\RunOnce: [appbc.exe] C:\WINDOWS\system32\appbc.exe
O4 - HKLM\..\RunOnce: [d3hw32.exe] C:\WINDOWS\d3hw32.exe
O4 - HKLM\..\RunOnce: [ieai.exe] C:\WINDOWS\ieai.exe
O4 - HKLM\..\RunOnce: [crlm32.exe] C:\WINDOWS\crlm32.exe
O4 - HKLM\..\RunOnce: [apihw.exe] C:\WINDOWS\system32\apihw.exe
O4 - HKLM\..\RunOnce: [d3cg32.exe] C:\WINDOWS\system32\d3cg32.exe
O4 - HKLM\..\RunOnce: [javagq.exe] C:\WINDOWS\system32\javagq.exe
O4 - HKLM\..\RunOnce: [winkx32.exe] C:\WINDOWS\system32\winkx32.exe
O4 - HKLM\..\RunOnce: [d3ik32.exe] C:\WINDOWS\d3ik32.exe
O4 - HKLM\..\RunOnce: [appdq.exe] C:\WINDOWS\system32\appdq.exe
O4 - HKLM\..\RunOnce: [nthy32.exe] C:\WINDOWS\system32\nthy32.exe
O4 - HKLM\..\RunOnce: [iece32.exe] C:\WINDOWS\iece32.exe
O4 - HKLM\..\RunOnce: [mfcxn32.exe] C:\WINDOWS\mfcxn32.exe
O4 - HKLM\..\RunOnce: [mfcpd.exe] C:\WINDOWS\system32\mfcpd.exe
O4 - HKLM\..\RunOnce: [netzq.exe] C:\WINDOWS\system32\netzq.exe
O4 - HKLM\..\RunOnce: [sdkzd.exe] C:\WINDOWS\sdkzd.exe
O4 - HKLM\..\RunOnce: [crby.exe] C:\WINDOWS\crby.exe
O4 - HKLM\..\RunOnce: [msbe.exe] C:\WINDOWS\system32\msbe.exe
O4 - HKLM\..\RunOnce: [apien32.exe] C:\WINDOWS\apien32.exe
O4 - HKLM\..\RunOnce: [sysxm.exe] C:\WINDOWS\system32\sysxm.exe
O4 - HKLM\..\RunOnce: [sdksb.exe] C:\WINDOWS\system32\sdksb.exe
O4 - HKLM\..\RunOnce: [atlla32.exe] C:\WINDOWS\atlla32.exe
O4 - HKLM\..\RunOnce: [winaj.exe] C:\WINDOWS\system32\winaj.exe
O4 - HKLM\..\RunOnce: [atlsp.exe] C:\WINDOWS\atlsp.exe
O4 - HKLM\..\RunOnce: [ntkl32.exe] C:\WINDOWS\system32\ntkl32.exe
O4 - HKLM\..\RunOnce: [apidk.exe] C:\WINDOWS\system32\apidk.exe
O4 - HKLM\..\RunOnce: [ipdy32.exe] C:\WINDOWS\ipdy32.exe
O4 - HKLM\..\RunOnce: [ipsu32.exe] C:\WINDOWS\ipsu32.exe
O4 - HKLM\..\RunOnce: [d3mm32.exe] C:\WINDOWS\system32\d3mm32.exe
O4 - HKLM\..\RunOnce: [d3ie.exe] C:\WINDOWS\system32\d3ie.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://portal.ulstercarpets.com/iNotes6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mskr32.exe" /s (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

By the way - on reboot I got a message that said "d3ie bad image please check against your installation diskette" - Avast seems to be picking something up as well but I don`t see the messages too well something about DCOM?

Regards

Peter
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Unread postby NikkJ » August 30th, 2005, 1:40 pm

Hi Peter
The weather is fantastic here and I'm off out into the garden while I leave you a few things to do.
Enjoy :lol:
EDIT: I want you to download and install another browser, because for the moment I strongly suggest NOT to use Internet Explorer, because everytime you open it, new malware could be downloaded.
I suggestFirefox instead.When your system is clean again, you can go back to IE. : END OF EDIT

If About:Blank ran all the way through it should have created a log file in the directory you ran it from (Desktop, I believe). If it's there please copy it to me here. If not, don't worry.

  • Please download Ewido Security Suite.
    • Now open Ewido. DO NOT RUN IT.
    • Update the definitons for Ewido.
    • Now close Ewido for right now.
  • Please set your system to show all files
    • Click Start.
    • Open My Computer
    • SelectTools menu
    • Click Folder Options.
    • Select the View Tab.
    • Select Show hidden files and foldersin the Hidden files and folders section.
    • Uncheck Hide protected operating system files (recommended) option.
    • Uncheck the Hide file extensions for known file types option.
    • Click Yes.
    • Click OK.

    Disconnect from the internet.

    You are using Avast, which I do not any personal experience of. It is possible that it is interfering with some of the fixes. Could you please disable it from monitoring your system in the background? (DON'T FORGET TO RE-ENABLE IT BEFORE YOU GO BACK ONTO THE INTERNET)

  • Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
    • Scroll down and find the service called "Remote Procedure Call (RPC) Helper". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.
    Reboot in Safe mode
  • Close all programs leaving only HijackThis running. Place a check against each of the following lines:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\awjcj.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awjcj.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\awjcj.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\awjcj.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awjcj.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\awjcj.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {33B83AED-E143-6D33-8C35-97CF4D6BD485} - C:\WINDOWS\system32\mfcri32.dll
    O2 - BHO: Class - {FEDEDE09-9933-49F9-EDC7-9EFF9FDECDCB} - C:\WINDOWS\system32\javafo32.dll
    O4 - HKLM\..\Run: [mscd32.exe] C:\WINDOWS\system32\mscd32.exe
    O4 - HKLM\..\Run: [iprw32.exe] C:\WINDOWS\system32\iprw32.exe
    O4 - HKLM\..\Run: [crqi.exe] C:\WINDOWS\system32\crqi.exe
    O4 - HKLM\..\Run: [sdkah.exe] C:\WINDOWS\system32\sdkah.exe
    O4 - HKLM\..\Run: [appqq.exe] C:\WINDOWS\system32\appqq.exe
    O4 - HKLM\..\Run: [appjy.exe] C:\WINDOWS\appjy.exe
    O4 - HKLM\..\Run: [javafv32.exe] C:\WINDOWS\javafv32.exe
    O4 - HKLM\..\Run: [d3cn.exe] C:\WINDOWS\system32\d3cn.exe
    O4 - HKLM\..\RunOnce: [mskr32.exe] C:\WINDOWS\mskr32.exe
    O4 - HKLM\..\RunOnce: [msay32.exe] C:\WINDOWS\msay32.exe
    O4 - HKLM\..\RunOnce: [ntmw.exe] C:\WINDOWS\system32\ntmw.exe
    O4 - HKLM\..\RunOnce: [winpe32.exe] C:\WINDOWS\system32\winpe32.exe
    O4 - HKLM\..\RunOnce: [addxg.exe] C:\WINDOWS\addxg.exe
    O4 - HKLM\..\RunOnce: [ntbn32.exe] C:\WINDOWS\ntbn32.exe
    O4 - HKLM\..\RunOnce: [mfcsb32.exe] C:\WINDOWS\system32\mfcsb32.exe
    O4 - HKLM\..\RunOnce: [netag.exe] C:\WINDOWS\netag.exe
    O4 - HKLM\..\RunOnce: [atlyj.exe] C:\WINDOWS\system32\atlyj.exe
    O4 - HKLM\..\RunOnce: [javaqy.exe] C:\WINDOWS\system32\javaqy.exe
    O4 - HKLM\..\RunOnce: [crkz.exe] C:\WINDOWS\crkz.exe
    O4 - HKLM\..\RunOnce: [ipol32.exe] C:\WINDOWS\ipol32.exe
    O4 - HKLM\..\RunOnce: [ielj32.exe] C:\WINDOWS\system32\ielj32.exe
    O4 - HKLM\..\RunOnce: [sysbp32.exe] C:\WINDOWS\sysbp32.exe
    O4 - HKLM\..\RunOnce: [ipqr.exe] C:\WINDOWS\ipqr.exe
    O4 - HKLM\..\RunOnce: [sysoq32.exe] C:\WINDOWS\system32\sysoq32.exe
    O4 - HKLM\..\RunOnce: [sysvf.exe] C:\WINDOWS\sysvf.exe
    O4 - HKLM\..\RunOnce: [netdf32.exe] C:\WINDOWS\system32\netdf32.exe
    O4 - HKLM\..\RunOnce: [sdkqh.exe] C:\WINDOWS\sdkqh.exe
    O4 - HKLM\..\RunOnce: [mfcnu.exe] C:\WINDOWS\system32\mfcnu.exe
    O4 - HKLM\..\RunOnce: [nettw32.exe] C:\WINDOWS\system32\nettw32.exe
    O4 - HKLM\..\RunOnce: [apivk32.exe] C:\WINDOWS\system32\apivk32.exe
    O4 - HKLM\..\RunOnce: [ntyc32.exe] C:\WINDOWS\system32\ntyc32.exe
    O4 - HKLM\..\RunOnce: [ipcs32.exe] C:\WINDOWS\system32\ipcs32.exe
    O4 - HKLM\..\RunOnce: [crdj32.exe] C:\WINDOWS\crdj32.exe
    O4 - HKLM\..\RunOnce: [winjc32.exe] C:\WINDOWS\system32\winjc32.exe
    O4 - HKLM\..\RunOnce: [appfv32.exe] C:\WINDOWS\system32\appfv32.exe
    O4 - HKLM\..\RunOnce: [sysvp32.exe] C:\WINDOWS\sysvp32.exe
    O4 - HKLM\..\RunOnce: [d3dp.exe] C:\WINDOWS\system32\d3dp.exe
    O4 - HKLM\..\RunOnce: [appyv32.exe] C:\WINDOWS\system32\appyv32.exe
    O4 - HKLM\..\RunOnce: [d3dx.exe] C:\WINDOWS\d3dx.exe
    O4 - HKLM\..\RunOnce: [msyo.exe] C:\WINDOWS\system32\msyo.exe
    O4 - HKLM\..\RunOnce: [appbc.exe] C:\WINDOWS\system32\appbc.exe
    O4 - HKLM\..\RunOnce: [d3hw32.exe] C:\WINDOWS\d3hw32.exe
    O4 - HKLM\..\RunOnce: [ieai.exe] C:\WINDOWS\ieai.exe
    O4 - HKLM\..\RunOnce: [crlm32.exe] C:\WINDOWS\crlm32.exe
    O4 - HKLM\..\RunOnce: [apihw.exe] C:\WINDOWS\system32\apihw.exe
    O4 - HKLM\..\RunOnce: [d3cg32.exe] C:\WINDOWS\system32\d3cg32.exe
    O4 - HKLM\..\RunOnce: [javagq.exe] C:\WINDOWS\system32\javagq.exe
    O4 - HKLM\..\RunOnce: [winkx32.exe] C:\WINDOWS\system32\winkx32.exe
    O4 - HKLM\..\RunOnce: [d3ik32.exe] C:\WINDOWS\d3ik32.exe
    O4 - HKLM\..\RunOnce: [appdq.exe] C:\WINDOWS\system32\appdq.exe
    O4 - HKLM\..\RunOnce: [nthy32.exe] C:\WINDOWS\system32\nthy32.exe
    O4 - HKLM\..\RunOnce: [iece32.exe] C:\WINDOWS\iece32.exe
    O4 - HKLM\..\RunOnce: [mfcxn32.exe] C:\WINDOWS\mfcxn32.exe
    O4 - HKLM\..\RunOnce: [mfcpd.exe] C:\WINDOWS\system32\mfcpd.exe
    O4 - HKLM\..\RunOnce: [netzq.exe] C:\WINDOWS\system32\netzq.exe
    O4 - HKLM\..\RunOnce: [sdkzd.exe] C:\WINDOWS\sdkzd.exe
    O4 - HKLM\..\RunOnce: [crby.exe] C:\WINDOWS\crby.exe
    O4 - HKLM\..\RunOnce: [msbe.exe] C:\WINDOWS\system32\msbe.exe
    O4 - HKLM\..\RunOnce: [apien32.exe] C:\WINDOWS\apien32.exe
    O4 - HKLM\..\RunOnce: [sysxm.exe] C:\WINDOWS\system32\sysxm.exe
    O4 - HKLM\..\RunOnce: [sdksb.exe] C:\WINDOWS\system32\sdksb.exe
    O4 - HKLM\..\RunOnce: [atlla32.exe] C:\WINDOWS\atlla32.exe
    O4 - HKLM\..\RunOnce: [winaj.exe] C:\WINDOWS\system32\winaj.exe
    O4 - HKLM\..\RunOnce: [atlsp.exe] C:\WINDOWS\atlsp.exe
    O4 - HKLM\..\RunOnce: [ntkl32.exe] C:\WINDOWS\system32\ntkl32.exe
    O4 - HKLM\..\RunOnce: [apidk.exe] C:\WINDOWS\system32\apidk.exe
    O4 - HKLM\..\RunOnce: [ipdy32.exe] C:\WINDOWS\ipdy32.exe
    O4 - HKLM\..\RunOnce: [ipsu32.exe] C:\WINDOWS\ipsu32.exe
    O4 - HKLM\..\RunOnce: [d3mm32.exe] C:\WINDOWS\system32\d3mm32.exe
    O4 - HKLM\..\RunOnce: [d3ie.exe] C:\WINDOWS\system32\d3ie.exe
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mskr32.exe" /s (file missing)


    Click on Fix Checked when finished and exit HijackThis.


    Using Windows Explorer, locate the following files and delete them:

    C:\WINDOWS\awjcj.dll
    C:\WINDOWS\system32\mfcri32.dll
    C:\WINDOWS\system32\javafo32.dll
    C:\WINDOWS\system32\mscd32.exe
    C:\WINDOWS\system32\iprw32.exe
    C:\WINDOWS\system32\crqi.exe
    C:\WINDOWS\system32\sdkah.exe
    C:\WINDOWS\system32\appqq.exe
    C:\WINDOWS\appjy.exe
    C:\WINDOWS\javafv32.exe
    C:\WINDOWS\system32\d3cn.exe
    C:\WINDOWS\mskr32.exe
    C:\WINDOWS\msay32.exe
    C:\WINDOWS\system32\ntmw.exe
    C:\WINDOWS\system32\winpe32.exe
    C:\WINDOWS\addxg.exe
    C:\WINDOWS\ntbn32.exe
    C:\WINDOWS\system32\mfcsb32.exe
    C:\WINDOWS\netag.exe
    C:\WINDOWS\system32\atlyj.exe
    C:\WINDOWS\system32\javaqy.exe
    C:\WINDOWS\crkz.exe
    C:\WINDOWS\ipol32.exe
    C:\WINDOWS\system32\ielj32.exe
    C:\WINDOWS\sysbp32.exe
    C:\WINDOWS\ipqr.exe
    C:\WINDOWS\system32\sysoq32.exe
    C:\WINDOWS\sysvf.exe
    C:\WINDOWS\system32\netdf32.exe
    C:\WINDOWS\sdkqh.exe
    C:\WINDOWS\system32\mfcnu.exe
    C:\WINDOWS\system32\nettw32.exe
    C:\WINDOWS\system32\apivk32.exe
    C:\WINDOWS\system32\ntyc32.exe
    C:\WINDOWS\system32\ipcs32.exe
    C:\WINDOWS\crdj32.exe
    C:\WINDOWS\system32\winjc32.exe
    C:\WINDOWS\system32\appfv32.exe
    C:\WINDOWS\sysvp32.exe
    C:\WINDOWS\system32\d3dp.exe
    C:\WINDOWS\system32\appyv32.exe
    C:\WINDOWS\d3dx.exe
    C:\WINDOWS\system32\msyo.exe
    C:\WINDOWS\system32\appbc.exe
    C:\WINDOWS\d3hw32.exe
    C:\WINDOWS\ieai.exe
    C:\WINDOWS\crlm32.exe
    C:\WINDOWS\system32\apihw.exe
    C:\WINDOWS\system32\d3cg32.exe
    C:\WINDOWS\system32\javagq.exe
    C:\WINDOWS\system32\winkx32.exe
    C:\WINDOWS\d3ik32.exe
    C:\WINDOWS\system32\appdq.exe
    C:\WINDOWS\system32\nthy32.exe
    C:\WINDOWS\iece32.exe
    C:\WINDOWS\mfcxn32.exe
    C:\WINDOWS\system32\mfcpd.exe
    C:\WINDOWS\system32\netzq.exe
    C:\WINDOWS\sdkzd.exe
    C:\WINDOWS\crby.exe
    C:\WINDOWS\system32\msbe.exe
    C:\WINDOWS\apien32.exe
    C:\WINDOWS\system32\sysxm.exe
    C:\WINDOWS\system32\sdksb.exe
    C:\WINDOWS\atlla32.exe
    C:\WINDOWS\system32\winaj.exe
    C:\WINDOWS\atlsp.exe
    C:\WINDOWS\system32\ntkl32.exe
    C:\WINDOWS\system32\apidk.exe
    C:\WINDOWS\ipdy32.exe
    C:\WINDOWS\ipsu32.exe
    C:\WINDOWS\system32\d3mm32.exe
    C:\WINDOWS\system32\d3ie.exe
    C:\WINDOWS\mskr32.exe


    Exit Explorer, and reboot as normal afterwards.

    You may not find all of the files. If you found, but could not delete, any of the files then please follow these additional instructions:

    Download Pocket Killbox and unzip it; save it to your Desktop.

    Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

    The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

    Let the system reboot as normal.
    Now Reboot into Safe mode again.

    Make sure all other windows are closed.(Important: Don't do anything on the computer while Ewido is running.)
    Run Ewido.
    Click on scanner.
    Click Complete System Scan.
    If you get a prompt asking to clean files then click OK.
    When it cleans the first file put a check by Perform action on all infections and then choose clean and click OK.
    Once the scan is done choose Save Report and save it your desktop.
    Close Ewido.


Post back a fresh HijackThis log and we will take another look.
User avatar
NikkJ
MRU Honors Grad Emeritus
 
Posts: 413
Joined: June 16th, 2005, 12:26 pm
Location: London

Unread postby Taff36 » August 31st, 2005, 3:20 am

Morning NikkJ.

8) Sorry, I was already there! Despite my warning the owner did collect his e-mails over the weekend so I`m not surprised we have a long haul ahead. Will work through the list today and hopefully post back tonight.

Regards

Taff36
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Unread postby Taff36 » September 4th, 2005, 3:15 am

NikkJ - The computer owner has decided to do a fresh system install. I think I frightened them by asking if they had everything backed up. The couple are both teachers and have 31GB of data including personal family photographs never mind their irreplaceable school work. They have backed up to DVD`s so next week I have agreed to save all their mail boxes and settings and reinstall their system. Thanks for your help - I was quite confident but this has spurred them to be more diligent!

Let`s keep this open for a week just in case they change their minds.

Regards

Taff36
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Unread postby NikkJ » September 4th, 2005, 5:47 am

Thanks for letting me know Taff.
Tough luck with the footy yesterday. ;)
User avatar
NikkJ
MRU Honors Grad Emeritus
 
Posts: 413
Joined: June 16th, 2005, 12:26 pm
Location: London

Unread postby Taff36 » September 4th, 2005, 6:02 am

Rugby`s my game so we won`t mention six nations! Anyway it looked like a moral victory for Wales to me. Cheers!
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Unread postby NikkJ » September 4th, 2005, 6:52 am

I agree wholeheartedly. You deserved at least a draw in the footy, as for the rugby. Let me just say four letters JPRW !

All the best

Nick
User avatar
NikkJ
MRU Honors Grad Emeritus
 
Posts: 413
Joined: June 16th, 2005, 12:26 pm
Location: London

Unread postby Nellie2 » September 15th, 2005, 5:29 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

The help you receive here is free but you can help support this site from this link if you wish:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 62 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware