Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

sdkvz32.exe, syspx32.exe, coolwwwsearch.homesearch

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

sdkvz32.exe, syspx32.exe, coolwwwsearch.homesearch

Unread postby bluecaribe » February 4th, 2006, 6:11 pm

all these are coming up, popups, eventually lose navagation capability as well. I've run ad-aware, spybot, pestpatrol, then restarted my computer, but there still coming back. Also getting blank_this for my internet home page.


please advise. below is my hijack diagnostic.

Logfile of HijackThis v1.99.1
Scan saved at 1:53:48 PM, on 2/4/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACRORD32.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\45C1E3G5\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: Class - {0FC8BB02-4196-EB40-B32D-FA768266DEA8} - C:\WINDOWS\SYSTEM\SDKKI32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [3Cmlink] c:\windows\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [eTrustPPAP] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://www.vivo.com/ie/vvweb.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} (MSN Chat Control 4.1) - http://sc.communities.msn.com/controls/ ... chat41.cab
O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (Vividence Connector Launcher) - http://task.vividence.com/download/Conn ... uncher.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = tabs.com
bluecaribe
Active Member
 
Posts: 1
Joined: February 4th, 2006, 4:19 pm
Advertisement
Register to Remove

Unread postby Piney » February 5th, 2006, 1:32 am

Hello bluecaribe and welcome to Malware Removal :)

Please move HJT into its own permanent folder so backups can be made and found.
example: C:\MyHJT\HJT.exe or C:\MyDocuments\MyHJT\HJT.exe

Please print out this post so that you have a hard copy of these instructions. You will need to keep Internet Explorer and Windows Explorer (including My Computer) closed throughout the entire process.
=======
Please download Intermute's CWShredder from here
Save it to the desktop
Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder
Do NOT run it yet.
=======
Then please download About:Buster from here:

Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster
=======
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
=======
Please run about:buster by RubbeRDuckY

Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again

Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
=======
Run HijackThis!, press Do A System Scan Only, and put a check mark next to all these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jrpat.dll/sp.html#87649%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0FC8BB02-4196-EB40-B32D-FA768266DEA8} - C:\WINDOWS\SYSTEM\SDKKI32.DLL



Close all other windows and browsers, and press the Fix Checked button.
========
Double-click My Computer, right-click the hard disk on which you want to free space, click Properties, and then click Disk Cleanup on the General tab.

On the Disk Cleanup tab, click to select the check boxes of the files that you want to remove, click OK, click Yes, and then click OK.

Make sure these are selected:
Temporary Files
Temporary Internet Files
Recycle Bin

========

Then restart your computer in Normal Mode.

Please run an on-line virus scan at Kaspersky OnLine Scan
Begin by clicking on the Online Virus Scan at the top right of the page.
Please post the results of the scan with your next post.

When finished with the online scan, reboot normally.

Open HJT and scan. Save the log and paste it here with the About Buster log and the results from the online scan.
Please let me know if you had any problems, and if your computer is running better.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby NonSuch » February 15th, 2006, 4:44 am

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27221
Joined: February 23rd, 2005, 7:08 am
Location: California


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 22 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware