Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

New Poly Win 32 - I'm going nuts!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

New Poly Win 32 - I'm going nuts!

Unread postby walshie » December 17th, 2005, 3:52 pm

Hi,
Can anyone help me with this please.
I seem to have collected a virus. I have used A squared and also McAfee to clean what I can but many of the files that this virus seems to have attached to are system files so that I can't delete, quarantine or remove them.

I also seem to have a problem with explorer randomly changing my home page. Other than that things are just dandy!

This is the log detail:
Logfile of HijackThis v1.99.1
Scan saved at 19:22:39, on 17/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSEN32.EXE
C:\WINDOWS\SYSTEM\SYSGR.EXE
C:\WINDOWS\IEWH.EXE
C:\WINDOWS\SYSTEM\APIJN.EXE
C:\WINDOWS\JAVAUI.EXE
C:\WINDOWS\MFCTP32.EXE
C:\WINDOWS\SYSTEM\IEJS32.EXE
C:\WINDOWS\SYSTEM\IEZZ.EXE
C:\WINDOWS\SYSTEM\MFCWX32.EXE
C:\WINDOWS\SYSTEM\ATLCI.EXE
C:\WINDOWS\SYSTEM\MSGB32.EXE
C:\WINDOWS\D3ED.EXE
C:\WINDOWS\APPPQ32.EXE
C:\WINDOWS\SYSTEM\D3MG.EXE
C:\WINDOWS\SYSTEM\IPHH.EXE
C:\WINDOWS\SYSTEM\MFCJX.EXE
C:\WINDOWS\SYSTEM\NETYY.EXE
C:\WINDOWS\SYSTEM\JAVAHK.EXE
C:\WINDOWS\SDKRG32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\APPZO.EXE
C:\WINDOWS\IEJC.EXE
C:\WINDOWS\SYSTEM\NTKL.EXE
C:\WINDOWS\NTAC.EXE
C:\WINDOWS\SYSTEM\MFCCI.EXE
C:\WINDOWS\NTWB.EXE
C:\WINDOWS\IPQG32.EXE
C:\WINDOWS\CRUI32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAVTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.1\MOUSE32A.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\NTFB.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\AOL 9.0A\AOLTRAY.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\WINDOWS\IEJC.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
C:\PROGRAM FILES\BT BROADBAND BASIC HELP\BIN\MPBTN.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A72C0FFC-C2D7-47B8-44CD-DA44AC623334} - C:\WINDOWS\APITB32.DLL
O2 - BHO: Class - {5175B4A8-F350-1A51-E0B4-A9973C9837CC} - C:\WINDOWS\APPHL32.DLL
O2 - BHO: Class - {6D572FF5-36CB-A644-5C74-9CB819A647A1} - C:\WINDOWS\D3ZC32.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Class - {21BB89CF-BE0E-AEC1-B7D9-DBB05AD005C8} - C:\WINDOWS\SYSTEM\IPMN.DLL
O2 - BHO: Class - {2AB07CAC-2D55-4A38-8D00-5229FCA0DBED} - C:\WINDOWS\SYSTEM\NETNV.DLL
O2 - BHO: Class - {6D1EBC15-FDF8-ABE4-9FF6-9D847E8A31CB} - C:\WINDOWS\APPCP.DLL
O2 - BHO: Class - {A5AC7366-36E2-7400-BED8-41EC50B36BEC} - C:\WINDOWS\SDKIA32.DLL
O2 - BHO: Class - {2DB262AA-4A6D-CE6F-F9B2-2286EEA3F5FA} - C:\WINDOWS\IEUC.DLL
O2 - BHO: Class - {5CE2DA69-80D8-5FD1-46F9-7E4FCBBECD9B} - C:\WINDOWS\CRGK.DLL
O2 - BHO: Class - {D00908A5-5942-1682-9878-32F6BFB2878C} - C:\WINDOWS\SYSTEM\IEYU.DLL
O2 - BHO: Class - {2622A7EE-A486-8EBC-94F7-84B63486BC92} - C:\WINDOWS\SYSTEM\MSOE.DLL
O2 - BHO: Class - {8F765402-FBA8-5739-9CF1-844D6DEC0CC2} - C:\WINDOWS\CRBX32.DLL
O2 - BHO: Class - {69D8DEB3-07FD-97C0-2B34-3F24005B874C} - C:\WINDOWS\SYSTEM\APPUN32.DLL
O2 - BHO: Class - {588A083D-3EC5-A393-A9A0-E5DD1BC3F762} - C:\WINDOWS\SYSTEM\CREG32.DLL
O2 - BHO: Class - {A992910C-ED06-1A17-A389-6EE7DD6C9071} - C:\WINDOWS\IPQK.DLL
O2 - BHO: Class - {F31A6D6C-9147-7FEE-6174-C5B84A6AA151} - C:\WINDOWS\SDKUL32.DLL
O2 - BHO: Class - {738E938C-0376-DF66-9DCA-6F6A9AC3C996} - C:\WINDOWS\MSIL.DLL
O2 - BHO: Class - {DF7AF568-EF3E-A828-A764-D93713B760D7} - C:\WINDOWS\NETOR32.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LNK_ALL] C:\WINDOWS\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\windows\LNK_ALL.INF
O4 - HKLM\..\Run: [Creative Launcher] C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAVTray] C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~1\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\ssvr.exe /i
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\expIorer.exe /i
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [APPGV32.EXE] C:\WINDOWS\APPGV32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MFCPB.EXE] C:\WINDOWS\SYSTEM\MFCPB.EXE
O4 - HKLM\..\Run: [NTFB.EXE] C:\WINDOWS\SYSTEM\NTFB.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [IEXI32.EXE] C:\WINDOWS\IEXI32.EXE /s
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SYSEN32.EXE] C:\WINDOWS\SYSEN32.EXE /s
O4 - HKLM\..\RunServices: [SYSGR.EXE] C:\WINDOWS\SYSTEM\SYSGR.EXE /s
O4 - HKLM\..\RunServices: [NETAP.EXE] C:\WINDOWS\NETAP.EXE /s
O4 - HKLM\..\RunServices: [IEWH.EXE] C:\WINDOWS\IEWH.EXE /s
O4 - HKLM\..\RunServices: [APIJN.EXE] C:\WINDOWS\SYSTEM\APIJN.EXE /s
O4 - HKLM\..\RunServices: [D3RL32.EXE] C:\WINDOWS\D3RL32.EXE /s
O4 - HKLM\..\RunServices: [JAVAUI.EXE] C:\WINDOWS\JAVAUI.EXE /s
O4 - HKLM\..\RunServices: [MFCTP32.EXE] C:\WINDOWS\MFCTP32.EXE /s
O4 - HKLM\..\RunServices: [IEJS32.EXE] C:\WINDOWS\SYSTEM\IEJS32.EXE /s
O4 - HKLM\..\RunServices: [IEZZ.EXE] C:\WINDOWS\SYSTEM\IEZZ.EXE /s
O4 - HKLM\..\RunServices: [MFCWX32.EXE] C:\WINDOWS\SYSTEM\MFCWX32.EXE /s
O4 - HKLM\..\RunServices: [ATLCI.EXE] C:\WINDOWS\SYSTEM\ATLCI.EXE /s
O4 - HKLM\..\RunServices: [MSGB32.EXE] C:\WINDOWS\SYSTEM\MSGB32.EXE /s
O4 - HKLM\..\RunServices: [D3ED.EXE] C:\WINDOWS\D3ED.EXE /s
O4 - HKLM\..\RunServices: [APPPQ32.EXE] C:\WINDOWS\APPPQ32.EXE /s
O4 - HKLM\..\RunServices: [D3MG.EXE] C:\WINDOWS\SYSTEM\D3MG.EXE /s
O4 - HKLM\..\RunServices: [IPHH.EXE] C:\WINDOWS\SYSTEM\IPHH.EXE /s
O4 - HKLM\..\RunServices: [MFCJX.EXE] C:\WINDOWS\SYSTEM\MFCJX.EXE /s
O4 - HKLM\..\RunServices: [NETYY.EXE] C:\WINDOWS\SYSTEM\NETYY.EXE /s
O4 - HKLM\..\RunServices: [JAVAHK.EXE] C:\WINDOWS\SYSTEM\JAVAHK.EXE /s
O4 - HKLM\..\RunServices: [SDKRG32.EXE] C:\WINDOWS\SDKRG32.EXE /s
O4 - HKLM\..\RunServices: [APPZO.EXE] C:\WINDOWS\APPZO.EXE /s
O4 - HKLM\..\RunServices: [IEJC.EXE] C:\WINDOWS\IEJC.EXE /s
O4 - HKLM\..\RunServices: [NTKL.EXE] C:\WINDOWS\SYSTEM\NTKL.EXE /s
O4 - HKLM\..\RunServices: [NTAC.EXE] C:\WINDOWS\NTAC.EXE /s
O4 - HKLM\..\RunServices: [MFCCI.EXE] C:\WINDOWS\SYSTEM\MFCCI.EXE /s
O4 - HKLM\..\RunServices: [NTWB.EXE] C:\WINDOWS\NTWB.EXE /s
O4 - HKLM\..\RunServices: [IPQG32.EXE] C:\WINDOWS\IPQG32.EXE /s
O4 - HKLM\..\RunServices: [CRUI32.EXE] C:\WINDOWS\CRUI32.EXE /s
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/ ... reQual.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templat ... rol013.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templat ... rol024.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
walshie
Regular Member
 
Posts: 61
Joined: December 17th, 2005, 1:06 pm
Advertisement
Register to Remove

Unread postby ChrisRLG » December 18th, 2005, 8:45 am

Please read through the instructions before you start (you may want to print this out or copy it into a word program).

Please download and install these programs - don't run them yet!!



Please download and unzip
AboutBuster to a folder.
AboutBuster MUST be updated before you use it.
Check the AboutBuster Tutorial for instructions.
Don't run it yet.

Download CW-Shredder at the link below:
http://www.trendmicro.com/ftp/products/ ... redder.exe

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:


1. Reboot into safe mode

2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

ANY from the HJT fix below (except explorer.exe)

If you find the files, click on them, and then click End Process => Exit the Task Manager.

3. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

[B]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\rtejq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Class - {A72C0FFC-C2D7-47B8-44CD-DA44AC623334} - C:\WINDOWS\APITB32.DLL
O2 - BHO: Class - {5175B4A8-F350-1A51-E0B4-A9973C9837CC} - C:\WINDOWS\APPHL32.DLL
O2 - BHO: Class - {6D572FF5-36CB-A644-5C74-9CB819A647A1} - C:\WINDOWS\D3ZC32.DLL (file missing)
O2 - BHO: Class - {21BB89CF-BE0E-AEC1-B7D9-DBB05AD005C8} - C:\WINDOWS\SYSTEM\IPMN.DLL
O2 - BHO: Class - {2AB07CAC-2D55-4A38-8D00-5229FCA0DBED} - C:\WINDOWS\SYSTEM\NETNV.DLL
O2 - BHO: Class - {6D1EBC15-FDF8-ABE4-9FF6-9D847E8A31CB} - C:\WINDOWS\APPCP.DLL
O2 - BHO: Class - {A5AC7366-36E2-7400-BED8-41EC50B36BEC} - C:\WINDOWS\SDKIA32.DLL
O2 - BHO: Class - {2DB262AA-4A6D-CE6F-F9B2-2286EEA3F5FA} - C:\WINDOWS\IEUC.DLL
O2 - BHO: Class - {5CE2DA69-80D8-5FD1-46F9-7E4FCBBECD9B} - C:\WINDOWS\CRGK.DLL
O2 - BHO: Class - {D00908A5-5942-1682-9878-32F6BFB2878C} - C:\WINDOWS\SYSTEM\IEYU.DLL
O2 - BHO: Class - {2622A7EE-A486-8EBC-94F7-84B63486BC92} - C:\WINDOWS\SYSTEM\MSOE.DLL
O2 - BHO: Class - {8F765402-FBA8-5739-9CF1-844D6DEC0CC2} - C:\WINDOWS\CRBX32.DLL
O2 - BHO: Class - {69D8DEB3-07FD-97C0-2B34-3F24005B874C} - C:\WINDOWS\SYSTEM\APPUN32.DLL
O2 - BHO: Class - {588A083D-3EC5-A393-A9A0-E5DD1BC3F762} - C:\WINDOWS\SYSTEM\CREG32.DLL
O2 - BHO: Class - {A992910C-ED06-1A17-A389-6EE7DD6C9071} - C:\WINDOWS\IPQK.DLL
O2 - BHO: Class - {F31A6D6C-9147-7FEE-6174-C5B84A6AA151} - C:\WINDOWS\SDKUL32.DLL
O2 - BHO: Class - {738E938C-0376-DF66-9DCA-6F6A9AC3C996} - C:\WINDOWS\MSIL.DLL
O2 - BHO: Class - {DF7AF568-EF3E-A828-A764-D93713B760D7} - C:\WINDOWS\NETOR32.DLL
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\expIorer.exe /i
O4 - HKLM\..\Run: [APPGV32.EXE] C:\WINDOWS\APPGV32.EXE
O4 - HKLM\..\Run: [MFCPB.EXE] C:\WINDOWS\SYSTEM\MFCPB.EXE
O4 - HKLM\..\Run: [NTFB.EXE] C:\WINDOWS\SYSTEM\NTFB.EXE
O4 - HKLM\..\RunServices: [IEXI32.EXE] C:\WINDOWS\IEXI32.EXE /s
O4 - HKLM\..\RunServices: [SYSEN32.EXE] C:\WINDOWS\SYSEN32.EXE /s
O4 - HKLM\..\RunServices: [SYSGR.EXE] C:\WINDOWS\SYSTEM\SYSGR.EXE /s
O4 - HKLM\..\RunServices: [NETAP.EXE] C:\WINDOWS\NETAP.EXE /s
O4 - HKLM\..\RunServices: [IEWH.EXE] C:\WINDOWS\IEWH.EXE /s
O4 - HKLM\..\RunServices: [APIJN.EXE] C:\WINDOWS\SYSTEM\APIJN.EXE /s
O4 - HKLM\..\RunServices: [D3RL32.EXE] C:\WINDOWS\D3RL32.EXE /s
O4 - HKLM\..\RunServices: [JAVAUI.EXE] C:\WINDOWS\JAVAUI.EXE /s
O4 - HKLM\..\RunServices: [MFCTP32.EXE] C:\WINDOWS\MFCTP32.EXE /s
O4 - HKLM\..\RunServices: [IEJS32.EXE] C:\WINDOWS\SYSTEM\IEJS32.EXE /s
O4 - HKLM\..\RunServices: [IEZZ.EXE] C:\WINDOWS\SYSTEM\IEZZ.EXE /s
O4 - HKLM\..\RunServices: [MFCWX32.EXE] C:\WINDOWS\SYSTEM\MFCWX32.EXE /s
O4 - HKLM\..\RunServices: [ATLCI.EXE] C:\WINDOWS\SYSTEM\ATLCI.EXE /s
O4 - HKLM\..\RunServices: [MSGB32.EXE] C:\WINDOWS\SYSTEM\MSGB32.EXE /s
O4 - HKLM\..\RunServices: [D3ED.EXE] C:\WINDOWS\D3ED.EXE /s
O4 - HKLM\..\RunServices: [APPPQ32.EXE] C:\WINDOWS\APPPQ32.EXE /s
O4 - HKLM\..\RunServices: [D3MG.EXE] C:\WINDOWS\SYSTEM\D3MG.EXE /s
O4 - HKLM\..\RunServices: [IPHH.EXE] C:\WINDOWS\SYSTEM\IPHH.EXE /s
O4 - HKLM\..\RunServices: [MFCJX.EXE] C:\WINDOWS\SYSTEM\MFCJX.EXE /s
O4 - HKLM\..\RunServices: [NETYY.EXE] C:\WINDOWS\SYSTEM\NETYY.EXE /s
O4 - HKLM\..\RunServices: [JAVAHK.EXE] C:\WINDOWS\SYSTEM\JAVAHK.EXE /s
O4 - HKLM\..\RunServices: [SDKRG32.EXE] C:\WINDOWS\SDKRG32.EXE /s
O4 - HKLM\..\RunServices: [APPZO.EXE] C:\WINDOWS\APPZO.EXE /s
O4 - HKLM\..\RunServices: [IEJC.EXE] C:\WINDOWS\IEJC.EXE /s
O4 - HKLM\..\RunServices: [NTKL.EXE] C:\WINDOWS\SYSTEM\NTKL.EXE /s
O4 - HKLM\..\RunServices: [NTAC.EXE] C:\WINDOWS\NTAC.EXE /s
O4 - HKLM\..\RunServices: [MFCCI.EXE] C:\WINDOWS\SYSTEM\MFCCI.EXE /s
O4 - HKLM\..\RunServices: [NTWB.EXE] C:\WINDOWS\NTWB.EXE /s
O4 - HKLM\..\RunServices: [IPQG32.EXE] C:\WINDOWS\IPQG32.EXE /s
O4 - HKLM\..\RunServices: [CRUI32.EXE] C:\WINDOWS\CRUI32.EXE /s


PLUS any onteh 04 entries that have the /s at the end. They will all be bad.

Click on Fix Checked and exit HijackThis.

4. Delete the following files using windows explorer if present:

C:\WINDOWS\system\rtejq.dll
C:\WINDOWS\APITB32.DLL
C:\WINDOWS\APPHL32.DLL
C:\WINDOWS\D3ZC32.DLL
C:\WINDOWS\SYSTEM\IPMN.DLL
C:\WINDOWS\SYSTEM\NETNV.DLL
C:\WINDOWS\APPCP.DLL
C:\WINDOWS\SDKIA32.DLL
C:\WINDOWS\IEUC.DLL
C:\WINDOWS\CRGK.DLL
C:\WINDOWS\SYSTEM\IEYU.DLL
C:\WINDOWS\SYSTEM\MSOE.DLL
C:\WINDOWS\CRBX32.DLL
C:\WINDOWS\SYSTEM\APPUN32.DLL
C:\WINDOWS\SYSTEM\CREG32.DLL
C:\WINDOWS\IPQK.DLL
C:\WINDOWS\SDKUL32.DLL
C:\WINDOWS\MSIL.DLL
C:\WINDOWS\NETOR32.DLL
C:\WINDOWS\APPGV32.EXE
C:\WINDOWS\SYSTEM\MFCPB.EXE
C:\WINDOWS\SYSTEM\NTFB.EXE
C:\WINDOWS\IEXI32.EXE
C:\WINDOWS\SYSEN32.EXE
C:\WINDOWS\SYSTEM\SYSGR.EXE
C:\WINDOWS\NETAP.EXE
C:\WINDOWS\IEWH.EXE
C:\WINDOWS\SYSTEM\APIJN.EXE
C:\WINDOWS\D3RL32.EXE
C:\WINDOWS\JAVAUI.EXE
C:\WINDOWS\MFCTP32.EXE
C:\WINDOWS\SYSTEM\IEJS32.EXE
C:\WINDOWS\SYSTEM\IEZZ.EXE
C:\WINDOWS\SYSTEM\MFCWX32.EXE
C:\WINDOWS\SYSTEM\ATLCI.EXE
C:\WINDOWS\SYSTEM\MSGB32.EXE
C:\WINDOWS\D3ED.EXE
C:\WINDOWS\APPPQ32.EXE
C:\WINDOWS\SYSTEM\D3MG.EXE
C:\WINDOWS\SYSTEM\IPHH.EXE
C:\WINDOWS\SYSTEM\MFCJX.EXE
C:\WINDOWS\SYSTEM\NETYY.EXE
C:\WINDOWS\SYSTEM\JAVAHK.EXE
C:\WINDOWS\SDKRG32.EXE
C:\WINDOWS\APPZO.EXE
C:\WINDOWS\IEJC.EXE
C:\WINDOWS\SYSTEM\NTKL.EXE
C:\WINDOWS\NTAC.EXE
C:\WINDOWS\SYSTEM\MFCCI.EXE
C:\WINDOWS\NTWB.EXE
C:\WINDOWS\IPQG32.EXE
C:\WINDOWS\CRUI32.EXE

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

5. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

6. Run AboutBuster . This will scan your computer for the bad files and delete them. It will ask to scan the system again, let it. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.


7. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

8. Reboot into normal mode and open up Internet Explorer

9. Download and run this online virus scan if you can:<---Important
http://housecall.trendmicro.com/houseca ... t_corp.asp
Make sure you check "AutoClean"

10. Reboot and post a fresh HJT log back here by using the add reply button below, and lets see how we did. [/b]
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Thanks for the information!

Unread postby walshie » December 18th, 2005, 6:45 pm

You are a gentleman and a genius.
I have completed all the steps you have suggested and everything went fine. I have attached a new HJT log below.

There is just one issue which the Housecall was not able to resolve.
The file c:\windows\system\sysou32.exe is still infected with TROJ_DLOADER.BBL. The Housecall was able to resolve this and suggested that I manually remove the file. Not sure what the file is or does so was a bit cautious. Can you shed any light on this please?

Here is the HJT log created after all steps completed.

I can't thank you enough for the help and time you've given already - it really is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 22:35:03, on 18/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\IPWP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAVTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.1\MOUSE32A.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\WINDOWS\SYSTEM\SYSOU32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\AOL 9.0A\AOLTRAY.EXE
C:\MSOFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\BT BROADBAND BASIC HELP\BIN\MPBTN.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btinternet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LNK_ALL] C:\WINDOWS\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\windows\LNK_ALL.INF
O4 - HKLM\..\Run: [Creative Launcher] C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAVTray] C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~1\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\ssvr.exe /i
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [IEEC32.EXE] C:\WINDOWS\IEEC32.EXE
O4 - HKLM\..\Run: [SYSOU32.EXE] C:\WINDOWS\SYSTEM\SYSOU32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [IPWP.EXE] C:\WINDOWS\SYSTEM\IPWP.EXE /s
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/ ... reQual.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templat ... rol013.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templat ... rol024.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
walshie
Regular Member
 
Posts: 61
Joined: December 17th, 2005, 1:06 pm

Unread postby ChrisRLG » December 18th, 2005, 7:21 pm

With winXP/2k this infection goes deeper, but is in some ways easier to remove.

With winME/98 the fix can sometimes leave a few things behind.

Some things for you to know, each time you reboot it gives the infection a chance to mutate to new files, that was why you had so many files last time to fix, this time you have a lot fewer. It might go this time, or it might need another one or two goes. Lets hope luck is with us.

=======

Boot to safe mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:

C:\WINDOWS\SYSTEM\IPWP.EXE
C:\WINDOWS\SYSTEM\SYSOU32.EXE


Exit the Task Manager when finished.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\ssvr.exe /i
O4 - HKLM\..\Run: [IEEC32.EXE] C:\WINDOWS\IEEC32.EXE
O4 - HKLM\..\Run: [SYSOU32.EXE] C:\WINDOWS\SYSTEM\SYSOU32.EXE
O4 - HKLM\..\RunServices: [IPWP.EXE] C:\WINDOWS\SYSTEM\IPWP.EXE /s


Click on Fix Checked when finished and exit HijackThis.

Stay in Safe Mode: please

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\ssvr.exe
C:\WINDOWS\IEEC32.EXE
C:\WINDOWS\SYSTEM\SYSOU32.EXE
C:\WINDOWS\SYSTEM\IPWP.EXE


Exit Explorer,

Re run CWShredder and about:buster

clear your tempary folders again.

and reboot as normal afterwards.

Then try another go with the housecall scanner.

Post back a fresh HijackThis log and a copy of the about:buster log, then I will take another look.

when you have produced the HJT scan please try to leave the machine turned on, so that it does not reboot before you run the next set of instructions. Try to use internet explorer as little as possible.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Thanks again!

Unread postby walshie » December 20th, 2005, 3:24 pm

I'll do as you suggest and get a HJT log back to you asap.
Again, can't thank you enough for the help you have given me so far!
W
walshie
Regular Member
 
Posts: 61
Joined: December 17th, 2005, 1:06 pm

Second outcome

Unread postby walshie » December 20th, 2005, 4:10 pm

Hi,
I have run though the steps you suggested and have the following update.

All went ok.

I removed the suggested files and folders although a couple of the files:

ssvr.exe and ieec32.exe had already been quarantined by housecall - so I thought that this would probably be ok?

AboutBuster did not find any files: Log below..

AboutBuster 5.1, reference file 32
Scan started on [18/12/2005] at [19:34:42]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\WINDOWS\gfdrl.dat
Removed File! : C:\WINDOWS\dktnzo.dat
Removed File! : C:\WINDOWS\dbjdhe.dat
Removed File! : C:\WINDOWS\pfcflw.dat
Removed File! : C:\WINDOWS\ifplu.dat
Removed File! : C:\WINDOWS\jnmoog.dat
Removed File! : C:\WINDOWS\rffabv.dat
Removed File! : C:\WINDOWS\SYSTEM\ggqtj.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:35:41


AboutBuster 5.1, reference file 32
Scan started on [18/12/2005] at [19:36:25]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:37:19


AboutBuster 5.1, reference file 32
Scan started on [20/12/2005] at [19:43:29]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:44:24


HJT Log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 20:06:29, on 20/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAVTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.1\MOUSE32A.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\AOL 9.0A\AOLTRAY.EXE
C:\MSOFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
C:\PROGRAM FILES\BT BROADBAND BASIC HELP\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WINXR32.EXE
C:\WINDOWS\APIQN.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {980E64CD-AF79-300D-D6F9-CA197FEC4945} - C:\WINDOWS\SYSTEM\SDKZL32.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LNK_ALL] C:\WINDOWS\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\windows\LNK_ALL.INF
O4 - HKLM\..\Run: [Creative Launcher] C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAVTray] C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~1\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [APIQN.EXE] C:\WINDOWS\APIQN.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [WINXR32.EXE] C:\WINDOWS\SYSTEM\WINXR32.EXE /s
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/ ... reQual.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templat ... rol013.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templat ... rol024.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab

Thanks again for your time and help!
W
walshie
Regular Member
 
Posts: 61
Joined: December 17th, 2005, 1:06 pm

Unread postby wng_z3r0 » December 21st, 2005, 9:32 am

Hi there. Chris has some time issues and needs some help. If it's not a problem with you, I'll continue to help you out. Looks like the about:blank infection is back. Let's try to get rid of it. It we are lucky, it will stay gone next time, but it may not. Sometimes it takes several cleaning attempts before about:blank goes away.


  • Download AboutBuster

    Unzip it to your desktop but don't run it yet we'll do that later on down in this list in SAFE MODE.
  • Download CWShredder from here, install it, check for updates but again, don't use it yet.
  • Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

    Open adaware and Click the "Check for updates now" line on the main screen. CLick the "Connect" button on the webupdate screen.

    If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

    Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Make sure the "Automatically quarantine objects prior to removal" setting is checked green and then click "Proceed" to save your changes.
    DON'T SCAN WITH AD-AWARE YET!
  • Please print these instructions and make sure you understand everything before moving on. It is critical to NOT open up any internet browsers until instructed to.
  • After you have printed, please close all the programs running on your computer (especially internet browsers and email clients)
  • Make sure your PC is configured to show hidden files.How do I show hidden files?
  • run cwshredder and click the fix button.
  • Restart your computer in Safe Mode. How do I Safe Boot my computer?
  • Scan with Hijack This and put check the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\juaus.dll/sp.html#93256%resultposition.net
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {980E64CD-AF79-300D-D6F9-CA197FEC4945} - C:\WINDOWS\SYSTEM\SDKZL32.DLL
    O4 - HKLM\..\Run: [APIQN.EXE] C:\WINDOWS\APIQN.EXE
    O4 - HKLM\..\RunServices: [WINXR32.EXE] C:\WINDOWS\SYSTEM\WINXR32.EXE /s


    Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

    Delete the following files (it could be that they are deleted already):
    C:\WINDOWS\SYSTEM\WINXR32.EXE << This file
    C:\WINDOWS\APIQN.EXE << This file
    C:\WINDOWS\SYSTEM\SDKZL32.DLL << This file
    C:\WINDOWS\system\juaus.dll <<This file
  • Double click on the AboutBuster tool you downloaded earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.
  • Open up ad-aware, and run a full scan.
  • Clean out temporary and tif files. Go to "Start" -> "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
  • Then do this:
    Copy the contents of the Quote Box below to Notepad.

    Name the file as fix.reg
    Change the Save as Type to All Files
    and Save it on the desktop


    Code: Select all
    REGEDIT4 
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA] 
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE] 
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]



    Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process

  • restart in normal mode
  • NOTE: Two possibly three or four files may have been deleted from your computer by the hijacker and may need to be replaced.

    Control.exe
    Shell.dll
    SDHelper.dll (if you are using Spybot Search & Destroy)
    Hosts file (no extension)

    If control.exe, shell.dll or SDHelper is missing
    Go here: http://spywareinfo.com/~merijn/winfiles.html and download the needed file.

    For a missing Hosts file:
    Download Hoster
    Press "Restore Original Hosts" and press "OK"
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself!

    If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
    http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
  • Additional: Check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in Internet Explorer as recommended.

    ActiveX controls and plug-ins:
    • Download signed ActiveX controls (Prompt)
    • Download unsigned ActiveX controls (Disable)
    • Initialize and script ActiveX controls not marked as safe (Disable)
    • Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    • Script ActiveX controls marked safe for scripting (Prompt)


    Do an online scan at the following site. Let it remove any infected files found.
    Trend Micro (PC-Cillin) - Free On-line Scan

When you are all done, post the new HijackThis log and the AboutBuster log here for review.

wng
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Hi

Unread postby walshie » December 21st, 2005, 3:36 pm

Thanks for stepping in. I really appreciate your help and that of Chris also.
I will run through the steps suggested and get back to you once I'm done.
Thanks again!
W
walshie
Regular Member
 
Posts: 61
Joined: December 17th, 2005, 1:06 pm

Hi

Unread postby walshie » December 21st, 2005, 4:59 pm

I have run all the steps that you have recommended and all seemed to go fine!

1. cwshredder found nothing

2. I ran HJT and removed all the files which you suggested that were present. There were some which you had listed which were not in the HJT listing - so I was unbale to check them and remove them? I assume that this is because they were removed previously??

3. Ad-Aware only found a minor problem which I removed.

4. Don't appear to have to replace nay files.

5. Here is the AboutBuster log

AboutBuster 5.1, reference file 32
Scan started on [18/12/2005] at [19:34:42]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\WINDOWS\gfdrl.dat
Removed File! : C:\WINDOWS\dktnzo.dat
Removed File! : C:\WINDOWS\dbjdhe.dat
Removed File! : C:\WINDOWS\pfcflw.dat
Removed File! : C:\WINDOWS\ifplu.dat
Removed File! : C:\WINDOWS\jnmoog.dat
Removed File! : C:\WINDOWS\rffabv.dat
Removed File! : C:\WINDOWS\SYSTEM\ggqtj.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:35:41


AboutBuster 5.1, reference file 32
Scan started on [18/12/2005] at [19:36:25]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:37:19


AboutBuster 5.1, reference file 32
Scan started on [20/12/2005] at [19:43:29]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:44:24


AboutBuster 5.1, reference file 32
Scan started on [21/12/2005] at [20:06:50]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\WINDOWS\askrza.dat
Removed File! : C:\WINDOWS\rwesx.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 20:07:46


AboutBuster 5.1, reference file 32
Scan started on [21/12/2005] at [20:09:06]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 20:09:59

6. Here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 19:53:48, on 21/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {980E64CD-AF79-300D-D6F9-CA197FEC4945} - C:\WINDOWS\SYSTEM\SDKZL32.DLL
O2 - BHO: Class - {7133F302-4755-78D3-A8F2-7D74FEF0E4FB} - C:\WINDOWS\NTUJ.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LNK_ALL] C:\WINDOWS\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\windows\LNK_ALL.INF
O4 - HKLM\..\Run: [Creative Launcher] C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAVTray] C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~1\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [APIQN.EXE] C:\WINDOWS\APIQN.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [WINXR32.EXE] C:\WINDOWS\SYSTEM\WINXR32.EXE /s
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/ ... reQual.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templat ... rol013.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templat ... rol024.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab

Thanks again for sticking with this and for your time!
All the best,
W
walshie
Regular Member
 
Posts: 61
Joined: December 17th, 2005, 1:06 pm

Unread postby wng_z3r0 » December 21st, 2005, 6:33 pm

We have to repeat the process again. But this log is looking better than the last.

Hi there. Chris has some time issues and needs some help. If it's not a problem with you, I'll continue to help you out. Looks like the about:blank infection is back. Let's try to get rid of it. It we are lucky, it will stay gone next time, but it may not. Sometimes it takes several cleaning attempts before about:blank goes away.


  • Download AboutBuster

    Unzip it to your desktop but don't run it yet we'll do that later on down in this list in SAFE MODE.
  • Download CWShredder from here, install it, check for updates but again, don't use it yet.
  • Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

    Open adaware and Click the "Check for updates now" line on the main screen. CLick the "Connect" button on the webupdate screen.

    If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

    Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Make sure the "Automatically quarantine objects prior to removal" setting is checked green and then click "Proceed" to save your changes.
    DON'T SCAN WITH AD-AWARE YET!
  • Please print these instructions and make sure you understand everything before moving on. It is critical to NOT open up any internet browsers until instructed to.
  • After you have printed, please close all the programs running on your computer (especially internet browsers and email clients)
  • Make sure your PC is configured to show hidden files.How do I show hidden files?
  • run cwshredder and click the fix button.
  • Restart your computer in Safe Mode. How do I Safe Boot my computer?
  • Scan with Hijack This and put check the following:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {980E64CD-AF79-300D-D6F9-CA197FEC4945} - C:\WINDOWS\SYSTEM\SDKZL32.DLL
    O2 - BHO: Class - {7133F302-4755-78D3-A8F2-7D74FEF0E4FB} - C:\WINDOWS\NTUJ.DLL
    O4 - HKLM\..\Run: [APIQN.EXE] C:\WINDOWS\APIQN.EXE
    O4 - HKLM\..\RunServices: [WINXR32.EXE] C:\WINDOWS\SYSTEM\WINXR32.EXE /s


    Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

    Delete the following files (it could be that they are deleted already):
    C:\WINDOWS\SYSTEM\WINXR32.EXE << This file
    C:\WINDOWS\APIQN.EXE << This file
    C:\WINDOWS\SYSTEM\SDKZL32.DLL << This file
    C:\WINDOWS\system\juaus.dll <<This file
    C:\WINDOWS\NTUJ.DLL <<this file
  • Double click on the AboutBuster tool you downloaded earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.
  • Open up ad-aware, and run a full scan.
  • Clean out temporary and tif files. Go to "Start" -> "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
  • Then do this:
    Copy the contents of the Quote Box below to Notepad.

    Name the file as fix.reg
    Change the Save as Type to All Files
    and Save it on the desktop


    Code: Select all
    REGEDIT4 
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA] 
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE] 
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]



    Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process

  • restart in normal mode
  • NOTE: Two possibly three or four files may have been deleted from your computer by the hijacker and may need to be replaced.

    Control.exe
    Shell.dll
    SDHelper.dll (if you are using Spybot Search & Destroy)
    Hosts file (no extension)

    If control.exe, shell.dll or SDHelper is missing
    Go here: http://spywareinfo.com/~merijn/winfiles.html and download the needed file.

    For a missing Hosts file:
    Download Hoster
    Press "Restore Original Hosts" and press "OK"
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself!

    If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
    http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
  • Additional: Check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in Internet Explorer as recommended.

    ActiveX controls and plug-ins:
    • Download signed ActiveX controls (Prompt)
    • Download unsigned ActiveX controls (Disable)
    • Initialize and script ActiveX controls not marked as safe (Disable)
    • Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    • Script ActiveX controls marked safe for scripting (Prompt)


    Do an online scan at the following site. Let it remove any infected files found.
    Trend Micro (PC-Cillin) - Free On-line Scan

When you are all done, post the new HijackThis log and the AboutBuster log here for review.

wng
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Hi

Unread postby walshie » December 22nd, 2005, 7:03 am

I have complete all the steps as suggested..

A couple of things though:

I could find none of the lines which you suggested that I get HJT to remove. I checked all the HJT listing carefully.

The About Buster log is:

AboutBuster 5.1, reference file 32
Scan started on [18/12/2005] at [19:34:42]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\WINDOWS\gfdrl.dat
Removed File! : C:\WINDOWS\dktnzo.dat
Removed File! : C:\WINDOWS\dbjdhe.dat
Removed File! : C:\WINDOWS\pfcflw.dat
Removed File! : C:\WINDOWS\ifplu.dat
Removed File! : C:\WINDOWS\jnmoog.dat
Removed File! : C:\WINDOWS\rffabv.dat
Removed File! : C:\WINDOWS\SYSTEM\ggqtj.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:35:41


AboutBuster 5.1, reference file 32
Scan started on [18/12/2005] at [19:36:25]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:37:19


AboutBuster 5.1, reference file 32
Scan started on [20/12/2005] at [19:43:29]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:44:24


AboutBuster 5.1, reference file 32
Scan started on [21/12/2005] at [20:06:50]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\WINDOWS\askrza.dat
Removed File! : C:\WINDOWS\rwesx.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 20:07:46


AboutBuster 5.1, reference file 32
Scan started on [21/12/2005] at [20:09:06]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 20:09:59


AboutBuster 5.1, reference file 33
Scan started on [22/12/2005] at [08:34:26]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 08:36:05


AboutBuster 5.1, reference file 33
Scan started on [22/12/2005] at [08:36:33]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 08:38:09

The HJT log is:

Logfile of HijackThis v1.99.1
Scan saved at 08:23:32, on 22/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btinternet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LNK_ALL] C:\WINDOWS\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\windows\LNK_ALL.INF
O4 - HKLM\..\Run: [Creative Launcher] C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAVTray] C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~1\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/ ... reQual.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templat ... rol013.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templat ... rol024.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab

Once again, I really appreciate your time and help!
Thanks,
W
walshie
Regular Member
 
Posts: 61
Joined: December 17th, 2005, 1:06 pm

Unread postby wng_z3r0 » December 22nd, 2005, 6:18 pm

can you reboot a couple of times, and then post a new hijackthis log? Also are you still getting hijacked?
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

I think that you've cracked it!!

Unread postby walshie » December 22nd, 2005, 6:56 pm

Hi,
I have re-booted a few times and attach the HJT log as requested.
The browser now seems to be ok - at least I'm not getting the re-directions and I can now set my own homepage!

If this is now me clean, is there anything that you can recommend in terms of prevention. Although you have been really brialliant and very helpful, and I have learnt quite abit, I'd quite like to now try to stay virus/malware free!!

Here's the log posy re-boots.

Please let me know if you think I'm now ok - and thanks yet again!


Logfile of HijackThis v1.99.1
Scan saved at 22:42:49, on 22/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAVTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.1\MOUSE32A.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\AOL 9.0A\AOLTRAY.EXE
C:\MSOFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
C:\PROGRAM FILES\BT BROADBAND BASIC HELP\BIN\MPBTN.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btinternet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LNK_ALL] C:\WINDOWS\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\windows\LNK_ALL.INF
O4 - HKLM\..\Run: [Creative Launcher] C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAVTray] C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~1\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010 ... taller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/ ... reQual.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templat ... rol013.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templat ... rol024.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
walshie
Regular Member
 
Posts: 61
Joined: December 17th, 2005, 1:06 pm

Unread postby wng_z3r0 » December 22nd, 2005, 9:23 pm

Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Lets reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



We need to re hide system files. To do so, please follow the steps below:
  1. Double-click My Computer.
  2. Click the Tools menu, and then click Folder Options.
  3. Click the View tab.
  4. Put a check by "Hide file extensions for known file types."
  5. Under the "Hidden files" folder, select "Show hidden files and folders."
  6. Check "Hide protected operating system files."
  7. Click Apply, and then click OK.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
Change the allow paste operations via script to Disable
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Download Adaware
    Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
    The program is available for download here
  • Download Spybot
    Spybot is a scanner like adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and pretection measures. Spybot has preventitive tools that stop programs from even installing on your computer.
    To see how to set this up as well as more spybot features, see here
    Spybot can be downloaded at this location
  • Download SpywareBlaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
  • Download iespyad
    It puts many bad webpages on your restricted zones list. This means that you can still view the "bad" webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
    If you need help understanding how it works, there is a tutorial here
    Download it here
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok

  • Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Computer Safety On line - List of free Anti virus programs
  • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here to choose one
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.




Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
wng 8)

(Parts of all clean speech courtesy of Chris RLG)
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

You guys should be wearing capes!!

Unread postby walshie » December 23rd, 2005, 6:12 am

Thanks for sticking with thihs amateur through this!
I really appreciate your help and patience.

I will do as you have suggested and will let you how it all works out.
Once - again - THANK YOU
Have a brilliant Christmas and new Year!
W
walshie
Regular Member
 
Posts: 61
Joined: December 17th, 2005, 1:06 pm
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 294 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware