
Virus/Spyware/Trojan Invasion!


125 replies to this topic

#1 Basket Chick

Basket Chick

  • Members
  • 73 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 02 July 2005 - 04:27 PM

I am not a computer guru, but I'm not a complete moron either and at the moment I am ready to tear my hair out and huck my computer in the nearest dumpster! I am one desperate housewife!

I have needed to install Service Pack 2 for a while, but needed to backup my large music and picture files first, so I've been putting it off for a long time. Finally got an external hard drive - copied all my stuff to it. Then I installed Service Pack 2 and all the other updates. Then I downloaded McAfee Virus Scan from AOL. It was finding a ton of stuff as was Windows, but at the same time my computer went WACKO with virus/trojan/spyware stuff. It was fine before these downloads and this is all I downloaded. After following the instructions found here, I was finally able to get rid of the Antivirus Gold one. But, I have not been able to get rid of the about:blank one. Also had a Startup-du thing going on. I have downloaded Adware, CWShredder, Hijacker, and more and tried to follow the instructions exactly, but it's not working. I can not get on the internet other than through AOL, my screen saver is messed up, and the computer is slow as a ... well, it's SLOW. I would so appreciate someone taking a look at my log and giving me some advice. I really am desperate!


Logfile of HijackThis v1.99.1
Scan saved at 5:11:18 PM, on 7/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wincy.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
C:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\America Online 9.0b\aoltray.exe
C:\CConnect\CConnect.exe
C:\HP AllInOne\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\HP AllInOne\Digital Imaging\bin\hposol08.exe
C:\Palm\HOTSYNC.EXE
C:\Microsoft Office\Office10\msoffice.exe
C:\HP AllInOne\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\HP AllInOne\Digital Imaging\Bin\hpoSTS08.exe
C:\America Online 9.0b\waol.exe
C:\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\AOL Companion\companion.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\n6650zlg.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1302E13C-B2E6-4C8C-5FF5-4CF6F791F3F3} - C:\WINDOWS\atlnm.dll (file missing)
O2 - BHO: Class - {27E649AA-B1E7-9539-7E34-3FF3E562716B} - C:\WINDOWS\sdkls32.dll (file missing)
O2 - BHO: Class - {2FD3B816-33C8-BA72-72AA-942B7EBA6762} - C:\WINDOWS\mshk.dll
O2 - BHO: Class - {35B3E72A-B6CB-82E0-FCAB-935DEAAF49CD} - C:\WINDOWS\winmh32.dll (file missing)
O2 - BHO: Class - {3D3155DA-D6C7-F9A7-066B-28A3A4796452} - C:\WINDOWS\msca32.dll (file missing)
O2 - BHO: Class - {544D3227-6801-04BD-D909-6292B86D33C3} - C:\WINDOWS\system32\ipvj32.dll (file missing)
O2 - BHO: Class - {56CC0A27-27B4-C934-2722-3683C7345708} - C:\WINDOWS\msjs32.dll (file missing)
O2 - BHO: Class - {63C3B90C-CAE8-913A-DBA5-AC8E0D0896D0} - C:\WINDOWS\system32\crbk32.dll (file missing)
O2 - BHO: Class - {81970AF7-966E-6A37-8990-01F3D1C5C2B2} - C:\WINDOWS\system32\iefk.dll (file missing)
O2 - BHO: Class - {88CA47DE-D491-40E1-D009-5594D634627D} - C:\WINDOWS\syshp.dll (file missing)
O2 - BHO: Class - {A3A23120-7EE4-B1BE-8BCD-755877155DD7} - C:\WINDOWS\appyi32.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {BCBD9A6C-4B22-A8D0-8E90-F47A88F73639} - C:\WINDOWS\ipof32.dll (file missing)
O2 - BHO: Class - {C8C9402D-2260-8492-AA3D-8CEE7DD228B1} - C:\WINDOWS\system32\msud32.dll (file missing)
O2 - BHO: Class - {CDF42652-3705-BFD1-B061-1F21BA9B7A66} - C:\WINDOWS\apiky32.dll (file missing)
O2 - BHO: Class - {D77A96D0-9D84-A958-041B-5181C69B77CF} - C:\WINDOWS\netxh.dll (file missing)
O2 - BHO: Class - {E15C1770-8B06-C7F0-92C3-8514CE8ED8C1} - C:\WINDOWS\crnz32.dll (file missing)
O2 - BHO: Class - {FBF77D9B-CA17-A517-257C-C38A16C5AD4F} - C:\WINDOWS\mfccu32.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [XQAWC1Zg] C:\WINDOWS\qftxx.exe
O4 - HKLM\..\Run: [r28hpdq9] C:\WINDOWS\System32\r28hpdq9.exe
O4 - HKLM\..\Run: [077O3tX] psc3216.exe
O4 - HKLM\..\Run: [wincy.exe] C:\WINDOWS\system32\wincy.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [netjp32.exe] C:\WINDOWS\netjp32.exe
O4 - HKLM\..\RunOnce: [javagz32.exe] C:\WINDOWS\system32\javagz32.exe
O4 - HKLM\..\RunOnce: [apino.exe] C:\WINDOWS\system32\apino.exe
O4 - HKLM\..\RunOnce: [sdkkr32.exe] C:\WINDOWS\system32\sdkkr32.exe
O4 - HKLM\..\RunOnce: [netio32.exe] C:\WINDOWS\netio32.exe
O4 - HKLM\..\RunOnce: [addvi.exe] C:\WINDOWS\system32\addvi.exe
O4 - HKLM\..\RunOnce: [iegp.exe] C:\WINDOWS\iegp.exe
O4 - HKLM\..\RunOnce: [ieag32.exe] C:\WINDOWS\ieag32.exe
O4 - HKLM\..\RunOnce: [javaeo.exe] C:\WINDOWS\javaeo.exe
O4 - HKLM\..\RunOnce: [syswl32.exe] C:\WINDOWS\system32\syswl32.exe
O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\atlkt32.exe
O4 - HKLM\..\RunOnce: [appsd.exe] C:\WINDOWS\appsd.exe
O4 - HKLM\..\RunOnce: [appkn32.exe] C:\WINDOWS\system32\appkn32.exe
O4 - HKLM\..\RunOnce: [mfckz.exe] C:\WINDOWS\mfckz.exe
O4 - HKLM\..\RunOnce: [sysil.exe] C:\WINDOWS\system32\sysil.exe
O4 - HKLM\..\RunOnce: [ieyj.exe] C:\WINDOWS\system32\ieyj.exe
O4 - HKLM\..\RunOnce: [mfctp32.exe] C:\WINDOWS\system32\mfctp32.exe
O4 - HKLM\..\RunOnce: [apivg.exe] C:\WINDOWS\apivg.exe
O4 - HKLM\..\RunOnce: [atlnv.exe] C:\WINDOWS\system32\atlnv.exe
O4 - HKLM\..\RunOnce: [iesp.exe] C:\WINDOWS\system32\iesp.exe
O4 - HKLM\..\RunOnce: [javawb32.exe] C:\WINDOWS\system32\javawb32.exe
O4 - HKLM\..\RunOnce: [ntoa.exe] C:\WINDOWS\ntoa.exe
O4 - HKLM\..\RunOnce: [iekj32.exe] C:\WINDOWS\iekj32.exe
O4 - HKLM\..\RunOnce: [sdkxl32.exe] C:\WINDOWS\sdkxl32.exe
O4 - HKLM\..\RunOnce: [d3nt.exe] C:\WINDOWS\d3nt.exe
O4 - HKLM\..\RunOnce: [ipsn32.exe] C:\WINDOWS\system32\ipsn32.exe
O4 - HKLM\..\RunOnce: [winbh32.exe] C:\WINDOWS\winbh32.exe
O4 - HKLM\..\RunOnce: [crgd32.exe] C:\WINDOWS\crgd32.exe
O4 - HKLM\..\RunOnce: [apitx32.exe] C:\WINDOWS\apitx32.exe
O4 - HKLM\..\RunOnce: [appsb32.exe] C:\WINDOWS\system32\appsb32.exe
O4 - HKLM\..\RunOnce: [msxv.exe] C:\WINDOWS\msxv.exe
O4 - HKLM\..\RunOnce: [d3gv32.exe] C:\WINDOWS\d3gv32.exe
O4 - HKLM\..\RunOnce: [netlx.exe] C:\WINDOWS\system32\netlx.exe
O4 - HKLM\..\RunOnce: [atlpb.exe] C:\WINDOWS\atlpb.exe
O4 - HKLM\..\RunOnce: [msud32.exe] C:\WINDOWS\system32\msud32.exe
O4 - HKLM\..\RunOnce: [winzi.exe] C:\WINDOWS\winzi.exe
O4 - HKLM\..\RunOnce: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
O4 - HKLM\..\RunOnce: [mfcbn.exe] C:\WINDOWS\mfcbn.exe
O4 - HKLM\..\RunOnce: [iehp32.exe] C:\WINDOWS\iehp32.exe
O4 - HKLM\..\RunOnce: [javafw.exe] C:\WINDOWS\javafw.exe
O4 - HKLM\..\RunOnce: [apiky32.exe] C:\WINDOWS\apiky32.exe
O4 - HKLM\..\RunOnce: [ntxl32.exe] C:\WINDOWS\system32\ntxl32.exe
O4 - HKLM\..\RunOnce: [atlcn.exe] C:\WINDOWS\system32\atlcn.exe
O4 - HKLM\..\RunOnce: [d3qh.exe] C:\WINDOWS\system32\d3qh.exe
O4 - HKLM\..\RunOnce: [sdkmt32.exe] C:\WINDOWS\sdkmt32.exe
O4 - HKLM\..\RunOnce: [atlzn32.exe] C:\WINDOWS\atlzn32.exe
O4 - HKLM\..\RunOnce: [atlth.exe] C:\WINDOWS\atlth.exe
O4 - HKLM\..\RunOnce: [iezb32.exe] C:\WINDOWS\iezb32.exe
O4 - HKLM\..\RunOnce: [winxl32.exe] C:\WINDOWS\system32\winxl32.exe
O4 - HKLM\..\RunOnce: [apiih.exe] C:\WINDOWS\apiih.exe
O4 - HKLM\..\RunOnce: [mfclb.exe] C:\WINDOWS\mfclb.exe
O4 - HKLM\..\RunOnce: [apphd.exe] C:\WINDOWS\system32\apphd.exe
O4 - HKLM\..\RunOnce: [iefq.exe] C:\WINDOWS\iefq.exe
O4 - HKLM\..\RunOnce: [msow.exe] C:\WINDOWS\system32\msow.exe
O4 - HKLM\..\RunOnce: [ntnm32.exe] C:\WINDOWS\system32\ntnm32.exe
O4 - HKLM\..\RunOnce: [apptg.exe] C:\WINDOWS\system32\apptg.exe
O4 - HKLM\..\RunOnce: [netmf.exe] C:\WINDOWS\system32\netmf.exe
O4 - HKLM\..\RunOnce: [ipfq.exe] C:\WINDOWS\system32\ipfq.exe
O4 - HKLM\..\RunOnce: [javafd.exe] C:\WINDOWS\javafd.exe
O4 - HKLM\..\RunOnce: [iebh.exe] C:\WINDOWS\system32\iebh.exe
O4 - HKLM\..\RunOnce: [ntoc32.exe] C:\WINDOWS\system32\ntoc32.exe
O4 - HKLM\..\RunOnce: [mshg32.exe] C:\WINDOWS\system32\mshg32.exe
O4 - HKLM\..\RunOnce: [ipah32.exe] C:\WINDOWS\ipah32.exe
O4 - HKLM\..\RunOnce: [addgc.exe] C:\WINDOWS\addgc.exe
O4 - HKLM\..\RunOnce: [ntap32.exe] C:\WINDOWS\ntap32.exe
O4 - HKLM\..\RunOnce: [appgk.exe] C:\WINDOWS\appgk.exe
O4 - HKLM\..\RunOnce: [appxy.exe] C:\WINDOWS\system32\appxy.exe
O4 - HKLM\..\RunOnce: [crla.exe] C:\WINDOWS\crla.exe
O4 - HKLM\..\RunOnce: [sdkbv.exe] C:\WINDOWS\sdkbv.exe
O4 - HKLM\..\RunOnce: [mfcgp32.exe] C:\WINDOWS\system32\mfcgp32.exe
O4 - HKLM\..\RunOnce: [appjb.exe] C:\WINDOWS\system32\appjb.exe
O4 - HKLM\..\RunOnce: [d3ov.exe] C:\WINDOWS\system32\d3ov.exe
O4 - HKLM\..\RunOnce: [winzw.exe] C:\WINDOWS\system32\winzw.exe
O4 - HKLM\..\RunOnce: [crmq32.exe] C:\WINDOWS\system32\crmq32.exe
O4 - HKLM\..\RunOnce: [addmt32.exe] C:\WINDOWS\system32\addmt32.exe
O4 - HKLM\..\RunOnce: [appnz32.exe] C:\WINDOWS\system32\appnz32.exe
O4 - HKLM\..\RunOnce: [d3at.exe] C:\WINDOWS\d3at.exe
O4 - HKLM\..\RunOnce: [ipao32.exe] C:\WINDOWS\system32\ipao32.exe
O4 - HKLM\..\RunOnce: [ntzw32.exe] C:\WINDOWS\system32\ntzw32.exe
O4 - HKLM\..\RunOnce: [appnr.exe] C:\WINDOWS\appnr.exe
O4 - HKLM\..\RunOnce: [winrj.exe] C:\WINDOWS\system32\winrj.exe
O4 - HKLM\..\RunOnce: [apikf.exe] C:\WINDOWS\apikf.exe
O4 - HKLM\..\RunOnce: [iepj32.exe] C:\WINDOWS\system32\iepj32.exe
O4 - HKLM\..\RunOnce: [sdkue.exe] C:\WINDOWS\system32\sdkue.exe
O4 - HKLM\..\RunOnce: [appjg.exe] C:\WINDOWS\appjg.exe
O4 - HKLM\..\RunOnce: [iefu.exe] C:\WINDOWS\iefu.exe
O4 - HKLM\..\RunOnce: [netnc.exe] C:\WINDOWS\netnc.exe
O4 - HKLM\..\RunOnce: [wintf32.exe] C:\WINDOWS\system32\wintf32.exe
O4 - HKLM\..\RunOnce: [apicx32.exe] C:\WINDOWS\system32\apicx32.exe
O4 - HKLM\..\RunOnce: [javabq.exe] C:\WINDOWS\system32\javabq.exe
O4 - HKLM\..\RunOnce: [iejh32.exe] C:\WINDOWS\system32\iejh32.exe
O4 - HKLM\..\RunOnce: [addom.exe] C:\WINDOWS\system32\addom.exe
O4 - HKLM\..\RunOnce: [sdkbf32.exe] C:\WINDOWS\sdkbf32.exe
O4 - HKLM\..\RunOnce: [msiw.exe] C:\WINDOWS\msiw.exe
O4 - HKLM\..\RunOnce: [d3ai.exe] C:\WINDOWS\system32\d3ai.exe
O4 - HKLM\..\RunOnce: [ieaq.exe] C:\WINDOWS\ieaq.exe
O4 - HKLM\..\RunOnce: [appkr32.exe] C:\WINDOWS\appkr32.exe
O4 - HKLM\..\RunOnce: [ipdn32.exe] C:\WINDOWS\system32\ipdn32.exe
O4 - HKLM\..\RunOnce: [wingd.exe] C:\WINDOWS\system32\wingd.exe
O4 - HKLM\..\RunOnce: [javalf32.exe] C:\WINDOWS\javalf32.exe
O4 - HKLM\..\RunOnce: [sysks.exe] C:\WINDOWS\sysks.exe
O4 - HKLM\..\RunOnce: [javavj32.exe] C:\WINDOWS\javavj32.exe
O4 - HKLM\..\RunOnce: [atlma.exe] C:\WINDOWS\system32\atlma.exe
O4 - HKLM\..\RunOnce: [mfcsx.exe] C:\WINDOWS\system32\mfcsx.exe
O4 - HKLM\..\RunOnce: [sysxr32.exe] C:\WINDOWS\sysxr32.exe
O4 - HKLM\..\RunOnce: [netrf32.exe] C:\WINDOWS\netrf32.exe
O4 - HKLM\..\RunOnce: [addwz32.exe] C:\WINDOWS\system32\addwz32.exe
O4 - HKLM\..\RunOnce: [appep32.exe] C:\WINDOWS\appep32.exe
O4 - HKLM\..\RunOnce: [ipnh32.exe] C:\WINDOWS\system32\ipnh32.exe
O4 - HKLM\..\RunOnce: [sysnp.exe] C:\WINDOWS\sysnp.exe
O4 - HKLM\..\RunOnce: [atlml32.exe] C:\WINDOWS\atlml32.exe
O4 - HKLM\..\RunOnce: [sysrn32.exe] C:\WINDOWS\sysrn32.exe
O4 - HKLM\..\RunOnce: [atlkm.exe] C:\WINDOWS\atlkm.exe
O4 - HKLM\..\RunOnce: [javaex.exe] C:\WINDOWS\javaex.exe
O4 - HKLM\..\RunOnce: [ntum.exe] C:\WINDOWS\system32\ntum.exe
O4 - HKLM\..\RunOnce: [atlef.exe] C:\WINDOWS\system32\atlef.exe
O4 - HKLM\..\RunOnce: [netrh.exe] C:\WINDOWS\system32\netrh.exe
O4 - HKLM\..\RunOnce: [appvt.exe] C:\WINDOWS\appvt.exe
O4 - HKLM\..\RunOnce: [ntlj32.exe] C:\WINDOWS\system32\ntlj32.exe
O4 - HKLM\..\RunOnce: [atlwz32.exe] C:\WINDOWS\atlwz32.exe
O4 - HKLM\..\RunOnce: [atlkw32.exe] C:\WINDOWS\system32\atlkw32.exe
O4 - HKLM\..\RunOnce: [sysjj32.exe] C:\WINDOWS\sysjj32.exe
O4 - HKLM\..\RunOnce: [sdkog32.exe] C:\WINDOWS\sdkog32.exe
O4 - HKLM\..\RunOnce: [winjr32.exe] C:\WINDOWS\winjr32.exe
O4 - HKLM\..\RunOnce: [msby.exe] C:\WINDOWS\system32\msby.exe
O4 - HKLM\..\RunOnce: [atlqn32.exe] C:\WINDOWS\system32\atlqn32.exe
O4 - HKLM\..\RunOnce: [netgu.exe] C:\WINDOWS\system32\netgu.exe
O4 - HKLM\..\RunOnce: [d3eq32.exe] C:\WINDOWS\d3eq32.exe
O4 - HKLM\..\RunOnce: [mspb32.exe] C:\WINDOWS\mspb32.exe
O4 - HKLM\..\RunOnce: [ntux32.exe] C:\WINDOWS\system32\ntux32.exe
O4 - HKLM\..\RunOnce: [sdkdl32.exe] C:\WINDOWS\system32\sdkdl32.exe
O4 - HKLM\..\RunOnce: [atlwe32.exe] C:\WINDOWS\atlwe32.exe
O4 - HKLM\..\RunOnce: [ipag32.exe] C:\WINDOWS\system32\ipag32.exe
O4 - HKLM\..\RunOnce: [iehv32.exe] C:\WINDOWS\system32\iehv32.exe
O4 - HKLM\..\RunOnce: [nethd.exe] C:\WINDOWS\nethd.exe
O4 - HKLM\..\RunOnce: [ieqj32.exe] C:\WINDOWS\ieqj32.exe
O4 - HKLM\..\RunOnce: [appab32.exe] C:\WINDOWS\appab32.exe
O4 - HKLM\..\RunOnce: [crak32.exe] C:\WINDOWS\system32\crak32.exe
O4 - HKLM\..\RunOnce: [sdkxf.exe] C:\WINDOWS\system32\sdkxf.exe
O4 - HKLM\..\RunOnce: [atlxm32.exe] C:\WINDOWS\system32\atlxm32.exe
O4 - HKLM\..\RunOnce: [javadb32.exe] C:\WINDOWS\javadb32.exe
O4 - HKLM\..\RunOnce: [applj32.exe] C:\WINDOWS\applj32.exe
O4 - HKLM\..\RunOnce: [sdkgv32.exe] C:\WINDOWS\sdkgv32.exe
O4 - HKLM\..\RunOnce: [atlgi32.exe] C:\WINDOWS\atlgi32.exe
O4 - HKLM\..\RunOnce: [mszc32.exe] C:\WINDOWS\system32\mszc32.exe
O4 - HKLM\..\RunOnce: [iehk.exe] C:\WINDOWS\system32\iehk.exe
O4 - HKLM\..\RunOnce: [mshk.exe] C:\WINDOWS\mshk.exe
O4 - HKLM\..\RunOnce: [appxh32.exe] C:\WINDOWS\system32\appxh32.exe
O4 - HKLM\..\RunOnce: [netvo32.exe] C:\WINDOWS\system32\netvo32.exe
O4 - HKLM\..\RunOnce: [mfcqs.exe] C:\WINDOWS\mfcqs.exe
O4 - HKLM\..\RunOnce: [appmc.exe] C:\WINDOWS\appmc.exe
O4 - HKLM\..\RunOnce: [netqg32.exe] C:\WINDOWS\system32\netqg32.exe
O4 - HKLM\..\RunOnce: [atlzg.exe] C:\WINDOWS\atlzg.exe
O4 - HKLM\..\RunOnce: [mfcfd32.exe] C:\WINDOWS\system32\mfcfd32.exe
O4 - HKLM\..\RunOnce: [atlta32.exe] C:\WINDOWS\atlta32.exe
O4 - HKLM\..\RunOnce: [ieyw32.exe] C:\WINDOWS\ieyw32.exe
O4 - HKLM\..\RunOnce: [d3wr32.exe] C:\WINDOWS\d3wr32.exe
O4 - HKLM\..\RunOnce: [winmz.exe] C:\WINDOWS\winmz.exe
O4 - HKLM\..\RunOnce: [mfcqd32.exe] C:\WINDOWS\system32\mfcqd32.exe
O4 - HKLM\..\RunOnce: [addad.exe] C:\WINDOWS\addad.exe
O4 - HKLM\..\RunOnce: [appfa32.exe] C:\WINDOWS\system32\appfa32.exe
O4 - HKLM\..\RunOnce: [addux32.exe] C:\WINDOWS\addux32.exe
O4 - HKLM\..\RunOnce: [mfcuc.exe] C:\WINDOWS\system32\mfcuc.exe
O4 - HKLM\..\RunOnce: [addjr.exe] C:\WINDOWS\system32\addjr.exe
O4 - HKLM\..\RunOnce: [d3tk32.exe] C:\WINDOWS\d3tk32.exe
O4 - HKLM\..\RunOnce: [msnv.exe] C:\WINDOWS\msnv.exe
O4 - HKLM\..\RunOnce: [appjz.exe] C:\WINDOWS\system32\appjz.exe
O4 - HKLM\..\RunOnce: [apiba32.exe] C:\WINDOWS\apiba32.exe
O4 - HKLM\..\RunOnce: [sdkri.exe] C:\WINDOWS\sdkri.exe
O4 - HKLM\..\RunOnce: [msvm.exe] C:\WINDOWS\system32\msvm.exe
O4 - HKLM\..\RunOnce: [crlh.exe] C:\WINDOWS\system32\crlh.exe
O4 - HKLM\..\RunOnce: [d3zd32.exe] C:\WINDOWS\system32\d3zd32.exe
O4 - HKLM\..\RunOnce: [crfa32.exe] C:\WINDOWS\crfa32.exe
O4 - HKLM\..\RunOnce: [netkw32.exe] C:\WINDOWS\system32\netkw32.exe
O4 - HKLM\..\RunOnce: [d3ni.exe] C:\WINDOWS\d3ni.exe
O4 - HKLM\..\RunOnce: [sdkrm32.exe] C:\WINDOWS\system32\sdkrm32.exe
O4 - HKLM\..\RunOnce: [apihc.exe] C:\WINDOWS\system32\apihc.exe
O4 - HKLM\..\RunOnce: [javamt.exe] C:\WINDOWS\system32\javamt.exe
O4 - HKLM\..\RunOnce: [atlzq32.exe] C:\WINDOWS\atlzq32.exe
O4 - HKLM\..\RunOnce: [mfclb32.exe] C:\WINDOWS\system32\mfclb32.exe
O4 - HKLM\..\RunOnce: [syspf32.exe] C:\WINDOWS\system32\syspf32.exe
O4 - HKLM\..\RunOnce: [apisr.exe] C:\WINDOWS\apisr.exe
O4 - HKLM\..\RunOnce: [appwv32.exe] C:\WINDOWS\appwv32.exe
O4 - HKLM\..\RunOnce: [ieml.exe] C:\WINDOWS\system32\ieml.exe
O4 - HKLM\..\RunOnce: [ntla32.exe] C:\WINDOWS\system32\ntla32.exe
O4 - HKLM\..\RunOnce: [mfckq32.exe] C:\WINDOWS\mfckq32.exe
O4 - HKLM\..\RunOnce: [appfr.exe] C:\WINDOWS\appfr.exe
O4 - HKLM\..\RunOnce: [netjv.exe] C:\WINDOWS\system32\netjv.exe
O4 - HKLM\..\RunOnce: [javauw32.exe] C:\WINDOWS\javauw32.exe
O4 - HKLM\..\RunOnce: [iese.exe] C:\WINDOWS\iese.exe
O4 - HKLM\..\RunOnce: [appoi32.exe] C:\WINDOWS\system32\appoi32.exe
O4 - HKLM\..\RunOnce: [sysxi.exe] C:\WINDOWS\sysxi.exe
O4 - HKLM\..\RunOnce: [winlf32.exe] C:\WINDOWS\system32\winlf32.exe
O4 - HKLM\..\RunOnce: [syssc32.exe] C:\WINDOWS\syssc32.exe
O4 - HKLM\..\RunOnce: [addzh.exe] C:\WINDOWS\system32\addzh.exe
O4 - HKLM\..\RunOnce: [syshw.exe] C:\WINDOWS\system32\syshw.exe
O4 - HKLM\..\RunOnce: [javazp32.exe] C:\WINDOWS\javazp32.exe
O4 - HKLM\..\RunOnce: [netyd32.exe] C:\WINDOWS\system32\netyd32.exe
O4 - HKLM\..\RunOnce: [ipjo.exe] C:\WINDOWS\system32\ipjo.exe
O4 - HKLM\..\RunOnce: [d3ns.exe] C:\WINDOWS\d3ns.exe
O4 - HKLM\..\RunOnce: [sysyt32.exe] C:\WINDOWS\sysyt32.exe
O4 - HKLM\..\RunOnce: [atloa.exe] C:\WINDOWS\atloa.exe
O4 - HKLM\..\RunOnce: [ipse32.exe] C:\WINDOWS\ipse32.exe
O4 - HKLM\..\RunOnce: [mfcbf.exe] C:\WINDOWS\mfcbf.exe
O4 - HKLM\..\RunOnce: [apihb32.exe] C:\WINDOWS\apihb32.exe
O4 - HKLM\..\RunOnce: [sysbs.exe] C:\WINDOWS\sysbs.exe
O4 - HKLM\..\RunOnce: [ipve.exe] C:\WINDOWS\ipve.exe
O4 - HKLM\..\RunOnce: [mfckt.exe] C:\WINDOWS\mfckt.exe
O4 - HKLM\..\RunOnce: [sysdm32.exe] C:\WINDOWS\system32\sysdm32.exe
O4 - HKLM\..\RunOnce: [winox.exe] C:\WINDOWS\winox.exe
O4 - HKLM\..\RunOnce: [apisb.exe] C:\WINDOWS\apisb.exe
O4 - HKLM\..\RunOnce: [ntdc32.exe] C:\WINDOWS\ntdc32.exe
O4 - HKLM\..\RunOnce: [appwv.exe] C:\WINDOWS\system32\appwv.exe
O4 - HKLM\..\RunOnce: [netax.exe] C:\WINDOWS\netax.exe
O4 - HKLM\..\RunOnce: [mfcqe.exe] C:\WINDOWS\mfcqe.exe
O4 - HKLM\..\RunOnce: [sysax32.exe] C:\WINDOWS\system32\sysax32.exe
O4 - HKLM\..\RunOnce: [winuq.exe] C:\WINDOWS\system32\winuq.exe
O4 - HKLM\..\RunOnce: [apiqu32.exe] C:\WINDOWS\apiqu32.exe
O4 - HKLM\..\RunOnce: [appzu.exe] C:\WINDOWS\system32\appzu.exe
O4 - HKLM\..\RunOnce: [mssl.exe] C:\WINDOWS\mssl.exe
O4 - HKLM\..\RunOnce: [javawx.exe] C:\WINDOWS\javawx.exe
O4 - HKLM\..\RunOnce: [sysmm32.exe] C:\WINDOWS\system32\sysmm32.exe
O4 - HKLM\..\RunOnce: [atlcu.exe] C:\WINDOWS\system32\atlcu.exe
O4 - HKLM\..\RunOnce: [ipgy32.exe] C:\WINDOWS\system32\ipgy32.exe
O4 - HKLM\..\RunOnce: [mfcpy.exe] C:\WINDOWS\system32\mfcpy.exe
O4 - HKLM\..\RunOnce: [apivv32.exe] C:\WINDOWS\system32\apivv32.exe
O4 - HKLM\..\RunOnce: [syspm.exe] C:\WINDOWS\system32\syspm.exe
O4 - HKLM\..\RunOnce: [ipjx.exe] C:\WINDOWS\system32\ipjx.exe
O4 - HKLM\..\RunOnce: [mfcyn.exe] C:\WINDOWS\system32\mfcyn.exe
O4 - HKLM\..\RunOnce: [sysjf32.exe] C:\WINDOWS\sysjf32.exe
O4 - HKLM\..\RunOnce: [addcr.exe] C:\WINDOWS\system32\addcr.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HwoERjbtU] prokcs32.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\America Online 9.0b\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: CorrectConnect.lnk = C:\CConnect\CConnect.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\PopupPopper\SiteList.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.../v6/brix6ie.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.slotchbar.com/ist/softwares/v4....ect_regular.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv3.view22.com/app/view22rte.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{625AE17E-C1EB-4B12-A90B-A6D32360595C}: NameServer = 205.188.146.145
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:42 AM

Posted 02 July 2005 - 04:45 PM

Hello Basket Chick,

This is going to take several steps, as this computer is quite a mess. You probably have a trojan. :thumbsup:

Let's take care of your Internet problem first.


Please download LSP-Fix from the following link and save it to a location you can find later if necessary. Do not run it yet. We may need it later.

LSP-Fix Download Link

To remove New.net, please go to Add/Remove Programs via
Control Panel, look for and remove New.Net.

If you can't find it, then please go here and follow the removal instructions in Procedure 4 at the bottom of the page.

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s


Then reboot and see if the Internet works.

******************************************

Adaware has recently been updated. Are you running Adaware SE 1.06r1?

If not, then download it, and update it here: http://www.lavasoft.de/support/download/

Be sure to run Adaware SE with a Full Scan in the Safe Mode. It will remove more malware that way.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.


***************************************************


Please download, update and run the free A2 (A squared) anti-trojan

Let it fix whatever it wants to. Save the log file by clicking on "Save HTML-Report".

***************************************************


I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run this pc through the
Trend Micro Housecall Online virus scanner (Beta)
or
Panda Scan Online virus scanner


***************************************************


O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto


I see that you are running msconfig in /auto mode, which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to re-enable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program.
If it asks to reboot, do not reboot.


Now please create a new Hijackthis Log and post it as a reply.

Edited by SifuMike, 02 July 2005 - 05:35 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Basket Chick

Basket Chick
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 03 July 2005 - 12:04 AM

Okay, I have done the removal of new.net through Procedure 4. Didn't solve the Internet Explorer problem. If it comes up at all, it is for a few seconds to about:blank and then it disappears.

Yes, I do have the current version of Ad-aware and I went ahead and ran it in Safe mode.

Went ahead and downloaded A squared and will run that after this posting. I went to Panda Scan and this was their report:

Incident Status Location
Adware:Adware/Apropos No disinfected C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\AlertSWF\contents\Exec.exe
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\family\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Fun & Games\Betting.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Fun & Games\Casino Palace.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Fun & Games\Casino.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Fun & Games\Games.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Fun & Games\Horoscope.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Going Places\Car Rentals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Going Places\Hotel Deals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Going Places\Luggage.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Going Places\Travel.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Living\Dating.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Living\Find a Degree.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Living\Find a job.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Living\Home.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Living\Insurance.lnk
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\family\Favorites\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\family\Favorites\Search the web.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\family\Favorites\Seven days of free porn.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Auctions.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Books.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Computers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Discount.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Flowers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Golf.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Jewelry.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Movies.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Music.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Online Store.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Perfume.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Shop\Sleepwear.lnk
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\family\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\family\Favorites\Technology\Tech & gadgets.lnk
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/BrilliantDigital No disinfected C:\KaZaA\bdcore.dll
Spyware:Spyware/New.net No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\43113153.asw
Adware:Adware/Apropos No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle06032005100312321676.asw
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\uninstaller.exe
Spyware:Spyware/Support No disinfected C:\Program Files\Support.com\bin\tgcmd.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ISTprotect.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_80.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_88.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_94.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_40.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_48.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_58.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_62.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_64.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_10.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_22.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_30.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\SYSTEM32\auto_update_uninstall.log
Virus:Trj/Trexe.A Renamed C:\WINDOWS\SYSTEM32\netda.exe

Here is the Hijack this log after I was done:

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:42 AM

Posted 03 July 2005 - 09:23 AM

Here is the Hijack this log after I was done:


Hello Basket Chick,

Many of those adwares Panda found are in your temp files. :thumbsup:

Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows tab and run CCleaner (click Run Cleaner, bottom right); then, when it finishes scanning, click Exit.
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues tab and the Applications tab. To prevent accidentally running the Issues tab and Applications tab, clear all check boxes under them.

**************************************

Spyware:Spyware/New.net

This shows it is still there. :flowers: It is preventing your Internet access.

Let's try to fix it again.

To remove New.net, please go to Add/Remove Programs via Control Panel, look for and remove New.Net.
If you can't find it, then please go here and follow the removal instructions in Procedure 4 at the bottom of the page.


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "Fix".

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

If you can not connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the Finish button. Reboot and you should be able to get back on.

Post the A2 scan log.


You forgot the Hijackthis log. :trumpet:

Edited by SifuMike, 03 July 2005 - 12:07 PM.


#5 Basket Chick

Basket Chick
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 03 July 2005 - 12:38 PM

Thanks for hanging in there with me. Day 3 with this stuff and I'm close to just reformatting the drive! No matter what I do it just won't get rid of this stuff. I spend hours just doing each scan and no matter what I remove it doesn't clear it up. Just did the CCleaner and rebooted. Here is my latest HijackThis scan (I did include one last night; don't know where it went because I did see it in preview):

Logfile of HijackThis v1.99.1
Scan saved at 1:07:30 PM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ntzn32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wincy.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Netropa\OSD.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\a2\a2guard.exe
C:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\America Online 9.0b\aoltray.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\CConnect\CConnect.exe
C:\HP AllInOne\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\HP AllInOne\Digital Imaging\bin\hposol08.exe
C:\Palm\HOTSYNC.EXE
C:\Webshots\WebshotsTray.exe
C:\Microsoft Office\Office10\msoffice.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HP AllInOne\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\AOL Companion\companion.exe
C:\HP AllInOne\Digital Imaging\Bin\hpoSTS08.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\n6650zlg.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {57144AA3-0FE9-EE66-80BF-16B036B04F47} - C:\WINDOWS\ienx32.dll
O2 - BHO: Class - {7DCC3AC2-6B28-C176-22B6-A69A9AAB539B} - C:\WINDOWS\system32\appzn32.dll
O2 - BHO: Class - {883EDD1C-FC42-B1BC-75A1-920AD1D28523} - C:\WINDOWS\addph32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {AF2EB4D4-A0C1-3ADB-30D6-6AA430E5C447} - C:\WINDOWS\system32\sdkle32.dll
O2 - BHO: Class - {C7209353-F81A-D69B-DE2C-D0D6E19DD9E3} - C:\WINDOWS\sysyb.dll
O2 - BHO: Class - {EC75CF19-AEBA-7CE1-AE4E-A24982FB1141} - C:\WINDOWS\system32\d3fp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XQAWC1Zg] C:\WINDOWS\qftxx.exe
O4 - HKLM\..\Run: [r28hpdq9] C:\WINDOWS\System32\r28hpdq9.exe
O4 - HKLM\..\Run: [077O3tX] psc3216.exe
O4 - HKLM\..\Run: [wincy.exe] C:\WINDOWS\system32\wincy.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\RunOnce: [netjp32.exe] C:\WINDOWS\netjp32.exe
O4 - HKLM\..\RunOnce: [javagz32.exe] C:\WINDOWS\system32\javagz32.exe
O4 - HKLM\..\RunOnce: [ntzn32.exe] C:\WINDOWS\ntzn32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HwoERjbtU] prokcs32.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [a-squared] "C:\a2\a2guard.exe"
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Webshots\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\America Online 9.0b\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: CorrectConnect.lnk = C:\CConnect\CConnect.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\PopupPopper\SiteList.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.../v6/brix6ie.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.slotchbar.com/ist/softwares/v4....ect_regular.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv3.view22.com/app/view22rte.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\netjp32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I am not seeing the new.net one on Hijackthis so I can't fix it there (unless I'm just totally glassy eyed and not seeing it). It wasn't on there yesterday either. It only showed up on the A2 scan and I did fix it there. For all that it worked! Anyway, I'm off to do another A2 scan for you as requested. It takes a few hours, but I'll be back when it's done. Thanks again!
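The log above shows the pattern the next reply calls a CWS infection: the R0/R1 search and start-page values redirected into res://C:\WINDOWS\wxghg.dll, several BHOs named only "Class" pointing at DLLs dropped straight into C:\WINDOWS, Run and RunOnce entries with random-looking names, and a service whose binary is missing. As an added example (not part of this thread, and not HijackThis code), here is a small Python triage script that parses HijackThis-format lines and flags those indicators automatically. The sample lines are copied from the log above; the heuristics and the wording of the reasons are my own, not a published signature set.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above, plus a few benign ones so the triage has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {57144AA3-0FE9-EE66-80BF-16B036B04F47} - C:\WINDOWS\ienx32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XQAWC1Zg] C:\WINDOWS\qftxx.exe
O4 - HKLM\..\RunOnce: [ntzn32.exe] C:\WINDOWS\ntzn32.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\netjp32.exe" /s (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Value names such as XQAWC1Zg or r28hpdq9: letters and digits mixed, no spaces.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{5,12}$")


@dataclass
class Finding:
    kind: str        # HijackThis section, e.g. "R1", "O4"
    reasons: list    # one or more human-readable reasons the line was flagged
    line: str        # the original log line


def check_browser_setting(body):
    """R0/R1 lines: 'Key,Value = data'. Flag res:// redirects and about:blank."""
    reasons = []
    if " = " not in body:
        return reasons
    value = body.split(" = ", 1)[1].strip().lower()
    if value.startswith("res://"):
        reasons.append("search/start page points into a local DLL resource (CWS-style hijack)")
    elif value == "about:blank":
        reasons.append("start page forced to about:blank; check the matching R0/R1 res:// entries")
    return reasons


def check_bho(body):
    """O2 lines: 'BHO: <name> - {CLSID} - <path>'. Flag BHOs with no real name."""
    m = re.match(r"BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$", body)
    if not m:
        return []
    if m.group("name").strip() in ("Class", "(no name)", ""):
        return ["BHO has no descriptive name"]
    return []


def check_run_entry(body):
    """O4 lines: 'HKLM\\..\\Run: [name] command'. Flag RunOnce and random names."""
    m = re.match(r"(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", body)
    if not m:
        return []
    reasons = []
    if m.group("key").lower() == "runonce":
        reasons.append("RunOnce entry re-arms on every boot; installers rarely leave these behind")
    if RANDOM_NAME_RE.match(m.group("name")):
        reasons.append(f"random-looking value name {m.group('name')!r}")
    return reasons


def check_service(body):
    """O23 lines. Flag missing binaries and short names with odd characters."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("service binary is missing from disk")
    m = re.search(r"\((?P<short>[^()]*)\) - ", body)
    if m and not re.fullmatch(r"[\w .\-]+", m.group("short")):
        reasons.append(f"service short name {m.group('short')!r} contains unusual characters")
    return reasons


CHECKS = {"R0": check_browser_setting, "R1": check_browser_setting,
          "O2": check_bho, "O4": check_run_entry, "O23": check_service}


def triage(log_text):
    """Return one Finding per flagged line of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("kind"))
        if check is None:
            continue
        reasons = check(m.group("body"))
        if reasons:
            findings.append(Finding(m.group("kind"), reasons, raw.strip()))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.kind}] {f.line}\n    -> {'; '.join(f.reasons)}")
    print(summarize(hits))
```

Each flagged line prints with its reasons, and summarize() counts hits per section. A hit is a prompt for review, not proof of infection: about:blank is also a legitimate start-page choice, and HijackThis lists only what is configured, not what the referenced file does.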

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:42 AM

Posted 03 July 2005 - 12:56 PM

Hi Basket Chick,

Hang in there! :thumbsup: We are making good progress.
Your log is looking much better, as you had hundreds of O4's previously and now you only have a few. The New.net infection is gone. :flowers:
Also, I now see that you have a nasty CWS infection causing your problems. I have removed many of these infections, so things are looking up.

Never mind about the new A2 trojan scan, I do not need to see it. I can see what I need to in the log.

We will use a CWS fix, courtesy of LineOFile.

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Prepare CWShredder for use:
    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Please do not do anything with it yet.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update".
    • You should not run the program yet so click "Exit".
  • Prepare cwsserviceremove.reg for use:
    • Download cwsserviceremove.zip.
    • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
    • Please do not do anything with it yet.
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
  • Run CWShredder:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
  • Remove the offending service:
    • Double-click on cwsserviceremove.reg you downloaded earlier.
    • When it asks you to merge the information to the registry click "Yes".
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.
  • Restart your computer normally to return to normal mode.
  • Free TrendMicro Housecall scan:
    • Visit the TrendMicro Housecall website.
    • Select your country from the drop-down list and click "Go".
    • Choose "Yes" at the ActiveX Security Warning prompt.
    • Please wait while the Housecall engine is updated.
    • Select the drives to be scanned by placing a check in their respective boxes.
    • Check the "Auto Clean" box.
    • Click "SCAN" in order to begin scanning your system.
    • Please be patient while Housecall scans your system for malicious files.
    • If not auto-cleaned, remove anything it finds.
    • Click "Close" to exit the Housecall scanner.
    • Choose "Yes" at the HouseCall message prompt.
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Please note any complications you had.

Edited by SifuMike, 03 July 2005 - 01:23 PM.


#7 Basket Chick

Basket Chick
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 04 July 2005 - 12:51 AM

Ok, I ran CW Shredder several times. It keeps coming up as none present - system completely clean. As it did yesterday. Went on to About Buster and ran it a few times, although it did not work as instructions stated, basically just hit run and that was it - no alternate Data Streams, etc. Here is the log for that:

AboutBuster 5.0 reference file 30
Scan started on [7/3/2005] at [7:44:05 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\attmsg.ini:axnrv
Removed Stream! C:\WINDOWS\NetwkCfg.txt:tnmyq
Removed Stream! C:\WINDOWS\randseed.bin:psdcfa
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:taihj
Removed Stream! C:\WINDOWS\WindowsUpdate.log:eupnfz
Removed Stream! C:\WINDOWS\WMSysPrx.prx:ldariu
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:abmhm
------------------------------------------------
Removed File! : C:\Windows\csnyd.dat
Removed File! : C:\Windows\uodez.dat
Removed File! : C:\Windows\System32\rveaf.dat
Removed File! : C:\Windows\System32\sghmw.dat
Removed File! : C:\Windows\System32\xpqrn.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:46:43 PM


AboutBuster 5.0 reference file 30
Scan started on [7/3/2005] at [7:48:23 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:ammipj
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:aqavn
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:49:01 PM


AboutBuster 5.0 reference file 30
Scan started on [7/3/2005] at [7:50:29 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:arzdmd
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:51:08 PM


AboutBuster 5.0 reference file 30
Scan started on [7/3/2005] at [7:51:33 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:brjkg
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:52:12 PM


AboutBuster 5.0 reference file 30
Scan started on [7/3/2005] at [7:52:39 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:ckcpu
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:53:17 PM

I then ran the cleanmgr and all that had was some cookies. I then ran the TrendMicro Housecall, which took several hours, but was clean. You'd think this sounds good, but no such luck. The entire time I am being barraged with VirusScan messages about a trojan SpyAgent.d and backdoor warnings, etc. from a2. AGHHHHHHH!!!! Anyway, I will be right back with the HijackThis log. Didn't want to put them in the same reply in case it's too long for the post and that is why it didn't post last night.

#8 SifuMike

  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 July 2005 - 10:35 AM

Hello Basket Chick

You forgot the HijackThis log. :thumbsup:

The fact that you could run TrendMicro is a good sign. :flowers:
It means we have killed most of the CWS infection.

Edited by SifuMike, 04 July 2005 - 12:12 PM.


#9 Basket Chick

  • Topic Starter
  • Members
  • 73 posts

Posted 04 July 2005 - 12:58 PM

Wow, I swear I really did post it last night! I even checked it to make sure. Drats and double drats! I am also seeing Antivirus Gold in my Startup menu and in the Add/Remove section of Control Panel. Does that mean it's not really gone even though I am not seeing its effects? A lot of the files are reappearing after they've already been deleted. Did you ever feel like you were in the Twilight Zone? LOL. Anyway, here is the log I did from last night:

Logfile of HijackThis v1.99.1
Scan saved at 1:58:42 AM, on 7/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\nettx32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\America Online 9.0b\aoltray.exe
C:\CConnect\CConnect.exe
C:\Palm\HOTSYNC.EXE
C:\HP AllInOne\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HP AllInOne\Digital Imaging\bin\hposol08.exe
C:\Webshots\WebshotsTray.exe
C:\Microsoft Office\Office10\msoffice.exe
C:\HP AllInOne\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\HP AllInOne\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\AOL Companion\companion.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\n6650zlg.slt\prefs.js)
O2 - BHO: Class - {031211BF-70AC-72ED-883D-C47AC7D80AB0} - C:\WINDOWS\addbj.dll
O2 - BHO: Class - {0619904A-3C71-5AF3-23E3-03703516D199} - C:\WINDOWS\system32\ntga32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3B0881BE-E2CD-7DAC-3F7A-E7DDA714883E} - C:\WINDOWS\mspb.dll
O2 - BHO: Class - {57144AA3-0FE9-EE66-80BF-16B036B04F47} - C:\WINDOWS\ienx32.dll
O2 - BHO: Class - {7DCC3AC2-6B28-C176-22B6-A69A9AAB539B} - C:\WINDOWS\system32\appzn32.dll
O2 - BHO: Class - {883EDD1C-FC42-B1BC-75A1-920AD1D28523} - C:\WINDOWS\addph32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {AF2EB4D4-A0C1-3ADB-30D6-6AA430E5C447} - C:\WINDOWS\system32\sdkle32.dll
O2 - BHO: Class - {C7209353-F81A-D69B-DE2C-D0D6E19DD9E3} - C:\WINDOWS\sysyb.dll
O2 - BHO: Class - {EC75CF19-AEBA-7CE1-AE4E-A24982FB1141} - C:\WINDOWS\system32\d3fp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XQAWC1Zg] C:\WINDOWS\qftxx.exe
O4 - HKLM\..\Run: [r28hpdq9] C:\WINDOWS\System32\r28hpdq9.exe
O4 - HKLM\..\Run: [077O3tX] psc3216.exe
O4 - HKLM\..\Run: [wincy.exe] C:\WINDOWS\system32\wincy.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [ieii.exe] C:\WINDOWS\ieii.exe
O4 - HKLM\..\Run: [sdkxy32.exe] C:\WINDOWS\sdkxy32.exe
O4 - HKLM\..\Run: [nettx32.exe] C:\WINDOWS\nettx32.exe
O4 - HKLM\..\RunOnce: [netjp32.exe] C:\WINDOWS\netjp32.exe
O4 - HKLM\..\RunOnce: [javagz32.exe] C:\WINDOWS\system32\javagz32.exe
O4 - HKLM\..\RunOnce: [ntzn32.exe] C:\WINDOWS\ntzn32.exe
O4 - HKLM\..\RunOnce: [appah32.exe] C:\WINDOWS\system32\appah32.exe
O4 - HKLM\..\RunOnce: [crjn.exe] C:\WINDOWS\crjn.exe
O4 - HKLM\..\RunOnce: [mfcfq.exe] C:\WINDOWS\system32\mfcfq.exe
O4 - HKLM\..\RunOnce: [apiuw.exe] C:\WINDOWS\apiuw.exe
O4 - HKLM\..\RunOnce: [atlqp.exe] C:\WINDOWS\system32\atlqp.exe
O4 - HKLM\..\RunOnce: [sdkqk.exe] C:\WINDOWS\system32\sdkqk.exe
O4 - HKLM\..\RunOnce: [apiwc.exe] C:\WINDOWS\apiwc.exe
O4 - HKLM\..\RunOnce: [ieuq32.exe] C:\WINDOWS\ieuq32.exe
O4 - HKLM\..\RunOnce: [addky.exe] C:\WINDOWS\addky.exe
O4 - HKLM\..\RunOnce: [msjl.exe] C:\WINDOWS\system32\msjl.exe
O4 - HKLM\..\RunOnce: [crbh.exe] C:\WINDOWS\system32\crbh.exe
O4 - HKLM\..\RunOnce: [ntft.exe] C:\WINDOWS\ntft.exe
O4 - HKLM\..\RunOnce: [msvj32.exe] C:\WINDOWS\system32\msvj32.exe
O4 - HKLM\..\RunOnce: [msow.exe] C:\WINDOWS\system32\msow.exe
O4 - HKLM\..\RunOnce: [ipei.exe] C:\WINDOWS\system32\ipei.exe
O4 - HKLM\..\RunOnce: [sdkxw.exe] C:\WINDOWS\system32\sdkxw.exe
O4 - HKLM\..\RunOnce: [ieje32.exe] C:\WINDOWS\ieje32.exe
O4 - HKLM\..\RunOnce: [winfe.exe] C:\WINDOWS\winfe.exe
O4 - HKLM\..\RunOnce: [mslr32.exe] C:\WINDOWS\mslr32.exe
O4 - HKLM\..\RunOnce: [addfo32.exe] C:\WINDOWS\addfo32.exe
O4 - HKLM\..\RunOnce: [atltw32.exe] C:\WINDOWS\atltw32.exe
O4 - HKLM\..\RunOnce: [sysmt32.exe] C:\WINDOWS\system32\sysmt32.exe
O4 - HKLM\..\RunOnce: [apinv32.exe] C:\WINDOWS\system32\apinv32.exe
O4 - HKLM\..\RunOnce: [sdkuh32.exe] C:\WINDOWS\system32\sdkuh32.exe
O4 - HKLM\..\RunOnce: [ntvp.exe] C:\WINDOWS\system32\ntvp.exe
O4 - HKLM\..\RunOnce: [mfcmk.exe] C:\WINDOWS\system32\mfcmk.exe
O4 - HKLM\..\RunOnce: [mfclg32.exe] C:\WINDOWS\system32\mfclg32.exe
O4 - HKLM\..\RunOnce: [sdkyu.exe] C:\WINDOWS\system32\sdkyu.exe
O4 - HKLM\..\RunOnce: [ntwf32.exe] C:\WINDOWS\system32\ntwf32.exe
O4 - HKLM\..\RunOnce: [netxp.exe] C:\WINDOWS\netxp.exe
O4 - HKLM\..\RunOnce: [apiyf32.exe] C:\WINDOWS\apiyf32.exe
O4 - HKLM\..\RunOnce: [d3xe32.exe] C:\WINDOWS\system32\d3xe32.exe
O4 - HKLM\..\RunOnce: [mfcxe.exe] C:\WINDOWS\mfcxe.exe
O4 - HKLM\..\RunOnce: [d3nt32.exe] C:\WINDOWS\system32\d3nt32.exe
O4 - HKLM\..\RunOnce: [wingl32.exe] C:\WINDOWS\wingl32.exe
O4 - HKLM\..\RunOnce: [javatq.exe] C:\WINDOWS\javatq.exe
O4 - HKLM\..\RunOnce: [addjr.exe] C:\WINDOWS\system32\addjr.exe
O4 - HKLM\..\RunOnce: [appir32.exe] C:\WINDOWS\appir32.exe
O4 - HKLM\..\RunOnce: [mfcrk32.exe] C:\WINDOWS\system32\mfcrk32.exe
O4 - HKLM\..\RunOnce: [ntkj.exe] C:\WINDOWS\system32\ntkj.exe
O4 - HKLM\..\RunOnce: [apphp32.exe] C:\WINDOWS\apphp32.exe
O4 - HKLM\..\RunOnce: [crcp32.exe] C:\WINDOWS\crcp32.exe
O4 - HKLM\..\RunOnce: [netvf32.exe] C:\WINDOWS\system32\netvf32.exe
O4 - HKLM\..\RunOnce: [d3ib32.exe] C:\WINDOWS\system32\d3ib32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HwoERjbtU] prokcs32.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [a-squared] "C:\a2\a2guard.exe"
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Webshots\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\America Online 9.0b\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: CorrectConnect.lnk = C:\CConnect\CConnect.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\PopupPopper\SiteList.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.../v6/brix6ie.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.slotchbar.com/ist/softwares/v4....ect_regular.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv3.view22.com/app/view22rte.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\netjp32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10 SifuMike

  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 July 2005 - 01:11 PM

Hello Basket Chick,

I am also seeing Antivirus Gold in my Startup menu and in the Add/Remove section of Control Panel. Does that mean it's not really gone even though I am not seeing its effects?


Yes, it means it is not gone.

What it means is that we killed most of it, but left the part that reloads it.
This is the bad boy

O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\netjp32.exe" /s (file missing)


These CWS infections are resistant to removal, but they always can be removed. :thumbsup:

I will be back in a short time, after I do the analysis of your log.

#11 SifuMike

  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 July 2005 - 02:00 PM

Hello Basket Chick,

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download About:Buster from here: http://www.downloads.subratam.org/AboutBuster.zip
Once it is downloaded extract it to c:\aboutbuster.
We will use that program later in this process.

Reboot your computer into Safe Mode and follow these steps:

Step 1:

Click on start, then control panel, then administrative programs, then services. Look for a service called Workstation NetLogon Service.
Double click on that service, click stop, and then set the startup to disabled.

Step 2:

Press control-alt-delete to get into the task manager and end the following processes if they exist:
C:\WINDOWS\nettx32.exe


Step 3:

Using Windows Explorer, delete the following files (please do NOT try to find them by "search" because they will not show up that way)

C:\WINDOWS\nettx32.exe
C:\WINDOWS\wxghg.dll
C:\WINDOWS\netjp32.exe
C:\WINDOWS\addbj.dll
C:\WINDOWS\system32\ntga32.dll
C:\WINDOWS\mspb.dll
C:\WINDOWS\ienx32.dll
C:\WINDOWS\system32\appzn32.dll
C:\WINDOWS\addph32.dll
C:\WINDOWS\system32\sdkle32.dll
C:\WINDOWS\sysyb.dll
C:\WINDOWS\system32\d3fp.dll
C:\WINDOWS\qftxx.exe
C:\WINDOWS\System32\r28hpdq9.exe
C:\WINDOWS\System32\psc3216.exe
C:\WINDOWS\system32\wincy.exe
C:\Program Files\AntivirusGold\AntivirusGold.exe
C:\WINDOWS\ieii.exe
C:\WINDOWS\sdkxy32.exe
C:\WINDOWS\nettx32.exe
C:\WINDOWS\system32\javagz32.exe
C:\WINDOWS\ntzn32.exe
C:\WINDOWS\system32\appah32.exe
C:\WINDOWS\crjn.exe
C:\WINDOWS\system32\mfcfq.exe
C:\WINDOWS\apiuw.exe
C:\WINDOWS\system32\atlqp.exe
C:\WINDOWS\system32\sdkqk.exe
C:\WINDOWS\apiwc.exe
C:\WINDOWS\ieuq32.exe
C:\WINDOWS\addky.exe
C:\WINDOWS\system32\msjl.exe
C:\WINDOWS\system32\crbh.exe
C:\WINDOWS\ntft.exe
C:\WINDOWS\system32\msvj32.exe
C:\WINDOWS\system32\msow.exe
C:\WINDOWS\system32\ipei.exe
C:\WINDOWS\system32\sdkxw.exe
C:\WINDOWS\ieje32.exe
C:\WINDOWS\winfe.exe
C:\WINDOWS\mslr32.exe
C:\WINDOWS\addfo32.exe
C:\WINDOWS\atltw32.exe
C:\WINDOWS\system32\sysmt32.exe
C:\WINDOWS\system32\apinv32.exe
C:\WINDOWS\system32\sdkuh32.exe
C:\WINDOWS\system32\ntvp.exe
C:\WINDOWS\system32\mfcmk.exe
C:\WINDOWS\system32\mfclg32.exe
C:\WINDOWS\system32\sdkyu.exe
C:\WINDOWS\system32\ntwf32.exe
C:\WINDOWS\netxp.exe
C:\WINDOWS\apiyf32.exe
C:\WINDOWS\system32\d3xe32.exe
C:\WINDOWS\mfcxe.exe
C:\WINDOWS\system32\d3nt32.exe
C:\WINDOWS\wingl32.exe
C:\WINDOWS\javatq.exe
C:\WINDOWS\system32\addjr.exe
C:\WINDOWS\appir32.exe
C:\WINDOWS\system32\mfcrk32.exe
C:\WINDOWS\system32\ntkj.exe
C:\WINDOWS\apphp32.exe
C:\WINDOWS\crcp32.exe
C:\WINDOWS\system32\netvf32.exe
C:\WINDOWS\system32\d3ib32.exe
prokcs32.exe
You will need to search for this file. It will be in either C:\WINDOWS\system32\ or C:\WINDOWS\

If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Step 4:
Then close all programs and windows and run HijackThis. Put a checkmark next to each of these entries and press the fix button when ready:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wxghg.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wxghg.dll/sp.html#10001
O2 - BHO: Class - {031211BF-70AC-72ED-883D-C47AC7D80AB0} - C:\WINDOWS\addbj.dll
O2 - BHO: Class - {0619904A-3C71-5AF3-23E3-03703516D199} - C:\WINDOWS\system32\ntga32.dll
O2 - BHO: Class - {3B0881BE-E2CD-7DAC-3F7A-E7DDA714883E} - C:\WINDOWS\mspb.dll
O2 - BHO: Class - {57144AA3-0FE9-EE66-80BF-16B036B04F47} - C:\WINDOWS\ienx32.dll
O2 - BHO: Class - {7DCC3AC2-6B28-C176-22B6-A69A9AAB539B} - C:\WINDOWS\system32\appzn32.dll
O2 - BHO: Class - {883EDD1C-FC42-B1BC-75A1-920AD1D28523} - C:\WINDOWS\addph32.dll
O2 - BHO: Class - {AF2EB4D4-A0C1-3ADB-30D6-6AA430E5C447} - C:\WINDOWS\system32\sdkle32.dll
O2 - BHO: Class - {C7209353-F81A-D69B-DE2C-D0D6E19DD9E3} - C:\WINDOWS\sysyb.dll
O2 - BHO: Class - {EC75CF19-AEBA-7CE1-AE4E-A24982FB1141} - C:\WINDOWS\system32\d3fp.dll
O4 - HKLM\..\Run: [XQAWC1Zg] C:\WINDOWS\qftxx.exe
O4 - HKLM\..\Run: [r28hpdq9] C:\WINDOWS\System32\r28hpdq9.exe
O4 - HKLM\..\Run: [077O3tX] psc3216.exe
O4 - HKLM\..\Run: [wincy.exe] C:\WINDOWS\system32\wincy.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [ieii.exe] C:\WINDOWS\ieii.exe
O4 - HKLM\..\Run: [sdkxy32.exe] C:\WINDOWS\sdkxy32.exe
O4 - HKLM\..\Run: [nettx32.exe] C:\WINDOWS\nettx32.exe
O4 - HKLM\..\RunOnce: [netjp32.exe] C:\WINDOWS\netjp32.exe
O4 - HKLM\..\RunOnce: [javagz32.exe] C:\WINDOWS\system32\javagz32.exe
O4 - HKLM\..\RunOnce: [ntzn32.exe] C:\WINDOWS\ntzn32.exe
O4 - HKLM\..\RunOnce: [appah32.exe] C:\WINDOWS\system32\appah32.exe
O4 - HKLM\..\RunOnce: [crjn.exe] C:\WINDOWS\crjn.exe
O4 - HKLM\..\RunOnce: [mfcfq.exe] C:\WINDOWS\system32\mfcfq.exe
O4 - HKLM\..\RunOnce: [apiuw.exe] C:\WINDOWS\apiuw.exe
O4 - HKLM\..\RunOnce: [atlqp.exe] C:\WINDOWS\system32\atlqp.exe
O4 - HKLM\..\RunOnce: [sdkqk.exe] C:\WINDOWS\system32\sdkqk.exe
O4 - HKLM\..\RunOnce: [apiwc.exe] C:\WINDOWS\apiwc.exe
O4 - HKLM\..\RunOnce: [ieuq32.exe] C:\WINDOWS\ieuq32.exe
O4 - HKLM\..\RunOnce: [addky.exe] C:\WINDOWS\addky.exe
O4 - HKLM\..\RunOnce: [msjl.exe] C:\WINDOWS\system32\msjl.exe
O4 - HKLM\..\RunOnce: [crbh.exe] C:\WINDOWS\system32\crbh.exe
O4 - HKLM\..\RunOnce: [ntft.exe] C:\WINDOWS\ntft.exe
O4 - HKLM\..\RunOnce: [msvj32.exe] C:\WINDOWS\system32\msvj32.exe
O4 - HKLM\..\RunOnce: [msow.exe] C:\WINDOWS\system32\msow.exe
O4 - HKLM\..\RunOnce: [ipei.exe] C:\WINDOWS\system32\ipei.exe
O4 - HKLM\..\RunOnce: [sdkxw.exe] C:\WINDOWS\system32\sdkxw.exe
O4 - HKLM\..\RunOnce: [ieje32.exe] C:\WINDOWS\ieje32.exe
O4 - HKLM\..\RunOnce: [winfe.exe] C:\WINDOWS\winfe.exe
O4 - HKLM\..\RunOnce: [mslr32.exe] C:\WINDOWS\mslr32.exe
O4 - HKLM\..\RunOnce: [addfo32.exe] C:\WINDOWS\addfo32.exe
O4 - HKLM\..\RunOnce: [atltw32.exe] C:\WINDOWS\atltw32.exe
O4 - HKLM\..\RunOnce: [sysmt32.exe] C:\WINDOWS\system32\sysmt32.exe
O4 - HKLM\..\RunOnce: [apinv32.exe] C:\WINDOWS\system32\apinv32.exe
O4 - HKLM\..\RunOnce: [sdkuh32.exe] C:\WINDOWS\system32\sdkuh32.exe
O4 - HKLM\..\RunOnce: [ntvp.exe] C:\WINDOWS\system32\ntvp.exe
O4 - HKLM\..\RunOnce: [mfcmk.exe] C:\WINDOWS\system32\mfcmk.exe
O4 - HKLM\..\RunOnce: [mfclg32.exe] C:\WINDOWS\system32\mfclg32.exe
O4 - HKLM\..\RunOnce: [sdkyu.exe] C:\WINDOWS\system32\sdkyu.exe
O4 - HKLM\..\RunOnce: [ntwf32.exe] C:\WINDOWS\system32\ntwf32.exe
O4 - HKLM\..\RunOnce: [netxp.exe] C:\WINDOWS\netxp.exe
O4 - HKLM\..\RunOnce: [apiyf32.exe] C:\WINDOWS\apiyf32.exe
O4 - HKLM\..\RunOnce: [d3xe32.exe] C:\WINDOWS\system32\d3xe32.exe
O4 - HKLM\..\RunOnce: [mfcxe.exe] C:\WINDOWS\mfcxe.exe
O4 - HKLM\..\RunOnce: [d3nt32.exe] C:\WINDOWS\system32\d3nt32.exe
O4 - HKLM\..\RunOnce: [wingl32.exe] C:\WINDOWS\wingl32.exe
O4 - HKLM\..\RunOnce: [javatq.exe] C:\WINDOWS\javatq.exe
O4 - HKLM\..\RunOnce: [addjr.exe] C:\WINDOWS\system32\addjr.exe
O4 - HKLM\..\RunOnce: [appir32.exe] C:\WINDOWS\appir32.exe
O4 - HKLM\..\RunOnce: [mfcrk32.exe] C:\WINDOWS\system32\mfcrk32.exe
O4 - HKLM\..\RunOnce: [ntkj.exe] C:\WINDOWS\system32\ntkj.exe
O4 - HKLM\..\RunOnce: [apphp32.exe] C:\WINDOWS\apphp32.exe
O4 - HKLM\..\RunOnce: [crcp32.exe] C:\WINDOWS\crcp32.exe
O4 - HKLM\..\RunOnce: [netvf32.exe] C:\WINDOWS\system32\netvf32.exe
O4 - HKLM\..\RunOnce: [d3ib32.exe] C:\WINDOWS\system32\d3ib32.exe
O4 - HKCU\..\Run: [HwoERjbtU] prokcs32.exe
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1250/ftp.../v6/brix6ie.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.slotchbar.com/ist/softwares/v4....ect_regular.cab
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\netjp32.exe" /s (file missing)


Step 5:

In the next step we are going to remove a service that gets installed by this malware.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ 11F#`I

If 11F#`I exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ 11F#`I

If LEGACY_ 11F#`I exists then right click on it and choose delete from the menu.

If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press copy.
Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.


Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open, press the OK button, then the Start button, then the OK button, and then finally the Yes button.
It will start scanning your computer for files.

If it asks if you would like to do a second pass, allow it to do so.

When it has completed, move on to step 7.

Step 7:

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Step 8:
Reboot your computer back to normal mode so that we can see if we need to restore some deleted files:
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll.
    Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).
    Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
  • Open IE, go to Tools > Internet Options, then click on the Security tab, then click on Custom Level. Check the following settings:
  • Download Signed ActiveX controls-set to Prompt.
  • Download Un-Signed ActiveX controls-set to Disable.
  • Initialize and script ActiveX controls marked as unsafe-set to disable.

Step 9:

Run an online antivirus scan at:

http://housecall.antivirus.com/

Reboot and post a Hijackthis log

Edited by SifuMike, 04 July 2005 - 02:06 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
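The following PowerShell script is an added example and is not part of SifuMike's instructions or any of the tools named in the thread. It covers two points a careful user would want around Steps 7 and 8: the `[-KEY]` lines in fix.reg delete registry keys permanently, so it exports any of those keys that actually exist before you merge the file (the garbled service name from the page is replaced by the placeholder `<RANDOM_SERVICE_NAME>`), and it then reads back the three Internet-zone ActiveX settings and the restored hosts file so you can confirm Step 8 took effect. It assumes a Windows host with PowerShell 5.1 or later and reg.exe, run from an elevated prompt.

```powershell
# Added example (not from the thread): back up the registry keys that fix.reg
# deletes, then verify the Step 8 Internet Explorer ActiveX zone settings and
# the restored hosts file. Assumes Windows with PowerShell 5.1+ and reg.exe,
# run as Administrator. <RANDOM_SERVICE_NAME> is a placeholder for the
# garbled service name shown in fix.reg on the page.

$ErrorActionPreference = 'Stop'
$backupDir = Join-Path $env:USERPROFILE 'Desktop\regbackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Keys targeted by fix.reg (Step 7). A "[-KEY]" line removes the whole key,
# so export each one that exists first; merging the export undoes the deletion.
$keysToRemove = @(
  'HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_<RANDOM_SERVICE_NAME>',
  'HKLM\SYSTEM\ControlSet001\Services\<RANDOM_SERVICE_NAME>',
  'HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM_SERVICE_NAME>',
  'HKLM\SYSTEM\CurrentControlSet\Services\<RANDOM_SERVICE_NAME>',
  'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA',
  'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE',
  'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
)

$n = 0
foreach ($key in $keysToRemove) {
  $psPath = 'Registry::' + ($key -replace '^HKLM\\', 'HKEY_LOCAL_MACHINE\')
  if (Test-Path -LiteralPath $psPath) {
    $n++
    $out = Join-Path $backupDir ('key{0:D2}.reg' -f $n)
    & reg.exe export $key $out /y | Out-Null
    Write-Host "Present, backed up to $out : $key"
  } else {
    Write-Host "Not present (fix.reg will have nothing to delete): $key"
  }
}

# Step 8: Internet zone (zone 3) ActiveX settings. Action values are
# 0 = Enable, 1 = Prompt, 3 = Disable. The three IDs below are the standard
# URL action values for the settings the thread asks you to change.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$expected = @{
  '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
  '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
  '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
}
$props = Get-ItemProperty -Path $zone
foreach ($id in ($expected.Keys | Sort-Object)) {
  $have   = $props.$id
  $status = if ($have -eq $expected[$id].Want) { 'OK ' } else { 'FIX' }
  Write-Host ('{0} {1} ({2}): have={3} want={4}' -f $status, $expected[$id].Name, $id, $have, $expected[$id].Want)
}

# Hosts file: after "Restore Original Hosts" only loopback entries should be active.
$hosts  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active = Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
$other  = $active | Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' }
if ($other) {
  Write-Host 'Hosts file still has non-loopback entries:'
  $other | ForEach-Object { Write-Host "  $_" }
} else {
  Write-Host 'Hosts file contains only loopback entries.'
}
```

Run it once before merging fix.reg (to take the backups) and once after Step 8 (to confirm the zone settings and hosts file). A "FIX" line means the Custom Level setting still differs from what the thread asks for; an empty `have=` value means the setting is at its default and has never been written to the registry.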

#12 Basket Chick

Basket Chick
  • Topic Starter

  • Members
  • 73 posts

Posted 04 July 2005 - 02:09 PM

Two quick questions before I start:

1. I did the show hidden files things early on in this. Do I need to repeat every time? I never went back and changed them back to hidden.

2. Is this the same About:Buster you had me download earlier or a different one I need to download again?

Thanks again for all the help!

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 July 2005 - 02:20 PM

Hi Basket Chick,

1. I did the show hidden files things early on in this. Do I need to repeat every time? I never went back and changed them back to hidden.

No, you do not have to do it each time. Sorry, I was in a rush and forgot to take that out. :thumbsup:

2. Is this the same About:Buster you had me download earlier or a different one I need to download again?


No, you do not have to download it again. Use the version you have. :flowers:

Edited by SifuMike, 04 July 2005 - 02:20 PM.


#14 Basket Chick

Basket Chick
  • Topic Starter

  • Members
  • 73 posts

Posted 04 July 2005 - 02:22 PM

Thanks for getting back to me so quick! Off to start!

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 July 2005 - 02:51 PM

Good luck! :thumbsup: This is a rather long fix.