
HJT Log - godfather


This topic is locked
5 replies to this topic

#1 godfather

godfather

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:40 PM

Posted 07 August 2005 - 07:29 AM

Please, I need help.



Logfile of HijackThis v1.99.1
Scan saved at 03:19:31 م, on 07/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\msyc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Spy Emergency 2005\SpyEmergency.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://securityresponse.symantec.com/avcen...ges/US-N95.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F6ED913D-FAB1-F1A5-C359-4E2B2AC7B284} - C:\WINDOWS\system32\mfcid.dll
O2 - BHO: Class - {F7AAF518-F4CD-02BF-5C23-F0D9E2D6BD30} - C:\WINDOWS\system32\sdkjn.dll
O2 - BHO: Class - {F8008B13-FD1D-9DAB-25AF-95EAB9FA0AC5} - C:\WINDOWS\javaah.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [wingm.exe] C:\WINDOWS\system32\wingm.exe
O4 - HKLM\..\Run: [sdkov.exe] C:\WINDOWS\sdkov.exe
O4 - HKLM\..\Run: [msyc.exe] C:\WINDOWS\msyc.exe
O4 - HKLM\..\RunOnce: [crab32.exe] C:\WINDOWS\crab32.exe
O4 - HKLM\..\RunOnce: [sdkdg32.exe] C:\WINDOWS\system32\sdkdg32.exe
O4 - HKLM\..\RunOnce: [atlnf.exe] C:\WINDOWS\atlnf.exe
O4 - HKLM\..\RunOnce: [netub32.exe] C:\WINDOWS\system32\netub32.exe
O4 - HKLM\..\RunOnce: [ntif32.exe] C:\WINDOWS\system32\ntif32.exe
O4 - HKLM\..\RunOnce: [ipoc32.exe] C:\WINDOWS\ipoc32.exe
O4 - HKLM\..\RunOnce: [addty32.exe] C:\WINDOWS\system32\addty32.exe
O4 - HKLM\..\RunOnce: [crbo.exe] C:\WINDOWS\system32\crbo.exe
O4 - HKLM\..\RunOnce: [mfcpr.exe] C:\WINDOWS\system32\mfcpr.exe
O4 - HKLM\..\RunOnce: [addld.exe] C:\WINDOWS\addld.exe
O4 - HKLM\..\RunOnce: [iecd32.exe] C:\WINDOWS\iecd32.exe
O4 - HKLM\..\RunOnce: [crme.exe] C:\WINDOWS\system32\crme.exe
O4 - HKLM\..\RunOnce: [d3sb32.exe] C:\WINDOWS\d3sb32.exe
O4 - HKLM\..\RunOnce: [netlu32.exe] C:\WINDOWS\system32\netlu32.exe
O4 - HKLM\..\RunOnce: [mfcow32.exe] C:\WINDOWS\mfcow32.exe
O4 - HKLM\..\RunOnce: [winnl.exe] C:\WINDOWS\system32\winnl.exe
O4 - HKLM\..\RunOnce: [crmb32.exe] C:\WINDOWS\system32\crmb32.exe
O4 - HKLM\..\RunOnce: [sdkhf.exe] C:\WINDOWS\system32\sdkhf.exe
O4 - HKLM\..\RunOnce: [atlgu32.exe] C:\WINDOWS\system32\atlgu32.exe
O4 - HKLM\..\RunOnce: [addqb.exe] C:\WINDOWS\system32\addqb.exe
O4 - HKLM\..\RunOnce: [apioq32.exe] C:\WINDOWS\system32\apioq32.exe
O4 - HKLM\..\RunOnce: [addgr32.exe] C:\WINDOWS\system32\addgr32.exe
O4 - HKLM\..\RunOnce: [mswh32.exe] C:\WINDOWS\mswh32.exe
O4 - HKLM\..\RunOnce: [ieep.exe] C:\WINDOWS\ieep.exe
O4 - HKLM\..\RunOnce: [d3fx.exe] C:\WINDOWS\system32\d3fx.exe
O4 - HKLM\..\RunOnce: [sdkok.exe] C:\WINDOWS\system32\sdkok.exe
O4 - HKLM\..\RunOnce: [appum32.exe] C:\WINDOWS\appum32.exe
O4 - HKLM\..\RunOnce: [nettt32.exe] C:\WINDOWS\nettt32.exe
O4 - HKLM\..\RunOnce: [atlox.exe] C:\WINDOWS\system32\atlox.exe
O4 - HKLM\..\RunOnce: [sdksp.exe] C:\WINDOWS\system32\sdksp.exe
O4 - HKLM\..\RunOnce: [winmd32.exe] C:\WINDOWS\winmd32.exe
O4 - HKLM\..\RunOnce: [atlrf32.exe] C:\WINDOWS\system32\atlrf32.exe
O4 - HKLM\..\RunOnce: [mfczn.exe] C:\WINDOWS\system32\mfczn.exe
O4 - HKLM\..\RunOnce: [apido.exe] C:\WINDOWS\apido.exe
O4 - HKLM\..\RunOnce: [sysex32.exe] C:\WINDOWS\system32\sysex32.exe
O4 - HKLM\..\RunOnce: [sdkbv.exe] C:\WINDOWS\sdkbv.exe
O4 - HKLM\..\RunOnce: [mstg.exe] C:\WINDOWS\system32\mstg.exe
O4 - HKLM\..\RunOnce: [ipsw32.exe] C:\WINDOWS\system32\ipsw32.exe
O4 - HKLM\..\RunOnce: [atlru.exe] C:\WINDOWS\system32\atlru.exe
O4 - HKLM\..\RunOnce: [ntgr32.exe] C:\WINDOWS\ntgr32.exe
O4 - HKLM\..\RunOnce: [mfctb32.exe] C:\WINDOWS\mfctb32.exe
O4 - HKLM\..\RunOnce: [ipyf.exe] C:\WINDOWS\system32\ipyf.exe
O4 - HKLM\..\RunOnce: [apihg32.exe] C:\WINDOWS\apihg32.exe
O4 - HKLM\..\RunOnce: [sysaz.exe] C:\WINDOWS\system32\sysaz.exe
O4 - HKLM\..\RunOnce: [addta32.exe] C:\WINDOWS\addta32.exe
O4 - HKLM\..\RunOnce: [atlfl.exe] C:\WINDOWS\atlfl.exe
O4 - HKLM\..\RunOnce: [sdkcq32.exe] C:\WINDOWS\system32\sdkcq32.exe
O4 - HKLM\..\RunOnce: [javacy.exe] C:\WINDOWS\system32\javacy.exe
O4 - HKLM\..\RunOnce: [winlh.exe] C:\WINDOWS\winlh.exe
O4 - HKLM\..\RunOnce: [javakx32.exe] C:\WINDOWS\javakx32.exe
O4 - HKLM\..\RunOnce: [addhc32.exe] C:\WINDOWS\addhc32.exe
O4 - HKLM\..\RunOnce: [msyj32.exe] C:\WINDOWS\system32\msyj32.exe
O4 - HKLM\..\RunOnce: [atlps32.exe] C:\WINDOWS\atlps32.exe
O4 - HKLM\..\RunOnce: [crpa.exe] C:\WINDOWS\system32\crpa.exe
O4 - HKLM\..\RunOnce: [sdkfv.exe] C:\WINDOWS\system32\sdkfv.exe
O4 - HKLM\..\RunOnce: [atlec32.exe] C:\WINDOWS\system32\atlec32.exe
O4 - HKLM\..\RunOnce: [javasr32.exe] C:\WINDOWS\system32\javasr32.exe
O4 - HKLM\..\RunOnce: [d3sp.exe] C:\WINDOWS\system32\d3sp.exe
O4 - HKLM\..\RunOnce: [javapm.exe] C:\WINDOWS\system32\javapm.exe
O4 - HKLM\..\RunOnce: [javavb.exe] C:\WINDOWS\system32\javavb.exe
O4 - HKLM\..\RunOnce: [mfcjg.exe] C:\WINDOWS\mfcjg.exe
O4 - HKLM\..\RunOnce: [crdr.exe] C:\WINDOWS\system32\crdr.exe
O4 - HKLM\..\RunOnce: [ntky.exe] C:\WINDOWS\system32\ntky.exe
O4 - HKLM\..\RunOnce: [mfcdr32.exe] C:\WINDOWS\mfcdr32.exe
O4 - HKLM\..\RunOnce: [apiok.exe] C:\WINDOWS\apiok.exe
O4 - HKLM\..\RunOnce: [winna32.exe] C:\WINDOWS\winna32.exe
O4 - HKLM\..\RunOnce: [d3lp32.exe] C:\WINDOWS\system32\d3lp32.exe
O4 - HKLM\..\RunOnce: [addbh.exe] C:\WINDOWS\addbh.exe
O4 - HKLM\..\RunOnce: [msyq32.exe] C:\WINDOWS\system32\msyq32.exe
O4 - HKLM\..\RunOnce: [sdkvs.exe] C:\WINDOWS\system32\sdkvs.exe
O4 - HKLM\..\RunOnce: [appip.exe] C:\WINDOWS\system32\appip.exe
O4 - HKLM\..\RunOnce: [javawg32.exe] C:\WINDOWS\system32\javawg32.exe
O4 - HKLM\..\RunOnce: [appca32.exe] C:\WINDOWS\system32\appca32.exe
O4 - HKLM\..\RunOnce: [syslv.exe] C:\WINDOWS\syslv.exe
O4 - HKLM\..\RunOnce: [ntmj32.exe] C:\WINDOWS\system32\ntmj32.exe
O4 - HKLM\..\RunOnce: [sdkmu.exe] C:\WINDOWS\system32\sdkmu.exe
O4 - HKLM\..\RunOnce: [winkx32.exe] C:\WINDOWS\winkx32.exe
O4 - HKLM\..\RunOnce: [mfcsm.exe] C:\WINDOWS\mfcsm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\Spy Emergency 2005\SpyEmergency.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &تصدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: بحث - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAE85ED4-5877-4A91-A05C-7AD2766D30E3}: NameServer = 212.24.224.35 212.24.224.36
O23 - Service: Network Security Service (NSS) ( 11Fكن#؛ؤض`I) - Unknown owner - C:\WINDOWS\crab32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


#2 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:40 AM

Posted 07 August 2005 - 01:09 PM

Hi godfather,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

Please do not remove anything until instructed to do so.

Thanks.

:thumbsup:
JC

#3 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:40 AM

Posted 08 August 2005 - 05:23 AM

Godfather:

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily. PLEASE FOLLOW THESE STEPS IN THE EXACT ORDER LISTED.

1. Download the following programs:

a. Download CWShredder.exe and save it to a folder of its own.
Download it from here:
http://www.trendmicro.com/cwshredder/
Start the program, and click on the Check for Update button. If an update is available then download and install it.
DO NOT RUN IT YET.


b. Then please download About:Buster from here:
http://www.malwarebytes.biz/AboutBuster5.zip
Unzip it to the desktop, run it, Check for Updates, and update the files, but do NOT run a scan yet.


c. Download cwsserviceremove.zip and unzip the contents to your desktop.
Locate the cwsserviceremove.reg file and right-click on it. Choose the Merge option and answer Yes or Ok to any further prompts to merge the file into the registry. You should receive a message that the file was merged successfully.


d. Please download ewido security suite; it is a free version of the program.
*Install ewido security suite.
*When installing, under "Additional Options" uncheck:
*Install background guard
*Install scan via context menu
*Launch ewido, there should be an icon on your desktop, double-click it.
*The program will now open to the main screen.
*When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

*You will need to update ewido to the latest definition files.
*On the left hand side of the main screen click update.
*Then click on Start Update.

*The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
*Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

e. Click here to download Pocket Killbox by Option^Explicit. Save it to a folder. DO NOT RUN IT YET.


f. Download CCleaner and install it, but do not run it yet.


g. Please download/install/configure/update Spybot Search & Destroy and AdAware.

Follow the instructions in the following tutorials, EXCEPT THE SCANS - we will do these in Safe Mode in another step:
(You may want to print these for reference)

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


2. Start in Safe Mode Using the F8 method:
* Restart the computer.
* As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press the Enter key.

If you are having problems, additional instructions on how to do this can be found here: How to start Windows in Safe mode.


3. Open CWShredder:

Click Fix -> and click OK at the prompt.

CWShredder will scan and clean your system of CWS files.

Click Next-> and then Exit.


4. Then please run About:Buster and click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved. I will want to see this logfile later.


5. Now run CCleaner.
  • Uncheck "Cookies" under "Internet Explorer".
  • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
  • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
6. Now open ewido and do a scan of your system.
a. Click on scanner
b. Click on Complete System Scan and the scan will begin.
c. You will be prompted to clean the first infection.
d. Select "Perform action on all infections", then proceed.
e. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
f. Click Save report.
g. Save the report .txt file to your desktop or a location where you can find it easily.


7. Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F6ED913D-FAB1-F1A5-C359-4E2B2AC7B284} - C:\WINDOWS\system32\mfcid.dll
O2 - BHO: Class - {F7AAF518-F4CD-02BF-5C23-F0D9E2D6BD30} - C:\WINDOWS\system32\sdkjn.dll
O2 - BHO: Class - {F8008B13-FD1D-9DAB-25AF-95EAB9FA0AC5} - C:\WINDOWS\javaah.dll
O4 - HKLM\..\Run: [wingm.exe] C:\WINDOWS\system32\wingm.exe
O4 - HKLM\..\Run: [sdkov.exe] C:\WINDOWS\sdkov.exe
O4 - HKLM\..\Run: [msyc.exe] C:\WINDOWS\msyc.exe
O4 - HKLM\..\RunOnce: [crab32.exe] C:\WINDOWS\crab32.exe
O4 - HKLM\..\RunOnce: [sdkdg32.exe] C:\WINDOWS\system32\sdkdg32.exe
O4 - HKLM\..\RunOnce: [atlnf.exe] C:\WINDOWS\atlnf.exe
O4 - HKLM\..\RunOnce: [netub32.exe] C:\WINDOWS\system32\netub32.exe
O4 - HKLM\..\RunOnce: [ntif32.exe] C:\WINDOWS\system32\ntif32.exe
O4 - HKLM\..\RunOnce: [ipoc32.exe] C:\WINDOWS\ipoc32.exe
O4 - HKLM\..\RunOnce: [addty32.exe] C:\WINDOWS\system32\addty32.exe
O4 - HKLM\..\RunOnce: [crbo.exe] C:\WINDOWS\system32\crbo.exe
O4 - HKLM\..\RunOnce: [mfcpr.exe] C:\WINDOWS\system32\mfcpr.exe
O4 - HKLM\..\RunOnce: [addld.exe] C:\WINDOWS\addld.exe
O4 - HKLM\..\RunOnce: [iecd32.exe] C:\WINDOWS\iecd32.exe
O4 - HKLM\..\RunOnce: [crme.exe] C:\WINDOWS\system32\crme.exe
O4 - HKLM\..\RunOnce: [d3sb32.exe] C:\WINDOWS\d3sb32.exe
O4 - HKLM\..\RunOnce: [netlu32.exe] C:\WINDOWS\system32\netlu32.exe
O4 - HKLM\..\RunOnce: [mfcow32.exe] C:\WINDOWS\mfcow32.exe
O4 - HKLM\..\RunOnce: [winnl.exe] C:\WINDOWS\system32\winnl.exe
O4 - HKLM\..\RunOnce: [crmb32.exe] C:\WINDOWS\system32\crmb32.exe
O4 - HKLM\..\RunOnce: [sdkhf.exe] C:\WINDOWS\system32\sdkhf.exe
O4 - HKLM\..\RunOnce: [atlgu32.exe] C:\WINDOWS\system32\atlgu32.exe
O4 - HKLM\..\RunOnce: [addqb.exe] C:\WINDOWS\system32\addqb.exe
O4 - HKLM\..\RunOnce: [apioq32.exe] C:\WINDOWS\system32\apioq32.exe
O4 - HKLM\..\RunOnce: [addgr32.exe] C:\WINDOWS\system32\addgr32.exe
O4 - HKLM\..\RunOnce: [mswh32.exe] C:\WINDOWS\mswh32.exe
O4 - HKLM\..\RunOnce: [ieep.exe] C:\WINDOWS\ieep.exe
O4 - HKLM\..\RunOnce: [d3fx.exe] C:\WINDOWS\system32\d3fx.exe
O4 - HKLM\..\RunOnce: [sdkok.exe] C:\WINDOWS\system32\sdkok.exe
O4 - HKLM\..\RunOnce: [appum32.exe] C:\WINDOWS\appum32.exe
O4 - HKLM\..\RunOnce: [nettt32.exe] C:\WINDOWS\nettt32.exe
O4 - HKLM\..\RunOnce: [atlox.exe] C:\WINDOWS\system32\atlox.exe
O4 - HKLM\..\RunOnce: [sdksp.exe] C:\WINDOWS\system32\sdksp.exe
O4 - HKLM\..\RunOnce: [winmd32.exe] C:\WINDOWS\winmd32.exe
O4 - HKLM\..\RunOnce: [atlrf32.exe] C:\WINDOWS\system32\atlrf32.exe
O4 - HKLM\..\RunOnce: [mfczn.exe] C:\WINDOWS\system32\mfczn.exe
O4 - HKLM\..\RunOnce: [apido.exe] C:\WINDOWS\apido.exe
O4 - HKLM\..\RunOnce: [sysex32.exe] C:\WINDOWS\system32\sysex32.exe
O4 - HKLM\..\RunOnce: [sdkbv.exe] C:\WINDOWS\sdkbv.exe
O4 - HKLM\..\RunOnce: [mstg.exe] C:\WINDOWS\system32\mstg.exe
O4 - HKLM\..\RunOnce: [ipsw32.exe] C:\WINDOWS\system32\ipsw32.exe
O4 - HKLM\..\RunOnce: [atlru.exe] C:\WINDOWS\system32\atlru.exe
O4 - HKLM\..\RunOnce: [ntgr32.exe] C:\WINDOWS\ntgr32.exe
O4 - HKLM\..\RunOnce: [mfctb32.exe] C:\WINDOWS\mfctb32.exe
O4 - HKLM\..\RunOnce: [ipyf.exe] C:\WINDOWS\system32\ipyf.exe
O4 - HKLM\..\RunOnce: [apihg32.exe] C:\WINDOWS\apihg32.exe
O4 - HKLM\..\RunOnce: [sysaz.exe] C:\WINDOWS\system32\sysaz.exe
O4 - HKLM\..\RunOnce: [addta32.exe] C:\WINDOWS\addta32.exe
O4 - HKLM\..\RunOnce: [atlfl.exe] C:\WINDOWS\atlfl.exe
O4 - HKLM\..\RunOnce: [sdkcq32.exe] C:\WINDOWS\system32\sdkcq32.exe
O4 - HKLM\..\RunOnce: [javacy.exe] C:\WINDOWS\system32\javacy.exe
O4 - HKLM\..\RunOnce: [winlh.exe] C:\WINDOWS\winlh.exe
O4 - HKLM\..\RunOnce: [javakx32.exe] C:\WINDOWS\javakx32.exe
O4 - HKLM\..\RunOnce: [addhc32.exe] C:\WINDOWS\addhc32.exe
O4 - HKLM\..\RunOnce: [msyj32.exe] C:\WINDOWS\system32\msyj32.exe
O4 - HKLM\..\RunOnce: [atlps32.exe] C:\WINDOWS\atlps32.exe
O4 - HKLM\..\RunOnce: [crpa.exe] C:\WINDOWS\system32\crpa.exe
O4 - HKLM\..\RunOnce: [sdkfv.exe] C:\WINDOWS\system32\sdkfv.exe
O4 - HKLM\..\RunOnce: [atlec32.exe] C:\WINDOWS\system32\atlec32.exe
O4 - HKLM\..\RunOnce: [javasr32.exe] C:\WINDOWS\system32\javasr32.exe
O4 - HKLM\..\RunOnce: [d3sp.exe] C:\WINDOWS\system32\d3sp.exe
O4 - HKLM\..\RunOnce: [javapm.exe] C:\WINDOWS\system32\javapm.exe
O4 - HKLM\..\RunOnce: [javavb.exe] C:\WINDOWS\system32\javavb.exe
O4 - HKLM\..\RunOnce: [mfcjg.exe] C:\WINDOWS\mfcjg.exe
O4 - HKLM\..\RunOnce: [crdr.exe] C:\WINDOWS\system32\crdr.exe
O4 - HKLM\..\RunOnce: [ntky.exe] C:\WINDOWS\system32\ntky.exe
O4 - HKLM\..\RunOnce: [mfcdr32.exe] C:\WINDOWS\mfcdr32.exe
O4 - HKLM\..\RunOnce: [apiok.exe] C:\WINDOWS\apiok.exe
O4 - HKLM\..\RunOnce: [winna32.exe] C:\WINDOWS\winna32.exe
O4 - HKLM\..\RunOnce: [d3lp32.exe] C:\WINDOWS\system32\d3lp32.exe
O4 - HKLM\..\RunOnce: [addbh.exe] C:\WINDOWS\addbh.exe
O4 - HKLM\..\RunOnce: [msyq32.exe] C:\WINDOWS\system32\msyq32.exe
O4 - HKLM\..\RunOnce: [sdkvs.exe] C:\WINDOWS\system32\sdkvs.exe
O4 - HKLM\..\RunOnce: [appip.exe] C:\WINDOWS\system32\appip.exe
O4 - HKLM\..\RunOnce: [javawg32.exe] C:\WINDOWS\system32\javawg32.exe
O4 - HKLM\..\RunOnce: [appca32.exe] C:\WINDOWS\system32\appca32.exe
O4 - HKLM\..\RunOnce: [syslv.exe] C:\WINDOWS\syslv.exe
O4 - HKLM\..\RunOnce: [ntmj32.exe] C:\WINDOWS\system32\ntmj32.exe
O4 - HKLM\..\RunOnce: [sdkmu.exe] C:\WINDOWS\system32\sdkmu.exe
O4 - HKLM\..\RunOnce: [winkx32.exe] C:\WINDOWS\winkx32.exe
O4 - HKLM\..\RunOnce: [mfcsm.exe] C:\WINDOWS\mfcsm.exe
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)


Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.


8. Make sure you're able to view hidden files.

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold below in the Full Path of File to Delete box in Killbox, and click the red button with the white X on it after each (not the close button in the top right corner). Keep track of any files it tells you could not be found or could not be deleted, as you'll need those later:

C:\WINDOWS\addta32.exe
C:\WINDOWS\addbh.exe
C:\WINDOWS\addhc32.exe
C:\WINDOWS\addld.exe
C:\WINDOWS\apido.exe
C:\WINDOWS\apiok.exe
C:\WINDOWS\appum32.exe
C:\WINDOWS\apihg32.exe
C:\WINDOWS\atlps32.exe
C:\WINDOWS\atlnf.exe
C:\WINDOWS\atlfl.exe
C:\WINDOWS\crab32.exe
C:\WINDOWS\d3sb32.exe
C:\WINDOWS\ipoc32.exe
C:\WINDOWS\ieep.exe
C:\WINDOWS\iecd32.exe
C:\WINDOWS\javaah.dll
C:\WINDOWS\javakx32.exe
C:\WINDOWS\mfcsm.exe
C:\WINDOWS\msyc.exe
C:\WINDOWS\mfcdr32.exe
C:\WINDOWS\mfcjg.exe
C:\WINDOWS\mfcow32.exe
C:\WINDOWS\mswh32.exe
C:\WINDOWS\mfctb32.exe
C:\WINDOWS\ntgr32.exe
C:\WINDOWS\nettt32.exe
C:\WINDOWS\sdkov.exe
C:\WINDOWS\sdkbv.exe
C:\WINDOWS\syslv.exe
C:\WINDOWS\winkx32.exe
C:\WINDOWS\winna32.exe
C:\WINDOWS\winmd32.exe
C:\WINDOWS\winlh.exe
C:\WINDOWS\system32\atlgu32.exe
C:\WINDOWS\system32\addqb.exe
C:\WINDOWS\system32\apioq32.exe
C:\WINDOWS\system32\addgr32.exe
C:\WINDOWS\system32\atlrf32.exe
C:\WINDOWS\system32\appca32.exe
C:\WINDOWS\system32\appip.exe
C:\WINDOWS\system32\atlox.exe
C:\WINDOWS\system32\atlru.exe
C:\WINDOWS\system32\atlec32.exe
C:\WINDOWS\system32\addty32.exe
C:\WINDOWS\system32\crpa.exe
C:\WINDOWS\system32\crme.exe
C:\WINDOWS\system32\crdr.exe
C:\WINDOWS\system32\crbo.exe
C:\WINDOWS\system32\crmb32.exe
C:\WINDOWS\system32\d3sp.exe
C:\WINDOWS\system32\d3fx.exe
C:\WINDOWS\system32\d3lp32.exe
C:\WINDOWS\system32\ipyf.exe
C:\WINDOWS\system32\ipsw32.exe
C:\WINDOWS\system32\javacy.exe
C:\WINDOWS\system32\javasr32.exe
C:\WINDOWS\system32\javawg32.exe
C:\WINDOWS\system32\javapm.exe
C:\WINDOWS\system32\javavb.exe
C:\WINDOWS\system32\msyj32.exe
C:\WINDOWS\system32\mfcid.dll
C:\WINDOWS\system32\mstg.exe
C:\WINDOWS\system32\mfczn.exe
C:\WINDOWS\system32\mfcpr.exe
C:\WINDOWS\system32\msyq32.exe
C:\WINDOWS\system32\ntky.exe
C:\WINDOWS\system32\ntmj32.exe
C:\WINDOWS\system32\netub32.exe
C:\WINDOWS\system32\ntif32.exe
C:\WINDOWS\system32\netlu32.exe
C:\WINDOWS\system32\sysaz.exe
C:\WINDOWS\system32\sdkcq32.exe
C:\WINDOWS\system32\sdksp.exe
C:\WINDOWS\system32\sdkok.exe
C:\WINDOWS\system32\sdkfv.exe
C:\WINDOWS\system32\sdkvs.exe
C:\WINDOWS\system32\sdkmu.exe
C:\WINDOWS\system32\sdkjn.dll
C:\WINDOWS\system32\sdkdg32.exe
C:\WINDOWS\system32\sdkhf.exe
C:\WINDOWS\system32\sysex32.exe
C:\WINDOWS\system32\wingm.exe
C:\WINDOWS\system32\winnl.exe


For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to Delete on Reboot. Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.


9. Run a full scan with Ad-aware and SpyBot. Remove all items that are found in the scans.

Restart your computer.


10. Try this online scan under Firefox:
Trend Micro Housecall - http://uk.trendmicro-europe.com/consumer/h...call_launch.php
(European version, supports Netscape, Mozilla, Firefox and Opera)
Then let us know how things are running.


Then please restart your computer in Normal Mode, and post a new HijackThis log, as well as the logs from AboutBuster and Ewido.
JC
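Added example, not code from this thread, from HijackThis or from any of the tools named above: a small Python triage script that parses HijackThis log lines in the format posted above and applies the same judgements the reply's step 7 and step 8 make (blanked start pages, missing URLSearchHook, unnamed BHOs, random-named Run/RunOnce binaries dropped straight into the Windows folder, an orphaned O9 button, a service with an unknown owner), then derives the file list handed to Killbox. The RANDOM_NAME pattern and the sample log subset are constructed for this example and are assumptions, not a general malware signature.

```python
"""Triage a HijackThis v1.99.1 log for the CoolWebSearch-style pattern in this thread.
Example code written for this page (not HijackThis's own logic); the heuristics mirror
what the helper ticked in step 7 and the files Killbox is given in step 8.
"""
import re

# Name shape seen throughout this log: familiar prefix + two random letters + optional
# "32" + .exe/.dll.  A heuristic tuned to this thread's log, not a general signature.
RANDOM_NAME = re.compile(
    r"^(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.(exe|dll)$",
    re.IGNORECASE)
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed sample: a subset of the posted log plus legitimate lines as controls.
# The garbled service name from the real log is simplified to "(NSS)" here.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {F6ED913D-FAB1-F1A5-C359-4E2B2AC7B284} - C:\WINDOWS\system32\mfcid.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [wingm.exe] C:\WINDOWS\system32\wingm.exe
O4 - HKLM\..\RunOnce: [crab32.exe] C:\WINDOWS\crab32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\crab32.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

def _split_path(target):
    """(directory, filename) of an O4 target, ignoring quotes and trailing switches."""
    target = re.split(r'\s+[-/]', target.strip().strip('"'), maxsplit=1)[0].strip('"')
    directory, _, filename = target.rpartition("\\")
    return directory.lower(), filename

def suspicious_reason(line):
    """Why a single HijackThis line looks like part of this infection, or None."""
    section, _, body = line.partition(" - ")
    body = body.rstrip()
    if section in ("R0", "R1") and (body.endswith("= about:blank") or body.endswith("=")):
        return "start page hijacked or blanked"
    if section == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    if section == "O2" and body.startswith("BHO: Class -"):
        return "unnamed BHO"
    if section == "O4":
        m = re.match(r"(HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[[^\]]+\] (.*)", body)
        if m:
            directory, filename = _split_path(m.group(3))
            if directory in WINDOWS_DIRS and RANDOM_NAME.match(filename):
                return f"random-named {m.group(2)} entry in Windows dir"
    if section == "O9" and "(no name)" in body and body.endswith("(no file)"):
        return "orphaned button (no name, no file)"
    if section == "O23" and "- Unknown owner -" in body:
        return "service with unknown owner"
    return None

def triage(log_text):
    """[(line, reason)] for every suspicious line: the list to tick in step 7."""
    found = []
    for line in log_text.splitlines():
        reason = suspicious_reason(line.strip())
        if reason:
            found.append((line.strip(), reason))
    return found

def killbox_paths(log_text):
    """File paths behind flagged O2/O4 lines: the deletion list for step 8."""
    paths = set()
    for line, _ in triage(log_text):
        if line.startswith("O2 "):
            paths.add(line.rsplit(" - ", 1)[1])
        elif line.startswith("O4 "):
            paths.add(line.split("] ", 1)[1])
    return sorted(paths, key=str.lower)

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:38} {line}")
```

Legitimate entries in the sample (Symantec, SoundMan, ctfmon, the Google BHO) pass through unflagged, which is the control a practitioner should check before trusting any such heuristic on a fresh log.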

#4 godfather

godfather
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:40 PM

Posted 09 August 2005 - 01:52 AM

:thumbsup: :flowers: :trumpet: :bike:

Thank you for your help

Everything is OK now.



:inlove: :cool: :)

#5 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:40 AM

Posted 09 August 2005 - 06:04 AM

I am happy everything appears better with your computer. :thumbsup:

Could you paste another HijackThis log, as well as the AboutBuster and Ewido logs that I requested above? This infection is difficult to remove, so there still might be some items hanging around that will infect your computer again.
JC

#6 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:12:40 AM

Posted 27 August 2005 - 07:57 PM

Since this issue appears to be resolved, this topic is now closed. godfather, if your issues reappear, please contact staff to have this topic reopened. For any new issues please start another thread.

Anyone else with a similar problem, please start a topic of your own.
JC



