Please help me get rid of coolWWWSearch


13 replies to this topic

#1 chillinb


Posted 30 August 2005 - 04:56 AM

Hi, I am having trouble getting rid of CoolWWWSearch.Aff.Winshow and Trek Blue Error Nuker. I have run Spybot and Ad-Aware and run HijackThis. The logfile is below. When using IE my homepage keeps getting reset to about:blank and I get pop-ups.
Please help.


Logfile of HijackThis v1.99.1
Scan saved at 10:34:49, on 30/08/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\IPSQ.EXE
C:\WINDOWS\IECZ.EXE
C:\WINDOWS\APIVH32.EXE
C:\WINDOWS\APPBU32.EXE
C:\WINDOWS\SYSTEM\ATLVC32.EXE
C:\WINDOWS\SYSTEM\IPXX32.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\APIHY32.EXE
C:\WINDOWS\JAVAFA32.EXE
C:\WINDOWS\SYSTEM\MSNJ32.EXE
C:\WINDOWS\SYSTEM\JAVAKS.EXE
C:\WINDOWS\SYSTEM\WINFC.EXE
C:\WINDOWS\IEXS32.EXE
C:\WINDOWS\WINCR.EXE
C:\WINDOWS\APPFM32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\IPRW32.EXE
C:\WINDOWS\APIJN.EXE
C:\WINDOWS\APPWS32.EXE
C:\WINDOWS\SYSTEM\IPWX.EXE
C:\WINDOWS\MFCLF.EXE
C:\WINDOWS\JAVAVG32.EXE
C:\WINDOWS\ADDOG.EXE
C:\WINDOWS\CRLE32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\WINDOWS\WINNS32.EXE
C:\WINDOWS\APPFM32.EXE
C:\WINDOWS\SYSTEM\IPSQ.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 2.1\STIMGBROWSER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\IECZ.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.oceanfree.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {A22E1013-83C1-DCC1-C0B0-A96565205F55} - C:\WINDOWS\SYSRO32.DLL
O2 - BHO: Class - {6C4F9A94-4854-1F26-89B4-8A77FF2F7674} - C:\WINDOWS\IPJM.DLL
O2 - BHO: Class - {F8F78A55-0101-C0E3-D286-3EADE0CB6313} - C:\WINDOWS\ADDEJ32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [WINNS32.EXE] C:\WINDOWS\WINNS32.EXE
O4 - HKLM\..\Run: [JAVADR32.EXE] C:\WINDOWS\JAVADR32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [IPSQ.EXE] C:\WINDOWS\SYSTEM\IPSQ.EXE /s
O4 - HKLM\..\RunServices: [IECZ.EXE] C:\WINDOWS\IECZ.EXE /s
O4 - HKLM\..\RunServices: [APIVH32.EXE] C:\WINDOWS\APIVH32.EXE /s
O4 - HKLM\..\RunServices: [APPBU32.EXE] C:\WINDOWS\APPBU32.EXE /s
O4 - HKLM\..\RunServices: [ATLVC32.EXE] C:\WINDOWS\SYSTEM\ATLVC32.EXE /s
O4 - HKLM\..\RunServices: [IPXX32.EXE] C:\WINDOWS\SYSTEM\IPXX32.EXE /s
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [APIHY32.EXE] C:\WINDOWS\APIHY32.EXE /s
O4 - HKLM\..\RunServices: [JAVAFA32.EXE] C:\WINDOWS\JAVAFA32.EXE /s
O4 - HKLM\..\RunServices: [MSNJ32.EXE] C:\WINDOWS\SYSTEM\MSNJ32.EXE /s
O4 - HKLM\..\RunServices: [JAVAKS.EXE] C:\WINDOWS\SYSTEM\JAVAKS.EXE /s
O4 - HKLM\..\RunServices: [WINFC.EXE] C:\WINDOWS\SYSTEM\WINFC.EXE /s
O4 - HKLM\..\RunServices: [IEXS32.EXE] C:\WINDOWS\IEXS32.EXE /s
O4 - HKLM\..\RunServices: [WINCR.EXE] C:\WINDOWS\WINCR.EXE /s
O4 - HKLM\..\RunServices: [APPFM32.EXE] C:\WINDOWS\APPFM32.EXE /s
O4 - HKLM\..\RunServices: [IPRW32.EXE] C:\WINDOWS\IPRW32.EXE /s
O4 - HKLM\..\RunServices: [APIJN.EXE] C:\WINDOWS\APIJN.EXE /s
O4 - HKLM\..\RunServices: [APPWS32.EXE] C:\WINDOWS\APPWS32.EXE /s
O4 - HKLM\..\RunServices: [IPWX.EXE] C:\WINDOWS\SYSTEM\IPWX.EXE /s
O4 - HKLM\..\RunServices: [MFCLF.EXE] C:\WINDOWS\MFCLF.EXE /s
O4 - HKLM\..\RunServices: [JAVAVG32.EXE] C:\WINDOWS\JAVAVG32.EXE /s
O4 - HKLM\..\RunServices: [ADDOG.EXE] C:\WINDOWS\ADDOG.EXE /s
O4 - HKLM\..\RunServices: [CRLE32.EXE] C:\WINDOWS\CRLE32.EXE /s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Digimax Viewer 2.1.lnk = C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.euro.dell.com/countries/ie/enu/gen/default.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.euro.dell.com/countries/ie/enu/gen/default.htm
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://E:\VJ98\VSTUDIO6.CAB
O16 - DPF: Microsoft WFC Forms Designer - file://E:\VJ98\WFCFORMS.CAB
O16 - DPF: {615A03F8-74F1-4497-8789-45E92308E208} (VivioAX Control) - http://www.cs.tcd.ie/Jeremy.Jones/vivio/vivioAX.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3uk.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab



#2 OldTimer

    Malware Expert



Posted 01 September 2005 - 11:51 AM

Hello chillinb and welcome to the BC HijackThis forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A22E1013-83C1-DCC1-C0B0-A96565205F55} - C:\WINDOWS\SYSRO32.DLL
O2 - BHO: Class - {6C4F9A94-4854-1F26-89B4-8A77FF2F7674} - C:\WINDOWS\IPJM.DLL
O2 - BHO: Class - {F8F78A55-0101-C0E3-D286-3EADE0CB6313} - C:\WINDOWS\ADDEJ32.DLL
O4 - HKLM\..\Run: [WINNS32.EXE] C:\WINDOWS\WINNS32.EXE
O4 - HKLM\..\Run: [JAVADR32.EXE] C:\WINDOWS\JAVADR32.EXE
O4 - HKLM\..\RunServices: [IPSQ.EXE] C:\WINDOWS\SYSTEM\IPSQ.EXE /s
O4 - HKLM\..\RunServices: [IECZ.EXE] C:\WINDOWS\IECZ.EXE /s
O4 - HKLM\..\RunServices: [APIVH32.EXE] C:\WINDOWS\APIVH32.EXE /s
O4 - HKLM\..\RunServices: [APPBU32.EXE] C:\WINDOWS\APPBU32.EXE /s
O4 - HKLM\..\RunServices: [ATLVC32.EXE] C:\WINDOWS\SYSTEM\ATLVC32.EXE /s
O4 - HKLM\..\RunServices: [IPXX32.EXE] C:\WINDOWS\SYSTEM\IPXX32.EXE /s
O4 - HKLM\..\RunServices: [APIHY32.EXE] C:\WINDOWS\APIHY32.EXE /s
O4 - HKLM\..\RunServices: [JAVAFA32.EXE] C:\WINDOWS\JAVAFA32.EXE /s
O4 - HKLM\..\RunServices: [MSNJ32.EXE] C:\WINDOWS\SYSTEM\MSNJ32.EXE /s
O4 - HKLM\..\RunServices: [JAVAKS.EXE] C:\WINDOWS\SYSTEM\JAVAKS.EXE /s
O4 - HKLM\..\RunServices: [WINFC.EXE] C:\WINDOWS\SYSTEM\WINFC.EXE /s
O4 - HKLM\..\RunServices: [IEXS32.EXE] C:\WINDOWS\IEXS32.EXE /s
O4 - HKLM\..\RunServices: [WINCR.EXE] C:\WINDOWS\WINCR.EXE /s
O4 - HKLM\..\RunServices: [APPFM32.EXE] C:\WINDOWS\APPFM32.EXE /s
O4 - HKLM\..\RunServices: [IPRW32.EXE] C:\WINDOWS\IPRW32.EXE /s
O4 - HKLM\..\RunServices: [APIJN.EXE] C:\WINDOWS\APIJN.EXE /s
O4 - HKLM\..\RunServices: [APPWS32.EXE] C:\WINDOWS\APPWS32.EXE /s
O4 - HKLM\..\RunServices: [IPWX.EXE] C:\WINDOWS\SYSTEM\IPWX.EXE /s
O4 - HKLM\..\RunServices: [MFCLF.EXE] C:\WINDOWS\MFCLF.EXE /s
O4 - HKLM\..\RunServices: [JAVAVG32.EXE] C:\WINDOWS\JAVAVG32.EXE /s
O4 - HKLM\..\RunServices: [ADDOG.EXE] C:\WINDOWS\ADDOG.EXE /s
O4 - HKLM\..\RunServices: [CRLE32.EXE] C:\WINDOWS\CRLE32.EXE /s

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\SYSRO32.DLL
C:\WINDOWS\IPJM.DLL
C:\WINDOWS\ADDEJ32.DLL
C:\WINDOWS\WINNS32.EXE
C:\WINDOWS\JAVADR32.EXE
C:\WINDOWS\IEXS32.EXE
C:\WINDOWS\WINCR.EXE
C:\WINDOWS\APPFM32.EXE
C:\WINDOWS\IPRW32.EXE
C:\WINDOWS\APIJN.EXE
C:\WINDOWS\APPWS32.EXE
C:\WINDOWS\IECZ.EXE
C:\WINDOWS\APIVH32.EXE
C:\WINDOWS\APPBU32.EXE
C:\WINDOWS\APIHY32.EXE
C:\WINDOWS\JAVAFA32.EXE
C:\WINDOWS\MFCLF.EXE
C:\WINDOWS\JAVAVG32.EXE
C:\WINDOWS\ADDOG.EXE
C:\WINDOWS\CRLE32.EXE
C:\WINDOWS\SYSTEM\IPSQ.EXE
C:\WINDOWS\SYSTEM\ATLVC32.EXE
C:\WINDOWS\SYSTEM\IPXX32.EXE
C:\WINDOWS\SYSTEM\MSNJ32.EXE
C:\WINDOWS\SYSTEM\JAVAKS.EXE
C:\WINDOWS\SYSTEM\WINFC.EXE
C:\WINDOWS\SYSTEM\IPWX.EXE

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:
Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 chillinb


Posted 05 September 2005 - 08:04 PM

Thanks for getting back to me. I have done everything listed. Below is the new log file.

I had a couple of problems. When using the BitDefender online scan the following files could not be deleted.
Windows\system\msnj32.exe
Windows\alter32.exe
Windows\sdkxg32.exe
Windows\apivh32.exe
Windows\addit32.exe
Windows\sysrb.exe

I deleted them by rebooting in safe mode and deleting them manually.
When I tried to use the scan on Trend Micro I was redirected to some adult site! The other online scans came back clean. Ad-Aware found 19 critical objects, all were CoolWebSearch. The first time I used Ad-Aware it froze at the delete stage but I redid the scan and it deleted the second time. I would appreciate any more advice,
Thanks again


Logfile of HijackThis v1.99.1
Scan saved at 01:51:19, on 06/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\APIVH32.EXE
C:\WINDOWS\D3SJ32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\WINDOWS\D3KH.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 2.1\STIMGBROWSER.EXE
C:\WINDOWS\APIVH32.EXE
C:\WINDOWS\D3SJ32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.oceanfree.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xgwux.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xgwux.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xgwux.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xgwux.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {71F3E61A-9FC2-684B-270A-33AEBC0E2EC0} - C:\WINDOWS\CRWG32.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SDKXG32.EXE] C:\WINDOWS\SDKXG32.EXE
O4 - HKLM\..\Run: [D3KH.EXE] C:\WINDOWS\D3KH.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [SYSRB.EXE] C:\WINDOWS\SYSRB.EXE /s
O4 - HKLM\..\RunServices: [MSNJ32.EXE] C:\WINDOWS\SYSTEM\MSNJ32.EXE /s
O4 - HKLM\..\RunServices: [APIVH32.EXE] C:\WINDOWS\APIVH32.EXE /s
O4 - HKLM\..\RunServices: [ATLER32.EXE] C:\WINDOWS\ATLER32.EXE /s
O4 - HKLM\..\RunServices: [ADDIT32.EXE] C:\WINDOWS\ADDIT32.EXE /s
O4 - HKLM\..\RunServices: [D3SJ32.EXE] C:\WINDOWS\D3SJ32.EXE /s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Digimax Viewer 2.1.lnk = C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3uk.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

#4 OldTimer

OldTimer

    Malware Expert



Posted 06 September 2005 - 02:05 PM

Hi chillinb. Ok, now we have a CWS infection showing so let's do a fix for that. Please print these directions and then proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download CCleaner and install it but do not run it yet.

Step #2

Restart in Safe Mode
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xgwux.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xgwux.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xgwux.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xgwux.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {71F3E61A-9FC2-684B-270A-33AEBC0E2EC0} - C:\WINDOWS\CRWG32.DLL
O4 - HKLM\..\Run: [SDKXG32.EXE] C:\WINDOWS\SDKXG32.EXE
O4 - HKLM\..\Run: [D3KH.EXE] C:\WINDOWS\D3KH.EXE
O4 - HKLM\..\RunServices: [SYSRB.EXE] C:\WINDOWS\SYSRB.EXE /s
O4 - HKLM\..\RunServices: [MSNJ32.EXE] C:\WINDOWS\SYSTEM\MSNJ32.EXE /s
O4 - HKLM\..\RunServices: [APIVH32.EXE] C:\WINDOWS\APIVH32.EXE /s
O4 - HKLM\..\RunServices: [ATLER32.EXE] C:\WINDOWS\ATLER32.EXE /s
O4 - HKLM\..\RunServices: [ADDIT32.EXE] C:\WINDOWS\ADDIT32.EXE /s
O4 - HKLM\..\RunServices: [D3SJ32.EXE] C:\WINDOWS\D3SJ32.EXE /s

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\xgwux.dll
C:\WINDOWS\CRWG32.DLL
C:\WINDOWS\SDKXG32.EXE
C:\WINDOWS\D3KH.EXE
C:\WINDOWS\SYSRB.EXE
C:\WINDOWS\APIVH32.EXE
C:\WINDOWS\ATLER32.EXE
C:\WINDOWS\ADDIT32.EXE
C:\WINDOWS\D3SJ32.EXE
C:\WINDOWS\SYSTEM\MSNJ32.EXE

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Run CWShredder
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
Step #7

Reboot normally and run at least 2 of the following on-line virus scans:
Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #8

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #9

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
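
As an added example (my own code, not OldTimer's tool or anything posted in this thread), this Python script encodes the pattern behind the two fix lists above: res:// search hijacks, the unnamed "Class" BHOs sitting directly in C:\WINDOWS, and the O4 Run/RunServices entries whose label is just the executable's own filename. The sample lines are taken from the logs in this thread; the `triage_hjt_log` name, the heuristics and the regular expressions are my own assumptions, not a general-purpose rule.

```python
r"""Triage a HijackThis 1.99.1 log for the CoolWebSearch/Winshow pattern seen in this thread.

Heuristics, taken from the entries the helper asked to have fixed (not a general rule):
  * R0/R1 entries pointing IE's search or start pages at a res:// URL inside a DLL
  * R1 Default_Page_URL = about:blank under HKLM
  * R3 "Default URLSearchHook is missing"
  * O2 BHOs with no descriptive name ("Class") whose DLL sits directly in
    C:\WINDOWS or C:\WINDOWS\SYSTEM
  * O4 Run/RunServices entries whose label is just the executable's own filename
    (e.g. [IPSQ.EXE] C:\WINDOWS\SYSTEM\IPSQ.EXE /s) and which live in those folders
Entries that do not match are left alone, so the stock Windows ME autostarts
(TaskMonitor, SchedulingAgent, KB891711, ...) are not flagged.
"""
import re

# Folders the droppers in this thread used; anything in a deeper subfolder is ignored.
WIN_DIRS = (r"c:\windows", r"c:\windows\system")

R_RE = re.compile(r"^R[01] - HK(?:LM|CU)\\.*?,(?P<key>[^=]+)= ?(?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\(?:Run|RunServices): \[(?P<label>[^\]]+)\] (?P<path>\S+).*$"
)


def in_windows_dir(path):
    r"""True if the file sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM."""
    folder = path.lower().rpartition("\\")[0]
    return folder in WIN_DIRS


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def triage_hjt_log(text):
    """Return (entries to 'Fix checked' in HijackThis, files to delete in Safe Mode)."""
    fix, delete = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "R3 - Default URLSearchHook is missing":
            fix.append(line)
            continue
        m = R_RE.match(line)
        if m:
            value = m.group("value").strip()
            if value.lower().startswith("res://"):
                # res://C:\WINDOWS\xgwux.dll/sp.html#28129 -> the DLL is the hijacker
                fix.append(line)
                delete.add(value[len("res://"):].split("/", 1)[0])
            elif value.lower() == "about:blank" and line.startswith("R1 - HKLM"):
                fix.append(line)
            continue
        m = O2_RE.match(line)
        if m and m.group("name").strip() == "Class" and in_windows_dir(m.group("path")):
            fix.append(line)
            delete.add(m.group("path"))
            continue
        m = O4_RE.match(line)
        if m:
            label, path = m.group("label"), m.group("path")
            if label.lower() == basename(path).lower() and in_windows_dir(path):
                fix.append(line)
                delete.add(path)
    return fix, sorted(delete, key=str.lower)


# Constructed sample: a handful of entries from the second log in this thread plus
# some stock Windows ME autostarts that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.oceanfree.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xgwux.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {71F3E61A-9FC2-684B-270A-33AEBC0E2EC0} - C:\WINDOWS\CRWG32.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SDKXG32.EXE] C:\WINDOWS\SDKXG32.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [MSNJ32.EXE] C:\WINDOWS\SYSTEM\MSNJ32.EXE /s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
"""

if __name__ == "__main__":
    to_fix, to_delete = triage_hjt_log(SAMPLE_LOG)
    print("Fix in HijackThis:")
    for entry in to_fix:
        print("  " + entry)
    print("Delete in Safe Mode:")
    for path in to_delete:
        print("  " + path)
```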


#5 chillinb


Posted 06 September 2005 - 07:48 PM

Thanks for getting back to me, OldTimer.
I followed your instructions but am afraid that there is more to be done. The new logfile is below.

This is the report from the online scan
Rav scan
Scan started at 06/09/2005 23:59:36

Scanning memory...
c:\WINDOWS\iyjda.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious
c:\WINDOWS\wkfeg.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious
c:\WINDOWS\SYSTEM\eyfwj.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious
c:\WINDOWS\SYSTEM\fmazn.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious

Scanned
============================
Objects: 33038
Directories: 2373
Archives: 1854
Size(Kb): 287584
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 4
Disinfected files: 0
Mail files: 50


BitDefender: got an “only the best” pop-up and then the link was redirected to a dating service.

eTrust came back clean. Still getting “only the best” pop-ups though!

Unfortunately Ad-Aware found:
  • SearchClick (1 object)
  • CoolWebSearch (22 objects)
  • Possible Browser Hijack attempt (3 objects)
It also hung when deleting and would not delete.




Logfile of HijackThis v1.99.1
Scan saved at 01:44:41, on 07/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\ADDBP.EXE
C:\WINDOWS\SYSTEM\ADDRH32.EXE
C:\WINDOWS\SYSTEM\APIAF32.EXE
C:\WINDOWS\WINHN.EXE
C:\WINDOWS\NETQP.EXE
C:\WINDOWS\SYSTEM\ATLAC32.EXE
C:\WINDOWS\SYSTEM\MFCQT.EXE
C:\WINDOWS\SYSTEM\ATLYN32.EXE
C:\WINDOWS\SYSTEM\NTHQ32.EXE
C:\WINDOWS\APPOW32.EXE
C:\WINDOWS\D3QA32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\NETTQ.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 2.1\STIMGBROWSER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\ADDBP.EXE
C:\WINDOWS\SYSTEM\APIAF32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.oceanfree.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wkfeg.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wkfeg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wkfeg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wkfeg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wkfeg.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wkfeg.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {C894B059-CEE7-1741-7C08-266F6BEF1A2D} - C:\WINDOWS\APISG32.DLL
O2 - BHO: Class - {F3DD3090-9A8D-48DE-8F6E-AE7FDD4BEE46} - C:\WINDOWS\SYSTEM\IPBW.DLL
O2 - BHO: Class - {6B2A6824-C446-FEC4-8D1A-8CBE12C7CF34} - C:\WINDOWS\SYSTEM\APISX32.DLL
O2 - BHO: Class - {23F25594-3C68-A00C-823F-16795B480CEC} - C:\WINDOWS\NTBO.DLL
O2 - BHO: Class - {E14556F1-B376-A147-DB1E-756794286698} - C:\WINDOWS\SYSTEM\IECJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NETTQ.EXE] C:\WINDOWS\SYSTEM\NETTQ.EXE
O4 - HKLM\..\Run: [APPRA.EXE] C:\WINDOWS\APPRA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [ADDBP.EXE] C:\WINDOWS\ADDBP.EXE /s
O4 - HKLM\..\RunServices: [ADDRH32.EXE] C:\WINDOWS\SYSTEM\ADDRH32.EXE /s
O4 - HKLM\..\RunServices: [APIAF32.EXE] C:\WINDOWS\SYSTEM\APIAF32.EXE /s
O4 - HKLM\..\RunServices: [WINHN.EXE] C:\WINDOWS\WINHN.EXE /s
O4 - HKLM\..\RunServices: [NETQP.EXE] C:\WINDOWS\NETQP.EXE /s
O4 - HKLM\..\RunServices: [ATLAC32.EXE] C:\WINDOWS\SYSTEM\ATLAC32.EXE /s
O4 - HKLM\..\RunServices: [MFCQT.EXE] C:\WINDOWS\SYSTEM\MFCQT.EXE /s
O4 - HKLM\..\RunServices: [ATLYN32.EXE] C:\WINDOWS\SYSTEM\ATLYN32.EXE /s
O4 - HKLM\..\RunServices: [NTHQ32.EXE] C:\WINDOWS\SYSTEM\NTHQ32.EXE /s
O4 - HKLM\..\RunServices: [APPOW32.EXE] C:\WINDOWS\APPOW32.EXE /s
O4 - HKLM\..\RunServices: [D3QA32.EXE] C:\WINDOWS\D3QA32.EXE /s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Digimax Viewer 2.1.lnk = C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3uk.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

#6 OldTimer
Malware Expert, Members, 11,092 posts, Gender: Male, Location: North Carolina

Posted 07 September 2005 - 05:43 AM

Hi chillinb. I think there is more here than what the HijackThis log is showing us. Let's run a different scanner and see what it shows us.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

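An added example, written for this thread rather than taken from any post or from HijackThis itself: a short Python script that reads HijackThis 1.99 log lines and flags the CoolWebSearch traits visible in the logs here. It looks for R0/R1 search settings redirected to a res:// page inside a local DLL, O2 BHOs registered only as "Class", and O4 Run/RunServices values whose image is a generated-name executable dropped straight into C:\WINDOWS or C:\WINDOWS\SYSTEM. The prefix list in RANDOM_NAME and the "label equals file name" rule are assumptions fitted to the files in these two logs, not a general signature; the sample lines are copied from the 30 August log in post #1 and the 30 September log in post #7.

```python
"""Flag CoolWebSearch-style persistence in HijackThis 1.99 log lines.
Added example for this thread, not HijackThis code; the name pattern is an assumption."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories the dropper in these logs writes into, with no vendor subfolder.
WINDOWS_DIRS = ("C:\\WINDOWS\\", "C:\\WINDOWS\\SYSTEM\\")
# R0/R1: IE search setting pointing at an HTML resource inside a local DLL.
RES_HIJACK = re.compile(r"^R[0-3] - (?P<key>.+?) = res://(?P<dll>[^/]+)/.*$", re.I)
# O2: Browser Helper Object -> name, CLSID, DLL path.
BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.+)$", re.I)
# O4: Run / RunServices value -> hive, key, label, command line.
RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$", re.I)
# Assumed naming scheme fitted to this thread: familiar-looking prefix, two random
# letters, optional "32", then .EXE/.DLL (ADDBP.EXE, APIAF32.EXE, NTTG32.DLL ...).
RANDOM_NAME = re.compile(
    r"^(ADD|API|APP|ATL|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SDK|SYS|WIN)[A-Z]{2}(32)?\.(EXE|DLL)$", re.I)


@dataclass
class Finding:
    line: str
    path: str
    reasons: list[str]


def image_path(cmd: str) -> str:
    """Executable from a Run value: the quoted path, or else the first token."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_windows_dir(path: str) -> bool:
    # True only for files placed directly in one of WINDOWS_DIRS.
    return path.rsplit("\\", 1)[0].upper() + "\\" in WINDOWS_DIRS


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line, reasons, path = raw.strip(), [], ""
        if m := RES_HIJACK.match(line):
            path = m.group("dll")
            reasons.append("IE search setting points into a DLL resource (res://) instead of a URL")
        elif m := BHO.match(line):
            path = m.group("path")
            if m.group("name").strip().lower() == "class":
                reasons.append("BHO registered with no descriptive name")
            if in_windows_dir(path) and RANDOM_NAME.match(basename(path)):
                reasons.append("BHO DLL with a generated name dropped straight into the Windows directory")
        elif m := RUN.match(line):
            path = image_path(m.group("cmd"))
            if in_windows_dir(path) and RANDOM_NAME.match(basename(path)):
                reasons.append("autorun image with a generated name in the Windows directory")
            if m.group("label").upper() == basename(path).upper():
                reasons.append("Run value labelled with its own file name rather than a product name")
            # The /s switch is only corroborating, so it is noted when something else is already wrong.
            if reasons and m.group("key").lower() == "runservices" and m.group("cmd").rstrip().endswith("/s"):
                reasons.append("RunServices entry started with the same /s switch as the other copies")
        if reasons:
            findings.append(Finding(line, path, reasons))
    return findings


def flagged_names(log_text: str) -> set[str]:
    """Upper-cased file names of everything analyze() flagged, for comparing two logs."""
    return {basename(f.path).upper() for f in analyze(log_text)}


# Lines copied from the 30 August log (post #1) and the 30 September log (post #7).
AUG_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wkfeg.dll/sp.html#28129
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {C894B059-CEE7-1741-7C08-266F6BEF1A2D} - C:\WINDOWS\APISG32.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [NETTQ.EXE] C:\WINDOWS\SYSTEM\NETTQ.EXE
O4 - HKLM\..\RunServices: [ADDBP.EXE] C:\WINDOWS\ADDBP.EXE /s
O4 - HKLM\..\RunServices: [APIAF32.EXE] C:\WINDOWS\SYSTEM\APIAF32.EXE /s
"""
SEP_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
O2 - BHO: Class - {FBB123E6-E2CE-6741-1DBE-B3E56227E7FF} - C:\WINDOWS\NTTG32.DLL
O4 - HKLM\..\Run: [JAVAPQ32.EXE] C:\WINDOWS\SYSTEM\JAVAPQ32.EXE
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\RunServices: [ADDBP.EXE] C:\WINDOWS\ADDBP.EXE /s
O4 - HKLM\..\RunServices: [APIAF32.EXE] C:\WINDOWS\SYSTEM\APIAF32.EXE /s
O4 - HKLM\..\RunServices: [CRCB.EXE] C:\WINDOWS\CRCB.EXE /s
"""

if __name__ == "__main__":
    for label, log in (("30 Aug", AUG_LOG), ("30 Sep", SEP_LOG)):
        print(f"== {label} ==", *(f"  {basename(hit.path)}: {'; '.join(hit.reasons)}" for hit in analyze(log)), sep="\n")
    print("survived the reinstall:", sorted(flagged_names(AUG_LOG) & flagged_names(SEP_LOG)))
    print("new names after it:   ", sorted(flagged_names(SEP_LOG) - flagged_names(AUG_LOG)))
```

Comparing the two logs this way shows ADDBP.EXE and APIAF32.EXE present in both while the rest of the set carries new names after the Windows reinstall, which fits the remark above that the HijackThis log is not showing everything: reinstalling over the top without a format appears to have left whatever drops these files in place to regenerate them. Any flagged path is still something to verify by hand, since the name pattern will also catch a legitimate file that happens to fit it.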

#7 chillinb
Topic Starter, Members, 7 posts

Posted 30 September 2005 - 09:18 AM

Hi OldTimer,

Hope you can continue helping me. Since your last post I have re-installed Windows but did not reformat the disk. Things seem to be getting worse rather than better. Here are the two scans you requested. Any more help will be very appreciated.
Thanks

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows Millennium Edition Version: 4.90.3000
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 03/05/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll

Checking %System% folder...
PTech 09/11/1999 10:55:54 PM 88571 C:\WINDOWS\SYSTEM\MDACRDME.HTM
PEC2 17/06/1998 3944448 C:\WINDOWS\SYSTEM\MFC42D.PDB
PEC2 17/06/1998 2052096 C:\WINDOWS\SYSTEM\MFCD42D.PDB
PEC2 17/06/1998 1454080 C:\WINDOWS\SYSTEM\MFCN42D.PDB
PEC2 17/06/1998 4395008 C:\WINDOWS\SYSTEM\MFCO42D.PDB
PEC2 17/06/1998 8015872 C:\WINDOWS\SYSTEM\MFC42.PDB

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
30/09/2005 02:11:42 PM RH 6668320 C:\WINDOWS\CLASSES.DAT
30/09/2005 02:29:24 PM RH 1372192 C:\WINDOWS\USER.DAT
30/09/2005 02:35:04 PM RH 3366944 C:\WINDOWS\SYSTEM.DAT
12/09/2005 10:47:50 PM H 271 C:\WINDOWS\DESKTOP.INI
12/09/2005 10:47:50 PM H 23155 C:\WINDOWS\FOLDER.HTT
12/09/2005 10:49:04 PM RH 344096 C:\WINDOWS\HWINFO.DAT
30/09/2005 02:11:26 PM H 1107874 C:\WINDOWS\ShellIconCache
14/09/2005 04:33:44 PM H 33310 C:\WINDOWS\ttfCache
30/09/2005 02:29:04 PM H 8314 C:\WINDOWS\PCHEALTH\HELPCTR\DATABASE\HelpSessionHistory.stream
12/09/2005 10:47:50 PM H 23155 C:\WINDOWS\SYSTEM\FOLDER.HTT
12/09/2005 10:47:50 PM H 271 C:\WINDOWS\SYSTEM\DESKTOP.INI
12/09/2005 10:45:56 PM H 9793 C:\WINDOWS\HELP\windows.GID
12/09/2005 10:45:56 PM H 4753 C:\WINDOWS\WEB\WIADEV.HTT
12/09/2005 10:45:56 PM H 18952 C:\WINDOWS\WEB\WIACAM.HTT
12/09/2005 10:45:56 PM H 1574 C:\WINDOWS\WEB\WIASTYLE.CSS
12/09/2005 10:45:56 PM H 2998 C:\WINDOWS\WEB\PICTURES.ICO
12/09/2005 10:45:56 PM H 10134 C:\WINDOWS\WEB\CAMERA.ICO
12/09/2005 10:45:56 PM H 10134 C:\WINDOWS\WEB\STREAM.ICO
12/09/2005 10:47:50 PM H 1535 C:\WINDOWS\WEB\WEBVIEW.CSS
12/09/2005 10:47:50 PM H 18163 C:\WINDOWS\WEB\CONTROLP.HTT
12/09/2005 10:47:50 PM H 4780 C:\WINDOWS\WEB\DEFAULT.HTT
12/09/2005 10:47:50 PM H 3191 C:\WINDOWS\WEB\FOLDER.HTT
12/09/2005 10:47:50 PM H 16287 C:\WINDOWS\WEB\NETHOOD.HTT
12/09/2005 10:47:50 PM H 11034 C:\WINDOWS\WEB\RECYCLE.HTT
12/09/2005 10:47:50 PM H 6391 C:\WINDOWS\WEB\SCHEDULE.HTT
12/09/2005 10:47:50 PM H 9227 C:\WINDOWS\WEB\DIALUP.HTT
12/09/2005 10:47:50 PM H 8246 C:\WINDOWS\WEB\WVLEFT.BMP
12/09/2005 10:47:50 PM H 1749 C:\WINDOWS\WEB\WVLEFT.GIF
12/09/2005 10:47:50 PM H 54 C:\WINDOWS\WEB\WVLINE.GIF
12/09/2005 10:47:50 PM H 9439 C:\WINDOWS\WEB\WVLOGO.GIF
12/09/2005 10:47:50 PM H 90056 C:\WINDOWS\WEB\CLASSIC.BMP
12/09/2005 10:47:50 PM H 641 C:\WINDOWS\WEB\CLASSIC.HTT
12/09/2005 10:47:50 PM H 18100 C:\WINDOWS\WEB\FOLDER.BMP
12/09/2005 10:47:50 PM H 1031 C:\WINDOWS\WEB\STARTER.HTT
12/09/2005 10:47:50 PM H 31080 C:\WINDOWS\WEB\STARTER.BMP
12/09/2005 10:47:50 PM H 18100 C:\WINDOWS\WEB\PREVIEW.BMP
12/09/2005 10:47:50 PM H 18276 C:\WINDOWS\WEB\IMGVIEW.HTT
12/09/2005 10:47:50 PM H 830 C:\WINDOWS\WEB\DESKMOVR.HTT
12/09/2005 10:47:50 PM H 3469 C:\WINDOWS\WEB\SAFEMODE.HTT
12/09/2005 10:47:50 PM H 20510 C:\WINDOWS\WEB\FSRESULT.HTT
12/09/2005 10:47:50 PM H 29797 C:\WINDOWS\WEB\STANDARD.HTT
12/09/2005 10:47:50 PM H 33916 C:\WINDOWS\WEB\WEBVIEW.JS
12/09/2005 10:47:50 PM H 2642 C:\WINDOWS\WEB\EXCLAM.GIF
12/09/2005 10:47:50 PM H 842 C:\WINDOWS\WEB\BULLET.GIF
12/09/2005 10:47:50 PM H 80 C:\WINDOWS\WEB\PLUSHOT.GIF
12/09/2005 10:47:50 PM H 59 C:\WINDOWS\WEB\PLUSCOLD.GIF
12/09/2005 10:47:50 PM H 77 C:\WINDOWS\WEB\MINHOT.GIF
12/09/2005 10:47:50 PM H 56 C:\WINDOWS\WEB\MINCOLD.GIF
12/09/2005 10:47:50 PM H 11870 C:\WINDOWS\WEB\PRINTERS.HTT
12/09/2005 10:47:50 PM H 25217 C:\WINDOWS\WEB\SYSROOT.HTT
12/09/2005 10:47:50 PM H 2848 C:\WINDOWS\WEB\BRFCASE.HTT
12/09/2005 10:47:52 PM H 11083 C:\WINDOWS\WEB\FTP.HTT
12/09/2005 10:45:56 PM H 20150 C:\WINDOWS\WEB\wiastream.htt
27/08/2005 09:44:28 AM H 159 C:\WINDOWS\Desktop\My Briefcase\Briefcase Database
24/08/2005 11:40:22 AM HS 4096 C:\WINDOWS\DRM\DRMV2.SST
06/09/2005 11:53:56 PM HS 118 C:\WINDOWS\RECENT\Desktop.ini
30/09/2005 09:57:48 AM H 6 C:\WINDOWS\TASKS\SA.DAT
30/09/2005 02:02:46 PM HS 2196 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
27/08/2005 03:01:34 PM H 209408 C:\WINDOWS\Application Data\Microsoft\Templates\~WRL2546.tmp
12/09/2005 08:20:12 PM H 232448 C:\WINDOWS\Application Data\Microsoft\Templates\~WRL3110.tmp
21/09/2005 09:54:26 PM H 237056 C:\WINDOWS\Application Data\Microsoft\Templates\~WRL3547.tmp
05/09/2005 10:47:44 PM H 1560 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\4008071562\sqmdata00.sqm
06/09/2005 07:03:02 PM H 1192 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\4008071562\sqmdata01.sqm
06/09/2005 07:04:58 PM H 412 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\4008071562\sqmdata02.sqm
06/09/2005 07:08:36 PM H 424 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\4008071562\sqmdata03.sqm
06/09/2005 11:35:12 PM H 1084 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\4008071562\sqmdata04.sqm
07/09/2005 10:26:02 PM H 1204 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\4008071562\sqmdata05.sqm
08/09/2005 12:05:54 PM H 1920 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\4008071562\sqmdata06.sqm
08/09/2005 02:08:16 PM H 496 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\4008071562\sqmdata07.sqm
09/09/2005 12:40:44 AM H 1964 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\4008071562\sqmdata08.sqm
09/09/2005 10:24:32 PM H 2032 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\4008071562\sqmdata09.sqm
12/09/2005 04:41:18 PM H 1764 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\3073016941\sqmdata00.sqm
12/09/2005 04:55:44 PM H 2352 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\3073016941\sqmdata01.sqm
06/09/2005 11:54:44 PM HS 67 C:\WINDOWS\Temporary Internet Files\desktop.ini
06/09/2005 11:54:44 PM HS 67 C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\desktop.ini
06/09/2005 11:56:58 PM HS 67 C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\HHRJWZY8\desktop.ini
06/09/2005 11:56:58 PM HS 67 C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\4TEV6NAF\desktop.ini
06/09/2005 11:56:58 PM HS 67 C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\6F3VHHEM\desktop.ini
06/09/2005 11:56:58 PM HS 67 C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\EPUT63WL\desktop.ini

Checking for CPL files...
Microsoft Corporation 29/08/2002 07:07:38 AM 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 62464 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 104368 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 61200 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 66560 C:\WINDOWS\SYSTEM\ACCESS.CPL
Apple Computer, Inc. 20/06/2001 04:34:36 PM 287232 C:\WINDOWS\SYSTEM\QuickTime.cpl
Microsoft Corporation 08/06/2000 05:00:00 PM 79872 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 250128 C:\WINDOWS\SYSTEM\JOY.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 408576 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 389872 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 15360 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 31/05/2000 01:17:14 PM 15152 C:\WINDOWS\SYSTEM\WUAUCPL.CPL
Symantec Corporation 15/06/2000 11:43:14 AM 32768 C:\WINDOWS\SYSTEM\S32LUCP1.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 15360 C:\WINDOWS\SYSTEM\THEMES.CPL
Microsoft Corporation 10/02/1999 11:48:46 AM 40960 C:\WINDOWS\SYSTEM\FINDFAST.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 111616 C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation 08/06/2000 05:00:00 PM 36864 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Sun Microsystems, Inc. 03/06/2005 03:52:54 AM 49265 C:\WINDOWS\SYSTEM\jpicpl32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
04/04/2005 05:09:20 PM 560 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
04/04/2005 05:09:22 PM 585 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Works Calendar Reminders.lnk

Checking files in %USERPROFILE%\Application Data folder...
21/01/2003 03:27:38 PM 3584 C:\WINDOWS\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
30/09/2005 10:07:22 AM 3895 C:\WINDOWS\Application Data\dw.log

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{BD472F60-27FA-11cf-B8B4-444553540000} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NortonAntivirus
{067DF822-EAB6-11cf-B56E-00A0244D5087} = C:\Program Files\Norton AntiVirus\navshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NortonAntivirus
{067DF822-EAB6-11cf-B56E-00A0244D5087} = C:\Program Files\Norton AntiVirus\navshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

<<< WARNING! - NOT A VALID WIN98 KEY! (ME is Ok) >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\SYSTEM\DOCPROP2.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FBB123E6-E2CE-6741-1DBE-B3E56227E7FF}
Class = C:\WINDOWS\NTTG32.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7AD3452-25A0-547B-3C52-8198986D560C}
Class = C:\WINDOWS\NETXF.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1F6A6B3-485F-E594-2F72-FE93992E3461}
Class = C:\WINDOWS\SYSTEM\D3FO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32F73678-6041-1897-4AED-8486EC24EFEE}
Class = C:\WINDOWS\ATLYR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
ButtonText = @shdoclc.dll,-866 :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
SystemTray SysTray.Exe
AdaptecDirectCD "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
POINTER point32.exe
MULTIMEDIA KEYBOARD C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
CaAvTray "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
CAVRID "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
LoadQM loadqm.exe
JAVAPQ32.EXE C:\WINDOWS\SYSTEM\JAVAPQ32.EXE
VetAlert C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
PCHealth C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
ATIPOLAB ati2evxx.exe
Machine Debug Manager C:\WINDOWS\SYSTEM\MDM.EXE
KB891711 C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
ADDBP.EXE C:\WINDOWS\ADDBP.EXE /s
ADDRH32.EXE C:\WINDOWS\SYSTEM\ADDRH32.EXE /s
APIAF32.EXE C:\WINDOWS\SYSTEM\APIAF32.EXE /s
WINHN.EXE C:\WINDOWS\WINHN.EXE /s
NETQP.EXE C:\WINDOWS\NETQP.EXE /s
ATLAC32.EXE C:\WINDOWS\SYSTEM\ATLAC32.EXE /s
MFCQT.EXE C:\WINDOWS\SYSTEM\MFCQT.EXE /s
ATLYN32.EXE C:\WINDOWS\SYSTEM\ATLYN32.EXE /s
NTHQ32.EXE C:\WINDOWS\SYSTEM\NTHQ32.EXE /s
APPOW32.EXE C:\WINDOWS\APPOW32.EXE /s
D3QA32.EXE C:\WINDOWS\D3QA32.EXE /s
CRCB.EXE C:\WINDOWS\CRCB.EXE /s
MFCGS.EXE C:\WINDOWS\SYSTEM\MFCGS.EXE /s
NTPR32.EXE C:\WINDOWS\SYSTEM\NTPR32.EXE /s
IPPU.EXE C:\WINDOWS\IPPU.EXE /s
CRFF.EXE C:\WINDOWS\CRFF.EXE /s
APISD.EXE C:\WINDOWS\APISD.EXE /s
IPFB32.EXE C:\WINDOWS\SYSTEM\IPFB32.EXE /s
APIJF.EXE C:\WINDOWS\SYSTEM\APIJF.EXE /s
ADDKA32.EXE C:\WINDOWS\SYSTEM\ADDKA32.EXE /s
ATLIE.EXE C:\WINDOWS\ATLIE.EXE /s
CRAU.EXE C:\WINDOWS\SYSTEM\CRAU.EXE /s
CRUF32.EXE C:\WINDOWS\SYSTEM\CRUF32.EXE /s
APPEE.EXE C:\WINDOWS\SYSTEM\APPEE.EXE /s
ADDYJ32.EXE C:\WINDOWS\SYSTEM\ADDYJ32.EXE /s
IPUQ.EXE C:\WINDOWS\SYSTEM\IPUQ.EXE /s
IEPA32.EXE C:\WINDOWS\IEPA32.EXE /s
SDKSS.EXE C:\WINDOWS\SYSTEM\SDKSS.EXE /s
ADDPL.EXE C:\WINDOWS\SYSTEM\ADDPL.EXE /s
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent mstask.exe
SSDPSRV C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr C:\WINDOWS\System\Restore\StateMgr.exe
IENH32.EXE C:\WINDOWS\IENH32.EXE /s
CAISafe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
SYSVM32.EXE C:\WINDOWS\SYSTEM\SYSVM32.EXE /s
MSOM32.EXE C:\WINDOWS\SYSTEM\MSOM32.EXE /s
WINYZ.EXE C:\WINDOWS\SYSTEM\WINYZ.EXE /s
ATLZQ32.EXE C:\WINDOWS\ATLZQ32.EXE /s
NTVU.EXE C:\WINDOWS\NTVU.EXE /s
SYSEA.EXE C:\WINDOWS\SYSTEM\SYSEA.EXE /s
ADDCU.EXE C:\WINDOWS\SYSTEM\ADDCU.EXE /s
NETNR32.EXE C:\WINDOWS\NETNR32.EXE /s
APPOI.EXE C:\WINDOWS\APPOI.EXE /s
D3ZT32.EXE C:\WINDOWS\SYSTEM\D3ZT32.EXE /s
JAVATT32.EXE C:\WINDOWS\SYSTEM\JAVATT32.EXE /s
IEZE32.EXE C:\WINDOWS\IEZE32.EXE /s

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MoneyAgent "C:\Program Files\Microsoft Money\System\Money Express.exe"
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\Web Folders\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook {BCBCD383-3E06-11D3-91A9-00C04F68105C} = C:\WINDOWS\SYSTEM\AUHOOK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 30/09/2005 03:02:45 PM

Logfile of HijackThis v1.99.1
Scan saved at 03:15:27, on 30/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\ADDBP.EXE
C:\WINDOWS\SYSTEM\ADDRH32.EXE
C:\WINDOWS\SYSTEM\APIAF32.EXE
C:\WINDOWS\WINHN.EXE
C:\WINDOWS\NETQP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATLAC32.EXE
C:\WINDOWS\SYSTEM\MFCQT.EXE
C:\WINDOWS\SYSTEM\ATLYN32.EXE
C:\WINDOWS\SYSTEM\NTHQ32.EXE
C:\WINDOWS\APPOW32.EXE
C:\WINDOWS\D3QA32.EXE
C:\WINDOWS\CRCB.EXE
C:\WINDOWS\SYSTEM\MFCGS.EXE
C:\WINDOWS\SYSTEM\NTPR32.EXE
C:\WINDOWS\IPPU.EXE
C:\WINDOWS\CRFF.EXE
C:\WINDOWS\APISD.EXE
C:\WINDOWS\SYSTEM\IPFB32.EXE
C:\WINDOWS\SYSTEM\APIJF.EXE
C:\WINDOWS\SYSTEM\ADDKA32.EXE
C:\WINDOWS\ATLIE.EXE
C:\WINDOWS\SYSTEM\CRAU.EXE
C:\WINDOWS\SYSTEM\CRUF32.EXE
C:\WINDOWS\SYSTEM\APPEE.EXE
C:\WINDOWS\SYSTEM\ADDYJ32.EXE
C:\WINDOWS\SYSTEM\IPUQ.EXE
C:\WINDOWS\IEPA32.EXE
C:\WINDOWS\SYSTEM\SDKSS.EXE
C:\WINDOWS\SYSTEM\ADDPL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\IENH32.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\SYSVM32.EXE
C:\WINDOWS\SYSTEM\MSOM32.EXE
C:\WINDOWS\SYSTEM\WINYZ.EXE
C:\WINDOWS\ATLZQ32.EXE
C:\WINDOWS\NTVU.EXE
C:\WINDOWS\SYSTEM\SYSEA.EXE
C:\WINDOWS\SYSTEM\ADDCU.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\NETNR32.EXE
C:\WINDOWS\APPOI.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\D3ZT32.EXE
C:\WINDOWS\SYSTEM\JAVATT32.EXE
C:\WINDOWS\IEZE32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\JAVAPQ32.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\ADDBP.EXE
C:\WINDOWS\IEZE32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.oceanfree.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.oceanfree.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {FBB123E6-E2CE-6741-1DBE-B3E56227E7FF} - C:\WINDOWS\NTTG32.DLL
O2 - BHO: Class - {B7AD3452-25A0-547B-3C52-8198986D560C} - C:\WINDOWS\NETXF.DLL
O2 - BHO: Class - {B1F6A6B3-485F-E594-2F72-FE93992E3461} - C:\WINDOWS\SYSTEM\D3FO.DLL
O2 - BHO: Class - {32F73678-6041-1897-4AED-8486EC24EFEE} - C:\WINDOWS\ATLYR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [JAVAPQ32.EXE] C:\WINDOWS\SYSTEM\JAVAPQ32.EXE
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ADDBP.EXE] C:\WINDOWS\ADDBP.EXE /s
O4 - HKLM\..\RunServices: [ADDRH32.EXE] C:\WINDOWS\SYSTEM\ADDRH32.EXE /s
O4 - HKLM\..\RunServices: [APIAF32.EXE] C:\WINDOWS\SYSTEM\APIAF32.EXE /s
O4 - HKLM\..\RunServices: [WINHN.EXE] C:\WINDOWS\WINHN.EXE /s
O4 - HKLM\..\RunServices: [NETQP.EXE] C:\WINDOWS\NETQP.EXE /s
O4 - HKLM\..\RunServices: [ATLAC32.EXE] C:\WINDOWS\SYSTEM\ATLAC32.EXE /s
O4 - HKLM\..\RunServices: [MFCQT.EXE] C:\WINDOWS\SYSTEM\MFCQT.EXE /s
O4 - HKLM\..\RunServices: [ATLYN32.EXE] C:\WINDOWS\SYSTEM\ATLYN32.EXE /s
O4 - HKLM\..\RunServices: [NTHQ32.EXE] C:\WINDOWS\SYSTEM\NTHQ32.EXE /s
O4 - HKLM\..\RunServices: [APPOW32.EXE] C:\WINDOWS\APPOW32.EXE /s
O4 - HKLM\..\RunServices: [D3QA32.EXE] C:\WINDOWS\D3QA32.EXE /s
O4 - HKLM\..\RunServices: [CRCB.EXE] C:\WINDOWS\CRCB.EXE /s
O4 - HKLM\..\RunServices: [MFCGS.EXE] C:\WINDOWS\SYSTEM\MFCGS.EXE /s
O4 - HKLM\..\RunServices: [NTPR32.EXE] C:\WINDOWS\SYSTEM\NTPR32.EXE /s
O4 - HKLM\..\RunServices: [IPPU.EXE] C:\WINDOWS\IPPU.EXE /s
O4 - HKLM\..\RunServices: [CRFF.EXE] C:\WINDOWS\CRFF.EXE /s
O4 - HKLM\..\RunServices: [APISD.EXE] C:\WINDOWS\APISD.EXE /s
O4 - HKLM\..\RunServices: [IPFB32.EXE] C:\WINDOWS\SYSTEM\IPFB32.EXE /s
O4 - HKLM\..\RunServices: [APIJF.EXE] C:\WINDOWS\SYSTEM\APIJF.EXE /s
O4 - HKLM\..\RunServices: [ADDKA32.EXE] C:\WINDOWS\SYSTEM\ADDKA32.EXE /s
O4 - HKLM\..\RunServices: [ATLIE.EXE] C:\WINDOWS\ATLIE.EXE /s
O4 - HKLM\..\RunServices: [CRAU.EXE] C:\WINDOWS\SYSTEM\CRAU.EXE /s
O4 - HKLM\..\RunServices: [CRUF32.EXE] C:\WINDOWS\SYSTEM\CRUF32.EXE /s
O4 - HKLM\..\RunServices: [APPEE.EXE] C:\WINDOWS\SYSTEM\APPEE.EXE /s
O4 - HKLM\..\RunServices: [ADDYJ32.EXE] C:\WINDOWS\SYSTEM\ADDYJ32.EXE /s
O4 - HKLM\..\RunServices: [IPUQ.EXE] C:\WINDOWS\SYSTEM\IPUQ.EXE /s
O4 - HKLM\..\RunServices: [IEPA32.EXE] C:\WINDOWS\IEPA32.EXE /s
O4 - HKLM\..\RunServices: [SDKSS.EXE] C:\WINDOWS\SYSTEM\SDKSS.EXE /s
O4 - HKLM\..\RunServices: [ADDPL.EXE] C:\WINDOWS\SYSTEM\ADDPL.EXE /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [IENH32.EXE] C:\WINDOWS\IENH32.EXE /s
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [SYSVM32.EXE] C:\WINDOWS\SYSTEM\SYSVM32.EXE /s
O4 - HKLM\..\RunServices: [MSOM32.EXE] C:\WINDOWS\SYSTEM\MSOM32.EXE /s
O4 - HKLM\..\RunServices: [WINYZ.EXE] C:\WINDOWS\SYSTEM\WINYZ.EXE /s
O4 - HKLM\..\RunServices: [ATLZQ32.EXE] C:\WINDOWS\ATLZQ32.EXE /s
O4 - HKLM\..\RunServices: [NTVU.EXE] C:\WINDOWS\NTVU.EXE /s
O4 - HKLM\..\RunServices: [SYSEA.EXE] C:\WINDOWS\SYSTEM\SYSEA.EXE /s
O4 - HKLM\..\RunServices: [ADDCU.EXE] C:\WINDOWS\SYSTEM\ADDCU.EXE /s
O4 - HKLM\..\RunServices: [NETNR32.EXE] C:\WINDOWS\NETNR32.EXE /s
O4 - HKLM\..\RunServices: [APPOI.EXE] C:\WINDOWS\APPOI.EXE /s
O4 - HKLM\..\RunServices: [D3ZT32.EXE] C:\WINDOWS\SYSTEM\D3ZT32.EXE /s
O4 - HKLM\..\RunServices: [JAVATT32.EXE] C:\WINDOWS\SYSTEM\JAVATT32.EXE /s
O4 - HKLM\..\RunServices: [IEZE32.EXE] C:\WINDOWS\IEZE32.EXE /s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3uk.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:08 AM

Posted 02 October 2005 - 06:37 AM

Hi chillinb. That probably was not a good thing to do. The CWS infection is now back with a vengeance. Let's start over. Please print these directions and then proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download About:Buster.zip and unzip it to its own directory. Start AboutBuster and click the Ok button. Now click the Update button and then the Check for Update button. If an update is available click the Download Update button. When the updates have been downloaded close AboutBuster (do not run it yet).

Download CCleaner and install it but do not run it yet.

Step #2

Restart in Safe Mode
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FBB123E6-E2CE-6741-1DBE-B3E56227E7FF} - C:\WINDOWS\NTTG32.DLL
O2 - BHO: Class - {B7AD3452-25A0-547B-3C52-8198986D560C} - C:\WINDOWS\NETXF.DLL
O2 - BHO: Class - {B1F6A6B3-485F-E594-2F72-FE93992E3461} - C:\WINDOWS\SYSTEM\D3FO.DLL
O2 - BHO: Class - {32F73678-6041-1897-4AED-8486EC24EFEE} - C:\WINDOWS\ATLYR.DLL
O4 - HKLM\..\Run: [JAVAPQ32.EXE] C:\WINDOWS\SYSTEM\JAVAPQ32.EXE
O4 - HKLM\..\RunServices: [ADDBP.EXE] C:\WINDOWS\ADDBP.EXE /s
O4 - HKLM\..\RunServices: [ADDRH32.EXE] C:\WINDOWS\SYSTEM\ADDRH32.EXE /s
O4 - HKLM\..\RunServices: [APIAF32.EXE] C:\WINDOWS\SYSTEM\APIAF32.EXE /s
O4 - HKLM\..\RunServices: [WINHN.EXE] C:\WINDOWS\WINHN.EXE /s
O4 - HKLM\..\RunServices: [NETQP.EXE] C:\WINDOWS\NETQP.EXE /s
O4 - HKLM\..\RunServices: [ATLAC32.EXE] C:\WINDOWS\SYSTEM\ATLAC32.EXE /s
O4 - HKLM\..\RunServices: [MFCQT.EXE] C:\WINDOWS\SYSTEM\MFCQT.EXE /s
O4 - HKLM\..\RunServices: [ATLYN32.EXE] C:\WINDOWS\SYSTEM\ATLYN32.EXE /s
O4 - HKLM\..\RunServices: [NTHQ32.EXE] C:\WINDOWS\SYSTEM\NTHQ32.EXE /s
O4 - HKLM\..\RunServices: [APPOW32.EXE] C:\WINDOWS\APPOW32.EXE /s
O4 - HKLM\..\RunServices: [D3QA32.EXE] C:\WINDOWS\D3QA32.EXE /s
O4 - HKLM\..\RunServices: [CRCB.EXE] C:\WINDOWS\CRCB.EXE /s
O4 - HKLM\..\RunServices: [MFCGS.EXE] C:\WINDOWS\SYSTEM\MFCGS.EXE /s
O4 - HKLM\..\RunServices: [NTPR32.EXE] C:\WINDOWS\SYSTEM\NTPR32.EXE /s
O4 - HKLM\..\RunServices: [IPPU.EXE] C:\WINDOWS\IPPU.EXE /s
O4 - HKLM\..\RunServices: [CRFF.EXE] C:\WINDOWS\CRFF.EXE /s
O4 - HKLM\..\RunServices: [APISD.EXE] C:\WINDOWS\APISD.EXE /s
O4 - HKLM\..\RunServices: [IPFB32.EXE] C:\WINDOWS\SYSTEM\IPFB32.EXE /s
O4 - HKLM\..\RunServices: [APIJF.EXE] C:\WINDOWS\SYSTEM\APIJF.EXE /s
O4 - HKLM\..\RunServices: [ADDKA32.EXE] C:\WINDOWS\SYSTEM\ADDKA32.EXE /s
O4 - HKLM\..\RunServices: [ATLIE.EXE] C:\WINDOWS\ATLIE.EXE /s
O4 - HKLM\..\RunServices: [CRAU.EXE] C:\WINDOWS\SYSTEM\CRAU.EXE /s
O4 - HKLM\..\RunServices: [CRUF32.EXE] C:\WINDOWS\SYSTEM\CRUF32.EXE /s
O4 - HKLM\..\RunServices: [APPEE.EXE] C:\WINDOWS\SYSTEM\APPEE.EXE /s
O4 - HKLM\..\RunServices: [ADDYJ32.EXE] C:\WINDOWS\SYSTEM\ADDYJ32.EXE /s
O4 - HKLM\..\RunServices: [IPUQ.EXE] C:\WINDOWS\SYSTEM\IPUQ.EXE /s
O4 - HKLM\..\RunServices: [IEPA32.EXE] C:\WINDOWS\IEPA32.EXE /s
O4 - HKLM\..\RunServices: [SDKSS.EXE] C:\WINDOWS\SYSTEM\SDKSS.EXE /s
O4 - HKLM\..\RunServices: [ADDPL.EXE] C:\WINDOWS\SYSTEM\ADDPL.EXE /s
O4 - HKLM\..\RunServices: [IENH32.EXE] C:\WINDOWS\IENH32.EXE /s
O4 - HKLM\..\RunServices: [SYSVM32.EXE] C:\WINDOWS\SYSTEM\SYSVM32.EXE /s
O4 - HKLM\..\RunServices: [MSOM32.EXE] C:\WINDOWS\SYSTEM\MSOM32.EXE /s
O4 - HKLM\..\RunServices: [WINYZ.EXE] C:\WINDOWS\SYSTEM\WINYZ.EXE /s
O4 - HKLM\..\RunServices: [ATLZQ32.EXE] C:\WINDOWS\ATLZQ32.EXE /s
O4 - HKLM\..\RunServices: [NTVU.EXE] C:\WINDOWS\NTVU.EXE /s
O4 - HKLM\..\RunServices: [SYSEA.EXE] C:\WINDOWS\SYSTEM\SYSEA.EXE /s
O4 - HKLM\..\RunServices: [ADDCU.EXE] C:\WINDOWS\SYSTEM\ADDCU.EXE /s
O4 - HKLM\..\RunServices: [NETNR32.EXE] C:\WINDOWS\NETNR32.EXE /s
O4 - HKLM\..\RunServices: [APPOI.EXE] C:\WINDOWS\APPOI.EXE /s
O4 - HKLM\..\RunServices: [D3ZT32.EXE] C:\WINDOWS\SYSTEM\D3ZT32.EXE /s
O4 - HKLM\..\RunServices: [JAVATT32.EXE] C:\WINDOWS\SYSTEM\JAVATT32.EXE /s
O4 - HKLM\..\RunServices: [IEZE32.EXE] C:\WINDOWS\IEZE32.EXE /s
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\NTTG32.DLL
C:\WINDOWS\NETXF.DLL
C:\WINDOWS\ATLYR.DLL
C:\WINDOWS\ADDBP.EXE
C:\WINDOWS\WINHN.EXE
C:\WINDOWS\NETQP.EXE
C:\WINDOWS\APPOW32.EXE
C:\WINDOWS\D3QA32.EXE
C:\WINDOWS\CRCB.EXE
C:\WINDOWS\IPPU.EXE
C:\WINDOWS\CRFF.EXE
C:\WINDOWS\APISD.EXE
C:\WINDOWS\ATLIE.EXE
C:\WINDOWS\IEPA32.EXE
C:\WINDOWS\IENH32.EXE
C:\WINDOWS\ATLZQ32.EXE
C:\WINDOWS\NTVU.EXE
C:\WINDOWS\NETNR32.EXE
C:\WINDOWS\APPOI.EXE
C:\WINDOWS\IEZE32.EXE
C:\WINDOWS\SYSTEM\D3FO.DLL
C:\WINDOWS\system\xartm.dll
C:\WINDOWS\SYSTEM\JAVAPQ32.EXE
C:\WINDOWS\SYSTEM\ADDRH32.EXE
C:\WINDOWS\SYSTEM\APIAF32.EXE
C:\WINDOWS\SYSTEM\ATLAC32.EXE
C:\WINDOWS\SYSTEM\MFCQT.EXE
C:\WINDOWS\SYSTEM\ATLYN32.EXE
C:\WINDOWS\SYSTEM\NTHQ32.EXE
C:\WINDOWS\SYSTEM\MFCGS.EXE
C:\WINDOWS\SYSTEM\NTPR32.EXE
C:\WINDOWS\SYSTEM\IPFB32.EXE
C:\WINDOWS\SYSTEM\APIJF.EXE
C:\WINDOWS\SYSTEM\ADDKA32.EXE
C:\WINDOWS\SYSTEM\CRAU.EXE
C:\WINDOWS\SYSTEM\CRUF32.EXE
C:\WINDOWS\SYSTEM\APPEE.EXE
C:\WINDOWS\SYSTEM\ADDYJ32.EXE
C:\WINDOWS\SYSTEM\IPUQ.EXE
C:\WINDOWS\SYSTEM\SDKSS.EXE
C:\WINDOWS\SYSTEM\ADDPL.EXE
C:\WINDOWS\SYSTEM\SYSVM32.EXE
C:\WINDOWS\SYSTEM\MSOM32.EXE
C:\WINDOWS\SYSTEM\WINYZ.EXE
C:\WINDOWS\SYSTEM\SYSEA.EXE
C:\WINDOWS\SYSTEM\ADDCU.EXE
C:\WINDOWS\SYSTEM\D3ZT32.EXE
C:\WINDOWS\SYSTEM\JAVATT32.EXE

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Run AboutBuster and save the logs:
  • Browse to where you saved AboutBuster and run AboutBuster.exe.
  • Click "OK" at the directions Read: Important! prompt.
  • Click the Update button to check for updates and install any that are available.
  • Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
  • Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
  • Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
  • Click "Exit" and "Exit" again to exit AboutBuster.
Run CWShredder
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
Step #7

Reboot normally and run at least 2 of the following on-line virus scans:
Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #8

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #9

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with the AboutBuster log and details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
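The triage OldTimer does by hand in Steps #3 and #4 (pick out the hijacked R0/R1/R3 entries, the O2 BHOs registered with no name, and the O4 RunServices entries that point at randomly named executables, then turn those into a list of files to delete) can be scripted so the same judgement is applied to every line of the log. The Python below is an added example, not part of this thread or of HijackThis itself. Its naming heuristic (CWS_EXE_RE: a "system-looking" prefix, two random letters, optional "32", ".EXE") is an assumption distilled from the entries in this particular log, not a general CoolWebSearch signature, and the sample log is a handful of lines copied from the scan posted above with a few benign entries left in to show they are not flagged.

```python
import re
from dataclasses import dataclass, field

# Naming pattern of the droppers seen in this thread (ADDBP.EXE, APIAF32.EXE,
# JAVAPQ32.EXE ...): short system-looking prefix + two random letters + optional
# "32" + ".EXE". Assumption derived from this log only, not a general signature.
CWS_EXE_RE = re.compile(
    r"^(ADD|API|APP|ATL|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SDK|SYS|WIN)[A-Z]{2}(32)?\.EXE$"
)
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RES_RE = re.compile(r"res://(?P<dll>[A-Za-z]:\\[^/]+\.dll)", re.IGNORECASE)
# Folders the droppers in this log live in. Legitimate Run entries there carry a
# descriptive value name (ScanRegistry, TaskMonitor), not the bare EXE name.
SYSTEM_DIRS = ("C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM")

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xartm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {FBB123E6-E2CE-6741-1DBE-B3E56227E7FF} - C:\WINDOWS\NTTG32.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [JAVAPQ32.EXE] C:\WINDOWS\SYSTEM\JAVAPQ32.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ADDBP.EXE] C:\WINDOWS\ADDBP.EXE /s
O4 - HKLM\..\RunServices: [APIAF32.EXE] C:\WINDOWS\SYSTEM\APIAF32.EXE /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
"""


@dataclass
class Triage:
    fix: list = field(default_factory=list)      # HijackThis lines to tick and "Fix checked"
    delete: list = field(default_factory=list)   # files to remove on disk afterwards
    reasons: dict = field(default_factory=dict)  # flagged line -> why


def _exe_path(cmd):
    """First token of a Run value: a quoted path (may contain spaces) or the first word."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def _flag(t, line, reason, path=None):
    t.fix.append(line)
    t.reasons[line] = reason
    if path and path not in t.delete:
        t.delete.append(path)


def triage_hijackthis(log_text):
    """Return the HijackThis lines to fix and the files to delete for a CWS-style hijack."""
    t = Triage()
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # A search/start page served from a res:// resource inside a local DLL is the
    # CWS "about:blank" hijack; an about:blank start page is only suspect beside it.
    hijacked = any(RES_RE.search(l) for l in lines if l.startswith("R"))
    for line in lines:
        if line.startswith(("R0", "R1", "R3")):
            m = RES_RE.search(line)
            if m:
                _flag(t, line, "IE search/start page served from a local DLL resource", m.group("dll"))
            elif hijacked and "about:blank" in line.lower():
                _flag(t, line, "about:blank start page next to a res:// hijack")
            elif "URLSearchHook is missing" in line:
                _flag(t, line, "default URLSearchHook removed by the hijacker")
        elif line.startswith("O2"):
            m = O2_RE.match(line)
            if m and m.group("name").strip() == "Class":
                _flag(t, line, "BHO registered without a class name", m.group("path"))
        elif line.startswith("O4"):
            m = O4_RE.match(line)
            if not m:
                continue
            path = _exe_path(m.group("cmd"))
            folder, _, exe = path.rpartition("\\")
            if (m.group("name").upper() == exe.upper()
                    and folder.upper() in SYSTEM_DIRS
                    and CWS_EXE_RE.match(exe.upper())):
                _flag(t, line, "value name is a randomly named EXE in a Windows folder", path)
    return t


if __name__ == "__main__":
    result = triage_hijackthis(SAMPLE_LOG)
    print("Tick these in HijackThis, then Fix checked:")
    for line in result.fix:
        print(f"  {line}\n      ({result.reasons[line]})")
    print("Then delete (after the reboot into Safe Mode):")
    for p in result.delete:
        print("  " + p)
```

Run against the full log it reproduces OldTimer's Step #3 and Step #4 lists for the R, O2 and O4 entries; the O9 "Related" buttons he also removed are not covered because nothing in the line itself distinguishes them, which is exactly why a human still reviews the output before clicking Fix checked.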


#9 chillinb

chillinb
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:08 AM

Posted 03 October 2005 - 05:05 PM

HI OLDTIMER,

Did as much as I could. Had some problems though.
Firstly with about buster. I was getting a runtime error 5 Invalid procedure call when I tried to get updates.

I did the hijack this scan. Then I tried to run the aboutbuster without the updates. I stopped it after 21 hours! The log file is below.


AboutBuster 5.0 reference file 28
Scan started on [02/10/2005] at [09:17:24 PM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\Windows\reopyt.dat
Removed File! : C:\Windows\artlyz.dat
Removed File! : C:\Windows\kixzy.dat
Removed File! : C:\Windows\pdrjmc.dat
Removed File! : C:\Windows\kbyen.dat
Removed File! : C:\Windows\eubuk.dat
Removed File! : C:\Windows\uerkx.dat
Removed File! : C:\Windows\yrctf.dat
Removed File! : C:\Windows\aumfd.dat
Removed File! : C:\Windows\ickgg.dat
Removed File! : C:\Windows\rxhbz.dat
Removed File! : C:\Windows\ikdkj.dat
Removed File! : C:\Windows\knoat.dll
------------------------------------------------
Scan was ABORTED at 06:38:24 PM


I ran cws shredder and it detected and deleted

cws.svcinit

rav scan produced the following

Rav scan
Scanned
============================
Objects: 32655
Directories: 2219
Archives: 2775
Size(Kb): 663802
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 7
Disinfected files: 0
Mail files: 111

Bit defender produced

BitDefender Online Scanner

Scan report generated at: Mon, Oct 03, 2005 - 19:34:01

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 00:40:15
Files: 164107
Folders: 2218
Boot Sectors: 2
Archives: 726
Packed Files: 22597

Results
Identified Viruses: 3
Infected Files: 8
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 8

Engines Info
Virus Definitions: 214662
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File : Status
C:\WINDOWS\SYSTEM\lkytx.dll : Infected with: Trojan.Downloader.Winshow.AK
C:\WINDOWS\SYSTEM\lkytx.dll : Disinfection failed
C:\WINDOWS\SYSTEM\lkytx.dll : Deleted
C:\WINDOWS\SYSTEM\eymbm.dll : Infected with: Trojan.Downloader.Winshow.AK
C:\WINDOWS\SYSTEM\eymbm.dll : Disinfection failed
C:\WINDOWS\SYSTEM\eymbm.dll : Deleted
C:\WINDOWS\SYSTEM\lacuc.dll : Infected with: Trojan.Downloader.Winshow.AK
C:\WINDOWS\SYSTEM\lacuc.dll : Disinfection failed
C:\WINDOWS\SYSTEM\lacuc.dll : Deleted
C:\WINDOWS\Favorites\Search the web.url : Infected with: Trojan.Downloader.Agent.BQ
C:\WINDOWS\Favorites\Search the web.url : Disinfection failed
C:\WINDOWS\Favorites\Search the web.url : Deleted
C:\WINDOWS\Favorites\Only sex website.url : Infected with: Trojan.Downloader.Agent.BQ
C:\WINDOWS\Favorites\Only sex website.url : Disinfection failed
C:\WINDOWS\Favorites\Only sex website.url : Deleted
C:\WINDOWS\Favorites\Seven days of free porn.url : Infected with: Trojan.Downloader.Agent.BQ
C:\WINDOWS\Favorites\Seven days of free porn.url : Disinfection failed
C:\WINDOWS\Favorites\Seven days of free porn.url : Deleted
C:\WINDOWS\ecrsy.dll : Infected with: Trojan.Downloader.Winshow.AK
C:\WINDOWS\ecrsy.dll : Disinfection failed
C:\WINDOWS\ecrsy.dll : Deleted
C:\WINDOWS\atlej.exe : Infected with: GenPack:Trojan.Downloader.Agent.BQ
C:\WINDOWS\atlej.exe : Disinfection failed
C:\WINDOWS\atlej.exe : Deleted


The first time I ran adaware it froze when deleting, the second time it said that some items could not be removed and gave the following path

C:\_restore\archive\fs788.cab

the log file was

Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, October 03, 2005 10:15:20 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R68 28.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):1 total references
CoolWebSearch(TAC index:10):24 total references
SearchClick(TAC index:10):14 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R68 28.09.2005
Internal build : 80
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 526954 Bytes
Total size : 1581029 Bytes
Signature data size : 1547745 Bytes
Reference data size : 32772 Bytes
Signatures total : 43961
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 753


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:0 %
Total physical memory:130004 kb
Available physical memory:3364 kb
Total page file size:1967144 kb
Available on page file:1711028 kb
Total virtual memory:2093056 kb
Available virtual memory:2043456 kb
OS:Microsoft Windows Millennium Edition

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Don't log streams smaller than 0 Bytes
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


03-10-2005 10:15:20 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293888705
Threads : 4
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294921425
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294913245
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:4 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294911617
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:5 [MDM.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294760941
Threads : 2
Priority : Normal
FileVersion : 6.00.8149
ProductVersion : 6.00.8149
ProductName : Microsoft ® Visual Studio
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-1998
OriginalFilename : mdm.exe

#:6 [KB891711.EXE]
FilePath : C:\WINDOWS\SYSTEM\KB891711\
ProcessID : 4294764725
Threads : 1
Priority : Normal
FileVersion : 4.10.2223
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows KB891711 component
InternalName : KB891711
LegalCopyright : Copyright © Microsoft Corp. 1991-2005
OriginalFilename : KB891711.EXE

#:7 [MSTASK.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294768669
Threads : 3
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:8 [SSDPSRV.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294767957
Threads : 4
Priority : Normal
FileVersion : 4.90.3003.0
ProductVersion : 4.90.3003.0
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : ssdpsrv.exe

#:9 [ISAFE.EXE]
FilePath : C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\
ProcessID : 4294736849
Threads : 5
Priority : Normal
FileVersion : Version 11.0.6.7
ProductVersion : Version 11.0.6.7
ProductName : Computer Associates Antivirus
CompanyName : Computer Associates International, Inc.
FileDescription : CA ISafe Service
InternalName : ISafe
LegalCopyright : © 2004 Computer Associates International, Inc.
LegalTrademarks : Trademark of Computer Associates International, Inc.
OriginalFilename : ISafe.exe

#:10 [ATLYT32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294735529
Threads : 1
Priority : Normal


#:11 [APPIP.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294708229
Threads : 1
Priority : Normal


#:12 [ADDDE32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294711585
Threads : 1
Priority : Normal


#:13 [STMGR.EXE]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294814097
Threads : 4
Priority : Normal
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
ProductName : Microsoft ® PCHealth
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : StateMgr.exe

#:14 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293050037
Threads : 11
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:15 [TASKMON.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4292923293
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:16 [SYSTRAY.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292934445
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:17 [DIRECTCD.EXE]
FilePath : C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\
ProcessID : 4292915517
Threads : 1
Priority : Normal
FileVersion : 5.01 (195)
ProductVersion : 5.01 (195)
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 2001, Roxio, Inc.
OriginalFilename : Directcd.exe

#:18 [POINT32.EXE]
FilePath : C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\
ProcessID : 4293099245
Threads : 1
Priority : Normal


#:19 [WMIEXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292872293
Threads : 3
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:20 [MMKEYBD.EXE]
FilePath : C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\
ProcessID : 4292880873
Threads : 1
Priority : Normal
FileVersion : 1.00
ProductVersion : 1.00
ProductName : DellTouch Programmable Keys
CompanyName : Netropa Corp.
FileDescription : Netropa™ Hot Key
InternalName : DellTouch Programmable Keys
LegalCopyright : Copyright © 2000 Netropa Corp.
OriginalFilename : nhk.exe

#:21 [CAVTRAY.EXE]
FilePath : C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\
ProcessID : 4292986685
Threads : 6
Priority : Normal
FileVersion : Version 11.0.6.7
ProductVersion : Version 11.0.6.7
ProductName : Computer Associates Antivirus
CompanyName : Computer Associates International, Inc.
FileDescription : CA Antivirus System Tray Application
InternalName : CAVTray
LegalCopyright : © 2004 Computer Associates International, Inc.
LegalTrademarks : Trademark of Computer Associates International, Inc.
OriginalFilename : CAVTray.exe

#:22 [CAVRID.EXE]
FilePath : C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\
ProcessID : 4292882729
Threads : 3
Priority : Normal
FileVersion : Version 11.0.6.7
ProductVersion : Version 11.0.6.7
ProductName : Computer Associates Antivirus
CompanyName : Computer Associates International, Inc.
FileDescription : CA Antivirus Realtime Infection Report
InternalName : CAVRid
LegalCopyright : © 2004 Computer Associates International, Inc.
LegalTrademarks : Trademark of Computer Associates International, Inc.
OriginalFilename : CAVRid.exe

#:23 [LOADQM.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4292980301
Threads : 3
Priority : Normal
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
ProductName : QMgr Loader
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : LOADQM.EXE

#:24 [MMUSBKB2.EXE]
FilePath : C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\
ProcessID : 4292981469
Threads : 1
Priority : Normal
FileVersion : 1.70
ProductVersion : 1.70
ProductName : USB Multimedia Keyboard Driver 2
CompanyName : Netropa Corporation
FileDescription : USB Multimedia Keyboard Driver 2
InternalName : mmusbkb2
LegalCopyright : Copyright © 1998-2000 Netropa Corporation
OriginalFilename : mmusbkb2.exe

#:25 [TRAYMON.EXE]
FilePath : C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\
ProcessID : 4292960285
Threads : 1
Priority : Normal


#:26 [WKCALREM.EXE]
FilePath : C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\
ProcessID : 4293273993
Threads : 2
Priority : Normal
FileVersion : 6.00.1828.1
ProductVersion : 6.00.1828.1
ProductName : Microsoft® Works 6.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.
OriginalFilename : WKCALREM.EXE

#:27 [OSD.EXE]
FilePath : C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\
ProcessID : 4293378217
Threads : 1
Priority : Normal
FileVersion : 2.01
ProductVersion : 2.01
ProductName : Onscreen Display
CompanyName : Netropa Corp.
FileDescription : Netropa™ Onscreen Display
InternalName : OSD
LegalCopyright : Copyright © 2000 Netropa Corp.
OriginalFilename : osd.exe

#:28 [PSTORES.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293264713
Threads : 3
Priority : Normal
FileVersion : 5.00.2133.2
ProductVersion : 5.00.2133.2
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : Protected storage server

#:29 [WINWORD.EXE]
FilePath : C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\
ProcessID : 4292935977
Threads : 4
Priority : Normal


#:30 [MSWORKS.EXE]
FilePath : C:\PROGRAM FILES\MICROSOFT WORKS\
ProcessID : 4293273321
Threads : 2
Priority : Normal
FileVersion : 6.00.1828.1
ProductVersion : 6.00.1828.1
ProductName : Microsoft® Works 6.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Task Launcher
InternalName : MSWORKS
LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.
OriginalFilename : MSWorks.exe

#:31 [JAVAWU.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293234721
Threads : 1
Priority : Normal


#:32 [VETMSG.EXE]
FilePath : C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\
ProcessID : 4292941877
Threads : 5
Priority : Normal
FileVersion : Version 11.0.6.7
ProductVersion : Version 11.0.6.7
ProductName : Computer Associates Antivirus
CompanyName : Computer Associates International, Inc.
FileDescription : CA Antivirus Realtime Messaging Service
InternalName : vetmsg
LegalCopyright : © 2004 Computer Associates International, Inc.
LegalTrademarks : Trademark of Computer Associates International, Inc.
OriginalFilename : vetmsg.exe

#:33 [ADDDE32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293200145
Threads : 1
Priority : Normal


#:34 [SPOOL32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293217153
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:35 [ADDDE32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293614477
Threads : 1
Priority : Normal


#:36 [IPOX32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293625581
Threads : 1
Priority : Normal


#:37 [DDHELP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293595309
Threads : 2
Priority : Realtime
FileVersion : 4.07.01.3000
ProductVersion : 4.07.01.3000
ProductName : Microsoft® DirectX for Windows® 95 and 98
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2000
OriginalFilename : DDHelp.exe

#:38 [JAVAWU.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293429697
Threads : 1
Priority : Normal


#:39 [ADDDE32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293440217
Threads : 1
Priority : Normal


#:40 [JAVAWU.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293425501
Threads : 1
Priority : Normal


#:41 [ADDDE32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293410785
Threads : 1
Priority : Normal


#:42 [ADDDE32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293514849
Threads : 1
Priority : Normal


#:43 [IPOX32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293250925
Threads : 1
Priority : Normal


#:44 [APPWJ32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293564269
Threads : 1
Priority : Normal


#:45 [ADDDE32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293545237
Threads : 1
Priority : Normal


#:46 [IPOX32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293160953
Threads : 1
Priority : Normal


#:47 [ADDDE32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293400645
Threads : 1
Priority : Normal


#:48 [D3YE32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293849761
Threads : 1
Priority : Normal


#:49 [WINMGMT.EXE]
FilePath : C:\WINDOWS\SYSTEM\WBEM\
ProcessID : 4100505681
Threads : 3
Priority : Normal
FileVersion : 1.50.1164.0000
ProductVersion : 1.50.1164.0000
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:50 [APPWJ32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293254793
Threads : 1
Priority : Normal


#:51 [ADDDE32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4293464665
Threads : 1
Priority : Normal


#:52 [D3WO32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293460029
Threads : 1
Priority : Normal


#:53 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4293586021
Threads : 2
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SearchClick Object Recognized!
Type : File
Data : ywusd.dll
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\SYSTEM\



SearchClick Object Recognized!
Type : File
Data : eymbm.dll
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\SYSTEM\



SearchClick Object Recognized!
Type : File
Data : ldanj.dll
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\SYSTEM\



SearchClick Object Recognized!
Type : File
Data : ecrsy.dll
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\



SearchClick Object Recognized!
Type : File
Data : jghxqo.txt
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\



SearchClick Object Recognized!
Type : File
Data : chalky.txt
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\



SearchClick Object Recognized!
Type : File
Data : qdytfi.dat
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\



SearchClick Object Recognized!
Type : File
Data : qjier.dll
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\



SearchClick Object Recognized!
Type : File
Data : ajxdz.dll
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\



SearchClick Object Recognized!
Type : File
Data : zdsit.dll
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\



SearchClick Object Recognized!
Type : File
Data : tzjkg.dll
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\



SearchClick Object Recognized!
Type : File
Data : upvfz.dll
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\



SearchClick Object Recognized!
Type : File
Data : lpiiut.log
TAC Rating : 10
Category : Malware
Comment :
Object : c:\WINDOWS\


Object "A0101094.CPY" found in this archive.

SearchClick Object Recognized!
Type : File
Data : FS788.CAB
TAC Rating : 10
Category : Malware
Comment : Object "A0101094.CPY" found in this archive.
Object : c:\_RESTORE\ARCHIVE\



Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft
Value : set

CoolWebSearch Object Recognized!
Type : RegData
Data : no
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank

CoolWebSearch Object Recognized!
Type : RegData
Data : no
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank

CoolWebSearch Object Recognized!
Type : File
Data : apiiv32.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



CoolWebSearch Object Recognized!
Type : File
Data : crga.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



CoolWebSearch Object Recognized!
Type : File
Data : d3db.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



CoolWebSearch Object Recognized!
Type : File
Data : d3pr32.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



CoolWebSearch Object Recognized!
Type : File
Data : msde.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



CoolWebSearch Object Recognized!
Type : File
Data : apiiv32.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : apijm32.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : crga.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : mshp.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 23
Objects found so far: 39

10:26:51 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:11:31.70
Objects scanned:184164
Objects identified:39
Objects ignored:0
New critical objects:39






I then ran another HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 10:51:27, on 03/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ATLYT32.EXE
C:\WINDOWS\APPIP.EXE
C:\WINDOWS\ADDDE32.EXE
C:\WINDOWS\JAVAWU.EXE
C:\WINDOWS\SYSTEM\IPOX32.EXE
C:\WINDOWS\APPWJ32.EXE
C:\WINDOWS\SYSTEM\D3YE32.EXE
C:\WINDOWS\SYSTEM\D3WO32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\MFCZM32.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.oceanfree.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {0D986CF8-2CE9-4F81-C868-236758D1D348} - C:\WINDOWS\SYSTEM\ATLWV.DLL
O2 - BHO: Class - {2650658C-F99F-02C1-E8D5-C3827C0ABD4C} - C:\WINDOWS\SYSTEM\ADDLG.DLL (file missing)
O2 - BHO: Class - {81F7674D-8F16-7206-6CA1-93B05668EDDF} - C:\WINDOWS\SYSWA.DLL
O2 - BHO: Class - {7E09F9CE-E9E1-BBEC-D763-07065593678A} - C:\WINDOWS\SYSTEM\MFCQY32.DLL
O2 - BHO: Class - {64B7CF25-A72D-D62B-C29E-603B124EB935} - C:\WINDOWS\SYSTEM\MFCFX.DLL
O2 - BHO: Class - {436CC2D6-13C5-6564-C2F0-1E89CB49E703} - C:\WINDOWS\NTPX.DLL
O2 - BHO: Class - {4042A8E0-BAA2-710A-F824-37FCA490315F} - C:\WINDOWS\ADDTD32.DLL
O2 - BHO: Class - {C0ABA3B1-1D31-5501-C7B5-68D02849D3DC} - C:\WINDOWS\IELJ32.DLL
O2 - BHO: Class - {74343E32-9027-9936-7DCF-73D4C7D77C90} - C:\WINDOWS\APPOC32.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MFCZM32.EXE] C:\WINDOWS\MFCZM32.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [ATLYT32.EXE] C:\WINDOWS\SYSTEM\ATLYT32.EXE /s
O4 - HKLM\..\RunServices: [APPIP.EXE] C:\WINDOWS\APPIP.EXE /s
O4 - HKLM\..\RunServices: [ADDDE32.EXE] C:\WINDOWS\ADDDE32.EXE /s
O4 - HKLM\..\RunServices: [JAVAWU.EXE] C:\WINDOWS\JAVAWU.EXE /s
O4 - HKLM\..\RunServices: [IPOX32.EXE] C:\WINDOWS\SYSTEM\IPOX32.EXE /s
O4 - HKLM\..\RunServices: [APPWJ32.EXE] C:\WINDOWS\APPWJ32.EXE /s
O4 - HKLM\..\RunServices: [D3YE32.EXE] C:\WINDOWS\SYSTEM\D3YE32.EXE /s
O4 - HKLM\..\RunServices: [D3WO32.EXE] C:\WINDOWS\SYSTEM\D3WO32.EXE /s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3uk.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab


Thanks in advance,
Ben

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:08 AM

Posted 04 October 2005 - 07:56 AM

Hi chillinb. We still have a CWS infection here. Let's try a different approach. Please print these directions and then proceed with the following steps in order.

Step #1

Download Pocket Killbox and unzip it to your desktop.

Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\upvfz.dll
      C:\WINDOWS\SYSTEM\ATLWV.DLL
      C:\WINDOWS\SYSTEM\ADDLG.DLL
      C:\WINDOWS\SYSWA.DLL
      C:\WINDOWS\SYSTEM\MFCQY32.DLL
      C:\WINDOWS\SYSTEM\MFCFX.DLL
      C:\WINDOWS\NTPX.DLL
      C:\WINDOWS\ADDTD32.DLL
      C:\WINDOWS\IELJ32.DLL
      C:\WINDOWS\APPOC32.DLL
      C:\WINDOWS\MFCZM32.EXE
      C:\WINDOWS\SYSTEM\ATLYT32.EXE
      C:\WINDOWS\APPIP.EXE
      C:\WINDOWS\ADDDE32.EXE
      C:\WINDOWS\JAVAWU.EXE
      C:\WINDOWS\SYSTEM\IPOX32.EXE
      C:\WINDOWS\APPWJ32.EXE
      C:\WINDOWS\SYSTEM\D3YE32.EXE
      C:\WINDOWS\SYSTEM\D3WO32.EXE
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
Your system will reboot now.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Run AboutBuster and save the logs:
  • Browse to where you saved AboutBuster and run AboutBuster.exe.
  • Click "OK" at the directions Read: Important! prompt.
  • Click the Update button to check for updates and install any that are available.
  • Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
  • Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
  • Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
  • Click "Exit" and "Exit" again to exit AboutBuster.
Run CWShredder
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
Step #3

Reboot normally and run AboutBuster and CWShredder again.

Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0D986CF8-2CE9-4F81-C868-236758D1D348} - C:\WINDOWS\SYSTEM\ATLWV.DLL
O2 - BHO: Class - {2650658C-F99F-02C1-E8D5-C3827C0ABD4C} - C:\WINDOWS\SYSTEM\ADDLG.DLL (file missing)
O2 - BHO: Class - {81F7674D-8F16-7206-6CA1-93B05668EDDF} - C:\WINDOWS\SYSWA.DLL
O2 - BHO: Class - {7E09F9CE-E9E1-BBEC-D763-07065593678A} - C:\WINDOWS\SYSTEM\MFCQY32.DLL
O2 - BHO: Class - {64B7CF25-A72D-D62B-C29E-603B124EB935} - C:\WINDOWS\SYSTEM\MFCFX.DLL
O2 - BHO: Class - {436CC2D6-13C5-6564-C2F0-1E89CB49E703} - C:\WINDOWS\NTPX.DLL
O2 - BHO: Class - {4042A8E0-BAA2-710A-F824-37FCA490315F} - C:\WINDOWS\ADDTD32.DLL
O2 - BHO: Class - {C0ABA3B1-1D31-5501-C7B5-68D02849D3DC} - C:\WINDOWS\IELJ32.DLL
O2 - BHO: Class - {74343E32-9027-9936-7DCF-73D4C7D77C90} - C:\WINDOWS\APPOC32.DLL
O4 - HKLM\..\Run: [MFCZM32.EXE] C:\WINDOWS\MFCZM32.EXE
O4 - HKLM\..\RunServices: [ATLYT32.EXE] C:\WINDOWS\SYSTEM\ATLYT32.EXE /s
O4 - HKLM\..\RunServices: [APPIP.EXE] C:\WINDOWS\APPIP.EXE /s
O4 - HKLM\..\RunServices: [ADDDE32.EXE] C:\WINDOWS\ADDDE32.EXE /s
O4 - HKLM\..\RunServices: [JAVAWU.EXE] C:\WINDOWS\JAVAWU.EXE /s
O4 - HKLM\..\RunServices: [IPOX32.EXE] C:\WINDOWS\SYSTEM\IPOX32.EXE /s
O4 - HKLM\..\RunServices: [APPWJ32.EXE] C:\WINDOWS\APPWJ32.EXE /s
O4 - HKLM\..\RunServices: [D3YE32.EXE] C:\WINDOWS\SYSTEM\D3YE32.EXE /s
O4 - HKLM\..\RunServices: [D3WO32.EXE] C:\WINDOWS\SYSTEM\D3WO32.EXE /s

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

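The triage OldTimer did by eye in the post above (pick out the res:// search hijack, the nameless "Class" BHOs, the random-named executables started from RunServices with /s, then turn them into a Killbox list) can be written down as a script. The following is an added example, not code from this thread or from the HijackThis, Killbox or Ad-Aware authors. It parses HijackThis 1.99.1 log lines and flags three CoolWebSearch indicators: IE search or start-page values that point into a DLL via res://, BHOs with no registered name loaded from the Windows directory, and Run/RunServices entries whose executable sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM and is not a known Windows ME binary. The drop-directory heuristic, the small allowlist and the trimmed sample log are the editor's assumptions; the sample is constructed from the log posted above.

```python
"""Triage a HijackThis 1.99.1 log for CoolWebSearch (CWS) indicators.

Added example: the heuristics and the allowlist are assumptions made for
this script, not features of HijackThis, Killbox or any vendor tool.
"""
import re

# Constructed excerpt of the log posted in this thread, trimmed to the
# entries the heuristics act on plus a few legitimate lines used as controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.oceanfree.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\upvfz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {0D986CF8-2CE9-4F81-C868-236758D1D348} - C:\WINDOWS\SYSTEM\ATLWV.DLL
O2 - BHO: Class - {2650658C-F99F-02C1-E8D5-C3827C0ABD4C} - C:\WINDOWS\SYSTEM\ADDLG.DLL (file missing)
O2 - BHO: Class - {81F7674D-8F16-7206-6CA1-93B05668EDDF} - C:\WINDOWS\SYSWA.DLL
O2 - BHO: Class - {7E09F9CE-E9E1-BBEC-D763-07065593678A} - C:\WINDOWS\SYSTEM\MFCQY32.DLL
O2 - BHO: Class - {64B7CF25-A72D-D62B-C29E-603B124EB935} - C:\WINDOWS\SYSTEM\MFCFX.DLL
O2 - BHO: Class - {436CC2D6-13C5-6564-C2F0-1E89CB49E703} - C:\WINDOWS\NTPX.DLL
O2 - BHO: Class - {4042A8E0-BAA2-710A-F824-37FCA490315F} - C:\WINDOWS\ADDTD32.DLL
O2 - BHO: Class - {C0ABA3B1-1D31-5501-C7B5-68D02849D3DC} - C:\WINDOWS\IELJ32.DLL
O2 - BHO: Class - {74343E32-9027-9936-7DCF-73D4C7D77C90} - C:\WINDOWS\APPOC32.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [MFCZM32.EXE] C:\WINDOWS\MFCZM32.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ATLYT32.EXE] C:\WINDOWS\SYSTEM\ATLYT32.EXE /s
O4 - HKLM\..\RunServices: [APPIP.EXE] C:\WINDOWS\APPIP.EXE /s
O4 - HKLM\..\RunServices: [ADDDE32.EXE] C:\WINDOWS\ADDDE32.EXE /s
O4 - HKLM\..\RunServices: [JAVAWU.EXE] C:\WINDOWS\JAVAWU.EXE /s
O4 - HKLM\..\RunServices: [IPOX32.EXE] C:\WINDOWS\SYSTEM\IPOX32.EXE /s
O4 - HKLM\..\RunServices: [APPWJ32.EXE] C:\WINDOWS\APPWJ32.EXE /s
O4 - HKLM\..\RunServices: [D3YE32.EXE] C:\WINDOWS\SYSTEM\D3YE32.EXE /s
O4 - HKLM\..\RunServices: [D3WO32.EXE] C:\WINDOWS\SYSTEM\D3WO32.EXE /s
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
RES_DLL_RE = re.compile(r"res://([A-Za-z]:\\[^/]+?\.dll)", re.I)
BHO_RE = re.compile(r"BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+?)(?: \(file missing\))?$", re.I)
O4_RE = re.compile(r"(?:HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[[^\]]*\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"([^"]+\.exe)"|([A-Za-z]:\\\S+\.exe)', re.I)

# Directories this CWS variant drops its random-named files into, and the
# Windows ME binaries that legitimately live there (assumed allowlist, built
# from the clean entries of the same log).
DROP_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}
ALLOWLIST = {"scanregw.exe", "taskmon.exe", "systray.exe", "mdm.exe",
             "ssdpsrv.exe", "explorer.exe", "loadqm.exe", "spool32.exe"}


def in_drop_dir(path):
    """True if path sits directly in a drop directory and is not allowlisted."""
    folder, _, name = path.rpartition("\\")
    return folder.upper() in DROP_DIRS and name.lower() not in ALLOWLIST


def triage(log_text):
    """Return (findings, delete_list).

    findings: (section, reason, log line) for every suspicious entry.
    delete_list: de-duplicated file paths, in log order, to paste into Killbox.
    """
    findings, delete = [], {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.groups()
        if sec.startswith("R"):
            hit = RES_DLL_RE.search(body)
            value = body.partition("=")[2].strip()
            if hit:  # search/start page served out of a DLL resource
                findings.append((sec, "IE search setting points into res:// DLL", line))
                delete[hit.group(1)] = None
            elif value in ("", "about:blank") or "is missing" in body:
                findings.append((sec, "blanked or missing IE setting", line))
        elif sec == "O2":
            b = BHO_RE.search(body)
            if b and (b["name"] in ("Class", "(no name)") or in_drop_dir(b["path"])):
                findings.append((sec, "nameless BHO loaded from Windows directory", line))
                delete[b["path"]] = None
        elif sec == "O4":
            o = O4_RE.match(body)
            e = EXE_RE.search(o["cmd"]) if o else None
            if e:
                exe = e.group(1) or e.group(2)
                if in_drop_dir(exe):
                    findings.append((sec, f"unknown autorun in {o['key']}", line))
                    delete[exe] = None
    return findings, list(delete)


if __name__ == "__main__":
    found, to_delete = triage(SAMPLE_LOG)
    for sec, why, line in found:
        print(f"[{sec}] {why}: {line}")
    print("\nPaste into Killbox (Delete on Reboot):")
    print("\n".join(to_delete))
```

On the sample above the script reproduces the nineteen paths in OldTimer's Killbox list and leaves scanregw.exe, MDM.EXE, the KB891711 hotfix and the CA tray binary alone. The allowlist is the weak point of the approach: a CWS loader that copied a legitimate name would pass it, which is why the expert also cross-checks file dates and re-scans after the reboot.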

#11 chillinb

chillinb
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:08 AM

Posted 04 October 2005 - 06:29 PM

Hi Oldtimer.
I think we made some progress. Still not there yet I fear though!

The two scans with CWShredder came back clean. The 2nd AboutBuster also did.

Here is the log file from AboutBuster and the latest HJT log file.
Thanks again


AboutBuster 5.0 reference file 28
Scan started on [04/10/2005] at [11:35:46 PM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\Windows\lajaml.dat
Removed File! : C:\Windows\qassqa.dat
Removed File! : C:\Windows\wwegg.dat
Removed File! : C:\Windows\jqqvs.dat
Removed File! : C:\Windows\jsffhz.dat
Removed File! : C:\Windows\snyvx.dat
Removed File! : C:\Windows\xyxfe.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:56:21 PM


AboutBuster 5.0 reference file 28
Scan started on [05/10/2005] at [12:01:32 AM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:13:16 AM




Logfile of HijackThis v1.99.1
Scan saved at 12:27:20, on 05/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\IPCO32.EXE
C:\WINDOWS\SYSTEM\IPLS32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.oceanfree.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {2286BD80-35D8-4FB2-C180-3AB794C5BB56} - C:\WINDOWS\SYSTEM\SDKCL.DLL (file missing)
O2 - BHO: Class - {79FED68F-557B-E50C-4282-87434007B6F9} - C:\WINDOWS\ATLLU32.DLL
O2 - BHO: Class - {AC207AC9-F483-0DB0-4915-0CE2B63FC765} - C:\WINDOWS\SYSTEM\APIYQ.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [IPCO32.EXE] C:\WINDOWS\IPCO32.EXE /s
O4 - HKLM\..\RunServices: [IPLS32.EXE] C:\WINDOWS\SYSTEM\IPLS32.EXE /s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3uk.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

#12 OldTimer (Malware Expert, Members, 11,092 posts, North Carolina)

Posted 05 October 2005 - 07:17 AM

Hi chillinb. We still have a couple of items to fix. Please print these directions and then proceed with the following steps in order.

Step #1

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2286BD80-35D8-4FB2-C180-3AB794C5BB56} - C:\WINDOWS\SYSTEM\SDKCL.DLL (file missing)
O2 - BHO: Class - {79FED68F-557B-E50C-4282-87434007B6F9} - C:\WINDOWS\ATLLU32.DLL
O2 - BHO: Class - {AC207AC9-F483-0DB0-4915-0CE2B63FC765} - C:\WINDOWS\SYSTEM\APIYQ.DLL
O4 - HKLM\..\RunServices: [IPCO32.EXE] C:\WINDOWS\IPCO32.EXE /s
O4 - HKLM\..\RunServices: [IPLS32.EXE] C:\WINDOWS\SYSTEM\IPLS32.EXE /s

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\SYSTEM\SDKCL.DLL
C:\WINDOWS\SYSTEM\IPLS32.EXE
C:\WINDOWS\SYSTEM\APIYQ.DLL
C:\WINDOWS\ATLLU32.DLL
C:\WINDOWS\IPCO32.EXE

Step #4

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #5

Reboot normally and run at least 2 of the following on-line virus scans:

Bitdefender <<< Add a check by 'Autoclean'.
RAV <<< Add a check by 'Autoclean', leave everything else as is.
eTrust <<< 'Cure' whatever is found, then delete if unsuccessful.
Housecall <<< Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<< Accept default settings.
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #6

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

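The fix list above is the result of reading the O2 (browser helper object) and O4 (Run/RunServices autostart) lines of the posted log by eye. As an added example, not part of OldTimer's post and not code from HijackThis, the Python script below does the same first pass automatically. Its indicators are heuristics chosen for this example from the pattern visible in this thread's own log, not a published rule set: a "(file missing)" entry whose file is gone but whose registry value remains, a BHO registered only as "Class", a RunServices value named after its own executable, and a short generated-looking filename (a few letters plus two digits) dropped straight into C:\WINDOWS or C:\WINDOWS\SYSTEM. The sample lines are constructed from the log in this thread and mix the five entries OldTimer told the poster to fix with legitimate ones.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample input: lines in the shape of the HijackThis log posted in
# this thread, mixing the entries OldTimer told the poster to fix with
# legitimate ones, so the triage has both classes to work on.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {2286BD80-35D8-4FB2-C180-3AB794C5BB56} - C:\WINDOWS\SYSTEM\SDKCL.DLL (file missing)
O2 - BHO: Class - {79FED68F-557B-E50C-4282-87434007B6F9} - C:\WINDOWS\ATLLU32.DLL
O2 - BHO: Class - {AC207AC9-F483-0DB0-4915-0CE2B63FC765} - C:\WINDOWS\SYSTEM\APIYQ.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [IPCO32.EXE] C:\WINDOWS\IPCO32.EXE /s
O4 - HKLM\..\RunServices: [IPLS32.EXE] C:\WINDOWS\SYSTEM\IPLS32.EXE /s
"""

# O2 = browser helper object, O4 = Run/RunServices autostart: the two
# persistence points the fix list in this thread targets.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<target>.*)$")
# Shortest prefix ending in a PE extension followed by whitespace or end of
# line, so unquoted paths containing spaces survive and arguments are dropped.
PATH_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|ocx))(?=\s|$)", re.IGNORECASE)
# Heuristic chosen for this example (an assumption, not a rule from the thread):
# a file directly in C:\WINDOWS or C:\WINDOWS\SYSTEM whose stem is 3-6 letters
# plus two digits, the naming pattern every dropped file in this log shares.
WINDIR_RE = re.compile(r"^C:\\WINDOWS\\(?:SYSTEM\\)?[^\\]+$", re.IGNORECASE)
GENERATED_STEM_RE = re.compile(r"^[A-Z]{3,6}\d{2}$", re.IGNORECASE)


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one O2 or O4 line into its fields; any other section returns None."""
    m = O2_RE.match(line)
    if m:
        return {"section": "O2", "name": m["name"], "clsid": m["clsid"], "target": m["target"]}
    m = O4_RE.match(line)
    if m:
        return {"section": "O4", "hive": m["hive"], "key": m["key"],
                "value": m["value"], "target": m["target"]}
    return None


def image_path(target: str) -> str:
    """Recover the executable/DLL path from the target text, dropping trailing
    arguments such as '/s' and HijackThis's '(file missing)' annotation."""
    t = re.sub(r"\s*\(file missing\)$", "", target).strip()
    if t.startswith('"'):
        return t[1:].split('"', 1)[0]
    m = PATH_RE.match(t)
    return m["path"] if m else (t.split()[0] if t else "")


def indicators(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry resembles the ones fixed in this thread."""
    reasons: List[str] = []
    path = image_path(entry["target"])
    base = ntpath.basename(path)
    stem = ntpath.splitext(base)[0]
    if entry["target"].endswith("(file missing)"):
        reasons.append("file is gone but the registry entry remains")
    if entry["section"] == "O2" and entry["name"].strip().lower() in ("", "class"):
        reasons.append("BHO registered without a descriptive name")
    if entry["section"] == "O4" and entry["value"].lower() == base.lower():
        reasons.append("autostart value name is just the executable name")
    if WINDIR_RE.match(path) and GENERATED_STEM_RE.match(stem):
        reasons.append("generated-looking filename dropped straight into the Windows directory")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return every O2/O4 entry that trips at least one indicator, in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = indicators(entry)
        if reasons:
            findings.append({"line": line, "path": image_path(entry["target"]), "reasons": reasons})
    return findings


def flagged_paths(log_text: str) -> List[str]:
    """Just the on-disk paths behind the flagged entries: the delete list for Step #3."""
    return [str(f["path"]) for f in triage(log_text)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Run against the constructed sample, `flagged_paths` returns exactly the five files OldTimer listed for manual deletion, while taskmon.exe, the KB891711 hotfix, the eTrust service and the Rundll32 power-profile entry pass untouched. The "(file missing)" indicator is the one worth keeping even after the files are gone: a dangling O2 or O4 value is still a sign the machine was infected and still needs its registry entry fixed, which is why both the HijackThis fix and the file deletion appear as separate steps in the post above.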

#13 chillinb (Topic Starter, Members, 7 posts)

Posted 06 October 2005 - 12:40 PM

Hi,
Most things went smoothly.

The eTrust scan and the Ad-Aware scan discovered quite a few files, such as the ones below, that could not be deleted:

A0090779.CPY Win32.Winshow.FT cannot delete C:\_RESTORE\TEMP\
A0090786.CPY Win32.Winshow.FT cannot delete C:\_RESTORE\TEMP

Here is the latest HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 06:32:52, on 06/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.oceanfree.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3uk.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

#14 OldTimer (Malware Expert, Members, 11,092 posts, North Carolina)

Posted 07 October 2005 - 08:02 AM

Hi chillinb. The log is clean. How are things running?

The files that could not be cleaned are in the restore points. The operating system does not allow other applications to touch files in the restore area. We will clean those out below.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):

1. Turn off System Restore.
  • Right-click My Computer and then click Properties.
  • On the Performance tab, click File System.
  • On the Troubleshooting tab, click to select Disable System Restore.
  • Click OK twice.
2. Restart your computer.
3. Turn on System Restore.
  • Right-click My Computer and again click Properties.
  • On the Performance tab, click File System.
  • Clear the check mark in the Disable System Restore check box.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You already have a good anti-virus, and you should also have a good firewall for blocking unwanted access to and from your computer. These also are free for personal use:

It is best to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean, be aware of what emails you open and what websites you visit, and update and run these free malware scanners once a week:

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT