Hijack This Log: please help diagnose


12 replies to this topic

#1 wisebigguy

wisebigguy

  • Members
  • 6 posts

Posted 02 October 2004 - 07:47 PM

Logfile of HijackThis v1.98.2
Scan saved at 8:19:00 PM, on 10/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\APICG.EXE
C:\WINDOWS\SYSTEM\JAVAEF.EXE
C:\WINDOWS\SYSTEM\NTGD32.EXE
C:\WINDOWS\SYSTEM\ATLPC.EXE
C:\WINDOWS\SYSTEM\MFCDJ.EXE
C:\WINDOWS\SYSTEM\MFCGF32.EXE
C:\WINDOWS\SYSTEM\ATLBM32.EXE
C:\WINDOWS\JAVALF.EXE
C:\WINDOWS\MSYK.EXE
C:\WINDOWS\SDKLK.EXE
C:\WINDOWS\SYSTEM\ATLFZ.EXE
C:\WINDOWS\SYSTEM\SDKOC32.EXE
C:\WINDOWS\IPVZ32.EXE
C:\WINDOWS\SYSTEM\NTRJ32.EXE
C:\WINDOWS\SYSTEM\IPDB.EXE
C:\WINDOWS\SYSTEM\WINJG32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\CTFBEZQ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ATLFZ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\ATLFZ.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\ATLFZ.EXE
C:\WINDOWS\SYSTEM\IPPG32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\grzxw.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\grzxw.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\grzxw.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\grzxw.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\grzxw.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\grzxw.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\grzxw.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8BE43CFA-0CDE-5991-8567-44A8E60E22B5} - C:\WINDOWS\SYSTEM\JAVASQ32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ptdhpo] C:\WINDOWS\SYSTEM\ctfbezq.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [MSEG32.EXE] C:\WINDOWS\SYSTEM\MSEG32.EXE
O4 - HKLM\..\RunServices: [IPBE32.EXE] C:\WINDOWS\SYSTEM\IPBE32.EXE
O4 - HKLM\..\RunServices: [D3LL.EXE] C:\WINDOWS\SYSTEM\D3LL.EXE
O4 - HKLM\..\RunServices: [ADDTA32.EXE] C:\WINDOWS\SYSTEM\ADDTA32.EXE
O4 - HKLM\..\RunServices: [SDKWC.EXE] C:\WINDOWS\SDKWC.EXE
O4 - HKLM\..\RunServices: [IEEZ32.EXE] C:\WINDOWS\IEEZ32.EXE
O4 - HKLM\..\RunServices: [WINGY32.EXE] C:\WINDOWS\SYSTEM\WINGY32.EXE
O4 - HKLM\..\RunServices: [IEHY32.EXE] C:\WINDOWS\IEHY32.EXE
O4 - HKLM\..\RunServices: [IPOA32.EXE] C:\WINDOWS\IPOA32.EXE
O4 - HKLM\..\RunServices: [IEQN32.EXE] C:\WINDOWS\SYSTEM\IEQN32.EXE
O4 - HKLM\..\RunServices: [NETRT.EXE] C:\WINDOWS\NETRT.EXE
O4 - HKLM\..\RunServices: [CRIQ32.EXE] C:\WINDOWS\SYSTEM\CRIQ32.EXE
O4 - HKLM\..\RunServices: [NETMM32.EXE] C:\WINDOWS\SYSTEM\NETMM32.EXE
O4 - HKLM\..\RunServices: [WINHH.EXE] C:\WINDOWS\SYSTEM\WINHH.EXE
O4 - HKLM\..\RunServices: [NTNM.EXE] C:\WINDOWS\NTNM.EXE
O4 - HKLM\..\RunServices: [MSHU32.EXE] C:\WINDOWS\MSHU32.EXE
O4 - HKLM\..\RunServices: [SDKGF32.EXE] C:\WINDOWS\SYSTEM\SDKGF32.EXE
O4 - HKLM\..\RunServices: [MSEL.EXE] C:\WINDOWS\SYSTEM\MSEL.EXE
O4 - HKLM\..\RunServices: [D3XE32.EXE] C:\WINDOWS\SYSTEM\D3XE32.EXE
O4 - HKLM\..\RunServices: [IEWS32.EXE] C:\WINDOWS\IEWS32.EXE
O4 - HKLM\..\RunServices: [NETPU.EXE] C:\WINDOWS\SYSTEM\NETPU.EXE
O4 - HKLM\..\RunServices: [ADDEQ32.EXE] C:\WINDOWS\ADDEQ32.EXE
O4 - HKLM\..\RunServices: [NETIQ.EXE] C:\WINDOWS\NETIQ.EXE
O4 - HKLM\..\RunServices: [MSTK32.EXE] C:\WINDOWS\SYSTEM\MSTK32.EXE
O4 - HKLM\..\RunServices: [APIIO.EXE] C:\WINDOWS\SYSTEM\APIIO.EXE
O4 - HKLM\..\RunServices: [APIBU.EXE] C:\WINDOWS\SYSTEM\APIBU.EXE
O4 - HKLM\..\RunServices: [D3UW32.EXE] C:\WINDOWS\D3UW32.EXE
O4 - HKLM\..\RunServices: [SYSMZ.EXE] C:\WINDOWS\SYSMZ.EXE
O4 - HKLM\..\RunServices: [IETW.EXE] C:\WINDOWS\IETW.EXE
O4 - HKLM\..\RunServices: [IPDV32.EXE] C:\WINDOWS\IPDV32.EXE
O4 - HKLM\..\RunServices: [APPKK32.EXE] C:\WINDOWS\APPKK32.EXE
O4 - HKLM\..\RunServices: [MSPH32.EXE] C:\WINDOWS\SYSTEM\MSPH32.EXE
O4 - HKLM\..\RunServices: [ATLPC.EXE] C:\WINDOWS\SYSTEM\ATLPC.EXE
O4 - HKLM\..\RunServices: [MFCDJ.EXE] C:\WINDOWS\SYSTEM\MFCDJ.EXE
O4 - HKLM\..\RunServices: [APICG.EXE] C:\WINDOWS\APICG.EXE
O4 - HKLM\..\RunServices: [MFCGF32.EXE] C:\WINDOWS\SYSTEM\MFCGF32.EXE
O4 - HKLM\..\RunServices: [NTGD32.EXE] C:\WINDOWS\SYSTEM\NTGD32.EXE
O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE
O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
O4 - HKLM\..\RunServices: [ATLBM32.EXE] C:\WINDOWS\SYSTEM\ATLBM32.EXE
O4 - HKLM\..\RunServices: [ATLFZ.EXE] C:\WINDOWS\SYSTEM\ATLFZ.EXE
O4 - HKLM\..\RunServices: [MSYK.EXE] C:\WINDOWS\MSYK.EXE
O4 - HKLM\..\RunServices: [SDKOC32.EXE] C:\WINDOWS\SYSTEM\SDKOC32.EXE
O4 - HKLM\..\RunServices: [SDKLK.EXE] C:\WINDOWS\SDKLK.EXE
O4 - HKLM\..\RunServices: [IPDB.EXE] C:\WINDOWS\SYSTEM\IPDB.EXE
O4 - HKLM\..\RunServices: [NTRJ32.EXE] C:\WINDOWS\SYSTEM\NTRJ32.EXE
O4 - HKLM\..\RunServices: [WINJG32.EXE] C:\WINDOWS\SYSTEM\WINJG32.EXE
O4 - HKLM\..\RunServices: [IPVZ32.EXE] C:\WINDOWS\IPVZ32.EXE
O4 - HKLM\..\RunServices: [IPPG32.EXE] C:\WINDOWS\SYSTEM\IPPG32.EXE
O4 - HKCU\..\Run: [Emf] C:\WINDOWS\SYSTEM\ujham.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

:thumbsup: I think my hosts file got shanghaied also. Can't seem to find it!



#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 03 October 2004 - 08:29 AM

Hi wisebigguy

Please post a fresh HijackThis log.

From the moment you post your log, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, some files will have changed and the fix provided will not work.
Everyday is virus day. Do you know where your recovery CDs are?
Did you create them yet?


#3 wisebigguy

wisebigguy
  • Topic Starter

  • Members
  • 6 posts

Posted 04 October 2004 - 12:21 AM

I'm trying to help a friend to remove some malware on his computer. I posted on October 3rd around 8:40pm. I couldn't stay to get a response. Posted as Wisebigguy. I have tried Spybot S&D and Ad-Aware but they could not remove most of the problems. I will be visiting my friend again on Wednesday the 6th. I will log on and post a fresh HJT log then. I just wanted to give you a "heads-up" regarding some strange behavior on his computer and let you know that we will still be needing some help.

His computer is a Pentium III running Windows 98 SE and I noticed that it is loading over 40 processes from the Services registry key. Used a small utility called "Start-upCPL" to get this scan of start-up activity. Also noticed while viewing files in his Root Directory\Windows that the Swap file, User.dat, and Sys.dat files were being constantly modified while numerous 0 byte .dll files were being created at intervals and adding up in this directory. Ok, will contact again on Wednesday with a fresh HJT log. Thanks. :thumbsup:

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 04 October 2004 - 01:02 AM

> I just wanted to give you a "heads-up" regarding some strange behavior on his computer and let you know that we will still be needing some help.

Hi wisebigguy,

Thanks, I will be away on Wednesday the 6th, but someone else will help you.

Your friend has a nasty CoolWebSearch infection.

Please don't open a new topic, click Add Reply and post the new log in this topic.

Edited by cryo, 04 October 2004 - 01:05 AM.



#5 wisebigguy

wisebigguy
  • Topic Starter

  • Members
  • 6 posts

Posted 04 October 2004 - 01:16 AM

Thanks cryo. You guys are the best. Will post again on Wednesday from the affected computer. :thumbsup:

#6 wisebigguy

wisebigguy
  • Topic Starter

  • Members
  • 6 posts

Posted 08 October 2004 - 09:51 AM

I have finally gotten back to my friend's computer to help him clean up his computer. I hope you can help. Here is a fresh HJT log I just scanned.

Logfile of HijackThis v1.98.2
Scan saved at 10:33:15 AM, on 10/8/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ATLPC.EXE
C:\WINDOWS\APICG.EXE
C:\WINDOWS\JAVALF.EXE
C:\WINDOWS\SYSTEM\NTGD32.EXE
C:\WINDOWS\SYSTEM\MFCDJ.EXE
C:\WINDOWS\SYSTEM\ATLBM32.EXE
C:\WINDOWS\SYSTEM\MFCGF32.EXE
C:\WINDOWS\MSYK.EXE
C:\WINDOWS\SYSTEM\ATLFZ.EXE
C:\WINDOWS\SYSTEM\JAVAEF.EXE
C:\WINDOWS\SYSTEM\SDKOC32.EXE
C:\WINDOWS\SYSTEM\NTRJ32.EXE
C:\WINDOWS\SYSTEM\IPDB.EXE
C:\WINDOWS\SYSTEM\WINJG32.EXE
C:\WINDOWS\IPVZ32.EXE
C:\WINDOWS\SDKLK.EXE
C:\WINDOWS\SYSTEM\APISG32.EXE
C:\WINDOWS\SYSTEM\IPPG32.EXE
C:\WINDOWS\CRIT.EXE
C:\WINDOWS\SDKQM.EXE
C:\WINDOWS\SYSTEM\MSKJ.EXE
C:\WINDOWS\ATLJG.EXE
C:\WINDOWS\IEUF32.EXE
C:\WINDOWS\SYSWF.EXE
C:\WINDOWS\ADDDD32.EXE
C:\WINDOWS\ADDVL32.EXE
C:\WINDOWS\SYSTEM\IEFR32.EXE
C:\WINDOWS\JAVAJI.EXE
C:\WINDOWS\NTZB.EXE
C:\WINDOWS\SYSTEM\JAVAQY.EXE
C:\WINDOWS\SYSTEM\ATLWI32.EXE
C:\WINDOWS\NTNL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\CTFBEZQ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7054F996-46A4-C58A-5B63-C16827E1FE86} - C:\WINDOWS\SYSTEM\SDKJM32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ptdhpo] C:\WINDOWS\SYSTEM\ctfbezq.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [MSEG32.EXE] C:\WINDOWS\SYSTEM\MSEG32.EXE
O4 - HKLM\..\RunServices: [IPBE32.EXE] C:\WINDOWS\SYSTEM\IPBE32.EXE
O4 - HKLM\..\RunServices: [D3LL.EXE] C:\WINDOWS\SYSTEM\D3LL.EXE
O4 - HKLM\..\RunServices: [ADDTA32.EXE] C:\WINDOWS\SYSTEM\ADDTA32.EXE
O4 - HKLM\..\RunServices: [SDKWC.EXE] C:\WINDOWS\SDKWC.EXE
O4 - HKLM\..\RunServices: [IEEZ32.EXE] C:\WINDOWS\IEEZ32.EXE
O4 - HKLM\..\RunServices: [WINGY32.EXE] C:\WINDOWS\SYSTEM\WINGY32.EXE
O4 - HKLM\..\RunServices: [IEHY32.EXE] C:\WINDOWS\IEHY32.EXE
O4 - HKLM\..\RunServices: [IPOA32.EXE] C:\WINDOWS\IPOA32.EXE
O4 - HKLM\..\RunServices: [IEQN32.EXE] C:\WINDOWS\SYSTEM\IEQN32.EXE
O4 - HKLM\..\RunServices: [NETRT.EXE] C:\WINDOWS\NETRT.EXE
O4 - HKLM\..\RunServices: [CRIQ32.EXE] C:\WINDOWS\SYSTEM\CRIQ32.EXE
O4 - HKLM\..\RunServices: [NETMM32.EXE] C:\WINDOWS\SYSTEM\NETMM32.EXE
O4 - HKLM\..\RunServices: [WINHH.EXE] C:\WINDOWS\SYSTEM\WINHH.EXE
O4 - HKLM\..\RunServices: [NTNM.EXE] C:\WINDOWS\NTNM.EXE
O4 - HKLM\..\RunServices: [MSHU32.EXE] C:\WINDOWS\MSHU32.EXE
O4 - HKLM\..\RunServices: [SDKGF32.EXE] C:\WINDOWS\SYSTEM\SDKGF32.EXE
O4 - HKLM\..\RunServices: [MSEL.EXE] C:\WINDOWS\SYSTEM\MSEL.EXE
O4 - HKLM\..\RunServices: [D3XE32.EXE] C:\WINDOWS\SYSTEM\D3XE32.EXE
O4 - HKLM\..\RunServices: [IEWS32.EXE] C:\WINDOWS\IEWS32.EXE
O4 - HKLM\..\RunServices: [NETPU.EXE] C:\WINDOWS\SYSTEM\NETPU.EXE
O4 - HKLM\..\RunServices: [ADDEQ32.EXE] C:\WINDOWS\ADDEQ32.EXE
O4 - HKLM\..\RunServices: [NETIQ.EXE] C:\WINDOWS\NETIQ.EXE
O4 - HKLM\..\RunServices: [MSTK32.EXE] C:\WINDOWS\SYSTEM\MSTK32.EXE
O4 - HKLM\..\RunServices: [APIIO.EXE] C:\WINDOWS\SYSTEM\APIIO.EXE
O4 - HKLM\..\RunServices: [APIBU.EXE] C:\WINDOWS\SYSTEM\APIBU.EXE
O4 - HKLM\..\RunServices: [D3UW32.EXE] C:\WINDOWS\D3UW32.EXE
O4 - HKLM\..\RunServices: [SYSMZ.EXE] C:\WINDOWS\SYSMZ.EXE
O4 - HKLM\..\RunServices: [IETW.EXE] C:\WINDOWS\IETW.EXE
O4 - HKLM\..\RunServices: [IPDV32.EXE] C:\WINDOWS\IPDV32.EXE
O4 - HKLM\..\RunServices: [APPKK32.EXE] C:\WINDOWS\APPKK32.EXE
O4 - HKLM\..\RunServices: [MSPH32.EXE] C:\WINDOWS\SYSTEM\MSPH32.EXE
O4 - HKLM\..\RunServices: [ATLPC.EXE] C:\WINDOWS\SYSTEM\ATLPC.EXE
O4 - HKLM\..\RunServices: [MFCDJ.EXE] C:\WINDOWS\SYSTEM\MFCDJ.EXE
O4 - HKLM\..\RunServices: [APICG.EXE] C:\WINDOWS\APICG.EXE
O4 - HKLM\..\RunServices: [MFCGF32.EXE] C:\WINDOWS\SYSTEM\MFCGF32.EXE
O4 - HKLM\..\RunServices: [NTGD32.EXE] C:\WINDOWS\SYSTEM\NTGD32.EXE
O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE
O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
O4 - HKLM\..\RunServices: [ATLBM32.EXE] C:\WINDOWS\SYSTEM\ATLBM32.EXE
O4 - HKLM\..\RunServices: [ATLFZ.EXE] C:\WINDOWS\SYSTEM\ATLFZ.EXE
O4 - HKLM\..\RunServices: [MSYK.EXE] C:\WINDOWS\MSYK.EXE
O4 - HKLM\..\RunServices: [SDKOC32.EXE] C:\WINDOWS\SYSTEM\SDKOC32.EXE
O4 - HKLM\..\RunServices: [SDKLK.EXE] C:\WINDOWS\SDKLK.EXE
O4 - HKLM\..\RunServices: [IPDB.EXE] C:\WINDOWS\SYSTEM\IPDB.EXE
O4 - HKLM\..\RunServices: [NTRJ32.EXE] C:\WINDOWS\SYSTEM\NTRJ32.EXE
O4 - HKLM\..\RunServices: [WINJG32.EXE] C:\WINDOWS\SYSTEM\WINJG32.EXE
O4 - HKLM\..\RunServices: [IPVZ32.EXE] C:\WINDOWS\IPVZ32.EXE
O4 - HKLM\..\RunServices: [IPPG32.EXE] C:\WINDOWS\SYSTEM\IPPG32.EXE
O4 - HKLM\..\RunServices: [CRIT.EXE] C:\WINDOWS\CRIT.EXE
O4 - HKLM\..\RunServices: [APISG32.EXE] C:\WINDOWS\SYSTEM\APISG32.EXE
O4 - HKLM\..\RunServices: [SDKQM.EXE] C:\WINDOWS\SDKQM.EXE
O4 - HKLM\..\RunServices: [MSKJ.EXE] C:\WINDOWS\SYSTEM\MSKJ.EXE
O4 - HKLM\..\RunServices: [IEUF32.EXE] C:\WINDOWS\IEUF32.EXE
O4 - HKLM\..\RunServices: [ATLJG.EXE] C:\WINDOWS\ATLJG.EXE
O4 - HKLM\..\RunServices: [ATLWI32.EXE] C:\WINDOWS\SYSTEM\ATLWI32.EXE
O4 - HKLM\..\RunServices: [IEFR32.EXE] C:\WINDOWS\SYSTEM\IEFR32.EXE
O4 - HKLM\..\RunServices: [ADDDD32.EXE] C:\WINDOWS\ADDDD32.EXE
O4 - HKLM\..\RunServices: [SYSWF.EXE] C:\WINDOWS\SYSWF.EXE
O4 - HKLM\..\RunServices: [JAVAJI.EXE] C:\WINDOWS\JAVAJI.EXE
O4 - HKLM\..\RunServices: [ADDVL32.EXE] C:\WINDOWS\ADDVL32.EXE
O4 - HKLM\..\RunServices: [NTZB.EXE] C:\WINDOWS\NTZB.EXE
O4 - HKLM\..\RunServices: [JAVAQY.EXE] C:\WINDOWS\SYSTEM\JAVAQY.EXE
O4 - HKLM\..\RunServices: [NTNL32.EXE] C:\WINDOWS\NTNL32.EXE
O4 - HKCU\..\Run: [Emf] C:\WINDOWS\SYSTEM\ujham.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

#7 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 08 October 2004 - 11:30 AM

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Internet Explorer should remain closed during the cleanup. If you open Internet Explorer the fix will fail. (steps 1 - 9)

Please make sure that you can view all hidden files:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known file types and Hide protected operating system files.
How to see hidden files in Windows

Please download About:Buster from here: About:Buster Download. Once it is downloaded, extract it to c:\aboutbuster. We will use that program later in this process. Don't use it yet.

Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Step 1:
Reboot your computer into Safe Mode and follow these steps:

Step 2:
Then close all programs and windows and run HijackThis. Put a checkmark next to each of these entries and press the Fix button when ready:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {7054F996-46A4-C58A-5B63-C16827E1FE86} - C:\WINDOWS\SYSTEM\SDKJM32.DLL

O4 - HKLM\..\Run: [ptdhpo] C:\WINDOWS\SYSTEM\ctfbezq.exe
O4 - HKLM\..\RunServices: [MSEG32.EXE] C:\WINDOWS\SYSTEM\MSEG32.EXE
O4 - HKLM\..\RunServices: [IPBE32.EXE] C:\WINDOWS\SYSTEM\IPBE32.EXE
O4 - HKLM\..\RunServices: [D3LL.EXE] C:\WINDOWS\SYSTEM\D3LL.EXE
O4 - HKLM\..\RunServices: [ADDTA32.EXE] C:\WINDOWS\SYSTEM\ADDTA32.EXE
O4 - HKLM\..\RunServices: [SDKWC.EXE] C:\WINDOWS\SDKWC.EXE
O4 - HKLM\..\RunServices: [IEEZ32.EXE] C:\WINDOWS\IEEZ32.EXE
O4 - HKLM\..\RunServices: [WINGY32.EXE] C:\WINDOWS\SYSTEM\WINGY32.EXE
O4 - HKLM\..\RunServices: [IEHY32.EXE] C:\WINDOWS\IEHY32.EXE
O4 - HKLM\..\RunServices: [IPOA32.EXE] C:\WINDOWS\IPOA32.EXE
O4 - HKLM\..\RunServices: [IEQN32.EXE] C:\WINDOWS\SYSTEM\IEQN32.EXE
O4 - HKLM\..\RunServices: [NETRT.EXE] C:\WINDOWS\NETRT.EXE
O4 - HKLM\..\RunServices: [CRIQ32.EXE] C:\WINDOWS\SYSTEM\CRIQ32.EXE
O4 - HKLM\..\RunServices: [NETMM32.EXE] C:\WINDOWS\SYSTEM\NETMM32.EXE
O4 - HKLM\..\RunServices: [WINHH.EXE] C:\WINDOWS\SYSTEM\WINHH.EXE
O4 - HKLM\..\RunServices: [NTNM.EXE] C:\WINDOWS\NTNM.EXE
O4 - HKLM\..\RunServices: [MSHU32.EXE] C:\WINDOWS\MSHU32.EXE
O4 - HKLM\..\RunServices: [SDKGF32.EXE] C:\WINDOWS\SYSTEM\SDKGF32.EXE
O4 - HKLM\..\RunServices: [MSEL.EXE] C:\WINDOWS\SYSTEM\MSEL.EXE
O4 - HKLM\..\RunServices: [D3XE32.EXE] C:\WINDOWS\SYSTEM\D3XE32.EXE
O4 - HKLM\..\RunServices: [IEWS32.EXE] C:\WINDOWS\IEWS32.EXE
O4 - HKLM\..\RunServices: [NETPU.EXE] C:\WINDOWS\SYSTEM\NETPU.EXE
O4 - HKLM\..\RunServices: [ADDEQ32.EXE] C:\WINDOWS\ADDEQ32.EXE
O4 - HKLM\..\RunServices: [NETIQ.EXE] C:\WINDOWS\NETIQ.EXE
O4 - HKLM\..\RunServices: [MSTK32.EXE] C:\WINDOWS\SYSTEM\MSTK32.EXE
O4 - HKLM\..\RunServices: [APIIO.EXE] C:\WINDOWS\SYSTEM\APIIO.EXE
O4 - HKLM\..\RunServices: [APIBU.EXE] C:\WINDOWS\SYSTEM\APIBU.EXE
O4 - HKLM\..\RunServices: [D3UW32.EXE] C:\WINDOWS\D3UW32.EXE
O4 - HKLM\..\RunServices: [SYSMZ.EXE] C:\WINDOWS\SYSMZ.EXE
O4 - HKLM\..\RunServices: [IETW.EXE] C:\WINDOWS\IETW.EXE
O4 - HKLM\..\RunServices: [IPDV32.EXE] C:\WINDOWS\IPDV32.EXE
O4 - HKLM\..\RunServices: [APPKK32.EXE] C:\WINDOWS\APPKK32.EXE
O4 - HKLM\..\RunServices: [MSPH32.EXE] C:\WINDOWS\SYSTEM\MSPH32.EXE
O4 - HKLM\..\RunServices: [ATLPC.EXE] C:\WINDOWS\SYSTEM\ATLPC.EXE
O4 - HKLM\..\RunServices: [MFCDJ.EXE] C:\WINDOWS\SYSTEM\MFCDJ.EXE
O4 - HKLM\..\RunServices: [APICG.EXE] C:\WINDOWS\APICG.EXE
O4 - HKLM\..\RunServices: [MFCGF32.EXE] C:\WINDOWS\SYSTEM\MFCGF32.EXE
O4 - HKLM\..\RunServices: [NTGD32.EXE] C:\WINDOWS\SYSTEM\NTGD32.EXE
O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE
O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
O4 - HKLM\..\RunServices: [ATLBM32.EXE] C:\WINDOWS\SYSTEM\ATLBM32.EXE
O4 - HKLM\..\RunServices: [ATLFZ.EXE] C:\WINDOWS\SYSTEM\ATLFZ.EXE
O4 - HKLM\..\RunServices: [MSYK.EXE] C:\WINDOWS\MSYK.EXE
O4 - HKLM\..\RunServices: [SDKOC32.EXE] C:\WINDOWS\SYSTEM\SDKOC32.EXE
O4 - HKLM\..\RunServices: [SDKLK.EXE] C:\WINDOWS\SDKLK.EXE
O4 - HKLM\..\RunServices: [IPDB.EXE] C:\WINDOWS\SYSTEM\IPDB.EXE
O4 - HKLM\..\RunServices: [NTRJ32.EXE] C:\WINDOWS\SYSTEM\NTRJ32.EXE
O4 - HKLM\..\RunServices: [WINJG32.EXE] C:\WINDOWS\SYSTEM\WINJG32.EXE
O4 - HKLM\..\RunServices: [IPVZ32.EXE] C:\WINDOWS\IPVZ32.EXE
O4 - HKLM\..\RunServices: [IPPG32.EXE] C:\WINDOWS\SYSTEM\IPPG32.EXE
O4 - HKLM\..\RunServices: [CRIT.EXE] C:\WINDOWS\CRIT.EXE
O4 - HKLM\..\RunServices: [APISG32.EXE] C:\WINDOWS\SYSTEM\APISG32.EXE
O4 - HKLM\..\RunServices: [SDKQM.EXE] C:\WINDOWS\SDKQM.EXE
O4 - HKLM\..\RunServices: [MSKJ.EXE] C:\WINDOWS\SYSTEM\MSKJ.EXE
O4 - HKLM\..\RunServices: [IEUF32.EXE] C:\WINDOWS\IEUF32.EXE
O4 - HKLM\..\RunServices: [ATLJG.EXE] C:\WINDOWS\ATLJG.EXE
O4 - HKLM\..\RunServices: [ATLWI32.EXE] C:\WINDOWS\SYSTEM\ATLWI32.EXE
O4 - HKLM\..\RunServices: [IEFR32.EXE] C:\WINDOWS\SYSTEM\IEFR32.EXE
O4 - HKLM\..\RunServices: [ADDDD32.EXE] C:\WINDOWS\ADDDD32.EXE
O4 - HKLM\..\RunServices: [SYSWF.EXE] C:\WINDOWS\SYSWF.EXE
O4 - HKLM\..\RunServices: [JAVAJI.EXE] C:\WINDOWS\JAVAJI.EXE
O4 - HKLM\..\RunServices: [ADDVL32.EXE] C:\WINDOWS\ADDVL32.EXE
O4 - HKLM\..\RunServices: [NTZB.EXE] C:\WINDOWS\NTZB.EXE
O4 - HKLM\..\RunServices: [JAVAQY.EXE] C:\WINDOWS\SYSTEM\JAVAQY.EXE
O4 - HKLM\..\RunServices: [NTNL32.EXE] C:\WINDOWS\NTNL32.EXE
O4 - HKCU\..\Run: [Emf] C:\WINDOWS\SYSTEM\ujham.exe

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


Step 3:
I now need you to delete the following files:

C:\WINDOWS\system\antah.dll <-- this file
C:\WINDOWS\SYSTEM\SDKJM32.DLL <-- this file
C:\WINDOWS\SYSTEM\ctfbezq.exe <-- this file
C:\WINDOWS\SYSTEM\MSEG32.EXE <-- this file
C:\WINDOWS\SYSTEM\IPBE32.EXE <-- this file
C:\WINDOWS\SYSTEM\D3LL.EXE <-- this file
C:\WINDOWS\SYSTEM\ADDTA32.EXE <-- this file
C:\WINDOWS\SDKWC.EXE <-- this file
C:\WINDOWS\IEEZ32.EXE <-- this file
C:\WINDOWS\SYSTEM\WINGY32.EXE <-- this file
C:\WINDOWS\IEHY32.EXE <-- this file
C:\WINDOWS\IPOA32.EXE <-- this file
C:\WINDOWS\SYSTEM\IEQN32.EXE <-- this file
C:\WINDOWS\NETRT.EXE <-- this file
C:\WINDOWS\SYSTEM\CRIQ32.EXE <-- this file
C:\WINDOWS\SYSTEM\NETMM32.EXE <-- this file
C:\WINDOWS\SYSTEM\WINHH.EXE <-- this file
C:\WINDOWS\NTNM.EXE <-- this file
C:\WINDOWS\MSHU32.EXE <-- this file
C:\WINDOWS\SYSTEM\SDKGF32.EXE <-- this file
C:\WINDOWS\SYSTEM\MSEL.EXE <-- this file
C:\WINDOWS\SYSTEM\D3XE32.EXE <-- this file
C:\WINDOWS\IEWS32.EXE <-- this file
C:\WINDOWS\SYSTEM\NETPU.EXE <-- this file
C:\WINDOWS\ADDEQ32.EXE <-- this file
C:\WINDOWS\NETIQ.EXE <-- this file
C:\WINDOWS\SYSTEM\MSTK32.EXE <-- this file
C:\WINDOWS\SYSTEM\APIIO.EXE <-- this file
C:\WINDOWS\SYSTEM\APIBU.EXE <-- this file
C:\WINDOWS\D3UW32.EXE <-- this file
C:\WINDOWS\SYSMZ.EXE <-- this file
C:\WINDOWS\IETW.EXE <-- this file
C:\WINDOWS\IPDV32.EXE <-- this file
C:\WINDOWS\APPKK32.EXE <-- this file
C:\WINDOWS\SYSTEM\MSPH32.EXE <-- this file
C:\WINDOWS\SYSTEM\ATLPC.EXE <-- this file
C:\WINDOWS\SYSTEM\MFCDJ.EXE <-- this file
C:\WINDOWS\APICG.EXE <-- this file
C:\WINDOWS\SYSTEM\MFCGF32.EXE <-- this file
C:\WINDOWS\SYSTEM\NTGD32.EXE <-- this file
C:\WINDOWS\SYSTEM\JAVAEF.EXE <-- this file
C:\WINDOWS\JAVALF.EXE <-- this file
C:\WINDOWS\SYSTEM\ATLBM32.EXE <-- this file
C:\WINDOWS\SYSTEM\ATLFZ.EXE <-- this file
C:\WINDOWS\MSYK.EXE <-- this file
C:\WINDOWS\SYSTEM\SDKOC32.EXE <-- this file
C:\WINDOWS\SDKLK.EXE <-- this file
C:\WINDOWS\SYSTEM\IPDB.EXE <-- this file
C:\WINDOWS\SYSTEM\NTRJ32.EXE <-- this file
C:\WINDOWS\SYSTEM\WINJG32.EXE <-- this file
C:\WINDOWS\IPVZ32.EXE <-- this file
C:\WINDOWS\SYSTEM\IPPG32.EXE <-- this file
C:\WINDOWS\CRIT.EXE <-- this file
C:\WINDOWS\SYSTEM\APISG32.EXE <-- this file
C:\WINDOWS\SDKQM.EXE <-- this file
C:\WINDOWS\SYSTEM\MSKJ.EXE <-- this file
C:\WINDOWS\IEUF32.EXE <-- this file
C:\WINDOWS\ATLJG.EXE <-- this file
C:\WINDOWS\SYSTEM\ATLWI32.EXE <-- this file
C:\WINDOWS\SYSTEM\IEFR32.EXE <-- this file
C:\WINDOWS\ADDDD32.EXE <-- this file
C:\WINDOWS\SYSWF.EXE <-- this file
C:\WINDOWS\JAVAJI.EXE <-- this file
C:\WINDOWS\ADDVL32.EXE <-- this file
C:\WINDOWS\NTZB.EXE <-- this file
C:\WINDOWS\SYSTEM\JAVAQY.EXE <-- this file
C:\WINDOWS\NTNL32.EXE <-- this file
C:\WINDOWS\SYSTEM\ujham.exe <-- this file

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Step 4:

Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Step 5:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

Run AboutBuster again two or three times and follow the above instructions

When it has completed, move on to step 6.

Step 6:

Run AdAware, press the Start button, uncheck Scan for negligible risk entries, select Perform full system scan and press Next. Let AdAware remove anything it finds.

Step 7:

Clean out temporary and Temporary Internet Files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Step 8:
Reboot your computer back to normal mode so that we can restore files that were deleted by this infection:
  • It is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
  • Download the Hoster from here. Press Restore Original Hosts and press OK. Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: SDHelper.zip and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start -> Run -> type regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
Step 9:

Run an online antivirus scan at:
http://housecall.antivirus.com/
Please make sure that AutoClean is checked.

Reboot and post a new HJT log.

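As an added example (not the thread's, BleepingComputer's or the HijackThis author's code), the script below parses HijackThis entry lines and flags the same patterns the fix above targets: res://...dll/sp.html search hijacks, RunServices autostarts of randomly named executables, a BHO with a random DLL name, Trusted Zone additions, ActiveX downloads from the domains in the O16 lines, and the missing URLSearchHook. It also diffs two scans so entries that changed between logs stand out (the helper's warning about rebooting is exactly this: the DLL and executable names move). The random-name regex and the short sample log are constructed for this example.

```python
"""Triage helper for HijackThis v1.98-style logs (added example, not the thread's code)."""
import re

# Section prefixes for the entry lines examined here (R0-R3, O2, O4, O15, O16, ...).
LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")

# Heuristic constructed for this example: the RunServices names in the thread are a
# short Windows-sounding stem, two random letters, an optional "32", and .EXE/.DLL.
RANDOM_NAME_RE = re.compile(
    r"^(API|APP|ATL|ADD|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SDK|SYS|WIN)[A-Z]{2}(32)?\.(EXE|DLL)$",
    re.IGNORECASE,
)
# res://<dll>/sp.html is the about:blank / CoolWebSearch hijack value seen in the logs.
RES_HIJACK_RE = re.compile(r"=\s*res://.+\.dll/sp\.html", re.IGNORECASE)
# Download hosts taken from the O16 lines of the logs posted in this thread.
SUSPECT_DPF_DOMAINS = ("searchmiracle.com", "windupdates.com", "overpro.com")


def parse_entries(log_text):
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entry(section, body):
    """Return a short reason if this entry should be fixed, else None."""
    if section in ("R0", "R1") and RES_HIJACK_RE.search(body):
        return "search/start page hijacked to res:// DLL"
    if section == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    if section == "O2":
        dll = body.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1]
        if RANDOM_NAME_RE.match(dll):
            return "BHO with randomly named DLL"
    if section == "O4" and "RunServices" in body:
        exe = body.rsplit("\\", 1)[-1]          # file name after the last backslash
        if RANDOM_NAME_RE.match(exe):
            return "RunServices autostart of randomly named executable"
    if section == "O15" and "Trusted Zone" in body:
        return "site added to Trusted Zone"
    if section == "O16" and any(d in body.lower() for d in SUSPECT_DPF_DOMAINS):
        return "ActiveX download from known adware host"
    return None


def triage(log_text):
    """Return [(section, body, reason)] for every flagged entry, in log order."""
    flagged = []
    for section, body in parse_entries(log_text):
        reason = flag_entry(section, body)
        if reason:
            flagged.append((section, body, reason))
    return flagged


def diff_logs(old_text, new_text):
    """Entries only in the old log and only in the new log (order-independent)."""
    old = set(parse_entries(old_text))
    new = set(parse_entries(new_text))
    return sorted(old - new), sorted(new - old)


# Constructed sample: an excerpt in the same shape as the logs posted above.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\antah.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7054F996-46A4-C58A-5B63-C16827E1FE86} - C:\WINDOWS\SYSTEM\SDKJM32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [ATLPC.EXE] C:\WINDOWS\SYSTEM\ATLPC.EXE
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
"""
# Constructed "after a reboot" log: the hijack DLL was renamed and one more autostart appeared.
LOG_AFTER = LOG_BEFORE.replace("antah.dll", "sdqpu.dll") + \
    "O4 - HKLM\\..\\RunServices: [APICX.EXE] C:\\WINDOWS\\APICX.EXE\n"

if __name__ == "__main__":
    for section, body, reason in triage(LOG_BEFORE):
        print(f"{section}: {reason}\n    {body}")
    gone, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"changed since last scan: {len(gone)} removed, {len(added)} added")
```

Legitimate autostarts such as SysTray.Exe and mstask.exe are left alone, which is the point of the name heuristic rather than fixing every O4 line.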

#8 wisebigguy

wisebigguy
  • Topic Starter

  • Members
  • 6 posts

Posted 08 October 2004 - 01:15 PM

Thanks for your reply cryo. Unfortunately, I tried to print your instructions while online and apparently it loaded up one more process to an already overburdened computer. Yeah the puter crashed and I had to reboot. All is not lost though; I got the "aboutbuster" program and I had already installed Ad-aware PE. I also printed your instructions off-line. I assume these steps will still be needed so I think if you just supply the updated changes from this HJT log I just scanned then we be cool!


Logfile of HijackThis v1.98.2
Scan saved at 2:02:18 PM, on 10/8/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MFCDJ.EXE
C:\WINDOWS\APICG.EXE
C:\WINDOWS\SYSTEM\ATLPC.EXE
C:\WINDOWS\SYSTEM\ATLBM32.EXE
C:\WINDOWS\SYSTEM\NTGD32.EXE
C:\WINDOWS\SYSTEM\JAVAEF.EXE
C:\WINDOWS\SYSTEM\ATLFZ.EXE
C:\WINDOWS\SYSTEM\MFCGF32.EXE
C:\WINDOWS\JAVALF.EXE
C:\WINDOWS\IPVZ32.EXE
C:\WINDOWS\MSYK.EXE
C:\WINDOWS\SYSTEM\SDKOC32.EXE
C:\WINDOWS\SDKLK.EXE
C:\WINDOWS\SYSTEM\NTRJ32.EXE
C:\WINDOWS\SYSTEM\WINJG32.EXE
C:\WINDOWS\SYSTEM\IPPG32.EXE
C:\WINDOWS\SYSTEM\IPDB.EXE
C:\WINDOWS\SYSTEM\APISG32.EXE
C:\WINDOWS\SYSTEM\MSKJ.EXE
C:\WINDOWS\CRIT.EXE
C:\WINDOWS\SDKQM.EXE
C:\WINDOWS\IEUF32.EXE
C:\WINDOWS\SYSTEM\ATLWI32.EXE
C:\WINDOWS\ATLJG.EXE
C:\WINDOWS\SYSTEM\IEFR32.EXE
C:\WINDOWS\ADDDD32.EXE
C:\WINDOWS\SYSWF.EXE
C:\WINDOWS\JAVAJI.EXE
C:\WINDOWS\NTZB.EXE
C:\WINDOWS\ADDVL32.EXE
C:\WINDOWS\SYSTEM\APIAP32.EXE
C:\WINDOWS\NTNL32.EXE
C:\WINDOWS\SYSTEM\JAVAQY.EXE
C:\WINDOWS\SYSTEM\APPQG32.EXE
C:\WINDOWS\SYSTEM\IPEU.EXE
C:\WINDOWS\APICX.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\CTFBEZQ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {9131A68E-E236-1D25-EC50-DCDB09286B27} - C:\WINDOWS\SYSTEM\ADDSZ.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ptdhpo] C:\WINDOWS\SYSTEM\ctfbezq.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [MSEG32.EXE] C:\WINDOWS\SYSTEM\MSEG32.EXE
O4 - HKLM\..\RunServices: [IPBE32.EXE] C:\WINDOWS\SYSTEM\IPBE32.EXE
O4 - HKLM\..\RunServices: [D3LL.EXE] C:\WINDOWS\SYSTEM\D3LL.EXE
O4 - HKLM\..\RunServices: [ADDTA32.EXE] C:\WINDOWS\SYSTEM\ADDTA32.EXE
O4 - HKLM\..\RunServices: [SDKWC.EXE] C:\WINDOWS\SDKWC.EXE
O4 - HKLM\..\RunServices: [IEEZ32.EXE] C:\WINDOWS\IEEZ32.EXE
O4 - HKLM\..\RunServices: [WINGY32.EXE] C:\WINDOWS\SYSTEM\WINGY32.EXE
O4 - HKLM\..\RunServices: [IEHY32.EXE] C:\WINDOWS\IEHY32.EXE
O4 - HKLM\..\RunServices: [IPOA32.EXE] C:\WINDOWS\IPOA32.EXE
O4 - HKLM\..\RunServices: [IEQN32.EXE] C:\WINDOWS\SYSTEM\IEQN32.EXE
O4 - HKLM\..\RunServices: [NETRT.EXE] C:\WINDOWS\NETRT.EXE
O4 - HKLM\..\RunServices: [CRIQ32.EXE] C:\WINDOWS\SYSTEM\CRIQ32.EXE
O4 - HKLM\..\RunServices: [NETMM32.EXE] C:\WINDOWS\SYSTEM\NETMM32.EXE
O4 - HKLM\..\RunServices: [WINHH.EXE] C:\WINDOWS\SYSTEM\WINHH.EXE
O4 - HKLM\..\RunServices: [NTNM.EXE] C:\WINDOWS\NTNM.EXE
O4 - HKLM\..\RunServices: [MSHU32.EXE] C:\WINDOWS\MSHU32.EXE
O4 - HKLM\..\RunServices: [SDKGF32.EXE] C:\WINDOWS\SYSTEM\SDKGF32.EXE
O4 - HKLM\..\RunServices: [MSEL.EXE] C:\WINDOWS\SYSTEM\MSEL.EXE
O4 - HKLM\..\RunServices: [D3XE32.EXE] C:\WINDOWS\SYSTEM\D3XE32.EXE
O4 - HKLM\..\RunServices: [IEWS32.EXE] C:\WINDOWS\IEWS32.EXE
O4 - HKLM\..\RunServices: [NETPU.EXE] C:\WINDOWS\SYSTEM\NETPU.EXE
O4 - HKLM\..\RunServices: [ADDEQ32.EXE] C:\WINDOWS\ADDEQ32.EXE
O4 - HKLM\..\RunServices: [NETIQ.EXE] C:\WINDOWS\NETIQ.EXE
O4 - HKLM\..\RunServices: [MSTK32.EXE] C:\WINDOWS\SYSTEM\MSTK32.EXE
O4 - HKLM\..\RunServices: [APIIO.EXE] C:\WINDOWS\SYSTEM\APIIO.EXE
O4 - HKLM\..\RunServices: [APIBU.EXE] C:\WINDOWS\SYSTEM\APIBU.EXE
O4 - HKLM\..\RunServices: [D3UW32.EXE] C:\WINDOWS\D3UW32.EXE
O4 - HKLM\..\RunServices: [SYSMZ.EXE] C:\WINDOWS\SYSMZ.EXE
O4 - HKLM\..\RunServices: [IETW.EXE] C:\WINDOWS\IETW.EXE
O4 - HKLM\..\RunServices: [IPDV32.EXE] C:\WINDOWS\IPDV32.EXE
O4 - HKLM\..\RunServices: [APPKK32.EXE] C:\WINDOWS\APPKK32.EXE
O4 - HKLM\..\RunServices: [MSPH32.EXE] C:\WINDOWS\SYSTEM\MSPH32.EXE
O4 - HKLM\..\RunServices: [ATLPC.EXE] C:\WINDOWS\SYSTEM\ATLPC.EXE
O4 - HKLM\..\RunServices: [MFCDJ.EXE] C:\WINDOWS\SYSTEM\MFCDJ.EXE
O4 - HKLM\..\RunServices: [APICG.EXE] C:\WINDOWS\APICG.EXE
O4 - HKLM\..\RunServices: [MFCGF32.EXE] C:\WINDOWS\SYSTEM\MFCGF32.EXE
O4 - HKLM\..\RunServices: [NTGD32.EXE] C:\WINDOWS\SYSTEM\NTGD32.EXE
O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE
O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
O4 - HKLM\..\RunServices: [ATLBM32.EXE] C:\WINDOWS\SYSTEM\ATLBM32.EXE
O4 - HKLM\..\RunServices: [ATLFZ.EXE] C:\WINDOWS\SYSTEM\ATLFZ.EXE
O4 - HKLM\..\RunServices: [MSYK.EXE] C:\WINDOWS\MSYK.EXE
O4 - HKLM\..\RunServices: [SDKOC32.EXE] C:\WINDOWS\SYSTEM\SDKOC32.EXE
O4 - HKLM\..\RunServices: [SDKLK.EXE] C:\WINDOWS\SDKLK.EXE
O4 - HKLM\..\RunServices: [IPDB.EXE] C:\WINDOWS\SYSTEM\IPDB.EXE
O4 - HKLM\..\RunServices: [NTRJ32.EXE] C:\WINDOWS\SYSTEM\NTRJ32.EXE
O4 - HKLM\..\RunServices: [WINJG32.EXE] C:\WINDOWS\SYSTEM\WINJG32.EXE
O4 - HKLM\..\RunServices: [IPVZ32.EXE] C:\WINDOWS\IPVZ32.EXE
O4 - HKLM\..\RunServices: [IPPG32.EXE] C:\WINDOWS\SYSTEM\IPPG32.EXE
O4 - HKLM\..\RunServices: [CRIT.EXE] C:\WINDOWS\CRIT.EXE
O4 - HKLM\..\RunServices: [APISG32.EXE] C:\WINDOWS\SYSTEM\APISG32.EXE
O4 - HKLM\..\RunServices: [SDKQM.EXE] C:\WINDOWS\SDKQM.EXE
O4 - HKLM\..\RunServices: [MSKJ.EXE] C:\WINDOWS\SYSTEM\MSKJ.EXE
O4 - HKLM\..\RunServices: [IEUF32.EXE] C:\WINDOWS\IEUF32.EXE
O4 - HKLM\..\RunServices: [ATLJG.EXE] C:\WINDOWS\ATLJG.EXE
O4 - HKLM\..\RunServices: [ATLWI32.EXE] C:\WINDOWS\SYSTEM\ATLWI32.EXE
O4 - HKLM\..\RunServices: [IEFR32.EXE] C:\WINDOWS\SYSTEM\IEFR32.EXE
O4 - HKLM\..\RunServices: [ADDDD32.EXE] C:\WINDOWS\ADDDD32.EXE
O4 - HKLM\..\RunServices: [SYSWF.EXE] C:\WINDOWS\SYSWF.EXE
O4 - HKLM\..\RunServices: [JAVAJI.EXE] C:\WINDOWS\JAVAJI.EXE
O4 - HKLM\..\RunServices: [ADDVL32.EXE] C:\WINDOWS\ADDVL32.EXE
O4 - HKLM\..\RunServices: [NTZB.EXE] C:\WINDOWS\NTZB.EXE
O4 - HKLM\..\RunServices: [JAVAQY.EXE] C:\WINDOWS\SYSTEM\JAVAQY.EXE
O4 - HKLM\..\RunServices: [NTNL32.EXE] C:\WINDOWS\NTNL32.EXE
O4 - HKLM\..\RunServices: [APIAP32.EXE] C:\WINDOWS\SYSTEM\APIAP32.EXE
O4 - HKLM\..\RunServices: [APPQG32.EXE] C:\WINDOWS\SYSTEM\APPQG32.EXE
O4 - HKLM\..\RunServices: [IPEU.EXE] C:\WINDOWS\SYSTEM\IPEU.EXE
O4 - HKLM\..\RunServices: [APICX.EXE] C:\WINDOWS\APICX.EXE
O4 - HKCU\..\Run: [Emf] C:\WINDOWS\SYSTEM\ujham.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

#9 Daisuke


Posted 08 October 2004 - 01:21 PM

You can use Mozilla FireFox Browser: Download FireFox
Please install it and use it.

I'll be back with the instructions :thumbsup:

Edited by cryo, 08 October 2004 - 01:22 PM.


#10 Daisuke


Posted 08 October 2004 - 01:37 PM

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Internet Explorer should remain closed during the cleanup. If you open Internet Explorer the fix will fail. (step 1 - 9)

Please make sure that you can view all hidden files:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Please download About:Buster from here: About:Buster Download. Once it is downloaded extract it to
c:\aboutbuster. We will use that program later in this process. Don't use it yet.

Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Step 1:
Reboot your computer into Safe Mode and follow these steps:

Step 2:
Then close all programs and windows and run HijackThis. Put a checkmark next to each of these entries and press the Fix button when ready:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {9131A68E-E236-1D25-EC50-DCDB09286B27} - C:\WINDOWS\SYSTEM\ADDSZ.DLL

O4 - HKLM\..\Run: [ptdhpo] C:\WINDOWS\SYSTEM\ctfbezq.exe
O4 - HKLM\..\RunServices: [MSEG32.EXE] C:\WINDOWS\SYSTEM\MSEG32.EXE
O4 - HKLM\..\RunServices: [IPBE32.EXE] C:\WINDOWS\SYSTEM\IPBE32.EXE
O4 - HKLM\..\RunServices: [D3LL.EXE] C:\WINDOWS\SYSTEM\D3LL.EXE
O4 - HKLM\..\RunServices: [ADDTA32.EXE] C:\WINDOWS\SYSTEM\ADDTA32.EXE
O4 - HKLM\..\RunServices: [SDKWC.EXE] C:\WINDOWS\SDKWC.EXE
O4 - HKLM\..\RunServices: [IEEZ32.EXE] C:\WINDOWS\IEEZ32.EXE
O4 - HKLM\..\RunServices: [WINGY32.EXE] C:\WINDOWS\SYSTEM\WINGY32.EXE
O4 - HKLM\..\RunServices: [IEHY32.EXE] C:\WINDOWS\IEHY32.EXE
O4 - HKLM\..\RunServices: [IPOA32.EXE] C:\WINDOWS\IPOA32.EXE
O4 - HKLM\..\RunServices: [IEQN32.EXE] C:\WINDOWS\SYSTEM\IEQN32.EXE
O4 - HKLM\..\RunServices: [NETRT.EXE] C:\WINDOWS\NETRT.EXE
O4 - HKLM\..\RunServices: [CRIQ32.EXE] C:\WINDOWS\SYSTEM\CRIQ32.EXE
O4 - HKLM\..\RunServices: [NETMM32.EXE] C:\WINDOWS\SYSTEM\NETMM32.EXE
O4 - HKLM\..\RunServices: [WINHH.EXE] C:\WINDOWS\SYSTEM\WINHH.EXE
O4 - HKLM\..\RunServices: [NTNM.EXE] C:\WINDOWS\NTNM.EXE
O4 - HKLM\..\RunServices: [MSHU32.EXE] C:\WINDOWS\MSHU32.EXE
O4 - HKLM\..\RunServices: [SDKGF32.EXE] C:\WINDOWS\SYSTEM\SDKGF32.EXE
O4 - HKLM\..\RunServices: [MSEL.EXE] C:\WINDOWS\SYSTEM\MSEL.EXE
O4 - HKLM\..\RunServices: [D3XE32.EXE] C:\WINDOWS\SYSTEM\D3XE32.EXE
O4 - HKLM\..\RunServices: [IEWS32.EXE] C:\WINDOWS\IEWS32.EXE
O4 - HKLM\..\RunServices: [NETPU.EXE] C:\WINDOWS\SYSTEM\NETPU.EXE
O4 - HKLM\..\RunServices: [ADDEQ32.EXE] C:\WINDOWS\ADDEQ32.EXE
O4 - HKLM\..\RunServices: [NETIQ.EXE] C:\WINDOWS\NETIQ.EXE
O4 - HKLM\..\RunServices: [MSTK32.EXE] C:\WINDOWS\SYSTEM\MSTK32.EXE
O4 - HKLM\..\RunServices: [APIIO.EXE] C:\WINDOWS\SYSTEM\APIIO.EXE
O4 - HKLM\..\RunServices: [APIBU.EXE] C:\WINDOWS\SYSTEM\APIBU.EXE
O4 - HKLM\..\RunServices: [D3UW32.EXE] C:\WINDOWS\D3UW32.EXE
O4 - HKLM\..\RunServices: [SYSMZ.EXE] C:\WINDOWS\SYSMZ.EXE
O4 - HKLM\..\RunServices: [IETW.EXE] C:\WINDOWS\IETW.EXE
O4 - HKLM\..\RunServices: [IPDV32.EXE] C:\WINDOWS\IPDV32.EXE
O4 - HKLM\..\RunServices: [APPKK32.EXE] C:\WINDOWS\APPKK32.EXE
O4 - HKLM\..\RunServices: [MSPH32.EXE] C:\WINDOWS\SYSTEM\MSPH32.EXE
O4 - HKLM\..\RunServices: [ATLPC.EXE] C:\WINDOWS\SYSTEM\ATLPC.EXE
O4 - HKLM\..\RunServices: [MFCDJ.EXE] C:\WINDOWS\SYSTEM\MFCDJ.EXE
O4 - HKLM\..\RunServices: [APICG.EXE] C:\WINDOWS\APICG.EXE
O4 - HKLM\..\RunServices: [MFCGF32.EXE] C:\WINDOWS\SYSTEM\MFCGF32.EXE
O4 - HKLM\..\RunServices: [NTGD32.EXE] C:\WINDOWS\SYSTEM\NTGD32.EXE
O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE
O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
O4 - HKLM\..\RunServices: [ATLBM32.EXE] C:\WINDOWS\SYSTEM\ATLBM32.EXE
O4 - HKLM\..\RunServices: [ATLFZ.EXE] C:\WINDOWS\SYSTEM\ATLFZ.EXE
O4 - HKLM\..\RunServices: [MSYK.EXE] C:\WINDOWS\MSYK.EXE
O4 - HKLM\..\RunServices: [SDKOC32.EXE] C:\WINDOWS\SYSTEM\SDKOC32.EXE
O4 - HKLM\..\RunServices: [SDKLK.EXE] C:\WINDOWS\SDKLK.EXE
O4 - HKLM\..\RunServices: [IPDB.EXE] C:\WINDOWS\SYSTEM\IPDB.EXE
O4 - HKLM\..\RunServices: [NTRJ32.EXE] C:\WINDOWS\SYSTEM\NTRJ32.EXE
O4 - HKLM\..\RunServices: [WINJG32.EXE] C:\WINDOWS\SYSTEM\WINJG32.EXE
O4 - HKLM\..\RunServices: [IPVZ32.EXE] C:\WINDOWS\IPVZ32.EXE
O4 - HKLM\..\RunServices: [IPPG32.EXE] C:\WINDOWS\SYSTEM\IPPG32.EXE
O4 - HKLM\..\RunServices: [CRIT.EXE] C:\WINDOWS\CRIT.EXE
O4 - HKLM\..\RunServices: [APISG32.EXE] C:\WINDOWS\SYSTEM\APISG32.EXE
O4 - HKLM\..\RunServices: [SDKQM.EXE] C:\WINDOWS\SDKQM.EXE
O4 - HKLM\..\RunServices: [MSKJ.EXE] C:\WINDOWS\SYSTEM\MSKJ.EXE
O4 - HKLM\..\RunServices: [IEUF32.EXE] C:\WINDOWS\IEUF32.EXE
O4 - HKLM\..\RunServices: [ATLJG.EXE] C:\WINDOWS\ATLJG.EXE
O4 - HKLM\..\RunServices: [ATLWI32.EXE] C:\WINDOWS\SYSTEM\ATLWI32.EXE
O4 - HKLM\..\RunServices: [IEFR32.EXE] C:\WINDOWS\SYSTEM\IEFR32.EXE
O4 - HKLM\..\RunServices: [ADDDD32.EXE] C:\WINDOWS\ADDDD32.EXE
O4 - HKLM\..\RunServices: [SYSWF.EXE] C:\WINDOWS\SYSWF.EXE
O4 - HKLM\..\RunServices: [JAVAJI.EXE] C:\WINDOWS\JAVAJI.EXE
O4 - HKLM\..\RunServices: [ADDVL32.EXE] C:\WINDOWS\ADDVL32.EXE
O4 - HKLM\..\RunServices: [NTZB.EXE] C:\WINDOWS\NTZB.EXE
O4 - HKLM\..\RunServices: [JAVAQY.EXE] C:\WINDOWS\SYSTEM\JAVAQY.EXE
O4 - HKLM\..\RunServices: [NTNL32.EXE] C:\WINDOWS\NTNL32.EXE
O4 - HKLM\..\RunServices: [APIAP32.EXE] C:\WINDOWS\SYSTEM\APIAP32.EXE
O4 - HKLM\..\RunServices: [APPQG32.EXE] C:\WINDOWS\SYSTEM\APPQG32.EXE
O4 - HKLM\..\RunServices: [IPEU.EXE] C:\WINDOWS\SYSTEM\IPEU.EXE
O4 - HKLM\..\RunServices: [APICX.EXE] C:\WINDOWS\APICX.EXE
O4 - HKCU\..\Run: [Emf] C:\WINDOWS\SYSTEM\ujham.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


Step 3:
I now need you to delete the following files:

C:\WINDOWS\system\sdqpu.dll <-- this file
C:\WINDOWS\SYSTEM\ADDSZ.DLL <-- this file

C:\WINDOWS\SYSTEM\ctfbezq.exe <-- this file
C:\WINDOWS\SYSTEM\MSEG32.EXE <-- this file
C:\WINDOWS\SYSTEM\IPBE32.EXE <-- this file
C:\WINDOWS\SYSTEM\D3LL.EXE <-- this file
C:\WINDOWS\SYSTEM\ADDTA32.EXE <-- this file
C:\WINDOWS\SDKWC.EXE <-- this file
C:\WINDOWS\IEEZ32.EXE <-- this file
C:\WINDOWS\SYSTEM\WINGY32.EXE <-- this file
C:\WINDOWS\IEHY32.EXE <-- this file
C:\WINDOWS\IPOA32.EXE <-- this file
C:\WINDOWS\SYSTEM\IEQN32.EXE <-- this file
C:\WINDOWS\NETRT.EXE <-- this file
C:\WINDOWS\SYSTEM\CRIQ32.EXE <-- this file
C:\WINDOWS\SYSTEM\NETMM32.EXE <-- this file
C:\WINDOWS\SYSTEM\WINHH.EXE <-- this file
C:\WINDOWS\NTNM.EXE <-- this file
C:\WINDOWS\MSHU32.EXE <-- this file
C:\WINDOWS\SYSTEM\SDKGF32.EXE <-- this file
C:\WINDOWS\SYSTEM\MSEL.EXE <-- this file
C:\WINDOWS\SYSTEM\D3XE32.EXE <-- this file
C:\WINDOWS\IEWS32.EXE <-- this file
C:\WINDOWS\SYSTEM\NETPU.EXE <-- this file
C:\WINDOWS\ADDEQ32.EXE <-- this file
C:\WINDOWS\NETIQ.EXE <-- this file
C:\WINDOWS\SYSTEM\MSTK32.EXE <-- this file
C:\WINDOWS\SYSTEM\APIIO.EXE <-- this file
C:\WINDOWS\SYSTEM\APIBU.EXE <-- this file
C:\WINDOWS\D3UW32.EXE <-- this file
C:\WINDOWS\SYSMZ.EXE <-- this file
C:\WINDOWS\IETW.EXE <-- this file
C:\WINDOWS\IPDV32.EXE <-- this file
C:\WINDOWS\APPKK32.EXE <-- this file
C:\WINDOWS\SYSTEM\MSPH32.EXE <-- this file
C:\WINDOWS\SYSTEM\ATLPC.EXE <-- this file
C:\WINDOWS\SYSTEM\MFCDJ.EXE <-- this file
C:\WINDOWS\APICG.EXE <-- this file
C:\WINDOWS\SYSTEM\MFCGF32.EXE <-- this file
C:\WINDOWS\SYSTEM\NTGD32.EXE <-- this file
C:\WINDOWS\SYSTEM\JAVAEF.EXE <-- this file
C:\WINDOWS\JAVALF.EXE <-- this file
C:\WINDOWS\SYSTEM\ATLBM32.EXE <-- this file
C:\WINDOWS\SYSTEM\ATLFZ.EXE <-- this file
C:\WINDOWS\MSYK.EXE <-- this file
C:\WINDOWS\SYSTEM\SDKOC32.EXE <-- this file
C:\WINDOWS\SDKLK.EXE <-- this file
C:\WINDOWS\SYSTEM\IPDB.EXE <-- this file
C:\WINDOWS\SYSTEM\NTRJ32.EXE <-- this file
C:\WINDOWS\SYSTEM\WINJG32.EXE <-- this file
C:\WINDOWS\IPVZ32.EXE <-- this file
C:\WINDOWS\SYSTEM\IPPG32.EXE <-- this file
C:\WINDOWS\CRIT.EXE <-- this file
C:\WINDOWS\SYSTEM\APISG32.EXE <-- this file
C:\WINDOWS\SDKQM.EXE <-- this file
C:\WINDOWS\SYSTEM\MSKJ.EXE <-- this file
C:\WINDOWS\IEUF32.EXE <-- this file
C:\WINDOWS\ATLJG.EXE <-- this file
C:\WINDOWS\SYSTEM\ATLWI32.EXE <-- this file
C:\WINDOWS\SYSTEM\IEFR32.EXE <-- this file
C:\WINDOWS\ADDDD32.EXE <-- this file
C:\WINDOWS\SYSWF.EXE <-- this file
C:\WINDOWS\JAVAJI.EXE <-- this file
C:\WINDOWS\ADDVL32.EXE <-- this file
C:\WINDOWS\NTZB.EXE <-- this file
C:\WINDOWS\SYSTEM\JAVAQY.EXE <-- this file
C:\WINDOWS\NTNL32.EXE <-- this file
C:\WINDOWS\SYSTEM\APIAP32.EXE <-- this file
C:\WINDOWS\SYSTEM\APPQG32.EXE <-- this file
C:\WINDOWS\SYSTEM\IPEU.EXE <-- this file
C:\WINDOWS\APICX.EXE <-- this file
C:\WINDOWS\SYSTEM\ujham.exe <-- this file

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Step 4:

Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Step 5:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

Run AboutBuster again two or three times, following the above instructions.

When it has completed, move on to step 6.

Step 6:

Run AdAware, press the Start button, uncheck Scan for negligible risk entries, select Perform full system scan and press Next. Let AdAware remove anything it finds.

Step 7:

Clean out temporary and Temporary Internet Files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Step 8:
Reboot your computer back to normal mode so that we can restore files that were deleted by this infection:
  • It is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examining where the file should be for your operating system. If the file is missing, download the appropriate file and place it in the proper place according to this information.
  • Download the Hoster from here. Press Restore Original Hosts and press OK. Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: SDHelper.zip and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start -> Run -> type regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
Step 9:

Run an online antivirus scan at:
http://housecall.antivirus.com/
Please make sure that AutoClean is checked.

Reboot and post a new HJT log.
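The triage the helper does by hand in Step 2 (which log entries to fix in HijackThis) and Step 3 (which files to delete) can be scripted against the log posted in #8. The Python below is an added example; it is not part of this thread, of HijackThis or of About:Buster. Its file-name heuristic (a system-ish prefix plus two random letters, optionally "32") and its list of acceptable ActiveX download hosts are assumptions drawn from this one log, and the sample input is a constructed subset of the lines posted above, so it runs offline.

```python
"""Triage a HijackThis 1.98 log for a CoolWebSearch-style infection.

Added example (not part of the thread or of HijackThis): reproduces the
helper's Step 2 (entries to fix in HijackThis) and Step 3 (files to delete)
from the posted log. The name heuristics are ASSUMPTIONS drawn from that log.
"""
import re
from urllib.parse import urlsplit

# One HijackThis line looks like "<kind> - <rest>", e.g. "O4 - HKLM\..\Run: [x] C:\x.exe"
HJT_LINE = re.compile(r"^(?P<kind>R[0-3]|O\d+)\s+-\s+(?P<rest>.+)$")

# Autostart labels that belong to Windows 98 SE or to known-good software in this log.
KNOWN_GOOD = {"systemtray", "loadpowerprofile", "schedulingagent", "pointer"}

# ASSUMPTION: this variant names its droppers <prefix><two letters>[32].exe/.dll,
# e.g. ATLFZ.EXE, IEUF32.EXE, ADDSZ.DLL. Other families need other patterns.
RANDOM_NAME = re.compile(
    r"^(?:api|app|atl|add|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)"
    r"[a-z]{2}(?:32)?\.(?:exe|dll)$", re.I)

# ASSUMPTION: ActiveX (O16) downloads from these hosts are acceptable.
DPF_ALLOWED = ("microsoft.com", "windowsupdate.com")

RES_PATH = re.compile(r"res://([^/]+)", re.I)             # res://C:\dir\x.dll/sp.html
O4_ENTRY = re.compile(r"\[(?P<label>[^\]]+)\]\s+(?P<cmd>.+)$")
O2_ENTRY = re.compile(r"\{[0-9A-F-]+\}\s+-\s+(?P<path>.+)$", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip()


def triage(log_text):
    """Return {'fix': [HJT lines], 'delete': [file paths], 'review': [HJT lines]}."""
    fix, delete, review = [], [], []

    def mark_delete(path):
        if path.lower() not in (p.lower() for p in delete):
            delete.append(path)

    for line in log_text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind in ("R0", "R1"):
            value = rest.split("=", 1)[1].strip() if "=" in rest else ""
            res = RES_PATH.match(value)
            if res:                          # search setting pointed at a local DLL
                fix.append(line)
                mark_delete(res.group(1))
            elif value.lower() == "about:blank":
                fix.append(line)             # the CWS about:blank home page
        elif kind == "R3" and "missing" in rest.lower():
            fix.append(line)                 # URLSearchHook removed by the hijacker
        elif kind == "O2":
            e = O2_ENTRY.search(rest)
            if e and RANDOM_NAME.match(basename(e.group("path"))):
                fix.append(line)
                mark_delete(e.group("path").strip())
        elif kind == "O4":
            e = O4_ENTRY.search(rest)
            if not e or e.group("label").lower() in KNOWN_GOOD:
                continue
            cmd = e.group("cmd").strip()
            if RANDOM_NAME.match(basename(cmd)):
                fix.append(line)
                mark_delete(cmd)
            else:
                review.append(line)          # unknown autostart: decide by hand
        elif kind == "O15":
            fix.append(line)                 # wildcard Trusted Zone entries are rarely legitimate
        elif kind == "O16":
            host = urlsplit(rest.split(" - ")[-1].strip()).hostname or ""
            if not host.endswith(DPF_ALLOWED):
                fix.append(line)
    return {"fix": fix, "delete": delete, "review": review}


# Constructed sample: a subset of the lines from the log posted in #8 above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sdqpu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {9131A68E-E236-1D25-EC50-DCDB09286B27} - C:\WINDOWS\SYSTEM\ADDSZ.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ptdhpo] C:\WINDOWS\SYSTEM\ctfbezq.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [MSEG32.EXE] C:\WINDOWS\SYSTEM\MSEG32.EXE
O4 - HKLM\..\RunServices: [CRIT.EXE] C:\WINDOWS\CRIT.EXE
O4 - HKLM\..\RunServices: [ATLFZ.EXE] C:\WINDOWS\SYSTEM\ATLFZ.EXE
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section in ("fix", "delete", "review"):
        print(f"== {section} ==")
        for item in result[section]:
            print(item)
```

On the sample the `fix` list is the nine entries the helper also ticked, and `delete` comes out in the same order as the Step 3 list: the DLL behind the res:// search pages first, then the BHO, then the RunServices droppers. The two autostarts the name heuristic cannot classify (ctfbezq.exe, ujham.exe in the full log) land in `review`; the helper removed those by hand, which is the right reading of "review", since an allowlist of four labels is far from a whitelist of everything Windows 98 legitimately starts.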

#11 wisebigguy


Posted 09 October 2004 - 03:49 PM

This message is for CRYO. Thanks for all your help in trying to clear up the CWS infection on my friend's computer. I was not able to follow through all of the 9 steps of the instructions given above. When I tried to find the correct files to delete in the Windows and Windows\System directories some of the file names had already changed and could not be found. I deleted all of the suspicious ".exe" and "0 byte .dll" files from these directories. Also there were ".log" and ".txt" files being generated with random names. I must have deleted over (and this is no lie) 4000 files from these two directories. I then tried to run the "aboutbuster" program and got error messages.

Also could not merge the registry repair file. I probably copied it wrong and it was a text file and not a registry entry file. At this point I was giving up and booted the computer back into Windows and it reported a missing file, "Javasup.vxd".

As a final step before quitting for the day I ran a Scandisk and it reported errors on the disk which I had the program repair. I'm sure this problem is not cleared-up yet but it's time for a reality check.

I've spent two days wrestling with this problem and my friend has had to feed me and put up with me. He also had paid a "computer tech" guy to come out and work the computer when it had frozen-up and refused to boot-up. He spent $200 on that. My friend already lost all his "unsaved" data as the tech guy had reformatted his hard drive and reinstalled Windows.

In short, this problem and "other Spyware" programs have cost my friend a considerable amount of time and money. And in retrospect, had I known just how difficult this CWS problem was going to be I would have just pulled out the hard drive and replaced it with a new one; after I had taken a baseball bat to the old one, of course! In the end, this is likely to be our solution as I cannot see putting in more time and effort to repair something that has cost more than a new hard drive.

So I hope this experience will benefit some of you that are thinking of starting the process of cleaning up a nasty CWS infection on your hard drive. Consider your options first.

#12 Daisuke


Posted 09 October 2004 - 04:46 PM

Yes wisebigguy, this is sad. CoolWebSearch has claimed another victim this time. It's not mission impossible if it is removed quickly with the right tools and knowledge.

Follow this list below and the potential for being infected again will reduce dramatically.

First: use another browser. FireFox is safer. Tell your friend to keep it up to date.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Edited by cryo, 09 October 2004 - 05:29 PM.


#13 Father Jack


Posted 15 June 2005 - 11:26 AM

I tried all of the above to no avail on a machine similarly infected. I finally cured it by removing randomly named exe files of 0k size which were numerous in the \windows and \windows\system folders. Finally I had a suspect DLL file that kept cropping up in the HJT scans - IEOG.DLL, to which I could find no reference in Google. I also noticed another odd DLL called MOAA.DLL which was modified at about the same time that I was running scans, and could find no reference to it on Google either. I simply deleted all suspect files. All of this was done in safe mode after executing all of the instructions in the previous post by Daisuke.



