Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Worm (win32/winshow I Think) That I Can't Remove Is Killlin Me

  • Please log in to reply
3 replies to this topic

#1 joeyg1111


  • Members
  • 2 posts
  • Local time:12:31 PM

Posted 31 December 2005 - 01:45 PM

Hi BC,

I believe I have a worm that is part of the winshow family. I have been getting error dialogue boxes which say that a program has performed an illegal operation and has to be shut down. When I go to "view details" I get something like this:

NETKV32 caused an invalid page fault in
module KERNEL32.DLL at 0187:bff7b9a6.
EAX=00000000 CS=0187 EIP=bff7b9a6 EFLGS=00000246
EBX=100426b8 SS=018f ESP=0063c5f4 EBP=0063c630
ECX=10084700 DS=018f ESI=100426b8 FS=2687
EDX=bffc9490 ES=018f EDI=00000000 GS=0000
Bytes at CS:EIP:
ff 76 04 e8 13 89 ff ff 5e c2 04 00 56 8b 74 24
Stack dump:
10084700 1001c229 100426b8 00000000 00764af8 10000000 1001caf3 00000000 1001cb88 10000000 00000000 00000000 00000000 10000000 81f015f8 0063c7f8

I have tried to delete the NETKV32 file because from my research I understand it is a virus but when I do so it simply renames itself. There are currently two of these programs that boot up as soon as I turn on the computer and that give me error messages similar to the ones above: SYSBM and NETNM32. I also get the following error from EXPLORER:

EXPLORER caused an invalid page fault in
module KERNEL32.DLL at 0187:bff7b9a6.
EAX=00000000 CS=0187 EIP=bff7b9a6 EFLGS=00000246
EBX=05f12708 SS=018f ESP=05ebdba8 EBP=05ebdbe4
ECX=05f54750 DS=018f ESI=05f12708 FS=260f
EDX=bffc9490 ES=018f EDI=00000000 GS=0000
Bytes at CS:EIP:
ff 76 04 e8 13 89 ff ff 5e c2 04 00 56 8b 74 24
Stack dump:
05f54750 05eec255 05f12708 00000000 006d80a8 05ed0000 05eecb23 00000001 05eecba7 05ed0000 00000000 00000000 00000000 05ed0000 81fa30bc 05ebddac

Nothing really seems to happen when the first two meassages come up: I just close the dialogue box and carry on. When the EXPLORER message comes up I can sometimes get rid of it, the rest of the time it causes IE to quit on me. This is happening more and more quickly into my session.

So far I've downloaded and run Ad-Aware, Spybot, Bit Defender and McAffee Stinger. Ad-Aware and BD have found and deleted some questionable files, but have not detected others which I am assuming are problematic. I also got HijackThis and have included my log below. Anyhelp you can give me in getting rid of this problem would be HUGELY appreciated!

Thanks BC!

Logfile of HijackThis v1.99.1
Scan saved at 1:11:06 PM, on 12/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customi.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\xxdmb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O2 - BHO: Class - {7A1D7B3D-9E0A-8D1C-848C-C93372C7CB57} - C:\WINDOWS\SYSTEM\NTOU32.DLL (file missing)
O2 - BHO: Class - {3F288EDC-10F3-D1F7-A116-88258A23509B} - C:\WINDOWS\WINFN.DLL
O2 - BHO: Class - {19913E95-A735-1D29-E5FF-4B344CAAF7D0} - C:\WINDOWS\SYSTEM\APIKN32.DLL (file missing)
O2 - BHO: Class - {C396D0E0-9E0A-542C-DF8F-ADEA8A5525B8} - C:\WINDOWS\APPIR32.DLL
O2 - BHO: Class - {A21291D3-FB9A-C738-0034-769E8D26575C} - C:\WINDOWS\WINCT.DLL
O2 - BHO: Class - {87C41B12-AEC3-199D-DD6E-BBC70C2063DD} - C:\WINDOWS\SYSTEM\IPKH32.DLL (file missing)
O2 - BHO: Class - {9A66A15E-898C-9DA3-D6C8-99D8483E402D} - C:\WINDOWS\CRGD32.DLL
O2 - BHO: Class - {AAEAF0EF-4CCD-6801-830D-30AC3AB7C39B} - C:\WINDOWS\CRMI32.DLL
O2 - BHO: Class - {176F5667-507B-D312-EB30-B11BE22E37C9} - C:\WINDOWS\SYSTEM\MSHJ.DLL (file missing)
O2 - BHO: Class - {47E63E67-6034-F28A-4E05-E5EB90541D10} - C:\WINDOWS\SYSTEM\ATLVJ32.DLL (file missing)
O2 - BHO: Class - {77B86BBF-FCC3-25D0-2E11-6F763F235228} - C:\WINDOWS\SYSTEM\SYSCB32.DLL (file missing)
O2 - BHO: Class - {A509D6E9-56A4-E7FB-521F-C592CDA7424E} - C:\WINDOWS\SYSTEM\CRTW32.DLL (file missing)
O2 - BHO: Class - {B64CB541-B9B3-7208-2322-902C0C3B8DD6} - C:\WINDOWS\SDKFR.DLL
O2 - BHO: Class - {4D3C6B10-D548-DB27-A2D5-DE1550FD2B6D} - C:\WINDOWS\SYSTEM\NETIA.DLL
O2 - BHO: Class - {27CFD0FE-F6F8-65DA-3A16-9CD04E397E50} - C:\WINDOWS\SYSTEM\D3LE32.DLL (file missing)
O2 - BHO: Class - {594E2F72-FE93-92E3-61EE-B8A6B35055AD} - C:\WINDOWS\SYSTEM\APPDO.DLL (file missing)
O2 - BHO: Class - {A0143008-D257-1264-D990-7C6BFBD3F2AF} - C:\WINDOWS\MFCSH.DLL
O2 - BHO: Class - {AE955B54-A6B3-5BA7-2ECD-07F18D7ABCC2} - C:\WINDOWS\SYSTEM\ADDCN32.DLL (file missing)
O2 - BHO: Class - {19B904A4-12CC-BD9F-F9CE-8EE949E72065} - C:\WINDOWS\SYSTEM\NETUT32.DLL (file missing)
O2 - BHO: Class - {1BD77AAE-7932-ECDC-AEE6-B8F00908205C} - C:\WINDOWS\SDKLG.DLL
O2 - BHO: Class - {97D8F50B-95BD-9DC8-F960-465723737426} - C:\WINDOWS\SYSTEM\APIET32.DLL (file missing)
O2 - BHO: Class - {39407E41-E7C0-FB5C-B1D6-C8C738A6CDC8} - C:\WINDOWS\SYSTEM\D3SF32.DLL (file missing)
O2 - BHO: Class - {FC63F0E5-80B2-2AB7-B2CE-B7C3C66A175A} - C:\WINDOWS\SYSTEM\IPOS32.DLL (file missing)
O2 - BHO: Class - {E36B35F1-5FD2-0677-46DF-D1A5161CFD19} - C:\WINDOWS\SYSTEM\MFCGH32.DLL (file missing)
O2 - BHO: Class - {B9FCA0E1-7B64-E16E-A3DC-00928170618E} - C:\WINDOWS\CRKJ.DLL
O2 - BHO: Class - {08509CEC-F489-6823-B92D-43C1206F82F8} - C:\WINDOWS\SYSTEM\APPMU.DLL (file missing)
O2 - BHO: Class - {EB795AAF-E5F0-6EDA-6EE0-C8D5661F84AB} - C:\WINDOWS\SYSTEM\APIEP32.DLL (file missing)
O2 - BHO: Class - {D3E805B7-2324-55D1-0F70-3C591172B586} - C:\WINDOWS\SYSTEM\MSDU.DLL (file missing)
O2 - BHO: Class - {C238C683-A743-3212-3433-F697A9B9F706} - C:\WINDOWS\APIOW32.DLL
O2 - BHO: Class - {0ED8226B-008B-EF31-29A8-03538BFB2D9B} - C:\WINDOWS\SYSTEM\NTLW32.DLL
O2 - BHO: Class - {B56238F2-8210-2541-0E0A-BDA948E58949} - C:\WINDOWS\SYSTEM\WINQI.DLL (file missing)
O2 - BHO: Class - {07F26066-3006-3B6A-C0B6-286EB575DC93} - C:\WINDOWS\SYSTEM\ADDEH.DLL (file missing)
O2 - BHO: Class - {B544E061-68EE-A762-9D51-17437988E92B} - C:\WINDOWS\SYSTEM\APPYA32.DLL (file missing)
O2 - BHO: Class - {4CC0A8A4-E4C5-6742-27C3-C153BB6598A6} - C:\WINDOWS\IPQO32.DLL
O2 - BHO: Class - {729CB7F2-58D6-3B6F-AF9E-AF3E680D8538} - C:\WINDOWS\JAVAPI.DLL
O2 - BHO: Class - {4E13D08B-8C7F-2D80-572A-D6E907D83EB5} - C:\WINDOWS\D3FZ32.DLL
O2 - BHO: Class - {AF7C2B05-CA54-9CC5-461A-50E8D24EB543} - C:\WINDOWS\ATLOF.DLL
O2 - BHO: Class - {D321DC4E-C5C1-733A-6B36-D1F22AA3BC87} - C:\WINDOWS\JAVATS32.DLL
O2 - BHO: Class - {C39846EA-E45C-F6C4-9160-FBF430FD30AC} - C:\WINDOWS\SYSTEM\NETQE32.DLL (file missing)
O2 - BHO: Class - {3B9CE314-9AD4-9792-05A7-D033A0AC7FC8} - C:\WINDOWS\MFCSC.DLL
O2 - BHO: Class - {652D794B-763F-83DD-FAFE-5ACFEB85DA45} - C:\WINDOWS\SYSTEM\SYSUU32.DLL (file missing)
O2 - BHO: Class - {EFC4F699-F19A-6D2A-3A0D-DA6A6848205C} - C:\WINDOWS\NTKQ.DLL
O2 - BHO: Class - {94F04059-6E7E-66D6-541C-B1B81A2E0CF0} - C:\WINDOWS\SYSTEM\APPOY32.DLL (file missing)
O2 - BHO: Class - {03BE1512-1B77-7315-6103-520BC2285F2A} - C:\WINDOWS\SYSTEM\IEBI32.DLL (file missing)
O2 - BHO: Class - {0E07F1CC-6044-9AB8-86B3-B33F53CA4787} - C:\WINDOWS\JAVARX.DLL
O2 - BHO: Class - {623E5DF9-CC25-2935-D4FF-B90A1C705AE7} - C:\WINDOWS\SYSTEM\NTUH.DLL (file missing)
O2 - BHO: Class - {9094044E-D64B-52BF-2293-CE35E7D82337} - C:\WINDOWS\SYSTEM\ADDQS.DLL (file missing)
O2 - BHO: Class - {0FFA2FFB-016C-B9FD-455F-DEDD005C2ECE} - C:\WINDOWS\SYSTEM\SDKMQ32.DLL (file missing)
O2 - BHO: Class - {AEC0A5D0-B2FD-1C6C-5FED-D4522D6ED9D6} - C:\WINDOWS\SYSTEM\JAVAPS32.DLL (file missing)
O2 - BHO: Class - {8C64AEC0-374E-EFF7-DA12-C97865DA9CF1} - C:\WINDOWS\IPCI.DLL
O2 - BHO: Class - {06479FBD-B7F4-E4BF-7FBF-CDD5E2D81431} - C:\WINDOWS\MSKH.DLL
O2 - BHO: Class - {C8B6A180-C5E4-EE72-CE5B-CFE9122CE82F} - C:\WINDOWS\NTLU32.DLL
O2 - BHO: Class - {A52D4B25-E1F1-2569-07DB-62AE8430CB3D} - C:\WINDOWS\SYSTEM\D3HZ32.DLL (file missing)
O2 - BHO: Class - {C9FA9D8C-A5E5-7AC4-0C08-3BFBB0434540} - C:\WINDOWS\SYSTEM\NETMW32.DLL (file missing)
O2 - BHO: Class - {BC02D259-67DA-83B7-2FC8-477907FF5440} - C:\WINDOWS\SYSTEM\MFCCR.DLL (file missing)
O2 - BHO: Class - {1989CDA8-1898-9E66-F3AF-1C7B4EFF9DBD} - C:\WINDOWS\MSKX32.DLL
O2 - BHO: Class - {EBCE955D-55C2-1BA9-E75B-9E4D6197FF79} - C:\WINDOWS\SYSTEM\MSBC32.DLL (file missing)
O2 - BHO: Class - {0B569D60-0427-A8B1-7DD5-82369A5DFB13} - C:\WINDOWS\SYSTEM\CRXC32.DLL (file missing)
O2 - BHO: Class - {BFB5D2CE-194B-C74E-63C1-C2F668F52093} - C:\WINDOWS\MSZU.DLL
O2 - BHO: Class - {6A9852CC-FCBB-61A5-41A1-2EDA8230AEC5} - C:\WINDOWS\APITM32.DLL
O2 - BHO: Class - {DF830A8B-2B04-8D4A-DBFD-030D08B38E93} - C:\WINDOWS\SYSTEM\MSWB32.DLL (file missing)
O2 - BHO: Class - {69114293-30CF-A231-E8A2-3F59AB77AD32} - C:\WINDOWS\SYSTEM\APIZQ.DLL (file missing)
O2 - BHO: Class - {38A6A56C-B9D7-1248-1235-9AAE4EFF2286} - C:\WINDOWS\SYSTEM\IEZG.DLL (file missing)
O2 - BHO: Class - {E2A94F9F-7AED-6BE3-46D5-174F791F1A84} - C:\WINDOWS\ADDAH32.DLL
O2 - BHO: Class - {CC2DA680-96EA-5AED-42B8-F54D249B35DD} - C:\WINDOWS\IERC32.DLL
O2 - BHO: Class - {BABD9DA6-1A9E-2FD5-636D-C0DB378E00C3} - C:\WINDOWS\SYSWX32.DLL
O2 - BHO: Class - {5427C122-41DC-07F0-770B-7D0652D91511} - C:\WINDOWS\SDKYO.DLL
O2 - BHO: Class - {480F3093-85F1-45A2-F3FD-5DC8ECE8C707} - C:\WINDOWS\NETPJ.DLL
O2 - BHO: Class - {C427C212-46BD-6448-5115-374EE8736E22} - C:\WINDOWS\SYSTEM\SDKMI32.DLL (file missing)
O2 - BHO: Class - {86BFEDB1-B790-4F94-1BD7-43263EAC2D9B} - C:\WINDOWS\SYSTEM\WINHJ.DLL (file missing)
O2 - BHO: Class - {685140D7-7B60-A183-0DE1-E8A78EE741C5} - C:\WINDOWS\SYSTEM\APIUH.DLL (file missing)
O2 - BHO: Class - {E738FA69-B912-B059-1394-230F1BB7CC13} - C:\WINDOWS\APIEU32.DLL
O2 - BHO: Class - {78D27D91-786C-6028-B4FE-85DD82E2102D} - C:\WINDOWS\SYSTEM\ATLAC32.DLL (file missing)
O2 - BHO: Class - {0C507AC8-9CC4-1970-BE39-A99F9532D512} - C:\WINDOWS\CRAR.DLL
O2 - BHO: Class - {403509E3-D9CE-508B-8DD5-FF9CC2A69F1B} - C:\WINDOWS\SYSTEM\CRPS32.DLL (file missing)
O2 - BHO: Class - {09E50A9A-9573-86A5-4ABD-5E38F81CBDB3} - C:\WINDOWS\SDKKL.DLL
O2 - BHO: Class - {24D61A15-3D8F-0712-8763-1448233335C0} - C:\WINDOWS\SYSTEM\D3MF.DLL (file missing)
O2 - BHO: Class - {83B3DFD2-55F0-F84B-F991-C6762249DB38} - C:\WINDOWS\SYSTEM\APIFT32.DLL (file missing)
O2 - BHO: Class - {F86ECE37-FEB5-58C4-D253-6026DF47F1BD} - C:\WINDOWS\SYSTEM\NTLN32.DLL (file missing)
O2 - BHO: Class - {8BC61747-3461-EFEE-D05D-964D875677AB} - C:\WINDOWS\SYSTEM\MSWC.DLL (file missing)
O2 - BHO: Class - {5465646E-5FF3-A3F7-5FDF-E65961926291} - C:\WINDOWS\SYSTEM\IPVK32.DLL (file missing)
O2 - BHO: Class - {093680F4-6D7A-144A-D33E-DC9B538D581B} - C:\WINDOWS\SYSTEM\JAVAPJ32.DLL (file missing)
O2 - BHO: Class - {C8BC9065-AF44-BC87-B7F3-1B9DA5C3979C} - C:\WINDOWS\SYSTEM\D3GY32.DLL (file missing)
O2 - BHO: Class - {6522CC06-085B-0152-B86B-5DEFD59319F2} - C:\WINDOWS\APPWL.DLL
O2 - BHO: Class - {E8A39625-B6BE-1D18-1BE0-EDB00316FA68} - C:\WINDOWS\SYSJR32.DLL
O2 - BHO: Class - {1739822B-FCAD-E0B7-8AE6-A7FA3ADF9CE7} - C:\WINDOWS\SYSIU32.DLL
O2 - BHO: Class - {4478A40E-095C-9113-16CA-AAE4FCB0841A} - C:\WINDOWS\NETZB32.DLL
O2 - BHO: Class - {D26AE4F7-8228-80E6-B5BD-8F1418D6EC44} - C:\WINDOWS\MSQD.DLL
O2 - BHO: Class - {71830F4A-94D4-BF99-5461-26532B36A737} - C:\WINDOWS\SDKPB32.DLL
O2 - BHO: Class - {592B61B9-A46D-A8A0-A1A1-872D72758FBE} - C:\WINDOWS\SYSTEM\JAVAAH32.DLL (file missing)
O2 - BHO: Class - {6F5238D0-58CA-ADF4-63DE-FD4A5FF51173} - C:\WINDOWS\MFCIQ32.DLL (file missing)
O2 - BHO: Class - {2B7A9AEC-0149-716C-4A8D-7E2764CEBB1E} - C:\WINDOWS\SYSTEM\NTMF.DLL (file missing)
O2 - BHO: Class - {97853963-D003-7871-69E2-70710B4A6915} - C:\WINDOWS\ADDBO.DLL
O2 - BHO: Class - {C2FA3656-27E9-CB48-07E2-4EDCB9A9B231} - C:\WINDOWS\SYSTEM\WINVK.DLL (file missing)
O2 - BHO: Class - {5AF2F991-F97B-E7F8-D81E-1803A0C1992A} - C:\WINDOWS\WINYZ.DLL (file missing)
O2 - BHO: Class - {147C3991-75D0-4E05-AEAD-19ADC9932F97} - C:\WINDOWS\SYSTEM\ADDCJ.DLL (file missing)
O2 - BHO: Class - {2AA0D77D-C8A5-66CE-BC1B-8F3AAE9652B5} - C:\WINDOWS\ADDFB.DLL (file missing)
O2 - BHO: Class - {47591DF9-B1C5-A655-83A0-C44A38A47B22} - C:\WINDOWS\SYSTEM\JAVAEN32.DLL (file missing)
O2 - BHO: Class - {E0CF7DEE-BB7D-CD36-4AD3-EDD755AC3BD8} - C:\WINDOWS\SYSTEM\SYSVC32.DLL (file missing)
O2 - BHO: Class - {2FCAB757-46CB-EDBA-2F82-3DEE958BC1B1} - C:\WINDOWS\SYSTEM\SDKOM.DLL (file missing)
O2 - BHO: Class - {3827C3F7-DFA4-9D8D-9E66-CC737E5E91FF} - C:\WINDOWS\CRZP.DLL (file missing)
O2 - BHO: Class - {FB29FD22-44EE-499C-C5FF-ECF26EE29F07} - C:\WINDOWS\APPDX32.DLL
O2 - BHO: Class - {427AEE96-C35B-9EDB-F194-BFD657FECF4C} - C:\WINDOWS\SYSTEM\CRLT32.DLL (file missing)
O2 - BHO: Class - {A898391D-BAC4-F3C2-199A-5D01DFD7C0CF} - C:\WINDOWS\SYSTEM\JAVAFF32.DLL (file missing)
O2 - BHO: Class - {0ADF9A41-9649-BEC0-B58D-372E2E397B8A} - C:\WINDOWS\CRDX32.DLL (file missing)
O2 - BHO: Class - {2794292C-4490-D271-09E1-C39277C2D52A} - C:\WINDOWS\ADDHN32.DLL (file missing)
O2 - BHO: Class - {DFD60C9F-2B34-B4BD-B915-227AB606A962} - C:\WINDOWS\NTQS.DLL (file missing)
O2 - BHO: Class - {70958982-9286-4C4E-3FD3-FEC16A115FBF} - C:\WINDOWS\JAVAJC.DLL
O2 - BHO: Class - {5C4938F7-4F76-B565-345B-F5460D9DB10E} - C:\WINDOWS\MSOC.DLL
O2 - BHO: Class - {A8022F1F-3F6C-3EEC-407E-F52D3DE155EA} - C:\WINDOWS\ADDJH.DLL (file missing)
O2 - BHO: Class - {2881C9AB-5FEC-0F19-DD77-C5AF6BA4405C} - C:\WINDOWS\ADDHP.DLL (file missing)
O2 - BHO: Class - {FEB60709-1DBC-A983-CAF9-5B4983929436} - C:\WINDOWS\SYSTEM\ADDLZ.DLL
O2 - BHO: Class - {B0E16A49-042E-3717-CC45-E16960066D25} - C:\WINDOWS\SYSTEM\CROV.DLL (file missing)
O2 - BHO: Class - {B541A086-258E-C3A1-55DB-D4A3C5C12413} - C:\WINDOWS\APPWG.DLL (file missing)
O2 - BHO: Class - {C2155B4A-24CE-2402-04EE-789AC43241E7} - C:\WINDOWS\SYSTEM\ATLZY32.DLL (file missing)
O2 - BHO: Class - {A8D4B1C3-E455-C463-9A68-674D56A5CE31} - C:\WINDOWS\SYSTEM\CRXQ32.DLL (file missing)
O2 - BHO: Class - {FDD4FBB4-1A6E-F986-21EA-95A477FBA69C} - C:\WINDOWS\ADDQC.DLL
O2 - BHO: Class - {A21EB7C4-13E9-BD64-FCEC-35F1D630907B} - C:\WINDOWS\MSEF32.DLL (file missing)
O2 - BHO: Class - {822B2B88-090B-6F77-48D0-7FD0661E875D} - C:\WINDOWS\SYSTEM\SYSCU.DLL (file missing)
O2 - BHO: Class - {EF263DC7-41C9-3707-2316-99CC7321210F} - C:\WINDOWS\SYSTEM\SDKIZ32.DLL (file missing)
O2 - BHO: Class - {4A6990AE-EDB5-69DD-25C5-D906008ED823} - C:\WINDOWS\SYSTEM\ADDSS32.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\PROGRAM FILES\YAHOO!\BROWSER\YSIDEBARIEBHO.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: Class - {624BD64C-7B24-5F1B-09E1-0AE0E69C16B0} - C:\WINDOWS\SYSTEM\JAVAME32.DLL
O2 - BHO: Class - {D4DB5654-7123-6004-6034-D008447594E0} - C:\WINDOWS\SYSTEM\CRDM.DLL
O2 - BHO: Class - {B1DFD850-1394-A24D-5D2D-C5FC74E2403C} - C:\WINDOWS\SYSTEM\NETEB32.DLL
O2 - BHO: Class - {DF6FA459-DEB5-1461-C7D8-1C69ABCE95BD} - C:\WINDOWS\SYSTEM\MSUM32.DLL (file missing)
O2 - BHO: Class - {B901C34F-49B0-8A0B-D0FC-6B347CE1F3F0} - C:\WINDOWS\SYSTEM\SDKZC32.DLL (file missing)
O2 - BHO: Class - {D2C22B7F-8DD3-0C16-DA5B-AF1BC159FCC4} - C:\WINDOWS\SDKTR32.DLL (file missing)
O2 - BHO: Class - {7B7E8B10-6756-BD84-FE94-D223E97DE22B} - C:\WINDOWS\SYSTEM\NTZL32.DLL (file missing)
O2 - BHO: Class - {82346319-02A9-3198-1E7F-3397C07BAD2C} - C:\WINDOWS\SYSTEM\MSLD32.DLL (file missing)
O2 - BHO: Class - {8D7E8A22-1DF9-344A-CD1D-755BCB540709} - C:\WINDOWS\SYSTEM\SYSQL32.DLL
O2 - BHO: Class - {C8BCDBEF-C301-AF55-7F17-561668DBE389} - C:\WINDOWS\NETIZ.DLL
O2 - BHO: Class - {FF6CDC7E-2CF3-9F95-E938-825B9DA9B55C} - C:\WINDOWS\SYSTEM\MSTZ.DLL
O2 - BHO: Class - {4E2D9B2A-678A-3C50-21E8-21BCDE17708A} - C:\WINDOWS\SYSTEM\IEOY32.DLL
O2 - BHO: Class - {5E7FD18D-5FEA-6619-B437-C70562F75F24} - C:\WINDOWS\SYSTEM\IECV.DLL
O2 - BHO: Class - {A474FF8F-0B4E-55D9-286B-F9A9C3D1BFC7} - C:\WINDOWS\SYSTEM\MSAS.DLL (file missing)
O2 - BHO: Class - {91C44800-0214-FBD3-43F5-73434349FC66} - C:\WINDOWS\D3CF32.DLL (file missing)
O2 - BHO: Class - {6B2D80F8-44B2-F821-FDED-675C2E32BF69} - C:\WINDOWS\SYSTEM\MFCSC32.DLL (file missing)
O2 - BHO: Class - {B57D4547-53A2-CE5F-B929-72FEAA007FF8} - C:\WINDOWS\IEHK32.DLL (file missing)
O2 - BHO: Class - {74D1C96C-F82E-6A38-6FD8-197941DBEFAD} - C:\WINDOWS\SYSTEM\MSID32.DLL (file missing)
O2 - BHO: Class - {DE9FBD9F-312E-4200-618D-E3C65130FD10} - C:\WINDOWS\MSYC.DLL (file missing)
O2 - BHO: Class - {FE62602C-9AF7-60E5-6ED8-8DED73476E90} - C:\WINDOWS\SYSTEM\SDKBR.DLL (file missing)
O2 - BHO: Class - {B255CF17-988E-8993-4B11-EE0312E09D84} - C:\WINDOWS\JAVARU.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BitDefender Virus Shield] "C:\Program Files\Softwin\BitDefender9\vsserv.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BitDefender Live Service] "C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRAM FILES\SOFTWIN\BITDEFENDER9\bdnagent.exe"
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BitDefender Communicator] "C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe"
O4 - HKLM\..\RunServices: [BitDefender Scan Server] "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe"
O4 - HKLM\..\RunServices: [BitDefender Live! Init] "C:\Program Files\Softwin\BitDefender9\bdinit.exe"
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRAM FILES\YAHOO!\YPSR\PPCLEAN.EXE" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WInzip\WZQKPICK.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range:
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {237F3A38-E718-4FE3-AB18-BCF0AF75B34A} (DownloadScanEngine.ctlDSE300663) - http://downloads.rogershelp.com/updates.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200411...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ins...ckerutility.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rcabinstall.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...657/mcfscan.cab

BC AdBot (Login to Remove)


#2 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,595 posts
  • Gender:Male
  • Local time:12:31 PM

Posted 08 January 2006 - 12:41 AM

Hi joeyg1111,

Sorry for the delay, we've really been swamped lately. If you still need help, please start out by posting a new log in this thread. Please describe what you may have done to fix the problem and what is happening with your system now (since you posted your last log) if anything has changed.

The thing about people

is they change

when they walk away.--Mipso

#3 joeyg1111

  • Topic Starter

  • Members
  • 2 posts
  • Local time:12:31 PM

Posted 08 January 2006 - 04:06 PM

Hi Papakid,

Thanks for checking back in. I read through some other postings with similar problems and think I was able to get rid of most of the baddies with HJT, especially the two .exe programs that were running and causing the errors. I also deleted most of the BHOs, and few other items that I cross-checked with other postings.

The result is that things are working really well right now, but I am a bit worried the problems aren't gone for good.

There are thousands of "phantom files" in my c:\Windows and c:\windows/system folders. They all have names like the problem programs I managed to delete (i.e. netkv, netlm, appsi, etc...). Some are .exe and some are .dll. All of them list the file size as zero bytes, and when I scan them directly with bit defender and a number of other anti-virus programs they check out as clean. There are literally 15,000 files in those two folders and I can only account for a handful of them. Are they just waiting to host the next wave?

I am running Bit Defender now and it has picked up a couple of other viruses that I have deleted, but nothing that is affecting the running of IE or the computer as a whole (yet!). I am at a different computer now and can't post a log...I will do so next chance I get. If you have any feedback based on the above I'd love to hear it.

Thanks again. BC is an amazing resource - I wish I had known about it earlier!

#4 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,595 posts
  • Gender:Male
  • Local time:12:31 PM

Posted 10 January 2006 - 10:40 PM

Hi joeyg1111, sorry again for the delay. I got sidetracked.

You have a variant of a CoolWebSearch infection that is fairly rare. You may have cleaned most of it up but if you miss some parts of it it will come back. And we can clean up some of those leftovers you are talking about along with some other entries in the HijackThis log. But I won't know what exactly needs to be done until I can see a new log. If I'm not mistaken, the names of some of the key files may change when you reboot, so be ready to leave your system on until you receive instructions from me.

One thing you need to address beforehand is the fact you are running two anti-virus (AV) programs. One from your ISP software and BitDefender. It's recommended that you run only one redsident AV, as two will only slow your system and actually reduce your security. For a second opinion use online scans.

I'm not really sure which one you should keep, but I would guess BitDefender is better. The ISP one is powered by eTrust, which is a reputable AV vendor, but I mistrust ISP software in the first place and they usually don't give you enough control over the program. I think BitDefender has a better detection rate. There are other factors to consider, such as are you running the free version of BitDefender, or the trial commercial version? You'll have to decide if you want to uninstall something you may have paid for or if you want to buy a subscription when you can get a fair AV for free from your ISP. And if you want to get rid of eTrust, check with your ISP to be sure that their software isn't required for a connection and for help in uninstalling eTrust.

When that's straightened out, please post a new log.

The thing about people

is they change

when they walk away.--Mipso

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users