HELP! PC is definitely infected


  • This topic is locked
19 replies to this topic

#1 toshinomiya

    New Member

  • Authentic Member
  • 17 posts

Posted 30 December 2005 - 07:02 PM

I tried to delete them but it seems they are already in the system. Can somebody help me get rid of these bad weeds?

Don't get weird if you see characters other than alphabets as this PC is programmed in Japanese.

Thanks.

Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 9:55:12, on 2005/12/31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\FTMKEY.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hitachi\PriusEasy\PriusEasyLauncher\EasyLauncher.exe
C:\Program Files\HITACHI\Prius Navistation\PESCDL.exe
C:\Program Files\DigiOn\DiXiM Media Server\dms_helper.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\iezm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\FTKDisp.exe
C:\WINDOWS\ftmget.exe
C:\WINDOWS\Ftkbled.exe
C:\WINDOWS\apihp32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\HITACHI\Prius Navistation\HPEPGRD.exe
C:\Program Files\HITACHI\Prius Navistation\PriNaviSSrv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\aiko\デスクトップ\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {6F4AC8D3-C91D-2E41-818E-BF91513AB850} - C:\WINDOWS\system32\ntgg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B88D638F-C266-4667-9E71-F6F857C295AE} - C:\PROGRA~1\goo\stick\goostk.dll
O3 - Toolbar: &gooスティック - {C1724158-90ED-413D-AE2D-6360F0CAA755} - C:\PROGRA~1\goo\stick\goostk.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] FTMKEY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PriusEasyLauncher] C:\Program Files\Hitachi\PriusEasy\PriusEasyLauncher\EasyLauncher.exe -T
O4 - HKLM\..\Run: [PESCDL.EXE] "C:\Program Files\HITACHI\Prius Navistation\PESCDL.exe"
O4 - HKLM\..\Run: [dms_helper] "C:\Program Files\DigiOn\DiXiM Media Server\dms_helper.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [apifo32.exe] C:\WINDOWS\apifo32.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOCUME~1\jane\LOCALS~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\jane\LOCALS~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [appxz.exe] C:\WINDOWS\appxz.exe
O4 - HKLM\..\Run: [apiyt.exe] C:\WINDOWS\system32\apiyt.exe
O4 - HKLM\..\Run: [javaob32.exe] C:\WINDOWS\javaob32.exe
O4 - HKLM\..\Run: [iezm.exe] C:\WINDOWS\system32\iezm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Google 検索(&G) - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: このページのキャッシュ - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: リンク元 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: 翻訳(&T) - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: 関連ページ - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://prius.hitachi.co.jp/go/prius/index.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1025B63-5F68-4DCF-B7D4-372946A01791}: NameServer = 221.113.139.138 61.207.11.154
O18 - Protocol: msjwwdat - {BAAB02DC-913E-40AA-B9ED-8068DEE42CFA} - C:\Program Files\Microsoft Office\Home Style\JWW\JWWData.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11F゚・#キコトヨ`I) - Unknown owner - C:\WINDOWS\apihp32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BeatJam Music Server - HTTP (BeatJamMusicStreamingServer) - Justsystem Corporation - C:\Program Files\JUSTSYSTEM\BeatJam Music Server\BeatJamHttpService.exe
O23 - Service: BeatJam Music Server - UPnP (BeatJamUPnPMusicServer) - Justsystem Corporation - C:\Program Files\JUSTSYSTEM\BeatJam Music Server\BeatJamUPnPService.exe
O23 - Service: DiXiM Media Server - DigiOn - C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exe
O23 - Service: HITACHI HPEPGRD (HPEPGRD) - Unknown owner - C:\Program Files\HITACHI\Prius Navistation\HPEPGRD.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



#2 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 05 January 2006 - 07:42 PM

Please post a new hijackthis log and try not to reboot once you have.

#3 toshinomiya

    New Member

  • Authentic Member
  • 17 posts

Posted 06 January 2006 - 01:24 AM

Yey! A reply. :D

Here is the new log file.

Logfile of HijackThis v1.99.1
Scan saved at 16:22:53, on 2006/01/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\FTMKEY.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hitachi\PriusEasy\PriusEasyLauncher\EasyLauncher.exe
C:\Program Files\HITACHI\Prius Navistation\PESCDL.exe
C:\Program Files\DigiOn\DiXiM Media Server\dms_helper.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\apihp32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\HITACHI\Prius Navistation\HPEPGRD.exe
C:\Program Files\HITACHI\Prius Navistation\PriNaviSSrv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\FTKDisp.exe
C:\WINDOWS\ftmget.exe
C:\WINDOWS\Ftkbled.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\atlcz.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\aiko\デスクトップ\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {2DCB300B-8992-BE39-ABB4-00C240619497} - C:\WINDOWS\winjg32.dll
O2 - BHO: Class - {44BECE92-B7DC-E0A5-2FC8-910FBA5C21AE} - C:\WINDOWS\sdkjk32.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {69DB3800-824F-53AF-DEB5-483DECDC009E} - C:\WINDOWS\d3rc32.dll
O2 - BHO: Class - {6F4AC8D3-C91D-2E41-818E-BF91513AB850} - C:\WINDOWS\system32\ntgg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B88D638F-C266-4667-9E71-F6F857C295AE} - C:\PROGRA~1\goo\stick\goostk.dll
O2 - BHO: Class - {CC393430-4D4B-1648-E8C8-E18E615C3C4F} - C:\WINDOWS\javabw.dll
O2 - BHO: Class - {DABD84BF-4CE9-79E0-C685-E44A72ED9ADF} - C:\WINDOWS\system32\ntsq.dll
O2 - BHO: Class - {EDB630B0-27AD-32B3-EC50-7032C9436D7D} - C:\WINDOWS\system32\iene.dll
O2 - BHO: Class - {F0F72CB3-714A-ED8F-9D97-127E290AEAF2} - C:\WINDOWS\system32\ipfl.dll
O3 - Toolbar: &gooスティック - {C1724158-90ED-413D-AE2D-6360F0CAA755} - C:\PROGRA~1\goo\stick\goostk.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] FTMKEY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PriusEasyLauncher] C:\Program Files\Hitachi\PriusEasy\PriusEasyLauncher\EasyLauncher.exe -T
O4 - HKLM\..\Run: [PESCDL.EXE] "C:\Program Files\HITACHI\Prius Navistation\PESCDL.exe"
O4 - HKLM\..\Run: [dms_helper] "C:\Program Files\DigiOn\DiXiM Media Server\dms_helper.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [apifo32.exe] C:\WINDOWS\apifo32.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOCUME~1\jane\LOCALS~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\jane\LOCALS~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [appxz.exe] C:\WINDOWS\appxz.exe
O4 - HKLM\..\Run: [apiyt.exe] C:\WINDOWS\system32\apiyt.exe
O4 - HKLM\..\Run: [javaob32.exe] C:\WINDOWS\javaob32.exe
O4 - HKLM\..\Run: [iezm.exe] C:\WINDOWS\system32\iezm.exe
O4 - HKLM\..\Run: [javabq32.exe] C:\WINDOWS\javabq32.exe
O4 - HKLM\..\Run: [appxk32.exe] C:\WINDOWS\appxk32.exe
O4 - HKLM\..\Run: [atldg.exe] C:\WINDOWS\atldg.exe
O4 - HKLM\..\Run: [sysza.exe] C:\WINDOWS\system32\sysza.exe
O4 - HKLM\..\Run: [iesm.exe] C:\WINDOWS\iesm.exe
O4 - HKLM\..\Run: [atlcz.exe] C:\WINDOWS\system32\atlcz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Google 検索(&G) - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: このページのキャッシュ - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: リンク元 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: 翻訳(&T) - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: 関連ページ - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://prius.hitachi.co.jp/go/prius/index.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1025B63-5F68-4DCF-B7D4-372946A01791}: NameServer = 221.113.139.138 61.207.11.154
O18 - Protocol: msjwwdat - {BAAB02DC-913E-40AA-B9ED-8068DEE42CFA} - C:\Program Files\Microsoft Office\Home Style\JWW\JWWData.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F゚・#キコトヨ`I) - Unknown owner - C:\WINDOWS\apihp32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BeatJam Music Server - HTTP (BeatJamMusicStreamingServer) - Justsystem Corporation - C:\Program Files\JUSTSYSTEM\BeatJam Music Server\BeatJamHttpService.exe
O23 - Service: BeatJam Music Server - UPnP (BeatJamUPnPMusicServer) - Justsystem Corporation - C:\Program Files\JUSTSYSTEM\BeatJam Music Server\BeatJamUPnPService.exe
O23 - Service: DiXiM Media Server - DigiOn - C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exe
O23 - Service: HITACHI HPEPGRD (HPEPGRD) - Unknown owner - C:\Program Files\HITACHI\Prius Navistation\HPEPGRD.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

#4 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 06 January 2006 - 08:19 AM

The Fix:

Step#1:Getting Ready

Please save these instructions to WordPad so that you have them accessible while following the steps. You also may want to print out these directions as the Internet will not be available.

After downloading the tools, you must disconnect from the internet totally, because staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout as opening either will reinstall the infection.

To replace Internet Explorer to use during this fix, please use Internet Explorer once to download and install FireFox, to be used as your alternate browser throughout this fix.

Close Outlook Express and Internet Explorer for the duration of this fix

Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

Please start by downloading the tools you will need to clean this infection with FireFox. If you have a problem or question with any please continue to follow the list step by step to the end and ask the questions when you are asked to reply. Just be sure to let us know what the problem was when you finally reply.


Step#2:Show All Hidden Files Very Important

Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.
http://www.davehigha...ds/xphidden.zip


Step#3:Download CWShredder Do Not Use Yet

1. Please Download the most recent version of CWShredder, from CWSInstall.exe

2. Check for Updates but please Do NOT use it yet



Step#4:Download About Buster Do Not Use Yet

1. Please download About:Buster from here: http://www.malwareby...AboutBuster.zip

2. Once it is downloaded extract it to c:\aboutbuster.





Step#5:Download Registrar Lite Do Not Use Yet

Another program to download is Registrar Lite for use later: Please download Registrar Lite and install it to C:\Program Files\RegLite\ . This is a registry editor that is very easy to use. Caution should be exercised when editing the registry as it is very easy to render a Computer unbootable by deleting the wrong key



Step#6:Download Ewido Security Suite Only For Windows 2000 and XP Do Not Use Yet
  • Download and install Ewido security suite
  • Right Click on the “E” icon in your taskbar and open Ewido Security Suite then click “update” to get the most recent definitions for it to use.
  • When it prompts you to update, click the OK button.
  • download the updates and when they are finished installing, close the window
  • Please Do Not Use It Yet

Step#6:Download A Registry File to Remove Registry Entries Do Not Use Yet
  • Please download the following zip file to your desktop:
    HSfix
  • Double Click on HSfix.zip and it will unzip to a new folder it makes on your desktop, called HSfix
  • Do Not Use It Yet


Please disconnect from the Internet




Step#7:Disable The Bad Service ** Very Important!!**
  • Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE
  • Click on start > control panel > administrative programs > services. Look for a service called Workstation NetLogon Service . Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step#8:Stop The Running Processes



Press control-alt-delete to get into the task manager and end the following processes if they exist:

apihp32.exe
vsnpstd.exe
apifo32.exe
appxz.exe
apiyt.exe
javaob32.exe
iezm.exe
javabq32.exe
appxk32.exe
atldg.exe
sysza.exe
iesm.exe
atlcz.exe


Step#9:Use HijackThis to Delete About Blank Bad Files

I now need you to delete the following files:

C:\WINDOWS\winjg32.dll
C:\WINDOWS\sdkjk32.dll
C:\WINDOWS\d3rc32.dll
C:\WINDOWS\system32\ntgg.dll
C:\WINDOWS\javabw.dll
C:\WINDOWS\system32\ntsq.dll
C:\WINDOWS\system32\iene.dll
C:\WINDOWS\system32\ipfl.dll
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\apifo32.exe
C:\DOCUME~1\jane\LOCALS~1\Temp\B.tmp.exe
C:\DOCUME~1\jane\LOCALS~1\Temp\D.tmp.exe
C:\WINDOWS\appxz.exe
C:\WINDOWS\system32\apiyt.exe
C:\WINDOWS\javaob32.exe
C:\WINDOWS\system32\iezm.exe
C:\WINDOWS\javabq32.exe
C:\WINDOWS\appxk32.exe
C:\WINDOWS\atldg.exe
C:\WINDOWS\system32\sysza.exe
C:\WINDOWS\iesm.exe
C:\WINDOWS\system32\atlcz.exe
C:\WINDOWS\apihp32.exe


If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.



Step#10:Cleaning With HijackThis

Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and click 'fix checked' button when ready (some may be gone after uninstalling some programs):



R3 - Default URLSearchHook is missing

O2 - BHO: Class - {2DCB300B-8992-BE39-ABB4-00C240619497} - C:\WINDOWS\winjg32.dll
O2 - BHO: Class - {44BECE92-B7DC-E0A5-2FC8-910FBA5C21AE} - C:\WINDOWS\sdkjk32.dll
O2 - BHO: Class - {69DB3800-824F-53AF-DEB5-483DECDC009E} - C:\WINDOWS\d3rc32.dll
O2 - BHO: Class - {6F4AC8D3-C91D-2E41-818E-BF91513AB850} - C:\WINDOWS\system32\ntgg.dll
O2 - BHO: Class - {CC393430-4D4B-1648-E8C8-E18E615C3C4F} - C:\WINDOWS\javabw.dll
O2 - BHO: Class - {DABD84BF-4CE9-79E0-C685-E44A72ED9ADF} - C:\WINDOWS\system32\ntsq.dll
O2 - BHO: Class - {EDB630B0-27AD-32B3-EC50-7032C9436D7D} - C:\WINDOWS\system32\iene.dll
O2 - BHO: Class - {F0F72CB3-714A-ED8F-9D97-127E290AEAF2} - C:\WINDOWS\system32\ipfl.dll

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [apifo32.exe] C:\WINDOWS\apifo32.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOCUME~1\jane\LOCALS~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\jane\LOCALS~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [appxz.exe] C:\WINDOWS\appxz.exe
O4 - HKLM\..\Run: [apiyt.exe] C:\WINDOWS\system32\apiyt.exe
O4 - HKLM\..\Run: [javaob32.exe] C:\WINDOWS\javaob32.exe
O4 - HKLM\..\Run: [iezm.exe] C:\WINDOWS\system32\iezm.exe
O4 - HKLM\..\Run: [javabq32.exe] C:\WINDOWS\javabq32.exe
O4 - HKLM\..\Run: [appxk32.exe] C:\WINDOWS\appxk32.exe
O4 - HKLM\..\Run: [atldg.exe] C:\WINDOWS\atldg.exe
O4 - HKLM\..\Run: [sysza.exe] C:\WINDOWS\system32\sysza.exe
O4 - HKLM\..\Run: [iesm.exe] C:\WINDOWS\iesm.exe
O4 - HKLM\..\Run: [atlcz.exe] C:\WINDOWS\system32\atlcz.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11F゚・#キコトヨ`I) - Unknown owner - C:\WINDOWS\apihp32.exe




click "fix checked"


Step#11: Backup The Registry

In the next step we are going to remove a service that gets installed by this malware.

1. Open Registrar Lite and run it.

2. Copy and paste the bold text below into the address bar of Registrar Lite:(this is making a Registry backup for safety in case of error)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Go to File > Export and save as (in the C:\Program Files\Registrar Lite (Reglite) folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)
2.) Winkey.hiv (Save as type: Scroll to select-regetd32/WinAPI *hiv *dat files)






Step#12: Use the HSfix.reg file
  • Navigate to the HSfix folder on your Desktop
  • Then double-click on the HSfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
  • If you get a popup from any of your protection programs asking if you want to make a change to the registry, say Yes or Accept it

Step#13:Fixing With CWShredder
  • CLOSE ALL WINDOWS except CWShredder
  • Run the program by clicking 'fix' and letting it fix all CWS remnants.


Step#14:Fixing With About Buster

This is the step where we will use About:Buster that you had downloaded previously.
  • Navigate to the c:\aboutbuster directory
  • double-click on aboutbuster.exe
  • When the tool opens press the OK button, then Start button, then the OK button
  • then finally the Yes button. It will start scanning your computer for files.
  • If it asks if you would like to do a second pass, allow it to do so.
  • Post the log file in your next reply


Step#15:Scan With Ewido Security Suite
  • Launch Ewido again
  • Click on Scanner>Complete System Scan.
  • Let the program scan your PC.
  • When the scan asks to clean files click OK.
  • When scan is completed, click Save report. to your desktop.
  • Post the report in your next reply.

Reboot your computer back to normal mode and

Reconnect To The Internet



Step#16:Scan and Post a New HJT log with other logs
  • Scan again with HijackThis.
  • Post your logs from HijackThis, About Buster, and Ewido Security Suite here in this thread with any questions or problems that you have run into.
  • There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.
Good Luck!
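As an added illustration that is not part of Siggyx's post, of HijackThis or of any of the tools named above, here is a small Python triage helper that parses the O2 (BHO), O4 (Run key) and O23 (service) line formats quoted in this thread and groups the flagged entries the way the fix above does: processes to end, files to delete, lines to tick in HijackThis. The sample log is assembled from lines quoted in the thread (with the garbled service short name replaced), and the allowlist and heuristics are constructed for this example.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not the
tool's or the helper's own code).  Heuristics mirror the ones used in the
fix post: BHOs registered under the bare name "Class", Run entries that
launch from a Temp folder or from an unlisted *.exe in C:\WINDOWS or
system32, and services with "Unknown owner" whose binary lives in the
Windows directory."""
import re
from pathlib import PureWindowsPath

# Constructed allowlist for this example only; real triage would consult a
# vetted autorun database rather than a handful of names from one log.
KNOWN_GOOD = {"igfxtray.exe", "hkcmd.exe", "ctfmon.exe", "soundman.exe",
              "agrsmmsg.exe", "ftmkey.exe", "wuauclt.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
O23_PREFIX = "O23 - Service: "

# Constructed from lines quoted in the thread; the mojibake short name of the
# rogue service is replaced with a placeholder.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {2DCB300B-8992-BE39-ABB4-00C240619497} - C:\WINDOWS\winjg32.dll
O2 - BHO: (no name) - {B88D638F-C266-4667-9E71-F6F857C295AE} - C:\PROGRA~1\goo\stick\goostk.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [B.tmp] C:\DOCUME~1\jane\LOCALS~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [atlcz.exe] C:\WINDOWS\system32\atlcz.exe
O23 - Service: Remote Procedure Call (RPC) Helper (garbled short name) - Unknown owner - C:\WINDOWS\apihp32.exe
O23 - Service: HITACHI HPEPGRD (HPEPGRD) - Unknown owner - C:\Program Files\HITACHI\Prius Navistation\HPEPGRD.exe
O23 - Service: BeatJam Music Server - HTTP (BeatJamMusicStreamingServer) - Justsystem Corporation - C:\Program Files\JUSTSYSTEM\BeatJam Music Server\BeatJamHttpService.exe
"""


def exe_from_command(cmd):
    """Return the executable part of a Run-key command, quoted or bare.
    HijackThis prints unquoted paths containing spaces, so we cut at the
    first '.exe' rather than at the first space."""
    m = re.match(r'"?(?P<exe>.+?\.exe)', cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split()[0]


def in_windows_dir(path):
    """True when the file sits directly in C:\\WINDOWS or system32."""
    return str(PureWindowsPath(path).parent).lower() in WINDOWS_DIRS


def suspicious_o2(name):
    # Legitimate BHOs carry a descriptive class name; the dropped DLLs in
    # this thread all register under the bare word "Class".
    return name.strip() == "Class"


def suspicious_o4(exe):
    low = exe.lower()
    if "\\temp\\" in low:
        return True
    return in_windows_dir(exe) and PureWindowsPath(exe).name.lower() not in KNOWN_GOOD


def suspicious_o23(owner, path):
    # Vendor-less service whose binary was dropped straight into the
    # Windows directory (HPEPGRD is also "Unknown owner" but lives in
    # Program Files, so it is left alone).
    return owner == "Unknown owner" and in_windows_dir(path)


def build_plan(log_text):
    """Group flagged entries into the three lists the fix post uses."""
    plan = {"kill": [], "delete": [], "fix_lines": [], "services": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            if suspicious_o2(m["name"]):
                plan["delete"].append(m["path"])
                plan["fix_lines"].append(line)
        elif m := O4_RE.match(line):
            exe = exe_from_command(m["cmd"])
            if suspicious_o4(exe):
                plan["kill"].append(PureWindowsPath(exe).name)
                plan["delete"].append(exe)
                plan["fix_lines"].append(line)
        elif line.startswith(O23_PREFIX):
            # Service display names may themselves contain " - ", so split
            # from the right: <name> - <owner> - <path>.
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) == 3 and suspicious_o23(parts[1], parts[2]):
                plan["services"].append(parts[0])
                plan["kill"].append(PureWindowsPath(parts[2]).name)
                plan["delete"].append(parts[2])
                plan["fix_lines"].append(line)
    return plan


if __name__ == "__main__":
    for section, items in build_plan(SAMPLE_LOG).items():
        print(f"== {section} ==")
        for item in items:
            print("  ", item)
```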

#5 toshinomiya

    New Member

  • Authentic Member
  • 17 posts

Posted 06 January 2006 - 08:47 PM

Okay... umm... when you wrote "administrative programs", do you mean "administrative tools"? I cannot find the former but found the latter and the services. Unfortunately I can't find the Workstation NetLogon Service no matter how hard I look at the list. Right now I feel so stupid. :blink:

#6 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 06 January 2006 - 10:07 PM

Yep, admin tools works also

#7 toshinomiya

    New Member

  • Authentic Member
  • 17 posts

Posted 06 January 2006 - 11:53 PM

But I can't find Workstation NetLogon Service.

#8 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 06 January 2006 - 11:55 PM

Look for this: Remote Procedure Call

#9 toshinomiya

    New Member

  • Authentic Member
  • 17 posts

Posted 07 January 2006 - 01:16 AM

Okay... found it. Should I also disable the Remote Procedure Call helper and remote procedure call locator?

#10 toshinomiya

    New Member

  • Authentic Member
  • 17 posts

Posted 07 January 2006 - 03:01 AM

I can't disable the Remote Procedure Call, only the RPC Helper and RPC Locator.



#11 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 07 January 2006 - 10:28 AM

When you double click on Remote Procedure Call what options do you get?

#12 toshinomiya

Posted 07 January 2006 - 06:01 PM

Good Morning! No options. All buttons are disabled, and even the startup option. Here's the file path: C:\WINDOWS\system32\svchost -k rpcss. When I clicked the RPC Helper, the file path is C:\WINDOWS\apihp32.exe /s. I think this is the one I will disable, as apihp32.exe is one of the files you mentioned to be deleted. This is just my opinion. What do you think?

#13 Siggyx

Posted 07 January 2006 - 10:24 PM

Let's skip this step and move on to the rest, please.

#14 toshinomiya

Posted 08 January 2006 - 01:47 AM

Done.

Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 16:21:25, on 2006/01/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\FTMKEY.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hitachi\PriusEasy\PriusEasyLauncher\EasyLauncher.exe
C:\Program Files\HITACHI\Prius Navistation\PESCDL.exe
C:\Program Files\DigiOn\DiXiM Media Server\dms_helper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\FTKDisp.exe
C:\WINDOWS\ftmget.exe
C:\WINDOWS\Ftkbled.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\HITACHI\Prius Navistation\HPEPGRD.exe
C:\Program Files\HITACHI\Prius Navistation\PriNaviSSrv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\aiko\デスクトップ\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B88D638F-C266-4667-9E71-F6F857C295AE} - C:\PROGRA~1\goo\stick\goostk.dll
O3 - Toolbar: &gooスティック - {C1724158-90ED-413D-AE2D-6360F0CAA755} - C:\PROGRA~1\goo\stick\goostk.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] FTMKEY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PriusEasyLauncher] C:\Program Files\Hitachi\PriusEasy\PriusEasyLauncher\EasyLauncher.exe -T
O4 - HKLM\..\Run: [PESCDL.EXE] "C:\Program Files\HITACHI\Prius Navistation\PESCDL.exe"
O4 - HKLM\..\Run: [dms_helper] "C:\Program Files\DigiOn\DiXiM Media Server\dms_helper.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Google 検索(&G) - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: このページのキャッシュ - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: リンク元 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: 翻訳(&T) - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: 関連ページ - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://prius.hitachi.co.jp/go/prius/index.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1025B63-5F68-4DCF-B7D4-372946A01791}: NameServer = 221.113.139.138 61.207.11.154
O18 - Protocol: msjwwdat - {BAAB02DC-913E-40AA-B9ED-8068DEE42CFA} - C:\Program Files\Microsoft Office\Home Style\JWW\JWWData.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BeatJam Music Server - HTTP (BeatJamMusicStreamingServer) - Justsystem Corporation - C:\Program Files\JUSTSYSTEM\BeatJam Music Server\BeatJamHttpService.exe
O23 - Service: BeatJam Music Server - UPnP (BeatJamUPnPMusicServer) - Justsystem Corporation - C:\Program Files\JUSTSYSTEM\BeatJam Music Server\BeatJamUPnPService.exe
O23 - Service: DiXiM Media Server - DigiOn - C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exe
O23 - Service: HITACHI HPEPGRD (HPEPGRD) - Unknown owner - C:\Program Files\HITACHI\Prius Navistation\HPEPGRD.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



Problems

1. I can't delete O23 - Service: Remote Procedure Call (RPC) Helper ( 11F゚・#キコトヨ`I) - Unknown owner - C:\WINDOWS\apihp32.exe with HijackThis no matter what I do. In the end, I clicked the "Info on selected item" button and this was displayed:


the services on Windows NT4, Windows 2000, Windows XP and Windows 2003 are special type of programs that are essential to the system and are required for proper functioning of the system. Services processes are started before users logins and are protected by Windows. They can only be stopped from the services dialog in Administration Tools Windows. Malware that registers itself as a service is subsequently also harder to kill.

(Action Taken: Service is disabled and stopped. Reboot Needed)

Note: The Ms4Hd rootkit parasite (and possible other rootkits) will crash HiJackthis when it scans NT services section. Revert to HiJack This 1.98.2 or other pre-1.00.x version to complete the scan.


But luckily, the other programs you asked me to download did the deleting (I think), as I can no longer find it in the HJT log I posted above.


2. The About Buster completed the scan and a dialog box appeared informing me of this. I clicked OK and another dialog box appeared informing me of About Buster error '369'. I clicked OK as there were no other options. When I did, the About Buster Window closed immediately, leaving me with no logfile. :o

3. As for Ewido anti-malware, there was an error while saving the scan report and the program closed immediately. This is the only thing found in the report file saved on the desktop.


---------------------------------------------------------
ewido anti-malware - スキャンリポート
---------------------------------------------------------

+ 作成場所: 16:13:58, 2006/01/08


I think the text in the file is completely useless to you. Ewido found 16 infected files while scanning and I chose the Delete option. However, Ewido saved a backup of these files. Should I completely delete all of them for good?



Question:

1. If everything is all right, can I delete all the software you asked me to download, except Ewido anti-malware?


Sorry for all the trouble.
P.S.
I'm beginning to get the hang of using Firefox. :) I find it nicer than IE.
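As an added illustration, not part of the original thread and not HijackThis's own code: a small Python triage pass over log lines in the format posted above, flagging the entries a helper looks at first (orphaned "(no file)" registrations, services with no publisher string, overridden DNS servers). The sample lines are copied from the log in this post; the flag names are my own.

```python
import re
from dataclasses import dataclass

# A HijackThis entry is "<section> - <fields separated by ' - '>", e.g.
# "O23 - Service: <name> (<short name>) - <owner> - <path>".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str
    fields: list
    flags: list


def triage(section, fields):
    """Return review flags for one parsed entry. Flags prompt a check, not a verdict:
    'Unknown owner' only means HijackThis found no publisher string; HPEPGRD below is a
    legitimate Hitachi component that carries the same flag as apihp32.exe."""
    flags = []
    joined = " - ".join(fields)
    if "(no file)" in joined:
        flags.append("target file missing")        # registration points at nothing
    if section == "O23" and "Unknown owner" in joined:
        flags.append("service with no publisher")  # verify the binary by hand
    if section == "O17":
        flags.append("DNS servers overridden")     # compare with the ISP's resolvers
    return flags


def parse_line(line):
    """Parse one log line; returns None for headers, blank lines and process paths."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    fields = [f.strip() for f in rest.split(" - ")]
    return Entry(section, fields, triage(section, fields))


def triage_log(text):
    """All entries in the log that picked up at least one flag, in log order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e and e.flags]


def summarize(entries):
    """Count how many flagged entries carry each flag."""
    counts = {}
    for e in entries:
        for f in e.flags:
            counts[f] = counts.get(f, 0) + 1
    return counts


# Sample lines taken from the HijackThis log posted above (constructed excerpt).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1025B63-5F68-4DCF-B7D4-372946A01791}: NameServer = 221.113.139.138 61.207.11.154
O23 - Service: HITACHI HPEPGRD (HPEPGRD) - Unknown owner - C:\Program Files\HITACHI\Prius Navistation\HPEPGRD.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown owner - C:\WINDOWS\apihp32.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(entry.section, entry.fields[0], "->", ", ".join(entry.flags))
```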

#15 Siggyx

Posted 08 January 2006 - 09:10 AM

Step#1:Restore Deleted System Files

Now we need to see if we need to restore some deleted files: Please check for the following files using the Windows Search Engine:
  • control.exe
  • rundll32.exe
  • wmplayer.exe
  • msconfig.exe
  • notepad.exe
  • shell.dll
  • SDHelper.dll
If any are missing or not working properly then you can download new copies from Merijn's Files and follow the instructions at that site to have them where they belong for your OS.
  • If you are having any difficulty with Notepad, please go to Merijn's Files and choose 'Windows Files' from the menu on the left hand side of the page. Then choose 'Notepad' from the list and download it to C:\Windows and C:\Windows\System32
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • This infection often deletes some system files that need to be replaced. The most frequent one it deletes is shell.dll in Win2K or XP. In XP there are two copies of this file, one in Windows (WINNT) and one in Windows\System32. It does not delete the one in Windows\System so it does not affect Win9x/ME. If you find it missing, please copy the shell.dll from c:\windows\system32\dllcache into both \Windows (WINNT) and Windows\System32 .
  • The other system file which is most frequently deleted is control.exe. Please check to make sure that you have this file and it is the correct size. If not, please check for the existence of this file by going to Merijn's Files (sdhelper) and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to the information at this website. The control.exe is more often deleted in Win9x/ME.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
Step#2:Download CCleaner
  • Download Ccleaner to clean temp files from your computer.
  • Double click on Ccleaner to install the program, with its default settings, selecting language and agreeing to the license agreement.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • Click Options > Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours".

Step#3:Complete An Online AntiVirus Scan

Run an online antivirus scan at:

Trend Micro-Housecall Online AV

Reboot

Step#4:Find the Infected Files On Your Hard Drive
  • Navigate to C:\Windows
  • look for files that were created at the approximate time and date as the infection occurred.
  • look for those that end in exe, DAT and DLL and if found, right click on the file and check properties. Legitimate files should be copyrighted by Microsoft
  • if you determine they are bad files, right click on them and choose delete
  • Navigate to C:\Windows\System or C:\Windows\System32 (depending on the OS) and repeat each of the above steps to check for those ending in exe, DAT and/or DLL
  • if the above files will not delete, then make a new folder on your desktop by right clicking on the desktop and choosing New > Folder. Name the folder CWS Files.
  • Move the files from C:\Windows or C:\Windows\System or C:\Windows\system32 to the new folder CWS Files.
Step#5:Using your Windows CD to replace System Files

** In cases where many system files are missing you have no alternative but to insert your Windows OS disk and run sfc /scannow from the Run box if able, or from Recovery Console if you are not able to get into Windows.



Step#6:Scan And Post a New HijackThis Log

1. Scan again with HijackThis

2. POST your log file using Add Reply to see what is left to fix.
