If you must, you can lock this if you deem necessary, but please do not delete. I need someone to see this, and I'm having extremely strange errors getting this to show up properly elsewhere.
Thanks
PBHewitt
These steps must be done, and must be done in this order for the fix to work.
Please read through them first and make sure you understand.
If you have any questions, even if you think it is dumb, do not hesitate to ask.
These instructions aren't as overwhelming as they may look.
If you miss a step or do something wrong, we will just have to start over, no big deal, so relax and take your time!
STEP 1
Turn off System Restore: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Start Windows in Safe Mode by pressing F8 as the computer is booting and choosing Safe Mode.
For this fix to work, we HAVE to be in Safe Mode: http://www.bleepingcomputer.com/forums/index.php?showtutorial=61
STEP 2
* Right-click on My Computer
* Choose Manage
* Double-click on Services and Applications
* Click on Services
* In the right-hand column find "Remote Procedure Call (RPC) Helper", and double-click on it
(in Safe Mode this may already be stopped)
* Choose Stop
* Set the Startup Type to Disabled
* Click OK
* Close the Computer Management window
There are 2 other RPC services. Leave those alone.
Only stop and disable Remote Procedure Call (RPC) Helper.
STEP 3
Run HJT
Place a check next to these entries, if they still exist:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINXP\system32\axmys.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINXP\system32\axmys.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINXP\system32\axmys.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINXP\system32\axmys.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINXP\system32\axmys.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINXP\system32\axmys.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINXP\system32\axmys.dll/sp.html#14044
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINXP\System32\Userinit.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {FE88300A-81B1-4D60-1B11-46041255D042} - C:\WINXP\system32\apitt32.dll
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [Narrator] C:\WINXP\System32\iuiqqy.exe
O4 - HKLM\..\Run: [syssb.exe] C:\WINXP\system32\syssb.exe
O4 - HKLM\..\Run: [1C9.tmp] C:\DOCUME~1\PAUL~1.NET\LOCALS~1\Temp\1C9.tmp.exe 0 10001
O4 - HKLM\..\Run: [ntechin] C:\WINXP\system32\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINXP\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [kalvsys] C:\winxp\system32\kalvcup32.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...8ab2292e6aa4d79
O16 - DPF: {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8} (HHCtrl Object) - http://206.161.207.9...dexe/hhctrl.ocx
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topcon...vex/loader2.ocx
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINXP\javaze32.exe (file missing)
Close ALL windows, including this one, and click on "Fix Checked"
STEP 4
Close HiJackThis and run About:Buster. Follow the directions and have the program search the system for offending files and remove them.
****If you run About:Buster and receive an error about a missing MSCOMCTL.OCX file, click on the following link to download a program to restore the file.
http://www.javacoolsoftware.net/downloads/missingfilesetup.exe
STEP 5
Now we must delete the offending files
Go to C:\WINXP and delete these files:
ippu32.exe
javaze32.exe
Go to C:\WINXP\system32 and delete the following files:
apitt32.dll
axmys.dll
iuiqqy.exe
kalvcup32.exe
n20050308.exe
syssb.exe
Delete this folder:
wsxsvc
Go to C:\Program Files and delete this folder:
VBouncer
Reboot, run your spyware scanners again, and post another HJT log please
Edited by DumbTerminal, 18 January 2005 - 10:58 AM.
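Added example, not part of the original post and not a HijackThis feature: a small Python triage pass over HijackThis-style log lines that flags the kinds of entries STEP 3 asks you to check. The sample lines are copied from the post; the function name `triage` and the heuristics are assumptions made for illustration.

```python
import re

# Sample lines copied from the HijackThis entries listed in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINXP\system32\axmys.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [Narrator] C:\WINXP\System32\iuiqqy.exe
O4 - HKLM\..\Run: [1C9.tmp] C:\DOCUME~1\PAUL~1.NET\LOCALS~1\Temp\1C9.tmp.exe 0 10001
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINXP\javaze32.exe (file missing)
"""

# Illustrative heuristics (assumptions), keyed on the HijackThis section code.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RES_URL = re.compile(r"= res://(.+?\.dll)/", re.I)
HOSTS = re.compile(r"^Hosts: (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")
RUN = re.compile(r"Run: \[(.+?)\] (.+)$")

def triage(log_text):
    """Return (code, reason, artifact) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and (r := RES_URL.search(body)):
            findings.append((code, "IE page loaded from a local DLL resource", r.group(1)))
        elif code == "O1" and (h := HOSTS.match(body)):
            if h.group(1) not in ("127.0.0.1", "0.0.0.0"):
                findings.append((code, "hosts file redirects a hostname", f"{h.group(2)} -> {h.group(1)}"))
        elif code == "O4" and (r := RUN.search(body)) and "\\temp\\" in r.group(2).lower():
            findings.append((code, "autorun launches from a Temp directory", r.group(2)))
        elif code == "O15":
            findings.append((code, "site or IP added to the Trusted Zone", body.partition(": ")[2]))
        elif code == "O23" and body.endswith("(file missing)"):
            findings.append((code, "service points at a missing binary", body))
    return findings

if __name__ == "__main__":
    for code, reason, artifact in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason}: {artifact}")
```

An O4 entry that does not launch from a Temp path (such as the `Narrator` line) is not flagged by these heuristics, so a pass like this narrows the log for a human reviewer rather than replacing the manual check in STEP 3.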