My Hijack This Log


This topic is locked
11 replies to this topic

#1 Galvin (New Member, 6 posts)

Posted 11 November 2005 - 01:15 PM

Hi,
hope you guys can help me, I'm at my wits' end! My IE explorer keeps crashing. I have a spyware infection from www.pcadprotector.cc

Thanks in advance ;)

Logfile of HijackThis v1.99.1
Scan saved at 19:08:15, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\addpg32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Advanced Security Level\newadmin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\winwe.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wttcp.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wttcp.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wttcp.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wttcp.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wttcp.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wttcp.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4D571E7A-BC7E-742B-7D52-B1DF949D095A} - C:\WINDOWS\system32\mfcnp32.dll
O2 - BHO: Class - {BD58BF8C-4ED8-E73A-BFC8-5C055B538F63} - C:\WINDOWS\system32\mfcnp32.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [apiht32.exe] C:\WINDOWS\apiht32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [winve32.exe] C:\WINDOWS\system32\winve32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sysom32.exe] C:\WINDOWS\sysom32.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [d3ct32.exe] C:\WINDOWS\d3ct32.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ipzq.exe] C:\WINDOWS\system32\ipzq.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [MediaPipeTrayIcon] "C:\Program Files\MediaPipe\MPTray.exe" /H
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00saskda] "C:\Program Files\Advanced Security Level\newadmin.exe" saskda
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [MediaPipe] "C:\Program Files\MediaPipe\MediaPipe.exe" /H
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sysin.exe] C:\WINDOWS\system32\sysin.exe
O4 - HKLM\..\Run: [javarg32.exe] C:\WINDOWS\javarg32.exe
O4 - HKLM\..\Run: [winwe.exe] C:\WINDOWS\system32\winwe.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{605C0C61-54B6-4C41-B324-BE70B377675C}: NameServer = 194.168.8.100,194.168.4.100
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\addpg32.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
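The following Python script is an added example; it is not code from this thread, from HijackThis, or from the forum's helpers. It encodes a few of the checks a log helper applies by eye to entries like those in the log above: IE search pages redirected to a res:// page inside a local DLL, wildcard ProxyOverride domains, unnamed "Class" BHOs, and autorun or service entries that point at random-named files dropped into C:\WINDOWS or System32. The sample entries are a dozen lines copied from the log above (benign Adobe, iTunes and iPod lines included so the rules can be seen leaving them alone); the RANDOM_NAME pattern is derived from the file names in this thread and is a triage hint, not a verdict on any file.

```python
import re
from dataclasses import dataclass

# Sample HijackThis entries copied from the first log in this thread
# (a dozen lines, not the whole log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wttcp.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4D571E7A-BC7E-742B-7D52-B1DF949D095A} - C:\WINDOWS\system32\mfcnp32.dll
O4 - HKLM\..\Run: [apiht32.exe] C:\WINDOWS\apiht32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\addpg32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    severity: str  # "high" or "info"
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


# Naming pattern of the dropped files seen in this thread: a familiar-looking
# prefix, two random lowercase letters, optional "32", then .dll/.exe.
# A triage hint only; it is not a verdict on the file.
RANDOM_NAME = re.compile(
    r"^(api|win|sys|ip|d3|mfc|cr|sdk|nt|java|add|atl|ie|ms|net)[a-z]{2}(32)?\.(dll|exe)$",
    re.IGNORECASE,
)
# First drive-letter path ending in .exe/.dll anywhere in the entry
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)


def extract_path(entry: str):
    m = PATH_RE.search(entry)
    return m.group(0) if m else None


def is_dropped_file(path: str) -> bool:
    # True for a random-named file sitting directly in C:\WINDOWS or System32,
    # or for any executable placed directly in the drive root.
    m = re.match(r"^[A-Za-z]:\\(?:WINDOWS\\(?:system32\\)?)?([^\\]+)$", path, re.IGNORECASE)
    if not m:
        return False
    in_root = "\\" not in path[3:]
    return in_root or bool(RANDOM_NAME.match(m.group(1)))


def triage_entry(entry: str):
    entry = entry.strip()
    if not entry:
        return None
    section = entry.split(" - ", 1)[0]
    path = extract_path(entry)
    low = entry.lower()

    if section in ("R0", "R1"):
        if "res://" in low:
            return Finding("high", section, "IE search/start page redirected to a res:// page inside a local DLL", entry)
        if "proxyoverride" in low and re.search(r"\*[\w.-]+\*", entry):
            return Finding("high", section, "ProxyOverride lists wildcard domains that bypass the proxy", entry)
    elif section == "R3" and "missing" in low:
        return Finding("info", section, "default URLSearchHook missing (commonly removed by search hijackers)", entry)
    elif section == "O2":
        unnamed = entry.startswith("O2 - BHO: Class -")
        if unnamed or (path and is_dropped_file(path)):
            return Finding("high", section, "BHO with no name and/or random-named DLL in the Windows directory", entry)
    elif section == "O4":
        if path and is_dropped_file(path):
            return Finding("high", section, "autorun entry launching a random-named or drive-root executable", entry)
    elif section == "O6":
        return Finding("info", section, "IE policy restrictions present (can stop the user undoing hijacked settings)", entry)
    elif section == "O23":
        name = entry[len("O23 - Service: "):].split(" - ")[0]
        garbage = re.search(r"[^\w\s!().,/-]", name) is not None
        if garbage or (path and is_dropped_file(path)):
            return Finding("high", section, "service with garbage display name and/or random-named binary", entry)
    return None


def triage(log_text: str):
    return [f for f in (triage_entry(line) for line in log_text.splitlines()) if f]


def summary(log_text: str):
    findings = triage(log_text)
    return {
        "high": sum(1 for f in findings if f.severity == "high"),
        "info": sum(1 for f in findings if f.severity == "info"),
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.reason}\n        {f.line}")
```

Running it lists the eight flagged entries (six high, two informational) and leaves the Adobe, iTunes and iPod lines alone; a full log can be pasted into SAMPLE_LOG or read from a file. Because the rules key on file names and registry locations rather than on file hashes, they point a reader at the entries worth investigating; they do not decide what to remove.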



#2 Galvin (New Member, 6 posts)

Posted 11 November 2005 - 09:09 PM

Is there a straightforward program that can get rid of this joke? I'm so angry... I wana beat the S*it outta the peeps who make this!!!!!!!

#3 LDTate (Forum God, Root Admin, 57,172 posts)

Posted 18 November 2005 - 07:00 PM

Hello Galvin, welcome to the forum. Sorry about the delay in responding :( If you still need help, scan again with HijackThis and copy/paste a new log file into this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 


Proud graduate of TC/WTT Classroom

 


#4 Galvin (New Member, 6 posts)

Posted 21 November 2005 - 09:15 AM

Hi,
thank you for the reply! Here it is...


Logfile of HijackThis v1.99.1
Scan saved at 17:14:43, on 20/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysjq32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MediaPipe\MPTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Advanced Security Level\newadmin.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\ipnb32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\MediaPipe\DownloadManager.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\User\Desktop\sniff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bhbsj.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bhbsj.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bhbsj.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bhbsj.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bhbsj.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bhbsj.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0155F0FD-B763-E202-7DD5-FD3E8D258B75} - C:\WINDOWS\system32\crpb32.dll
O2 - BHO: Class - {0678BD57-7926-2CB9-09D4-78CBB306F3AF} - C:\WINDOWS\system32\iefg32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {089D9145-FEBB-50AC-FF3F-B6FA52F8C65F} - C:\WINDOWS\system32\apigq.dll
O2 - BHO: Class - {091F1994-2589-E2A5-3267-A7E14CC24368} - C:\WINDOWS\system32\winru32.dll
O2 - BHO: Class - {094EDED8-1F6C-995C-6754-A544D7EA188B} - C:\WINDOWS\system32\crbr32.dll
O2 - BHO: Class - {0D064D84-ED78-BC93-66E2-030B7A926E0F} - C:\WINDOWS\system32\winkj.dll
O2 - BHO: Class - {12564B4A-41D2-B01D-CDF5-CBD849C16E3B} - C:\WINDOWS\system32\syszu.dll
O2 - BHO: Class - {14B627E8-FA46-6393-8D1A-01478E0D9C0A} - C:\WINDOWS\ntoh32.dll
O2 - BHO: Class - {17073AF1-08D6-F8D3-0714-F9848611EE72} - C:\WINDOWS\d3vn32.dll
O2 - BHO: Class - {194D318E-8F3D-B56A-8261-1EB7AB551831} - C:\WINDOWS\system32\mfcnp32.dll
O2 - BHO: Class - {1C57E571-0B87-8702-2AAF-E058D58BEE62} - C:\WINDOWS\system32\apirk.dll
O2 - BHO: Class - {1D0149CD-8604-9933-EB4E-07E5E97FD030} - C:\WINDOWS\system32\crux.dll
O2 - BHO: Class - {204CF7AD-DECD-3393-D1C2-CF61EC78EE41} - C:\WINDOWS\ipzz32.dll
O2 - BHO: Class - {22B4B257-69AE-8C5F-DBD2-FA0E6A98AA9E} - C:\WINDOWS\system32\d3eh32.dll
O2 - BHO: Class - {241DEE3C-B08A-3388-53C6-B2DB4CC5C2A6} - C:\WINDOWS\system32\sdkov.dll
O2 - BHO: Class - {242B601C-A745-B77C-C932-0DC0FDD0D3DF} - C:\WINDOWS\mfcaw32.dll
O2 - BHO: Class - {2843DBFB-EF1A-9CD0-8BD8-6C594E3D26F7} - C:\WINDOWS\system32\d3fh32.dll
O2 - BHO: Class - {2B073C66-A72B-1166-86D6-0AD290B7868D} - C:\WINDOWS\system32\winml32.dll
O2 - BHO: Class - {2CFEC154-1E18-8A30-5463-8A3A27DAB092} - C:\WINDOWS\msep.dll
O2 - BHO: Class - {2D51453B-7BB4-30D4-30E3-86BD9FBD6263} - C:\WINDOWS\system32\mfcsw32.dll
O2 - BHO: Class - {306F8479-A75A-9D8E-3C63-AD58B0678A6A} - C:\WINDOWS\system32\apiqi.dll
O2 - BHO: Class - {3233BB7C-36A8-174F-E368-2B49E6729088} - C:\WINDOWS\sdkib32.dll
O2 - BHO: Class - {342AC8C9-5C5C-97C1-007F-0CAC5ADE9FBE} - C:\WINDOWS\system32\winzx32.dll
O2 - BHO: Class - {3708D630-F75A-A94E-CC74-1A00A8A13D28} - C:\WINDOWS\system32\winge32.dll
O2 - BHO: Class - {39652FC9-57E8-9F1F-F728-8F55D9E5F49F} - C:\WINDOWS\crco32.dll
O2 - BHO: Class - {397908D2-036A-0DE2-011B-1BFB800C4920} - C:\WINDOWS\system32\apibi32.dll
O2 - BHO: Class - {3BB11C70-4057-10E3-BD51-1DC5B80B3E69} - C:\WINDOWS\ntcr.dll
O2 - BHO: Class - {3F300A97-6990-3673-92B7-FCDF52055C5F} - C:\WINDOWS\system32\sysrr.dll
O2 - BHO: Class - {49B2AC5F-DF52-2AA0-9B7C-1E928535C509} - C:\WINDOWS\system32\ntny32.dll
O2 - BHO: Class - {4D571E7A-BC7E-742B-7D52-B1DF949D095A} - C:\WINDOWS\system32\mfcnp32.dll
O2 - BHO: Class - {513F6EAA-2122-D8F1-1E93-77F1B9D55F4B} - C:\WINDOWS\d3nf32.dll
O2 - BHO: Class - {5655D1F2-041F-172B-24A6-490B92FF5C0F} - C:\WINDOWS\crht32.dll
O2 - BHO: Class - {56CC0A27-27B4-C934-2722-3683C7345708} - C:\WINDOWS\msjs32.dll
O2 - BHO: Class - {595AD4D2-88BB-5563-8BB4-F6F7AC5BB382} - C:\WINDOWS\msdt32.dll
O2 - BHO: Class - {596F8480-AF4D-1795-88F6-07ABB014B3CF} - C:\WINDOWS\crog.dll
O2 - BHO: Class - {5D29CB91-A959-E2C1-4346-FA68E60B26EB} - C:\WINDOWS\ipqq.dll
O2 - BHO: Class - {61A19654-5071-5564-29B1-D7DBEE649BEC} - C:\WINDOWS\javafe32.dll
O2 - BHO: Class - {6313DEB7-5E59-B01E-F21E-1BD762F81D56} - C:\WINDOWS\system32\iepu.dll
O2 - BHO: Class - {64A6ABE0-9644-5928-19BA-9CBAE0E5D13F} - C:\WINDOWS\sdkwp32.dll
O2 - BHO: Class - {67869D7A-2851-0964-90C2-54058A2E2EF3} - C:\WINDOWS\system32\mfcnp32.dll
O2 - BHO: Class - {68761E0C-A678-2B1F-4293-E427E94D1A2D} - C:\WINDOWS\system32\ipqd.dll
O2 - BHO: Class - {7352F9CD-FC2A-F515-BFD2-D01E88963271} - C:\WINDOWS\system32\winfl.dll
O2 - BHO: Class - {773BCC80-D9FF-7281-852F-435394A76511} - C:\WINDOWS\d3wz32.dll
O2 - BHO: Class - {788C0572-33EA-961D-24F5-28553EE7D97A} - C:\WINDOWS\system32\mfcgv.dll
O2 - BHO: Class - {7F1738DF-16B2-2588-2CDC-480A65E50CC6} - C:\WINDOWS\system32\d3au.dll
O2 - BHO: Class - {8650B9FD-D511-3B3C-53C7-3F446E18261C} - C:\WINDOWS\d3ud32.dll
O2 - BHO: Class - {871E5A19-66EB-CF29-CC81-77FC95375D97} - C:\WINDOWS\javajp32.dll
O2 - BHO: Class - {87894D8F-1983-7E1F-2872-909898706544} - C:\WINDOWS\atlfc32.dll
O2 - BHO: Class - {8C98D882-BFED-4A96-D6BA-1A0B794BCAF3} - C:\WINDOWS\system32\apped.dll
O2 - BHO: Class - {8D2AB820-4792-EC0B-EEC6-7066F20405E7} - C:\WINDOWS\system32\atlpo.dll
O2 - BHO: Class - {910C0916-F0CB-AF9F-5171-D6E388933C0A} - C:\WINDOWS\system32\addfr.dll
O2 - BHO: Class - {91E5A31C-9AF6-4028-F497-B5396DFA97B8} - C:\WINDOWS\system32\javabe32.dll
O2 - BHO: Class - {94FA4010-B3F3-C483-2777-51238C74EE13} - C:\WINDOWS\javazk.dll
O2 - BHO: Class - {958E0E4F-AED0-880A-9D7C-3E7D9ECC21F3} - C:\WINDOWS\addqt.dll
O2 - BHO: Class - {96238F7D-6165-13E6-0307-788481765169} - C:\WINDOWS\atlhv.dll
O2 - BHO: Class - {9883DB10-208B-086B-8A21-D0FFA737138A} - C:\WINDOWS\system32\winqa32.dll
O2 - BHO: Class - {9AB504D8-11C6-8294-FA52-67AB6C5871F1} - C:\WINDOWS\mfcvg32.dll
O2 - BHO: Class - {9B6F61D4-C995-3451-2DBF-E3A22ACA0DC7} - C:\WINDOWS\system32\d3va32.dll
O2 - BHO: Class - {A007B569-AF4B-EEC3-0057-BC0D905A477E} - C:\WINDOWS\mfchc.dll
O2 - BHO: Class - {A3DCA507-69A8-E89C-A6A4-D014B89CE2B4} - C:\WINDOWS\system32\addgs32.dll
O2 - BHO: Class - {A4F44AA0-9FEC-4E35-454E-9966C5BAB81B} - C:\WINDOWS\system32\apisz.dll
O2 - BHO: Class - {A757209F-1F9F-F6A7-A30C-E09315CE6233} - C:\WINDOWS\ntmn32.dll
O2 - BHO: Class - {A758BCB9-66D2-5737-DE37-3927CE58D302} - C:\WINDOWS\iebn32.dll
O2 - BHO: Class - {A767C372-E131-DC66-D1AB-430AD36BFD03} - C:\WINDOWS\system32\sysvr.dll
O2 - BHO: Class - {A99FCEAE-E73D-1759-13F7-705AC2B13F02} - C:\WINDOWS\ipgt32.dll
O2 - BHO: Class - {AAAC44A7-C8D0-C739-742C-04D0EE463142} - C:\WINDOWS\system32\msdd.dll
O2 - BHO: Class - {ABC23547-BA3A-DB26-3992-2E060D9FCC37} - C:\WINDOWS\system32\netjd32.dll
O2 - BHO: Class - {ABFBD598-C8BC-E4D2-0D9D-C44B013EAEF1} - C:\WINDOWS\system32\atlzn32.dll
O2 - BHO: Class - {AC0966F9-9343-A74E-2826-7AC2FAD8C372} - C:\WINDOWS\javazt32.dll
O2 - BHO: Class - {AC426F98-029C-D066-D1F6-847B9E676227} - C:\WINDOWS\system32\nttj32.dll
O2 - BHO: Class - {AF2EB4D4-A0C1-3ADB-30D6-6AA430E5C447} - C:\WINDOWS\system32\sdkmm32.dll
O2 - BHO: Class - {B156A458-18EC-3B14-7E38-16FB67C2D604} - C:\WINDOWS\system32\iero32.dll
O2 - BHO: Class - {B264BD6E-DBFC-36A5-E38B-227DFE3A044B} - C:\WINDOWS\system32\javaet32.dll
O2 - BHO: Class - {B3233DD8-5126-822F-4309-0905961D0283} - C:\WINDOWS\crlw32.dll
O2 - BHO: Class - {B86BEFD1-FD7B-BF76-1007-90B9084541C0} - C:\WINDOWS\system32\winfg32.dll
O2 - BHO: Class - {B99E436C-32CA-4D17-8A2E-6EDD227AC75B} - C:\WINDOWS\system32\javard32.dll
O2 - BHO: Class - {BA5A91EC-2B2A-2B49-C41E-E07C3952DB06} - C:\WINDOWS\winoh32.dll
O2 - BHO: Class - {BAA30FC7-144C-D511-86B0-B4821F6A694B} - C:\WINDOWS\ipnb32.dll
O2 - BHO: Class - {BD58BF8C-4ED8-E73A-BFC8-5C055B538F63} - C:\WINDOWS\system32\mfcnp32.dll
O2 - BHO: Class - {C088C334-B86C-344C-0F4B-E6396812E3BB} - C:\WINDOWS\addjm32.dll
O2 - BHO: Class - {C15F1819-BE5E-881E-A0AD-33B9A896263E} - C:\WINDOWS\system32\crwo.dll
O2 - BHO: Class - {C2B4381A-624D-8F51-B758-89C0C91258DE} - C:\WINDOWS\ieyw32.dll
O2 - BHO: Class - {C3C39663-C7CE-963C-4C1A-AB55FEDF99E0} - C:\WINDOWS\system32\netae32.dll
O2 - BHO: Class - {C69FBFD4-BD49-D7B4-B94F-E7FBE1F1A212} - C:\WINDOWS\ipwn.dll
O2 - BHO: Class - {C7424DA8-E366-B763-AEE8-1DD605AC38B7} - C:\WINDOWS\system32\addym.dll
O2 - BHO: Class - {C74D3E65-EAED-319D-CFBD-18C81C5D9AD1} - C:\WINDOWS\system32\d3bh.dll
O2 - BHO: Class - {CC67C393-741E-9B61-DB09-E37FD3F55B9B} - C:\WINDOWS\system32\ntxt32.dll
O2 - BHO: Class - {CE91F604-199F-7882-72AB-B4D8255E7E3A} - C:\WINDOWS\system32\sdkbr.dll
O2 - BHO: Class - {D006F3DF-6883-5152-C428-17EFD3009EF0} - C:\WINDOWS\system32\apile32.dll
O2 - BHO: Class - {D12625AE-A957-757E-90B7-0FFA44B59314} - C:\WINDOWS\apisp32.dll
O2 - BHO: Class - {D16792AD-2C2E-4FCB-872C-0EE369121171} - C:\WINDOWS\msdr32.dll
O2 - BHO: Class - {D259260E-E911-1A3A-BEE3-5E850E986740} - C:\WINDOWS\system32\ipug32.dll
O2 - BHO: Class - {D6EE8803-4313-1DDF-936A-FED80B30DA36} - C:\WINDOWS\d3xu32.dll
O2 - BHO: Class - {D7AADEDD-97A8-C970-FA3A-C2E0C1831A77} - C:\WINDOWS\crfm32.dll
O2 - BHO: Class - {DB020AF9-841B-9034-C5AE-896313657679} - C:\WINDOWS\system32\msnw.dll
O2 - BHO: Class - {DC9FB4E0-35CF-8D4C-628B-3690884983C2} - C:\WINDOWS\system32\ipct32.dll
O2 - BHO: Class - {DF681A51-5F05-1F39-036E-D1C704F8F568} - C:\WINDOWS\ipnq32.dll
O2 - BHO: Class - {E2EE63AA-6042-4A78-50B3-4072F042785E} - C:\WINDOWS\msoe32.dll
O2 - BHO: Class - {E2F6A992-AC4E-B9AA-BEDD-46A226F805F4} - C:\WINDOWS\system32\ipbv32.dll
O2 - BHO: Class - {E3C75ADD-28CA-1552-C53A-CB5117FD483C} - C:\WINDOWS\winda.dll
O2 - BHO: Class - {E7DCC3C1-4EF2-ECF2-1C50-115122B2941F} - C:\WINDOWS\javazl32.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Class - {EADD5986-0880-D4A7-5AF8-F6A41A46F8BA} - C:\WINDOWS\sysxy.dll
O2 - BHO: Class - {EAF52E39-F0F9-7652-DA70-CAD2851543E8} - C:\WINDOWS\system32\winon32.dll
O2 - BHO: Class - {EC341F61-0A1A-E928-100B-606855DB07DD} - C:\WINDOWS\system32\sdkuh32.dll
O2 - BHO: Class - {F24066EC-902B-5FD0-38BE-FCBA8F762791} - C:\WINDOWS\winpy32.dll
O2 - BHO: Class - {F4D82940-3A2E-CD27-8A26-E7D9A6550B86} - C:\WINDOWS\system32\winql.dll
O2 - BHO: Class - {F53EC50C-1736-5E28-E668-CFFB2AA3AE8D} - C:\WINDOWS\mfcix32.dll
O2 - BHO: Class - {F5F0086E-C12D-DA23-939A-802FE220ADD3} - C:\WINDOWS\netpr.dll
O2 - BHO: Class - {FA15DBFA-F8BD-F7B5-963F-843B8521ECF0} - C:\WINDOWS\crho32.dll
O2 - BHO: Class - {FB33A6C8-433D-5DBC-4293-C2A5BAD25729} - C:\WINDOWS\system32\netwc32.dll
O2 - BHO: Class - {FBCF6E0D-1AF5-D96F-B349-56D9EDAA0913} - C:\WINDOWS\mswp.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [apiht32.exe] C:\WINDOWS\apiht32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winve32.exe] C:\WINDOWS\system32\winve32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sysom32.exe] C:\WINDOWS\sysom32.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [d3ct32.exe] C:\WINDOWS\d3ct32.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ipzq.exe] C:\WINDOWS\system32\ipzq.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [MediaPipeTrayIcon] "C:\Program Files\MediaPipe\MPTray.exe" /H
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00saskda] "C:\Program Files\Advanced Security Level\newadmin.exe" saskda
O4 - HKLM\..\Run: [MediaPipe] "C:\Program Files\MediaPipe\MediaPipe.exe" /H
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sysin.exe] C:\WINDOWS\system32\sysin.exe
O4 - HKLM\..\Run: [javarg32.exe] C:\WINDOWS\javarg32.exe
O4 - HKLM\..\Run: [winwe.exe] C:\WINDOWS\system32\winwe.exe
O4 - HKLM\..\Run: [netpj.exe] C:\WINDOWS\system32\netpj.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [ipnb32.exe] C:\WINDOWS\ipnb32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{605C0C61-54B6-4C41-B324-BE70B377675C}: NameServer = 194.168.8.100,194.168.4.100
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\sysjq32.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#5 LDTate (Forum God, Root Admin, 57,172 posts)

Posted 21 November 2005 - 04:28 PM

Download CW-Shredder at the link below (don't run it yet):
http://www.trendmicr.../cwshredder.exe

Download 'SpSeHjfix' into a folder (don't run it yet).

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


Make sure you know how to boot into Safe Mode.

Reboot into Safe Mode.

Disconnect from the net and close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

Now run the Shredder - hit the FIX button!

Reboot and repeat the process above, starting with "Reboot into Safe Mode".

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.




Run it in Safe Mode and run it twice.



#6 Galvin (New Member, 6 posts)

Posted 22 November 2005 - 08:25 PM

Hi,
here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 02:18:06, on 23/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysjq32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\anvshell.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MediaPipe\MPTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Advanced Security Level\newadmin.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\addxq32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\MediaPipe\DownloadManager.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ABC\abc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Desktop\sniff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qrfsh.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qrfsh.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qrfsh.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qrfsh.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qrfsh.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qrfsh.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0D064D84-ED78-BC93-66E2-030B7A926E0F} - C:\WINDOWS\system32\winkj.dll
O2 - BHO: Class - {194D318E-8F3D-B56A-8261-1EB7AB551831} - C:\WINDOWS\system32\mfcnp32.dll (file missing)
O2 - BHO: Class - {22B4B257-69AE-8C5F-DBD2-FA0E6A98AA9E} - C:\WINDOWS\system32\d3eh32.dll
O2 - BHO: Class - {2B073C66-A72B-1166-86D6-0AD290B7868D} - C:\WINDOWS\system32\winml32.dll
O2 - BHO: Class - {3233BB7C-36A8-174F-E368-2B49E6729088} - C:\WINDOWS\sdkib32.dll
O2 - BHO: Class - {397908D2-036A-0DE2-011B-1BFB800C4920} - C:\WINDOWS\system32\apibi32.dll
O2 - BHO: Class - {4D571E7A-BC7E-742B-7D52-B1DF949D095A} - C:\WINDOWS\system32\mfcnp32.dll (file missing)
O2 - BHO: Class - {595AD4D2-88BB-5563-8BB4-F6F7AC5BB382} - C:\WINDOWS\msdt32.dll
O2 - BHO: Class - {6313DEB7-5E59-B01E-F21E-1BD762F81D56} - C:\WINDOWS\system32\iepu.dll
O2 - BHO: Class - {7352F9CD-FC2A-F515-BFD2-D01E88963271} - C:\WINDOWS\system32\winfl.dll
O2 - BHO: Class - {7F1738DF-16B2-2588-2CDC-480A65E50CC6} - C:\WINDOWS\system32\d3au.dll
O2 - BHO: Class - {8C98D882-BFED-4A96-D6BA-1A0B794BCAF3} - C:\WINDOWS\system32\apped.dll
O2 - BHO: Class - {94FA4010-B3F3-C483-2777-51238C74EE13} - C:\WINDOWS\javazk.dll
O2 - BHO: Class - {9AB504D8-11C6-8294-FA52-67AB6C5871F1} - C:\WINDOWS\mfcvg32.dll
O2 - BHO: Class - {A4F44AA0-9FEC-4E35-454E-9966C5BAB81B} - C:\WINDOWS\system32\apisz.dll
O2 - BHO: Class - {A99FCEAE-E73D-1759-13F7-705AC2B13F02} - C:\WINDOWS\ipgt32.dll
O2 - BHO: Class - {AC0966F9-9343-A74E-2826-7AC2FAD8C372} - C:\WINDOWS\javazt32.dll
O2 - BHO: Class - {B264BD6E-DBFC-36A5-E38B-227DFE3A044B} - C:\WINDOWS\system32\javaet32.dll
O2 - BHO: Class - {BA5A91EC-2B2A-2B49-C41E-E07C3952DB06} - C:\WINDOWS\winoh32.dll
O2 - BHO: Class - {C15F1819-BE5E-881E-A0AD-33B9A896263E} - C:\WINDOWS\system32\crwo.dll
O2 - BHO: Class - {C7424DA8-E366-B763-AEE8-1DD605AC38B7} - C:\WINDOWS\system32\addym.dll
O2 - BHO: Class - {D006F3DF-6883-5152-C428-17EFD3009EF0} - C:\WINDOWS\system32\apile32.dll
O2 - BHO: Class - {D6EE8803-4313-1DDF-936A-FED80B30DA36} - C:\WINDOWS\d3xu32.dll
O2 - BHO: Class - {DC73983B-D030-AD00-8DD5-12322CEA9002} - C:\WINDOWS\atlqm32.dll
O2 - BHO: Class - {DD378CBC-121A-DB34-7F0F-4908520597CA} - C:\WINDOWS\system32\crzq32.dll
O2 - BHO: Class - {DF681A51-5F05-1F39-036E-D1C704F8F568} - C:\WINDOWS\ipnq32.dll
O2 - BHO: Class - {E7DCC3C1-4EF2-ECF2-1C50-115122B2941F} - C:\WINDOWS\javazl32.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Class - {F24066EC-902B-5FD0-38BE-FCBA8F762791} - C:\WINDOWS\winpy32.dll
O2 - BHO: Class - {FA15DBFA-F8BD-F7B5-963F-843B8521ECF0} - C:\WINDOWS\crho32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winve32.exe] C:\WINDOWS\system32\winve32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [sysom32.exe] C:\WINDOWS\sysom32.exe
O4 - HKLM\..\Run: [d3ct32.exe] C:\WINDOWS\d3ct32.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [MediaPipeTrayIcon] "C:\Program Files\MediaPipe\MPTray.exe" /H
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00saskda] "C:\Program Files\Advanced Security Level\newadmin.exe" saskda
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [sysin.exe] C:\WINDOWS\system32\sysin.exe
O4 - HKLM\..\Run: [winwe.exe] C:\WINDOWS\system32\winwe.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [addxq32.exe] C:\WINDOWS\addxq32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{605C0C61-54B6-4C41-B324-BE70B377675C}: NameServer = 194.168.8.100,194.168.4.100
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\sysjq32.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe



And here's the SpSeHjfix log:

(11/22/05 19:23:55) SPSeHjFix started v1.1.2
(11/22/05 19:23:55) OS: WinXP Service Pack 2 (5.1.2600)
(11/22/05 19:23:55) Language: english
(11/22/05 19:23:55) Win-Path: C:\WINDOWS
(11/22/05 19:23:55) System-Path: C:\WINDOWS\system32
(11/22/05 19:23:55) Temp-Path: C:\DOCUME~1\User\LOCALS~1\Temp\
(11/22/05 19:23:57) Disinfection started
(11/22/05 19:23:57) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:23:57) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:23:57) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:23:57) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\bhbsj.dll/sp.html#17702
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\system32\bhbsj.dll/sp.html#17702
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\bhbsj.dll/sp.html#17702
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\system32\bhbsj.dll/sp.html#17702
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\system32\bhbsj.dll/sp.html#17702
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\system32\bhbsj.dll/sp.html#17702
(11/22/05 19:23:57) Stealth-String not found
(11/22/05 19:23:57) No locked Files to delete. End without Reboot
(11/22/05 19:24:42) Disinfection started
(11/22/05 19:24:42) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:42) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:42) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:42) Bad IE-pages: (none)
(11/22/05 19:24:42) Stealth-String not found
(11/22/05 19:24:42) No locked Files to delete. End without Reboot
(11/22/05 19:24:46) Disinfection started
(11/22/05 19:24:46) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:46) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:46) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:46) Bad IE-pages: (none)
(11/22/05 19:24:46) Stealth-String not found
(11/22/05 19:24:46) No locked Files to delete. End without Reboot
(11/22/05 19:24:46) Disinfection started
(11/22/05 19:24:46) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:46) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:46) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:46) Bad IE-pages: (none)
(11/22/05 19:24:46) Stealth-String not found
(11/22/05 19:24:46) No locked Files to delete. End without Reboot
(11/22/05 19:24:46) Disinfection started
(11/22/05 19:24:46) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:46) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:46) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:46) Bad IE-pages: (none)
(11/22/05 19:24:46) Stealth-String not found
(11/22/05 19:24:46) No locked Files to delete. End without Reboot
(11/22/05 19:24:47) Disinfection started
(11/22/05 19:24:47) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) Bad IE-pages: (none)
(11/22/05 19:24:47) Stealth-String not found
(11/22/05 19:24:47) No locked Files to delete. End without Reboot
(11/22/05 19:24:47) Disinfection started
(11/22/05 19:24:47) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) Bad IE-pages: (none)
(11/22/05 19:24:47) Stealth-String not found
(11/22/05 19:24:47) No locked Files to delete. End without Reboot
(11/22/05 19:24:47) Disinfection started
(11/22/05 19:24:47) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) Bad IE-pages: (none)
(11/22/05 19:24:47) Stealth-String not found
(11/22/05 19:24:47) No locked Files to delete. End without Reboot
(11/22/05 19:24:47) Disinfection started
(11/22/05 19:24:47) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) Bad IE-pages: (none)
(11/22/05 19:24:47) Stealth-String not found
(11/22/05 19:24:47) No locked Files to delete. End without Reboot
(11/22/05 19:24:47) Disinfection started
(11/22/05 19:24:47) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) Bad IE-pages: (none)
(11/22/05 19:24:47) Stealth-String not found
(11/22/05 19:24:47) No locked Files to delete. End without Reboot
(11/22/05 19:24:47) Disinfection started
(11/22/05 19:24:47) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:47) Bad IE-pages: (none)
(11/22/05 19:24:47) Stealth-String not found
(11/22/05 19:24:47) No locked Files to delete. End without Reboot
(11/22/05 19:24:48) Disinfection started
(11/22/05 19:24:48) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:48) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:48) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:48) Bad IE-pages: (none)
(11/22/05 19:24:48) Stealth-String not found
(11/22/05 19:24:48) No locked Files to delete. End without Reboot
(11/22/05 19:24:48) Disinfection started
(11/22/05 19:24:48) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:48) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:48) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:48) Bad IE-pages: (none)
(11/22/05 19:24:48) Stealth-String not found
(11/22/05 19:24:48) No locked Files to delete. End without Reboot
(11/22/05 19:24:48) Disinfection started
(11/22/05 19:24:48) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:48) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:48) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:48) Bad IE-pages: (none)
(11/22/05 19:24:48) Stealth-String not found
(11/22/05 19:24:48) No locked Files to delete. End without Reboot
(11/22/05 19:24:48) Disinfection started
(11/22/05 19:24:48) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:48) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:48) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:48) Bad IE-pages: (none)
(11/22/05 19:24:48) Stealth-String not found
(11/22/05 19:24:48) No locked Files to delete. End without Reboot
(11/22/05 19:24:48) Disinfection started
(11/22/05 19:24:48) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:49) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:49) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:49) Bad IE-pages: (none)
(11/22/05 19:24:49) Stealth-String not found
(11/22/05 19:24:49) No locked Files to delete. End without Reboot
(11/22/05 19:24:49) Disinfection started
(11/22/05 19:24:49) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:24:49) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:49) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:24:49) Bad IE-pages: (none)
(11/22/05 19:24:49) Stealth-String not found
(11/22/05 19:24:49) No locked Files to delete. End without Reboot
(11/22/05 19:25:08) Disinfection started
(11/22/05 19:25:08) Bad-Dll(IEP): c:\windows\system32\bhbsj.dll
(11/22/05 19:25:08) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:25:08) UBF: 4 - UBB: 113 - UBR: 38
(11/22/05 19:25:08) Bad IE-pages: (none)
(11/22/05 19:25:08) Stealth-String not found
(11/22/05 19:25:08) No locked Files to delete. End without Reboot


(11/22/05 19:28:48) SPSeHjFix started v1.1.2
(11/22/05 19:28:48) OS: WinXP Service Pack 2 (5.1.2600)
(11/22/05 19:28:48) Language: english
(11/22/05 19:28:48) Win-Path: C:\WINDOWS
(11/22/05 19:28:48) System-Path: C:\WINDOWS\system32
(11/22/05 19:28:48) Temp-Path: C:\DOCUME~1\User\LOCALS~1\Temp\
(11/22/05 19:28:50) Disinfection started
(11/22/05 19:28:50) Bad-Dll(IEP): (not found)
(11/22/05 19:28:50) Bad-Dll(IEP) in BHO: (not found)
(11/22/05 19:28:50) UBF: 4 - UBB: 28 - UBR: 26
(11/22/05 19:28:50) UBF: 4 - UBB: 28 - UBR: 26
(11/22/05 19:28:50) Bad IE-pages: (none)
(11/22/05 19:28:50) Stealth-String not found
(11/22/05 19:28:50) Not infected->END


thanks in advance

Michael

#7 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 22 November 2005 - 08:50 PM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find Workstation NetLogon Service or 11F#`I

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.






Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qrfsh.dll/sp.html#17702

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qrfsh.dll/sp.html#17702

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qrfsh.dll/sp.html#17702

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qrfsh.dll/sp.html#17702

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qrfsh.dll/sp.html#17702

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qrfsh.dll/sp.html#17702

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {0D064D84-ED78-BC93-66E2-030B7A926E0F} - C:\WINDOWS\system32\winkj.dll
O2 - BHO: Class - {194D318E-8F3D-B56A-8261-1EB7AB551831} - C:\WINDOWS\system32\mfcnp32.dll (file missing)
O2 - BHO: Class - {22B4B257-69AE-8C5F-DBD2-FA0E6A98AA9E} - C:\WINDOWS\system32\d3eh32.dll
O2 - BHO: Class - {2B073C66-A72B-1166-86D6-0AD290B7868D} - C:\WINDOWS\system32\winml32.dll
O2 - BHO: Class - {3233BB7C-36A8-174F-E368-2B49E6729088} - C:\WINDOWS\sdkib32.dll
O2 - BHO: Class - {397908D2-036A-0DE2-011B-1BFB800C4920} - C:\WINDOWS\system32\apibi32.dll
O2 - BHO: Class - {4D571E7A-BC7E-742B-7D52-B1DF949D095A} - C:\WINDOWS\system32\mfcnp32.dll (file missing)
O2 - BHO: Class - {595AD4D2-88BB-5563-8BB4-F6F7AC5BB382} - C:\WINDOWS\msdt32.dll
O2 - BHO: Class - {6313DEB7-5E59-B01E-F21E-1BD762F81D56} - C:\WINDOWS\system32\iepu.dll
O2 - BHO: Class - {7352F9CD-FC2A-F515-BFD2-D01E88963271} - C:\WINDOWS\system32\winfl.dll
O2 - BHO: Class - {7F1738DF-16B2-2588-2CDC-480A65E50CC6} - C:\WINDOWS\system32\d3au.dll
O2 - BHO: Class - {8C98D882-BFED-4A96-D6BA-1A0B794BCAF3} - C:\WINDOWS\system32\apped.dll
O2 - BHO: Class - {94FA4010-B3F3-C483-2777-51238C74EE13} - C:\WINDOWS\javazk.dll
O2 - BHO: Class - {9AB504D8-11C6-8294-FA52-67AB6C5871F1} - C:\WINDOWS\mfcvg32.dll
O2 - BHO: Class - {A4F44AA0-9FEC-4E35-454E-9966C5BAB81B} - C:\WINDOWS\system32\apisz.dll
O2 - BHO: Class - {A99FCEAE-E73D-1759-13F7-705AC2B13F02} - C:\WINDOWS\ipgt32.dll
O2 - BHO: Class - {AC0966F9-9343-A74E-2826-7AC2FAD8C372} - C:\WINDOWS\javazt32.dll
O2 - BHO: Class - {B264BD6E-DBFC-36A5-E38B-227DFE3A044B} - C:\WINDOWS\system32\javaet32.dll
O2 - BHO: Class - {BA5A91EC-2B2A-2B49-C41E-E07C3952DB06} - C:\WINDOWS\winoh32.dll
O2 - BHO: Class - {C15F1819-BE5E-881E-A0AD-33B9A896263E} - C:\WINDOWS\system32\crwo.dll
O2 - BHO: Class - {C7424DA8-E366-B763-AEE8-1DD605AC38B7} - C:\WINDOWS\system32\addym.dll
O2 - BHO: Class - {D006F3DF-6883-5152-C428-17EFD3009EF0} - C:\WINDOWS\system32\apile32.dll
O2 - BHO: Class - {D6EE8803-4313-1DDF-936A-FED80B30DA36} - C:\WINDOWS\d3xu32.dll
O2 - BHO: Class - {DC73983B-D030-AD00-8DD5-12322CEA9002} - C:\WINDOWS\atlqm32.dll
O2 - BHO: Class - {DD378CBC-121A-DB34-7F0F-4908520597CA} - C:\WINDOWS\system32\crzq32.dll
O2 - BHO: Class - {DF681A51-5F05-1F39-036E-D1C704F8F568} - C:\WINDOWS\ipnq32.dll
O2 - BHO: Class - {E7DCC3C1-4EF2-ECF2-1C50-115122B2941F} - C:\WINDOWS\javazl32.dll
O2 - BHO: Class - {F24066EC-902B-5FD0-38BE-FCBA8F762791} - C:\WINDOWS\winpy32.dll
O2 - BHO: Class - {FA15DBFA-F8BD-F7B5-963F-843B8521ECF0} - C:\WINDOWS\crho32.dll

O4 - HKLM\..\Run: [winve32.exe] C:\WINDOWS\system32\winve32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysom32.exe] C:\WINDOWS\sysom32.exe
O4 - HKLM\..\Run: [d3ct32.exe] C:\WINDOWS\d3ct32.exe
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [sysin.exe] C:\WINDOWS\system32\sysin.exe
O4 - HKLM\..\Run: [winwe.exe] C:\WINDOWS\system32\winwe.exe
O4 - HKLM\..\Run: [addxq32.exe] C:\WINDOWS\addxq32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\sysjq32.exe


Close ALL windows and browsers except HijackThis and click "Fix checked"





Restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.



delete these folders if listed:
C:\Program Files\p2pnetworks


delete these files if listed:
C:\WINDOWS\system32\winve32.exe
C:\WINDOWS\sysom32.exe
C:\WINDOWS\d3ct32.exe
C:\WINDOWS\system32\sysin.exe
C:\WINDOWS\system32\winwe.exe
C:\WINDOWS\addxq32.exe
C:\winstall.exe
C:\WINDOWS\sysjq32.exe


Open C:\Windows\Prefetch\ Delete ALL files in this folder.



Do this also if these Temp Folders are part of your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


Next navigate to the C:\Documents and Settings\(EVERY LISTED PROFILE USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

Proud graduate of TC/WTT Classroom
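As an added illustration of how the entries picked out above can be recognised in a HijackThis log (example code written for this thread, not code from the post or from HijackThis), the Python below applies the same heuristics: IE start/search settings pointing at sp.html inside a local DLL, anonymous "Class" BHOs loading DLLs straight from the Windows directory, Run values named after their own executable or launched from the drive root, and a service whose short name is not a plausible identifier. The sample lines are copied from the log above and padded with known-good entries; every rule is a triage hint for review, not proof of infection.

```python
"""Heuristic triage of a HijackThis 1.99 log for the about:blank / sp.html hijack
pattern in this thread. Added example; the rules select entries worth a look."""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the log above, padded with known-good
# entries (Adobe, Nero, iPod, SecuROM) that the rules must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qrfsh.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0D064D84-ED78-BC93-66E2-030B7A926E0F} - C:\WINDOWS\system32\winkj.dll
O2 - BHO: Class - {194D318E-8F3D-B56A-8261-1EB7AB551831} - C:\WINDOWS\system32\mfcnp32.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winve32.exe] C:\WINDOWS\system32\winve32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\sysjq32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""

# IE start/search settings pointing at sp.html inside a local DLL (res:// URL).
RES_HIJACK = re.compile(r"res://.*\.dll/sp\.html", re.I)
# A DLL or EXE sitting directly in C:\WINDOWS or C:\WINDOWS\system32.
WINDIR_FILE = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?[^\\]+\.(?:dll|exe)$", re.I)
# An EXE sitting in the root of a drive, e.g. C:\winstall.exe.
DRIVE_ROOT_EXE = re.compile(r"^[A-Z]:\\[^\\]+\.exe$", re.I)
# What a real service short name looks like (letters, digits, . _ -).
IDENTIFIER = re.compile(r"^[A-Za-z0-9_.\-]+$")

def exe_path(cmd: str) -> str:
    """Best-effort executable path from an HJT command field."""
    cmd = cmd.replace(" (file missing)", "").strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # HJT leaves a stray closing quote before the arguments on some service lines.
    return cmd.split('"', 1)[0].strip()

def check_r(rest: str) -> List[str]:
    # R0/R1 format: "<registry key>,<value name> = <data>"
    reasons = []
    key, _, value = rest.partition(" = ")
    if RES_HIJACK.search(value):
        reasons.append("IE page/search setting points at sp.html inside a local DLL")
    if key.endswith("Default_Page_URL") and value.strip().lower() == "about:blank":
        reasons.append("vendor default page overwritten with about:blank")
    if key.endswith("ProxyOverride"):
        hosts = [h.strip() for h in value.split(";") if h.strip() and h.strip() != "<local>"]
        if hosts:
            reasons.append("proxy bypass list names external domains: " + ", ".join(hosts))
    return reasons

def check_o2(rest: str) -> List[str]:
    # O2 format: "BHO: <name> - {CLSID} - <dll path>"
    parts = rest[len("BHO: "):].split(" - ")
    if len(parts) < 3:
        return []
    name, path = parts[0], parts[-1].replace(" (file missing)", "")
    if name == "Class" and WINDIR_FILE.match(path):
        return ["BHO has no registered name and loads a DLL straight from the Windows directory"]
    return []

def check_o4(rest: str) -> List[str]:
    # O4 format: "<hive>\..\Run: [<value name>] <command>"
    m = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", rest)
    if not m:
        return []
    reasons = []
    path = exe_path(m.group("cmd"))
    basename = path.rsplit("\\", 1)[-1]
    if m.group("name").lower() == basename.lower() and WINDIR_FILE.match(path):
        reasons.append("Run value is named after its own executable in the Windows directory")
    if DRIVE_ROOT_EXE.match(path):
        reasons.append("autostart executable sits in the drive root")
    return reasons

def check_o23(rest: str) -> List[str]:
    # O23 format: "Service: <display name> (<short name>) - <owner> - <path>"
    display = rest[len("Service: "):].split(" - ")[0]
    m = re.search(r"\(([^()]*)\)\s*$", display)
    if m and not IDENTIFIER.match(m.group(1)):
        return ["service short name %r is not a plausible identifier" % m.group(1)]
    return []

CHECKS = {"R0": check_r, "R1": check_r, "O2": check_o2, "O4": check_o4, "O23": check_o23}

def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every log line that trips at least one rule."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        code, sep, rest = line.strip().partition(" - ")
        reasons = CHECKS[code](rest) if sep and code in CHECKS else []
        if reasons:
            findings.append((line.strip(), reasons))
    return findings
```

`triage(SAMPLE_LOG)` flags eight of the twelve sample lines and leaves the Adobe, Nero, iPod and SecuROM entries alone; the same rules run unchanged over the second log posted further down.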

 


#8 Galvin

Galvin

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 24 November 2005 - 10:18 AM

Hi
I did exactly what you asked me to do and my computer is still infected. My home page is still about:blank and I still get popups. Also I get a fake Windows security message asking me to buy spyware software.

thanks again for your help!

Michael


Logfile of HijackThis v1.99.1
Scan saved at 16:17:13, on 24/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ipbt.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MediaPipe\MPTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Advanced Security Level\newadmin.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\sysei32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\MediaPipe\DownloadManager.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Desktop\sniff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...earch.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {070E57F1-C0C3-F8DE-3677-F53A0FB1DBD7} - C:\WINDOWS\system32\addwq32.dll
O2 - BHO: Class - {ABEF1F75-24D4-E9EF-DA8A-24EA88F827DA} - C:\WINDOWS\system32\addwq32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [MediaPipeTrayIcon] "C:\Program Files\MediaPipe\MPTray.exe" /H
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00saskda] "C:\Program Files\Advanced Security Level\newadmin.exe" saskda
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [netzj.exe] C:\WINDOWS\netzj.exe
O4 - HKLM\..\Run: [sysei32.exe] C:\WINDOWS\system32\sysei32.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{605C0C61-54B6-4C41-B324-BE70B377675C}: NameServer = 194.168.8.100,194.168.4.100
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipbt.exe" /s (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#9 Galvin

Galvin

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 25 November 2005 - 10:05 AM

bump...

#10 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 26 November 2005 - 03:13 PM

Step#1:Getting Ready

(the reason Wordpad was chosen is that Notepad is sometimes deleted by this variant)


Please save these instructions to WordPad so that you have them accessible while following the steps. You also may want to print out these directions as the Internet will not be available.

After downloading the tools, you must disconnect from the internet totally, because staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout as opening either will reinstall the infection.

To replace Internet Explorer to use during this fix, please use Internet Explorer once to download and install FireFox, to be used as your alternate browser throughout this fix.

Close Outlook Express and Internet Explorer for the duration of this fix


Please start by downloading the tools you will need to clean this infection. If you have a problem or question with any please continue to follow the list step by step to the end and ask the questions when you are asked to reply. Just be sure to let us know what the problem was when you finally reply.





Step#2:Show All Hidden Files

Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.
http://www.davehigha...ds/xphidden.zip




Step#3:Download CWShredder

1. Please Download the most recent version of CWShredder, from CWSInstall.exe

2. Check for Updates but please Do NOT use it yet


Step#4:Download About Buster


1. Please download About:Buster from here: http://www.malwareby...boutBuster5.zip.

2. Once it is downloaded extract it to c:\aboutbuster.

3. Check to make sure it is up-to-date. Please Do NOT use it yet


Step#5:Download HSfix.zip and Registrar Lite

1 . Download HSfix.zip and unzip it to your desktop:

http://users.telenet...files/HSfix.zip

It will probably create a folder for itself (it does on my XP system)

Please Do NOT use it yet


2. Another program to download is Registrar Lite for use later: Please download Registrar Lite and install it to C:\Program Files\RegLite\ . This is a registry editor that is very easy to use.


Please disconnect from the Internet




Step#6:Disable The Bad Service
  • Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE
  • Click on start > control panel > administrative programs > services. Look for a service called Remote Procedure Call . Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.
Step#7:Stop The Running Processes

(only for Win2k/XP)


Press control-alt-delete to get into the task manager and end the following processes if they exist:

C:\WINDOWS\system32\ipbt.exe
C:\WINDOWS\system32\netzj.exe
C:\WINDOWS\system32\sysei32.exe


Step#8:Use HijackThis to Delete About Blank

Open HJT and select Misc Tools, select delete a File on Reboot.

I now need you to delete the following files:

C:\WINDOWS\system32\ipbt.exe
C:\WINDOWS\netzj.exe
C:\WINDOWS\system32\sysei32.exe


If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.



Step#9:Cleaning With HijackThis

Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and click 'fix checked' button when ready (some may be gone after uninstalling some programs):


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\awgnd.dll/sp.html#17702

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {070E57F1-C0C3-F8DE-3677-F53A0FB1DBD7} - C:\WINDOWS\system32\addwq32.dll

O2 - BHO: Class - {ABEF1F75-24D4-E9EF-DA8A-24EA88F827DA} - C:\WINDOWS\system32\addwq32.dll

O4 - HKLM\..\Run: [netzj.exe] C:\WINDOWS\netzj.exe

O4 - HKLM\..\Run: [sysei32.exe] C:\WINDOWS\system32\sysei32.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipbt.exe" /s (file missing)


click "fix checked"




Step#10: Backup The Registry

In the next step we are going to remove a service that gets installed by this malware.

1. Open Registrar Lite and run it.

2. Copy and paste the bold text below into the address bar of Registrar Lite:(this is making a Registry backup for safety in case of error)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Go to File > Export and save as (in the C:\Program Files\Registrar Lite (Reglite) folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)
2.) Winkey.hiv (Save as type: Scroll to select regedt32/WinAPI *.hiv *.dat files)



Step#11: Delete the Registry Entries


Then double-click on the HSfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

You should get a message reporting that the changes were successfully merged.


Step#12:Fixing With CWShredder
  • CLOSE ALL WINDOWS except CWShredder
  • Run the program by clicking 'fix' and letting it fix all CWS remnants.
Step#13:Fixing With About Buster

This is the step where we will use About:Buster that you had downloaded previously.
  • Navigate to the c:\aboutbuster directory
  • double-click on aboutbuster.exe
  • When the tool opens press the OK button, then Start button, then the OK button
  • then finally the Yes button. It will start scanning your computer for files.
  • If it asks if you would like to do a second pass, allow it to do so.
  • Post the log file in your next reply
Step#14:Reboot System normally


Reboot your computer back to normal mode


Step#15:Scan and Post a New HJT log with other logs
  • Scan again with HijackThis. We still have a few steps to complete but a log file at this time would be helpful.

Reconnect To The Internet

  • Post both your log from About Buster and your HijackThis log here in this thread with any questions or problems that you have run into. There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
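As an added example (not part of this thread or the helper's tools), the following Python script turns the indicators the helper singled out above into triage rules over HijackThis log lines: res:// search-page redirects, an about:blank default page, a missing URLSearchHook, unnamed BHOs, Run entries named after their own executable, and services with garbled names or missing binaries. The sample entries are constructed from the log quoted in this thread plus two benign lines for contrast.

```python
import re

# Sample HijackThis entries, constructed from the log quoted earlier in this thread
# (the malicious ones the helper asked to fix) plus two benign entries for contrast.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\awgnd.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {070E57F1-C0C3-F8DE-3677-F53A0FB1DBD7} - C:\WINDOWS\system32\addwq32.dll
O4 - HKLM\..\Run: [netzj.exe] C:\WINDOWS\netzj.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ipbt.exe" /s (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

def parse_hjt_line(line):
    # Split "O4 - <body>" into (section, body); return None for non-entry lines.
    m = re.match(r"^([RFOAN]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def classify(line):
    # Return a reason string when the entry matches one of the about:blank/CWS
    # indicators from this thread, otherwise None.
    parsed = parse_hjt_line(line)
    if not parsed:
        return None
    section, body = parsed
    if section in ("R0", "R1"):
        value = body.split("=", 1)[1].strip().lower() if "=" in body else ""
        if value.startswith("res://") and "sp.html" in value:
            return "IE search/start page redirected to a res:// DLL (about:blank hijacker)"
        if value == "about:blank":
            return "IE default page set to about:blank"
    elif section == "R3" and "is missing" in body:
        return "Default URLSearchHook removed"
    elif section == "O2":
        m = re.match(r"BHO: (.*?) - \{", body)
        if m and m.group(1).strip() in ("Class", "", "(no name)"):
            return "BHO with no descriptive name"
    elif section == "O4":
        m = re.search(r"\[([^\]]+)\] (.+)$", body)
        if m:
            name, target = m.group(1), m.group(2).strip()
            basename = re.split(r"[\\/]", target.split(" ")[0])[-1]
            if name.lower() == basename.lower() and basename.lower().endswith(".exe"):
                return "Run entry whose name is just the executable filename"
    elif section == "O23":
        m = re.match(r"Service: (.*?) - ", body)
        name = m.group(1) if m else ""
        if "(file missing)" in body or re.search(r"[#`]", name):
            return "service with garbled name or missing binary"
    return None

def scan_log(text):
    # Return [(line, reason)] for every flagged entry, in log order.
    return [(ln, classify(ln)) for ln in text.splitlines() if classify(ln)]
```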

 


#11 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 01 December 2005 - 04:06 PM

How are you doing with the fix Galvin?


 


#12 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 10 December 2005 - 09:03 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log


 
