dr watson debugger error is bugging me


#1
aullie

aullie

    Member

  • Member
  • PipPip
  • 23 posts
Please help
I cannot directly access My Computer, My Documents, my Control Panel etc. from the Start menu or from the icons. I get the Dr. Watson Postmortem Debugger error that it has encountered a problem and needs to close. Then everything freezes. I also have no control over my home page.
I've run Ad-Aware and also Spybot S&D, which found some items but have not been able to clean this up.
From what I've read, it looks rather involved. I'm fairly computer literate and have managed to clean things out before, but it certainly appears I need some help with this one.
I gather I should be using HijackThis... a program I've not used before???
Thanks
  • 0


#2
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Please Click here, and follow the recommendations in the guide.

If you're still having trouble, we'll need you to use a free diagnostic tool, HijackThis. Follow the instructions in step five of this guide, and post your log.

Most of what HijackThis lists will be harmless or even essential. DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Edited by Efwis, 28 February 2005 - 01:04 PM.

  • 0

#3
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Thanks,

I'm at work now and will have to try this later when I return home.
  • 0

#4
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
In beginning to follow the initial Geeks To Go Malware Removal instructions...I was wondering if there's a way to tell if I have the Windows XP Service Pack 2 installed.
I won't be installing it at this time anyway because I'm certain there is malware present but would like to know.
  • 0

#5
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
It will have a header on the HijackThis log that looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:06 AM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

If you have Service Pack 2 it is indicated as above. If you only have Service Pack 1 it will read SP1 after Windows XP and Internet Explorer.

Edited by Efwis, 28 February 2005 - 03:44 PM.

  • 0

#6
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Okay, I followed all the instructions in the initial instructions... Ad-Aware, Spybot, CWShredder, virus scanning, Windows Update etc... and the Dr. Watson Debugger problem and hijacked home page continue. I have just created my first log file through HijackThis and HERE IT IS... please help

Logfile of HijackThis v1.99.1
Scan saved at 8:31:34 PM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\d3pb32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\atlfd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brents\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {05DDF3D2-6A66-0B87-40D6-F21D101758C7} - C:\WINDOWS\system32\apiki32.dll
O4 - HKLM\..\Run: [atlfd.exe] C:\WINDOWS\atlfd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://www.manulifebank.ca
O15 - Trusted Zone: http://www.sd67.bc.ca
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: RaptisoftGameLoader - http://miniclips.com...tgameloader.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...78336/enter.cab
O16 - DPF: {4E52618E-546D-11D5-90EE-00D0B7484CA6} (NPAgent Class) - https://client.manul...tAggregator.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.cheat...nsAssistent.ocx
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.co...1.21/tukati.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Brents\Local Settings\Temporary Internet Files\Content.IE5\CDEZCPER\CWShredder[1].exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\d3pb32.exe" /s (file missing)
  • 0

#7
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.


Please download and install AD-Aware.
Check Here on how to set up and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops....F...oad&id=3002
http://www.mytechsup...rviceremove.zip


Download CW-Shredder at either link below:
http://cwshredder.net/bin/CWSshtreder.exe
http://www.mytechsupport.ca/helpwit...CWSshtreder.exe

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigha...ds/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Service: Workstation NetLogon Service ( 6Q'8)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

2. Reboot into SafeMode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

d3pb32.exe
atlfd.exe


If you find the files, click on them, and then click End Process => Exit the Task Manager.


4. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qnxff.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {05DDF3D2-6A66-0B87-40D6-F21D101758C7} - C:\WINDOWS\system32\apiki32.dll
O4 - HKLM\..\Run: [atlfd.exe] C:\WINDOWS\atlfd.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\d3pb32.exe" /s (file missing)


5. Delete the following files if present:
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

C:\WINDOWS\qnxff.dll
C:\WINDOWS\system32\apiki32.dll
C:\WINDOWS\atlfd.exe
C:\WINDOWS\d3pb32.exe


(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here http://members.aol.c.../start_corp.asp
Make sure you check "AutoClean"

then reboot and post a fresh Hijack This log to see how we did.
  • 0

#8
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
HELP... Having a heck of a time completing all the program installations prior to the fix, because how do I get into Windows Explorer and make sure "show hidden files and folders" is checked etc. when I can't open Windows Explorer without the Dr. Watson error and a total freeze-up? Any ideas... thanks
  • 0

#9
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Sorry for the delay.
Do this: Start > Run > type explorer
  • 0

#10
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
OKAY, I'VE ATTEMPTED TO COMPLETE ALL 13 STEPS IN THE FIX. 1-2 WENT WELL. ON #3 I DIDN'T FIND THE TWO FILES. ON NUMBER FOUR I ONLY FOUND TWO OR THREE THAT WERE EXACTLY AS PRINTED IN YOUR INSTRUCTIONS ALTHOUGH THERE WERE A LOT THAT WERE CLOSE BUT I DIDN'T WANT TO REMOVE ANYTHING THAT WAS ONLY 'CLOSE' TO THE SAME.
ON NUMBER 5, THERE WERE NONE OF THOSE FILES
NUMBER 6-9 WENT FINE
NUMBER 10 - COULD NOT LOCATE CW SHREDDER ANYWHERE ALTHOUGH IT REAPPEARED IN NORMAL MODE. SEARCHED EVERYWHERE IN SAFE MODE FOR IT.
NUMBER 11 FINE
NUMBER 12 FINE
NUMBER 13 FROZE UP ON HOUSECALL BUT THEN I WAS ABLE TO CREATE A NEW HIJACK THIS LOG.
DON'T THINK WE GOT THE BUGGER YET! :tazz: WHAT DO YOU THINK?

HERE'S THE LOG



Logfile of HijackThis v1.99.1
Scan saved at 8:53:16 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\atlfd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\d3pb32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Brents\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {97C18EBB-5DCC-5C24-5898-11BC0CB86073} - C:\WINDOWS\netyl.dll
O2 - BHO: (no name) - {A3B7B915-D6D2-510A-A72E-DE0B53457F00} - C:\WINDOWS\system32\mfcgl.dll
O4 - HKLM\..\Run: [atlfd.exe] C:\WINDOWS\atlfd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://www.manulifebank.ca
O15 - Trusted Zone: http://www.sd67.bc.ca
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...78336/enter.cab
O16 - DPF: {4E52618E-546D-11D5-90EE-00D0B7484CA6} (NPAgent Class) - https://client.manul...tAggregator.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.cheat...nsAssistent.ocx
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.co...1.21/tukati.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Brents\Local Settings\Temporary Internet Files\Content.IE5\CDEZCPER\CWShredder[1].exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\d3pb32.exe

HERE'S THE BUSTER LOG FILE

Scanned at: 8:23:42 PM on: 3/1/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
  • 0


#11
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
we are so close, yet so far away,

I'm going to have you run the same process in a moment, but first you need to do a couple of things for me.

Reset your restore points.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405

next, Right click http://mvps.org/winh.../DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

then finally, don't worry about downloading the programs again since you already have them.
Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.


Please download and install AD-Aware.
Check Here on how to set up and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops....ownload&id=3002
http://www.mytechsup...rviceremove.zip


Download CW-Shredder at the link below:
http://cwshredder.ne...CWSshtreder.exe

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigha...ds/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Network Security Service (NSS) ( 6Q'8)


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

C:\WINDOWS\atlfd.exe
C:\WINDOWS\d3pb32.exe
if you are in safe mode they may not be running

If you find the files, click on them, and then click End Process => Exit the Task Manager.


4. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {97C18EBB-5DCC-5C24-5898-11BC0CB86073} - C:\WINDOWS\netyl.dll
O2 - BHO: (no name) - {A3B7B915-D6D2-510A-A72E-DE0B53457F00} - C:\WINDOWS\system32\mfcgl.dll
O4 - HKLM\..\Run: [atlfd.exe] C:\WINDOWS\atlfd.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://www.manulifeb...manulifebank.ca
O15 .../www.sd67.bc.ca
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
these may not be there at this point
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.co...1.21/tukati.cab
O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\d3pb32.exe


5. Delete the following files if present:
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

C:\WINDOWS\system32\kthhx.dll
C:\WINDOWS\netyl.dll
C:\WINDOWS\system32\mfcgl.dll
C:\WINDOWS\atlfd.exe
C:\WINDOWS\d3pb32.exe


(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here http://members.aol.c...bee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

13. Download and run this online virus scan:
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean"

then reboot and post a fresh Hijack This log to see how we did.

Edited by Efwis, 01 March 2005 - 11:30 PM.

  • 0

#12
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Still stuck with malware. I've completed all the steps again, but HouseCall says I have 50 bad files detected that can't be cleaned. Here's its log

Results:
We have detected 50 infected file(s) with 50 virus(es) on your computer: 0 virus(es) cleaned, 50 virus(es) uncleanable, 0 virus(es) deleted, 0 virus(es) undeletable, 0 virus(es) passed.
Detected File Associated Virus Name Action taken
C:\WINDOWS\system32\ipsa32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\system32\sdkjw.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\system32\d3ah32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\system32\addix32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\system32\winqs.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\system32\d3rn.exe TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\Downloaded Program Files\InstallationsAssistent.ocx TROJ_SMALL.RZ Uncleanable
C:\WINDOWS\uloaio.dat TROJ_AGENT.ALL Uncleanable
C:\WINDOWS\jyethi.dat TROJ_AGENT.MP Uncleanable
C:\WINDOWS\crpybs.txt TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\hlnfzk.dat TROJ_AGENT.ALL Uncleanable
C:\WINDOWS\fgrxlq.txt TROJ_AGENT.ALL Uncleanable
C:\WINDOWS\mltisw.dat TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\jxsfde.dat TROJ_AGENT.MP Uncleanable
C:\WINDOWS\atlfd.exe TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\xsfdee.dat TROJ_AGENT.MP Uncleanable
C:\WINDOWS\byktfo.dat TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\addzp32.exe TROJ_AGENT.ALL Uncleanable
C:\WINDOWS\syswo32.exe TROJ_AGENT.ALL Uncleanable
C:\WINDOWS\addpo.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\addse.exe TROJ_AGENT.RK Uncleanable
C:\WINDOWS\xqkfio.dat TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\ntfd32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\sysrd.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\mfchq.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\gswfkz.dat TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\clzbun.txt TROJ_AGENT.MP Uncleanable
C:\WINDOWS\ukvpek.log TROJ_AGENT.MP Uncleanable
C:\WINDOWS\nlfcyv.dat TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\d3pb32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\lafsli.dat TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\rmookv.txt TROJ_AGENT.MP Uncleanable
C:\WINDOWS\knytmy.txt TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\crdz32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\umsgwx.txt TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\vvnrhj.dat TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\winhy32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\apipp32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\javaxc32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\bpnzuf.log TROJ_AGENT.MP Uncleanable
C:\WINDOWS\uqfeop.log TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\owlwvt.txt TROJ_AGENT.MP Uncleanable
C:\WINDOWS\hxvbpe.txt TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\addlt32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\crkt32.exe TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\wsodjm.txt TROJ_AGENT.MP Uncleanable
C:\WINDOWS\ptzqlw.txt TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\atlpz.exe TROJ_AGENT.MP Uncleanable
C:\Documents and Settings\Brents\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-78a21404-59fc898e.zip (Dummy.class) JAVA_BYTEVER.B Uncleanable
C:\Documents and Settings\Brents\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-53fa37b1-412784f7.zip (Dummy.class) JAVA_BYTEVER.B Uncleanable

HERE IS THE HIJACKTHIS LOG: BUT FIRST>>> (again there were some files in safe mode that were close to what you wanted me to delete but not exact. FOR EXAMPLE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kthhx.dll/sp.html#44768 was there, but one portion did not match... INSTEAD OF kthhx.dll it says qmlts.dll, and there are others close but not exact too.
Should I have deleted them anyway?????)

Logfile of HijackThis v1.99.1
Scan saved at 10:20:28 AM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Brents\Desktop\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bourque.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...78336/enter.cab
O16 - DPF: {4E52618E-546D-11D5-90EE-00D0B7484CA6} (NPAgent Class) - https://client.manul...tAggregator.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.cheat...nsAssistent.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Brents\Local Settings\Temporary Internet Files\Content.IE5\CDEZCPER\CWShredder[1].exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hope you can help me further... Thanks for all of this.
  • 0
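The question in this post (entries that are "close but not exact" because the DLL name differs) is about the shape of the R0/R1 lines rather than the exact file name: the hijack is an Internet Explorer search or start setting pointing at a res:// URL that loads sp.html out of a DLL in system32, and the DLL name (kthhx.dll, qmlts.dll) varies per infection. The script below is an added example, not code from this thread or from HijackThis; it parses lines in the HijackThis log format and flags entries by that pattern instead of by file name. The sample log is constructed from a few lines in the shape of the log above, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the HijackThis log posted above (a few of
# its R0/R1/R3/O16/O23 lines, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bourque.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.cheat...nsAssistent.ocx
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Registry-style lines: "Rn - <key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")

# The hijack signature: a res:// URL that loads sp.html from a DLL in system32.
# The DLL name is random per infection, so the shape is matched, not the name.
RES_DLL_HIJACK = re.compile(r"^res://.*\\system32\\\w+\.dll/sp\.html", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis log line into section code, key, value name and data."""
    line = line.strip()
    if not line:
        return None
    m = R_LINE.match(line)
    if m:
        return {"section": m.group(1), "key": m.group("key"),
                "name": m.group("name"), "data": m.group("data"), "raw": line}
    # Non-registry lines (R3, O16, O23, ...): keep the section code and the rest.
    section, _, rest = line.partition(" - ")
    return {"section": section, "key": "", "name": "", "data": rest, "raw": line}


def flag_entries(log_text: str) -> List[Dict[str, str]]:
    """Return the log entries that match the search-page hijack pattern, each with a reason."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["section"] in ("R0", "R1") and RES_DLL_HIJACK.match(entry["data"]):
            entry["reason"] = "IE search/start setting loads sp.html from a system32 DLL via res://"
            hits.append(entry)
        elif entry["section"] == "R3" and "URLSearchHook is missing" in entry["data"]:
            entry["reason"] = "default URLSearchHook removed (seen alongside the res:// entries)"
            hits.append(entry)
    return hits


def hijack_dlls(log_text: str) -> List[str]:
    """Distinct DLL names the flagged entries point at, i.e. what to look for on disk."""
    names = set()
    for entry in flag_entries(log_text):
        m = re.search(r"\\system32\\(\w+\.dll)/", entry["data"], re.IGNORECASE)
        if m:
            names.add(m.group(1).lower())
    return sorted(names)


if __name__ == "__main__":
    for hit in flag_entries(SAMPLE_LOG):
        print(f"[{hit['section']}] {hit['raw']}\n    -> {hit['reason']}")
    print("DLLs referenced:", hijack_dlls(SAMPLE_LOG))
```

Run against the constructed sample, the two res:// lines and the missing URLSearchHook line are flagged while the normal start page, the O16 and the O23 lines are not, and `hijack_dlls` reports `qmlts.dll` as the file the entries point at. A line with kthhx.dll instead of qmlts.dll is flagged the same way, which is the point: the decision rests on the res://...\system32\<name>.dll/sp.html shape, not on the exact name.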

#13
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Further to my last post....the good news is that I do own my homepage again and the about blank garbage seems to be gone....but there are still issues with bad files as per my last post.
  • 0

#14
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Sorry for the delay in posting, I was out all afternoon.

Anyway, here is what I want you to do.

find and delete all of these files in safe mode
C:\Documents and Settings\Brents\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-78a21404-59fc898e.zip
C:\Documents and Settings\Brents\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-53fa37b1-412784f7.zip


Download a Free Trial of Trojan Hunter at http://www.misec.net...rojanHunter.exe first. Next, look over the Following Entries I have listed, run Hijack This again and check them and then, making sure you have No Internet Explorer Windows open, including this one, Press the "Fix Checked" Button with HijackThis.

Reboot If I have specified below, and Post a Fresh HijackThis log.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qmlts.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.cheat...nsAssistent.ocx


After this, Reboot and Delete the following files (not all of these may be on your system anymore after Trojan Hunter):

C:\WINDOWS\system32\ipsa32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\system32\sdkjw.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\system32\d3ah32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\system32\addix32.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\system32\winqs.exe TROJ_AGENT.MP Uncleanable
C:\WINDOWS\system32\d3rn.exe TROJ_AGENT.MQ Uncleanable
C:\WINDOWS\Downloaded Program Files\InstallationsAssistent.ocx TROJ_SMALL.RZ Uncleanable
C:\WINDOWS\uloaio.dat
C:\WINDOWS\jyethi.dat
C:\WINDOWS\crpybs.txt
C:\WINDOWS\hlnfzk.dat
C:\WINDOWS\fgrxlq.txt
C:\WINDOWS\mltisw.dat
C:\WINDOWS\jxsfde.dat
C:\WINDOWS\atlfd.exe
C:\WINDOWS\xsfdee.dat
C:\WINDOWS\byktfo.dat
C:\WINDOWS\addzp32.exe
C:\WINDOWS\syswo32.exe
C:\WINDOWS\addpo.exe
C:\WINDOWS\addse.exe
C:\WINDOWS\xqkfio.dat
C:\WINDOWS\ntfd32.exe
C:\WINDOWS\sysrd.exe
C:\WINDOWS\mfchq.exe
C:\WINDOWS\gswfkz.dat
C:\WINDOWS\clzbun.txt
C:\WINDOWS\ukvpek.log
C:\WINDOWS\nlfcyv.dat
C:\WINDOWS\d3pb32.exe
C:\WINDOWS\lafsli.dat
C:\WINDOWS\rmookv.txt
C:\WINDOWS\knytmy.txt
C:\WINDOWS\crdz32.exe
C:\WINDOWS\umsgwx.txt
C:\WINDOWS\vvnrhj.dat
C:\WINDOWS\winhy32.exe
C:\WINDOWS\apipp32.exe
C:\WINDOWS\javaxc32.exe
C:\WINDOWS\bpnzuf.log
C:\WINDOWS\uqfeop.log
C:\WINDOWS\owlwvt.txt
C:\WINDOWS\hxvbpe.txt
C:\WINDOWS\addlt32.exe
C:\WINDOWS\crkt32.exe
C:\WINDOWS\wsodjm.txt
C:\WINDOWS\ptzqlw.txt
C:\WINDOWS\atlpz.exe


Could you please include a list of all the similar .dll files that you are commenting about. I realize there may be a ton of them, but I can't be sure which ones to delete without seeing them. Post them with your next HijackThis log.

Note: Make sure you have Set Windows to show Hidden Files & Folders as well as extensions before you Start Sending Them to us For Analysis, or you're deleting them. This can be done by looking at the instructions at This Webpage http://www.xtra.co.n...1916458,00.html

and finally,
take a free Online Virus scan at http://www.housecall.trendmicro.com or http://www3.ca.com/v...virusscan.aspx.

Edited by Efwis, 02 March 2005 - 05:43 PM.

  • 0

#15
aullie

aullie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Just before I do the latest instructions you should know that things are actually quite normal now. NO Dr. Watson errors and I can access everything... However, that last scan by Housecall this morning did find those 50 bad files... should I proceed with the latest list??? And again thanks for all your help.
  • 0
