Everything opens so slow + popups [RESOLVED]



#1 drago (Member, 22 posts)

Hi,
Thanks for your help guys. My problem is with the speed of everything. Anything takes like half a minute to open, including computer folders. Plus my homepage is always changed and I get popups too. Many times the computer freezes and I have to restart. Please help.

Below is an attached log from Hijackthis. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 12:23:44 PM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netff.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\3DLman.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\crex32.exe
C:\WINDOWS\System32\qpratext.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\psblient.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hpjlv.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpjlv.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hpjlv.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hpjlv.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpjlv.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hpjlv.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hpjlv.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {BED69B83-24C0-5FE8-2822-B760E2BC7FD1} - C:\WINDOWS\atlvp.dll
O2 - BHO: Class - {F72C2F74-8735-611B-5E85-D33CA3E557A9} - C:\WINDOWS\ipbf32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\System32\3DLman.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [*cabc] C:\WINDOWS\java\classes\cabc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [crex32.exe] C:\WINDOWS\system32\crex32.exe
O4 - HKLM\..\Run: [w3oX3EW] qpratext.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [h077ROa6W] psblient.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../yse/ymmapi.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_2_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\netla.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
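
The log above carries the classic indicators of this infection family: the IE search and start pages redirected into a `res://` resource inside a DLL dropped in the Windows directory, BHOs with the generic name "Class" loaded from `C:\WINDOWS`, Run entries that start a bare filename or a generated-looking name, and a service with an unknown owner whose binary is missing. The script below is an added example (not part of this thread and not HijackThis code) that reads a log in this format and flags those entry types so a long log can be reviewed quickly. The sample lines are constructed from entry formats in the thread; the filename pattern and the list of "Windows directory" paths are assumptions and will produce false positives on other machines, so the output is a review aid, not a verdict.

```python
"""Triage a HijackThis-style log for the indicator types seen in this thread.

Added example; the rules are hand-derived from the entry formats above and the
GENERATED_NAME pattern is an assumption, not a published signature.
"""
import re
from collections import Counter

# Constructed sample log: a handful of lines in the formats the thread's logs use.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hpjlv.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {BED69B83-24C0-5FE8-2822-B760E2BC7FD1} - C:\WINDOWS\atlvp.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [w3oX3EW] qpratext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [mfcqy32.exe] C:\WINDOWS\mfcqy32.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\netla.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<guid>[^}]*)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumed pattern for the generated names in this thread's logs: a short
# plausible prefix, two to four random letters, optional "32", then ".exe".
GENERATED_NAME = re.compile(
    r"^(?:add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2,4}(?:32)?\.exe$"
)
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


def split_command(cmd):
    """Return (executable, directory, filename) for a Run-key command line."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    exe = (m.group(1) or m.group(2)) if m else cmd
    directory, _, filename = exe.rpartition("\\")
    return exe, directory.lower(), filename.lower()


def check_entry(code, body):
    """Return a reason string if the entry matches one of the rules, else None."""
    if code in ("R0", "R1") and "res://" in body:
        return "IE search/start page redirected into a local DLL resource"
    if code == "O2":
        m = BHO_RE.match(body)
        if m and m["name"] == "Class":
            directory = m["path"].rpartition("\\")[0].lower()
            if directory in WINDOWS_DIRS:
                return "unnamed BHO loaded from the Windows directory"
    if code == "O4":
        m = RUN_RE.match(body)
        if m:
            exe, directory, filename = split_command(m["cmd"])
            if "\\" not in exe:
                return "Run entry starts a bare filename with no path"
            if (directory in WINDOWS_DIRS and m["name"].lower() == filename
                    and GENERATED_NAME.match(filename)):
                return "Run entry with a generated-looking filename in the Windows directory"
    if code == "O23":
        m = SERVICE_RE.match(body)
        if m and ("(file missing)" in m["path"] or m["owner"] == "Unknown owner"):
            return "service with unknown owner or missing binary"
    return None


def triage(log_text):
    """Scan every entry line and return the flagged ones with their reasons."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers and blank lines are skipped
        reason = check_entry(m["code"], m["body"])
        if reason:
            findings.append({"code": m["code"], "reason": reason, "line": line})
    return findings


def summary(findings):
    """Count findings per rule so a log with hundreds of RunOnce entries stays readable."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['code']}] {f['reason']}\n    {f['line']}")
    print(summary(found))
```

Run it against a full log by passing the file contents to `triage()`; the `ctfmon.exe` line in the sample is there to show that a legitimate system entry with the same "key name equals filename" shape is not flagged, because its name does not fit the generated pattern.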

#2 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello Drago :tazz:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix)

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log and we will remove what's left.

Good Luck
#3 drago (Topic Starter, Member, 22 posts)
Thank you very much for your help,
I had to download about:buster from some other site but otherwise it was smooth. I am attaching a log from SpSeHjfix:


(5/29/05 4:15:55 PM) SPSeHjFix started v1.1.2
(5/29/05 4:15:55 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/29/05 4:15:55 PM) Language: english
(5/29/05 4:15:55 PM) Win-Path: C:\WINDOWS
(5/29/05 4:15:55 PM) System-Path: C:\WINDOWS\System32
(5/29/05 4:15:55 PM) Temp-Path: C:\DOCUME~1\DAVIDR~1\LOCALS~1\Temp\
(5/29/05 4:16:11 PM) Disinfection started
(5/29/05 4:16:11 PM) Bad-Dll(IEP): (not found)
(5/29/05 4:16:11 PM) Bad-Dll(IEP) in BHO: (not found)
(5/29/05 4:16:11 PM) UBF: 4 - UBB: 0 - UBR: 11
(5/29/05 4:16:11 PM) UBF: 4 - UBB: 0 - UBR: 11
(5/29/05 4:16:11 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(5/29/05 4:16:11 PM) Stealth-String not found
(5/29/05 4:16:11 PM) Not infected->END


And the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:46:40 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\3DLman.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {17151197-586C-9ECF-1CC7-EAEDA430EFC7} - C:\WINDOWS\system32\sysxb32.dll (file missing)
O2 - BHO: Class - {28510C06-A16B-091E-FA46-4DB58B0A0432} - C:\WINDOWS\addwx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_2_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\System32\3DLman.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [*cabc] C:\WINDOWS\java\classes\cabc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [crex32.exe] C:\WINDOWS\system32\crex32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [w3oX3EW] ntknst.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [h077ROa6W] newend.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../yse/ymmapi.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_2_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netff.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
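
Comparing drago's second log with the first shows what loophole means by a "few step process": the search hijack moved from `hpjlv.dll` to `wtnov.dll`, the "Class" BHOs came back under new GUIDs and DLL names, the `[w3oX3EW]` Run entry now starts `ntknst.exe` instead of `qpratext.exe`, and the bogus "Network Security Service" points at a different missing binary. The script below is an added example (not from the thread) that diffs two logs in this format, skipping the volatile running-process list, and pairs removed and added entries that occupy the same persistence slot so that this regeneration is reported explicitly rather than as unrelated removals and additions. The two sample logs are constructed from trimmed entries of the thread's first two logs; the `slot_key` rules are an assumption about which part of each entry identifies the slot.

```python
"""Diff two HijackThis-style logs and report regenerated persistence entries.

Added example, not part of the thread. slot_key() encodes an assumption: the
registry value, BHO name, Run key name or service name is the stable "slot",
while the GUID, DLL and executable name are the part the infection rotates.
"""
import re

ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")

# Constructed samples, trimmed from the thread's first and second logs.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hpjlv.dll/sp.html#14044
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {BED69B83-24C0-5FE8-2822-B760E2BC7FD1} - C:\WINDOWS\atlvp.dll
O4 - HKLM\..\Run: [w3oX3EW] qpratext.exe
O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\netla.exe (file missing)
"""

AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wtnov.dll/sp.html#14044
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {28510C06-A16B-091E-FA46-4DB58B0A0432} - C:\WINDOWS\addwx.dll
O4 - HKLM\..\Run: [w3oX3EW] ntknst.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netff.exe" /s (file missing)
"""


def entry_lines(log_text):
    """Keep only the coded entry lines; the process list and headers are ignored."""
    return [ln for ln in log_text.strip().splitlines() if ENTRY_RE.match(ln)]


def slot_key(line):
    """Identify the persistence slot an entry occupies, ignoring its payload."""
    code, _, body = line.partition(" - ")
    if code.startswith("R"):                      # registry value name
        return code + " " + body.split(" = ", 1)[0]
    if code == "O2":                              # BHO display name
        return code + " " + body.split(" - ", 1)[0]
    if code == "O4":                              # hive, Run key and value name
        return code + " " + body.split("] ", 1)[0] + "]"
    if code == "O23":                             # service display name
        return code + " " + body.split(" - ", 1)[0]
    return line


def compare(before, after):
    """Return regenerated (old, new) pairs plus plain added/removed/unchanged lines."""
    old, new = set(entry_lines(before)), set(entry_lines(after))
    removed, added = sorted(old - new), sorted(new - old)
    old_slots = {}
    for ln in removed:
        old_slots.setdefault(slot_key(ln), []).append(ln)
    regenerated, new_only = [], []
    for ln in added:
        bucket = old_slots.get(slot_key(ln))
        if bucket:
            regenerated.append((bucket.pop(0), ln))   # same slot, new payload
        else:
            new_only.append(ln)
    gone = [ln for bucket in old_slots.values() for ln in bucket]
    return {"regenerated": regenerated, "added": new_only,
            "removed": gone, "unchanged": sorted(old & new)}


if __name__ == "__main__":
    result = compare(BEFORE, AFTER)
    for old, new in result["regenerated"]:
        print("REGENERATED:\n  -", old, "\n  +", new)
    for ln in result["removed"]:
        print("REMOVED:   ", ln)
    for ln in result["added"]:
        print("ADDED:     ", ln)
    print(len(result["unchanged"]), "entries unchanged")
```

A slot that is reported as regenerated after a cleanup pass is the signal that the dropper is still active and re-creating its entries, which is why the thread moves on to disabling the service and running the tools from Safe Mode rather than only fixing the listed items.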
#4 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello Drago

Just remember, Drago, I told you this would be a few step process. Just work through the fixes. If you run into any problems just let me know in your next post. This is a nasty infection, but we will get it.

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

(Just download what you don't have)

First:
Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

Network Security Service (NSS) ( 11F#`I)

*NOTE* Make sure the name says Network Security Service (NSS) ( 11F#`I) because there are legitimate services with similar names.

When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Run Aboutbuster again
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean Up the leftovers

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wtnov.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {17151197-586C-9ECF-1CC7-EAEDA430EFC7} - C:\WINDOWS\system32\sysxb32.dll (file missing)
O2 - BHO: Class - {28510C06-A16B-091E-FA46-4DB58B0A0432} - C:\WINDOWS\addwx.dll
O4 - HKLM\..\Run: [*cabc] C:\WINDOWS\java\classes\cabc.exe
O4 - HKLM\..\Run: [crex32.exe] C:\WINDOWS\system32\crex32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [w3oX3EW] ntknst.exe
O4 - HKCU\..\Run: [h077ROa6W] newend.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


Using Windows Explorer (right-click Start, left-click Explore)
Search for and delete these files and folders (If found)
C:\WINDOWS\addwx.dll
C:\WINDOWS\system32\crex32.exe
C:\Program Files\AutoUpdate
C:\WINDOWS\system32\netff.exe

Open Ewido
Click on scanner
Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives

  • Click on Start Scan
  • Let the program scan the machine
  • While the scan is in progress you will be prompted to clean files, click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido .txt log file you saved and the About buster log by using Add Reply
#5 drago (Topic Starter, Member, 22 posts)
Hi loophole,
Thanks again. I got everything right. I just get this ewido alert popping up all the time to clean one trojan, but when I click OK it wants to reboot. However, after the restart it pops up again.

I am posting 3 logs. (HJT, About:buster and ewido)


Logfile of HijackThis v1.99.1
Scan saved at 3:33:01 PM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\unzipped\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5BB66F6F-6BA4-ED53-05F3-F6ED2C204BED} - C:\WINDOWS\crnm32.dll
O2 - BHO: Class - {61F55B99-6BD7-C8CA-0AB9-97CFED9C0C6D} - C:\WINDOWS\crum.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {CF3EF571-43E7-5C38-FDC9-6E168AF22B5A} - C:\WINDOWS\system32\netzi32.dll
O2 - BHO: Class - {F0FEAC69-B908-0A98-E707-86A79716D60E} - C:\WINDOWS\addvr32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_2_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\System32\3DLman.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [*cabc] C:\WINDOWS\java\classes\cabc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [crex32.exe] C:\WINDOWS\system32\crex32.exe
O4 - HKLM\..\Run: [w3oX3EW] ntknst.exe
O4 - HKLM\..\Run: [appgs.exe] C:\WINDOWS\system32\appgs.exe
O4 - HKLM\..\RunOnce: [appic.exe] C:\WINDOWS\system32\appic.exe
O4 - HKLM\..\RunOnce: [netwu32.exe] C:\WINDOWS\system32\netwu32.exe
O4 - HKLM\..\RunOnce: [sdkop.exe] C:\WINDOWS\system32\sdkop.exe
O4 - HKLM\..\RunOnce: [apibs32.exe] C:\WINDOWS\apibs32.exe
O4 - HKLM\..\RunOnce: [appsp32.exe] C:\WINDOWS\appsp32.exe
O4 - HKLM\..\RunOnce: [atlaw32.exe] C:\WINDOWS\atlaw32.exe
O4 - HKLM\..\RunOnce: [addhf32.exe] C:\WINDOWS\system32\addhf32.exe
O4 - HKLM\..\RunOnce: [ntwu32.exe] C:\WINDOWS\system32\ntwu32.exe
O4 - HKLM\..\RunOnce: [d3rx.exe] C:\WINDOWS\system32\d3rx.exe
O4 - HKLM\..\RunOnce: [javayy32.exe] C:\WINDOWS\system32\javayy32.exe
O4 - HKLM\..\RunOnce: [apitd.exe] C:\WINDOWS\apitd.exe
O4 - HKLM\..\RunOnce: [msut32.exe] C:\WINDOWS\msut32.exe
O4 - HKLM\..\RunOnce: [mfcqy32.exe] C:\WINDOWS\mfcqy32.exe
O4 - HKLM\..\RunOnce: [sysqw.exe] C:\WINDOWS\sysqw.exe
O4 - HKLM\..\RunOnce: [ipwd.exe] C:\WINDOWS\system32\ipwd.exe
O4 - HKLM\..\RunOnce: [atltx.exe] C:\WINDOWS\system32\atltx.exe
O4 - HKLM\..\RunOnce: [crrl.exe] C:\WINDOWS\crrl.exe
O4 - HKLM\..\RunOnce: [sdknn32.exe] C:\WINDOWS\system32\sdknn32.exe
O4 - HKLM\..\RunOnce: [mfckt.exe] C:\WINDOWS\mfckt.exe
O4 - HKLM\..\RunOnce: [syspl.exe] C:\WINDOWS\system32\syspl.exe
O4 - HKLM\..\RunOnce: [ntkv32.exe] C:\WINDOWS\ntkv32.exe
O4 - HKLM\..\RunOnce: [wined.exe] C:\WINDOWS\wined.exe
O4 - HKLM\..\RunOnce: [mfcvg32.exe] C:\WINDOWS\system32\mfcvg32.exe
O4 - HKLM\..\RunOnce: [iegj.exe] C:\WINDOWS\system32\iegj.exe
O4 - HKLM\..\RunOnce: [appuz.exe] C:\WINDOWS\appuz.exe
O4 - HKLM\..\RunOnce: [apiud.exe] C:\WINDOWS\system32\apiud.exe
O4 - HKLM\..\RunOnce: [ntwf32.exe] C:\WINDOWS\ntwf32.exe
O4 - HKLM\..\RunOnce: [apilr.exe] C:\WINDOWS\apilr.exe
O4 - HKLM\..\RunOnce: [javazd.exe] C:\WINDOWS\javazd.exe
O4 - HKLM\..\RunOnce: [ntrc.exe] C:\WINDOWS\ntrc.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\winpc.exe
O4 - HKLM\..\RunOnce: [netkm.exe] C:\WINDOWS\system32\netkm.exe
O4 - HKLM\..\RunOnce: [mfcov.exe] C:\WINDOWS\mfcov.exe
O4 - HKLM\..\RunOnce: [netfn32.exe] C:\WINDOWS\system32\netfn32.exe
O4 - HKLM\..\RunOnce: [apipj.exe] C:\WINDOWS\apipj.exe
O4 - HKLM\..\RunOnce: [crfe32.exe] C:\WINDOWS\system32\crfe32.exe
O4 - HKLM\..\RunOnce: [mfctz32.exe] C:\WINDOWS\system32\mfctz32.exe
O4 - HKLM\..\RunOnce: [iekq.exe] C:\WINDOWS\system32\iekq.exe
O4 - HKLM\..\RunOnce: [ieff.exe] C:\WINDOWS\system32\ieff.exe
O4 - HKLM\..\RunOnce: [javaet.exe] C:\WINDOWS\javaet.exe
O4 - HKLM\..\RunOnce: [addia32.exe] C:\WINDOWS\system32\addia32.exe
O4 - HKLM\..\RunOnce: [addfj.exe] C:\WINDOWS\addfj.exe
O4 - HKLM\..\RunOnce: [netsr32.exe] C:\WINDOWS\system32\netsr32.exe
O4 - HKLM\..\RunOnce: [winwk.exe] C:\WINDOWS\system32\winwk.exe
O4 - HKLM\..\RunOnce: [appdu32.exe] C:\WINDOWS\appdu32.exe
O4 - HKLM\..\RunOnce: [ipkt32.exe] C:\WINDOWS\ipkt32.exe
O4 - HKLM\..\RunOnce: [iend32.exe] C:\WINDOWS\iend32.exe
O4 - HKLM\..\RunOnce: [atlmw32.exe] C:\WINDOWS\system32\atlmw32.exe
O4 - HKLM\..\RunOnce: [mfcmj32.exe] C:\WINDOWS\mfcmj32.exe
O4 - HKLM\..\RunOnce: [atlyz32.exe] C:\WINDOWS\system32\atlyz32.exe
O4 - HKLM\..\RunOnce: [apiki32.exe] C:\WINDOWS\system32\apiki32.exe
O4 - HKLM\..\RunOnce: [iebc32.exe] C:\WINDOWS\iebc32.exe
O4 - HKLM\..\RunOnce: [sysvl32.exe] C:\WINDOWS\sysvl32.exe
O4 - HKLM\..\RunOnce: [sdkyg32.exe] C:\WINDOWS\system32\sdkyg32.exe
O4 - HKLM\..\RunOnce: [mfcdq32.exe] C:\WINDOWS\mfcdq32.exe
O4 - HKLM\..\RunOnce: [apimc.exe] C:\WINDOWS\system32\apimc.exe
O4 - HKLM\..\RunOnce: [ipae32.exe] C:\WINDOWS\system32\ipae32.exe
O4 - HKLM\..\RunOnce: [addct32.exe] C:\WINDOWS\system32\addct32.exe
O4 - HKLM\..\RunOnce: [apiqj32.exe] C:\WINDOWS\apiqj32.exe
O4 - HKLM\..\RunOnce: [netzv.exe] C:\WINDOWS\netzv.exe
O4 - HKLM\..\RunOnce: [mfcwq.exe] C:\WINDOWS\mfcwq.exe
O4 - HKLM\..\RunOnce: [crbw.exe] C:\WINDOWS\system32\crbw.exe
O4 - HKLM\..\RunOnce: [appkc32.exe] C:\WINDOWS\system32\appkc32.exe
O4 - HKLM\..\RunOnce: [javaic32.exe] C:\WINDOWS\system32\javaic32.exe
O4 - HKLM\..\RunOnce: [ntsj32.exe] C:\WINDOWS\system32\ntsj32.exe
O4 - HKLM\..\RunOnce: [ievs32.exe] C:\WINDOWS\ievs32.exe
O4 - HKLM\..\RunOnce: [javaox32.exe] C:\WINDOWS\system32\javaox32.exe
O4 - HKLM\..\RunOnce: [sysnk.exe] C:\WINDOWS\system32\sysnk.exe
O4 - HKLM\..\RunOnce: [crmw.exe] C:\WINDOWS\crmw.exe
O4 - HKLM\..\RunOnce: [apiov32.exe] C:\WINDOWS\apiov32.exe
O4 - HKLM\..\RunOnce: [javaom.exe] C:\WINDOWS\javaom.exe
O4 - HKLM\..\RunOnce: [mfcwx.exe] C:\WINDOWS\system32\mfcwx.exe
O4 - HKLM\..\RunOnce: [addah32.exe] C:\WINDOWS\system32\addah32.exe
O4 - HKLM\..\RunOnce: [addsl32.exe] C:\WINDOWS\system32\addsl32.exe
O4 - HKLM\..\RunOnce: [mfcck.exe] C:\WINDOWS\system32\mfcck.exe
O4 - HKLM\..\RunOnce: [mfcpx.exe] C:\WINDOWS\system32\mfcpx.exe
O4 - HKLM\..\RunOnce: [javatn32.exe] C:\WINDOWS\system32\javatn32.exe
O4 - HKLM\..\RunOnce: [crqn.exe] C:\WINDOWS\crqn.exe
O4 - HKLM\..\RunOnce: [ntau.exe] C:\WINDOWS\ntau.exe
O4 - HKLM\..\RunOnce: [winyu.exe] C:\WINDOWS\winyu.exe
O4 - HKLM\..\RunOnce: [addgy32.exe] C:\WINDOWS\system32\addgy32.exe
O4 - HKLM\..\RunOnce: [javapc32.exe] C:\WINDOWS\javapc32.exe
O4 - HKLM\..\RunOnce: [msvm32.exe] C:\WINDOWS\msvm32.exe
O4 - HKLM\..\RunOnce: [mshi32.exe] C:\WINDOWS\mshi32.exe
O4 - HKLM\..\RunOnce: [ienu32.exe] C:\WINDOWS\system32\ienu32.exe
O4 - HKLM\..\RunOnce: [crac32.exe] C:\WINDOWS\crac32.exe
O4 - HKLM\..\RunOnce: [winka32.exe] C:\WINDOWS\system32\winka32.exe
O4 - HKLM\..\RunOnce: [ieiv.exe] C:\WINDOWS\system32\ieiv.exe
O4 - HKLM\..\RunOnce: [addnv.exe] C:\WINDOWS\addnv.exe
O4 - HKLM\..\RunOnce: [winrf32.exe] C:\WINDOWS\system32\winrf32.exe
O4 - HKLM\..\RunOnce: [mskj.exe] C:\WINDOWS\mskj.exe
O4 - HKLM\..\RunOnce: [crze.exe] C:\WINDOWS\crze.exe
O4 - HKLM\..\RunOnce: [appmk.exe] C:\WINDOWS\appmk.exe
O4 - HKLM\..\RunOnce: [sdkvq32.exe] C:\WINDOWS\sdkvq32.exe
O4 - HKLM\..\RunOnce: [addkr32.exe] C:\WINDOWS\addkr32.exe
O4 - HKLM\..\RunOnce: [syscp.exe] C:\WINDOWS\system32\syscp.exe
O4 - HKLM\..\RunOnce: [sdkci32.exe] C:\WINDOWS\system32\sdkci32.exe
O4 - HKLM\..\RunOnce: [applo.exe] C:\WINDOWS\applo.exe
O4 - HKLM\..\RunOnce: [javagy32.exe] C:\WINDOWS\system32\javagy32.exe
O4 - HKLM\..\RunOnce: [apioj32.exe] C:\WINDOWS\system32\apioj32.exe
O4 - HKLM\..\RunOnce: [javayi.exe] C:\WINDOWS\javayi.exe
O4 - HKLM\..\RunOnce: [appbx32.exe] C:\WINDOWS\appbx32.exe
O4 - HKLM\..\RunOnce: [iezk32.exe] C:\WINDOWS\system32\iezk32.exe
O4 - HKLM\..\RunOnce: [d3so.exe] C:\WINDOWS\system32\d3so.exe
O4 - HKLM\..\RunOnce: [javaik.exe] C:\WINDOWS\system32\javaik.exe
O4 - HKLM\..\RunOnce: [d3cb.exe] C:\WINDOWS\system32\d3cb.exe
O4 - HKLM\..\RunOnce: [addux.exe] C:\WINDOWS\addux.exe
O4 - HKLM\..\RunOnce: [ntdv32.exe] C:\WINDOWS\ntdv32.exe
O4 - HKLM\..\RunOnce: [atlga.exe] C:\WINDOWS\system32\atlga.exe
O4 - HKLM\..\RunOnce: [apixy.exe] C:\WINDOWS\system32\apixy.exe
O4 - HKLM\..\RunOnce: [wincs32.exe] C:\WINDOWS\system32\wincs32.exe
O4 - HKLM\..\RunOnce: [mfcbn.exe] C:\WINDOWS\system32\mfcbn.exe
O4 - HKLM\..\RunOnce: [winuk32.exe] C:\WINDOWS\winuk32.exe
O4 - HKLM\..\RunOnce: [apizc32.exe] C:\WINDOWS\apizc32.exe
O4 - HKLM\..\RunOnce: [appmj32.exe] C:\WINDOWS\system32\appmj32.exe
O4 - HKLM\..\RunOnce: [ipwa32.exe] C:\WINDOWS\ipwa32.exe
O4 - HKLM\..\RunOnce: [msom.exe] C:\WINDOWS\system32\msom.exe
O4 - HKLM\..\RunOnce: [mfcsw32.exe] C:\WINDOWS\mfcsw32.exe
O4 - HKLM\..\RunOnce: [appnx.exe] C:\WINDOWS\system32\appnx.exe
O4 - HKLM\..\RunOnce: [ipgu.exe] C:\WINDOWS\ipgu.exe
O4 - HKLM\..\RunOnce: [winuw.exe] C:\WINDOWS\system32\winuw.exe
O4 - HKLM\..\RunOnce: [ipdc32.exe] C:\WINDOWS\system32\ipdc32.exe
O4 - HKLM\..\RunOnce: [appdq.exe] C:\WINDOWS\system32\appdq.exe
O4 - HKLM\..\RunOnce: [msik32.exe] C:\WINDOWS\system32\msik32.exe
O4 - HKLM\..\RunOnce: [d3ot.exe] C:\WINDOWS\system32\d3ot.exe
O4 - HKLM\..\RunOnce: [nettv32.exe] C:\WINDOWS\system32\nettv32.exe
O4 - HKLM\..\RunOnce: [crdo32.exe] C:\WINDOWS\crdo32.exe
O4 - HKLM\..\RunOnce: [netiq32.exe] C:\WINDOWS\netiq32.exe
O4 - HKLM\..\RunOnce: [apixf.exe] C:\WINDOWS\system32\apixf.exe
O4 - HKLM\..\RunOnce: [crpb32.exe] C:\WINDOWS\crpb32.exe
O4 - HKLM\..\RunOnce: [winut32.exe] C:\WINDOWS\system32\winut32.exe
O4 - HKLM\..\RunOnce: [mszb.exe] C:\WINDOWS\mszb.exe
O4 - HKLM\..\RunOnce: [ipmv32.exe] C:\WINDOWS\ipmv32.exe
O4 - HKLM\..\RunOnce: [crsi32.exe] C:\WINDOWS\system32\crsi32.exe
O4 - HKLM\..\RunOnce: [mfcag.exe] C:\WINDOWS\mfcag.exe
O4 - HKLM\..\RunOnce: [iedb.exe] C:\WINDOWS\system32\iedb.exe
O4 - HKLM\..\RunOnce: [sdkcr32.exe] C:\WINDOWS\system32\sdkcr32.exe
O4 - HKLM\..\RunOnce: [atlhl.exe] C:\WINDOWS\system32\atlhl.exe
O4 - HKLM\..\RunOnce: [iejo32.exe] C:\WINDOWS\system32\iejo32.exe
O4 - HKLM\..\RunOnce: [atlcl.exe] C:\WINDOWS\system32\atlcl.exe
O4 - HKLM\..\RunOnce: [ipgw.exe] C:\WINDOWS\ipgw.exe
O4 - HKLM\..\RunOnce: [javayw32.exe] C:\WINDOWS\system32\javayw32.exe
O4 - HKLM\..\RunOnce: [winfh32.exe] C:\WINDOWS\winfh32.exe
O4 - HKLM\..\RunOnce: [sdkuh.exe] C:\WINDOWS\system32\sdkuh.exe
O4 - HKLM\..\RunOnce: [ntbg32.exe] C:\WINDOWS\system32\ntbg32.exe
O4 - HKLM\..\RunOnce: [d3zt.exe] C:\WINDOWS\system32\d3zt.exe
O4 - HKLM\..\RunOnce: [ntty.exe] C:\WINDOWS\ntty.exe
O4 - HKLM\..\RunOnce: [sysav32.exe] C:\WINDOWS\system32\sysav32.exe
O4 - HKLM\..\RunOnce: [mfcyq.exe] C:\WINDOWS\system32\mfcyq.exe
O4 - HKLM\..\RunOnce: [ntds.exe] C:\WINDOWS\system32\ntds.exe
O4 - HKLM\..\RunOnce: [addrs32.exe] C:\WINDOWS\addrs32.exe
O4 - HKLM\..\RunOnce: [sysnu32.exe] C:\WINDOWS\system32\sysnu32.exe
O4 - HKLM\..\RunOnce: [msep32.exe] C:\WINDOWS\msep32.exe
O4 - HKLM\..\RunOnce: [addxj32.exe] C:\WINDOWS\addxj32.exe
O4 - HKLM\..\RunOnce: [addbe.exe] C:\WINDOWS\system32\addbe.exe
O4 - HKLM\..\RunOnce: [javaeu32.exe] C:\WINDOWS\javaeu32.exe
O4 - HKLM\..\RunOnce: [apinl.exe] C:\WINDOWS\system32\apinl.exe
O4 - HKLM\..\RunOnce: [mske.exe] C:\WINDOWS\mske.exe
O4 - HKLM\..\RunOnce: [apihe32.exe] C:\WINDOWS\apihe32.exe
O4 - HKLM\..\RunOnce: [nettx.exe] C:\WINDOWS\nettx.exe
O4 - HKLM\..\RunOnce: [appsa32.exe] C:\WINDOWS\system32\appsa32.exe
O4 - HKLM\..\RunOnce: [javaih32.exe] C:\WINDOWS\javaih32.exe
O4 - HKLM\..\RunOnce: [netqq.exe] C:\WINDOWS\system32\netqq.exe
O4 - HKLM\..\RunOnce: [d3oj.exe] C:\WINDOWS\system32\d3oj.exe
O4 - HKLM\..\RunOnce: [javaee.exe] C:\WINDOWS\system32\javaee.exe
O4 - HKLM\..\RunOnce: [apixv.exe] C:\WINDOWS\system32\apixv.exe
O4 - HKLM\..\RunOnce: [javafo32.exe] C:\WINDOWS\system32\javafo32.exe
O4 - HKLM\..\RunOnce: [ipzr.exe] C:\WINDOWS\system32\ipzr.exe
O4 - HKLM\..\RunOnce: [javawd32.exe] C:\WINDOWS\system32\javawd32.exe
O4 - HKLM\..\RunOnce: [appyz32.exe] C:\WINDOWS\system32\appyz32.exe
O4 - HKLM\..\RunOnce: [javauu32.exe] C:\WINDOWS\javauu32.exe
O4 - HKLM\..\RunOnce: [sdkdt32.exe] C:\WINDOWS\system32\sdkdt32.exe
O4 - HKLM\..\RunOnce: [ieic32.exe] C:\WINDOWS\system32\ieic32.exe
O4 - HKLM\..\RunOnce: [sysqq32.exe] C:\WINDOWS\system32\sysqq32.exe
O4 - HKLM\..\RunOnce: [ieug32.exe] C:\WINDOWS\ieug32.exe
O4 - HKLM\..\RunOnce: [ntry.exe] C:\WINDOWS\system32\ntry.exe
O4 - HKLM\..\RunOnce: [ipak.exe] C:\WINDOWS\ipak.exe
O4 - HKLM\..\RunOnce: [winau.exe] C:\WINDOWS\winau.exe
O4 - HKLM\..\RunOnce: [ieyn32.exe] C:\WINDOWS\ieyn32.exe
O4 - HKLM\..\RunOnce: [ipmq.exe] C:\WINDOWS\ipmq.exe
O4 - HKLM\..\RunOnce: [ievw32.exe] C:\WINDOWS\system32\ievw32.exe
O4 - HKLM\..\RunOnce: [sdkaq32.exe] C:\WINDOWS\sdkaq32.exe
O4 - HKLM\..\RunOnce: [d3fu.exe] C:\WINDOWS\system32\d3fu.exe
O4 - HKLM\..\RunOnce: [appje.exe] C:\WINDOWS\system32\appje.exe
O4 - HKLM\..\RunOnce: [iexk.exe] C:\WINDOWS\system32\iexk.exe
O4 - HKLM\..\RunOnce: [appvf32.exe] C:\WINDOWS\system32\appvf32.exe
O4 - HKLM\..\RunOnce: [ipah32.exe] C:\WINDOWS\system32\ipah32.exe
O4 - HKLM\..\RunOnce: [msep.exe] C:\WINDOWS\system32\msep.exe
O4 - HKLM\..\RunOnce: [sdkdc.exe] C:\WINDOWS\sdkdc.exe
O4 - HKLM\..\RunOnce: [apibp.exe] C:\WINDOWS\system32\apibp.exe
O4 - HKLM\..\RunOnce: [addad32.exe] C:\WINDOWS\addad32.exe
O4 - HKLM\..\RunOnce: [apitz.exe] C:\WINDOWS\system32\apitz.exe
O4 - HKLM\..\RunOnce: [d3df32.exe] C:\WINDOWS\system32\d3df32.exe
O4 - HKLM\..\RunOnce: [javanm.exe] C:\WINDOWS\system32\javanm.exe
O4 - HKLM\..\RunOnce: [winqv.exe] C:\WINDOWS\winqv.exe
O4 - HKLM\..\RunOnce: [ieuf.exe] C:\WINDOWS\system32\ieuf.exe
O4 - HKLM\..\RunOnce: [javask.exe] C:\WINDOWS\javask.exe
O4 - HKLM\..\RunOnce: [ntdp.exe] C:\WINDOWS\ntdp.exe
O4 - HKLM\..\RunOnce: [d3vq.exe] C:\WINDOWS\system32\d3vq.exe
O4 - HKLM\..\RunOnce: [javave.exe] C:\WINDOWS\system32\javave.exe
O4 - HKLM\..\RunOnce: [appno32.exe] C:\WINDOWS\system32\appno32.exe
O4 - HKLM\..\RunOnce: [winjy.exe] C:\WINDOWS\winjy.exe
O4 - HKLM\..\RunOnce: [addsj32.exe] C:\WINDOWS\addsj32.exe
O4 - HKLM\..\RunOnce: [ielm.exe] C:\WINDOWS\ielm.exe
O4 - HKLM\..\RunOnce: [ntoy.exe] C:\WINDOWS\system32\ntoy.exe
O4 - HKLM\..\RunOnce: [d3ce32.exe] C:\WINDOWS\system32\d3ce32.exe
O4 - HKLM\..\RunOnce: [addiy.exe] C:\WINDOWS\addiy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [h077ROa6W] newend.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../yse/ymmapi.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_2_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netff.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


Scanned at: 3:06:15 PM on: 5/31/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\AMS2INST.LOG:lchdn


Removed 2 Random Key Entries
Removed! : C:\WINDOWS\rbmdu.dat
Removed! : C:\WINDOWS\system32\dqxrb.dat
Removed! : C:\WINDOWS\system32\hhbhq.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\AMS2INST.LOG:lchdn


Attempted Clean Of Temp folder.
Pages Reset... Done!


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:06:43 PM, 5/31/2005
+ Report-Checksum: C17A3FFB

+ Date of database: 5/31/2005
+ Version of scan engine: v3.0

+ Duration: 104 min
+ Scanned Files: 69391
+ Speed: 11.07 Files/Second
+ Infected files: 87
+ Removed files: 87
+ Files put in quarantine: 87
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
F:\

+ Scan result:
C:\WINDOWS\addvr32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\addwx.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\atlax.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\atlxk.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\azqdb.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\bgyrt.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\cqljm.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\crbe32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\crnm32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\crum.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\cxysh.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\dklqh.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\206360.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WindowsUpd4Container.dll -> TrojanDownloader.Agent.n -> Cleaned with backup
C:\WINDOWS\fsshu.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\goskh.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\heklu.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\ieia32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\ippe.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\jumvf.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\jwdsm.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\knihi.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\llrgr.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\mfcdc32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\NDNuninstall5_20.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall5_48.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\ovpmz.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\ptptf.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\pxajm.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\rooar.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\safri.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\svncn.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\addfw32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\addgy32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\apimc.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\barnf.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\cgqzr.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\chktrust.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\system32\crkq.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\ctkbd.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\egadm.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\fnwxf.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\fyxus.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\hhlzm.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\hnmif.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\hpjlv.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\HyperLinker3.exe -> Spyware.iSearch -> Cleaned with backup
C:\WINDOWS\system32\hznkv.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\ipfj32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\javaew.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\jcvgm.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\jytwx.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\ksjyq.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\netyf.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\netzi32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\nfkea.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\nmduq.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\qxtsw.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\rawzo.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\rsmyz.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\sdkdp.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sdkrb32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sysjq32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\tdcbs.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\teuej.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\ukpzp.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\unregister.exe -> Spyware.VB.f -> Cleaned with backup
C:\WINDOWS\system32\viikx.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\wined.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\winpa.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\zhogc.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\tamad.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\tmuub.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\txkqb.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\ubeae.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\vchza.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\vmrdn.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\vzifs.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\wapil.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\wdgtl.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\wggwm.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\wgtnm.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\wxgio.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\xcptn.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\xirsr.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\yencw.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\zbrlp.dll -> Spyware.SearchPage -> Cleaned with backup


::Report End
  • 0
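Added example, not part of drago's post or of any helper's reply: a small Python triage script that parses HijackThis O4 and O23 lines like the ones in the log above and flags what a malware helper looks for when reading them: autorun entries that launch randomly named executables (a family prefix such as `api`, `java` or `win` followed by two random letters and an optional `32`), autorun entries whose command is a bare file name with no directory, and services with no vendor, a missing binary or odd characters in the display name. The sample lines embedded in the script are constructed from a handful of entries in this log; the prefix list and the RunOnce threshold of 5 are assumptions drawn from this particular infection, not a HijackThis rule.

```python
"""Triage helper for HijackThis O4/O23 lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on a few lines of the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [msvm32.exe] C:\WINDOWS\msvm32.exe
O4 - HKLM\..\RunOnce: [mshi32.exe] C:\WINDOWS\mshi32.exe
O4 - HKLM\..\RunOnce: [ienu32.exe] C:\WINDOWS\system32\ienu32.exe
O4 - HKLM\..\RunOnce: [javagy32.exe] C:\WINDOWS\system32\javagy32.exe
O4 - HKLM\..\RunOnce: [d3so.exe] C:\WINDOWS\system32\d3so.exe
O4 - HKLM\..\RunOnce: [addux.exe] C:\WINDOWS\addux.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [h077ROa6W] newend.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netff.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Assumption: the family prefixes seen in this log, each followed by two random
# lower-case letters and an optional "32".  Tune the list for other infections.
RANDOM_EXE = re.compile(
    r"^(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.exe$"
)
O4_REG = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
RUNONCE_FLOOD = 5  # assumption: more RunOnce values than this is itself a red flag


@dataclass
class Finding:
    line: str
    exe: str
    reasons: List[str]


def exe_name(cmd: str) -> str:
    """Lower-cased basename of the first .exe in a command; arguments are dropped."""
    m = re.search(r'([^\\"]+?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1).lower() if m else cmd.strip().lower()


def assess_autorun(m: re.Match, line: str) -> Optional[Finding]:
    """Checks for an O4 entry: random executable name, or no directory at all."""
    cmd = m.group("cmd")
    exe = exe_name(cmd)
    reasons = []
    if RANDOM_EXE.match(exe):
        reasons.append("randomly named executable")
    if "\\" not in cmd:
        reasons.append("bare file name, no directory")
    return Finding(line, exe, reasons) if reasons else None


def assess_service(m: re.Match, line: str) -> Optional[Finding]:
    """Checks for an O23 entry: random name, missing binary, no vendor, odd display name."""
    name, owner, cmd = m.group("name"), m.group("owner"), m.group("cmd")
    exe = exe_name(cmd)
    reasons = []
    if RANDOM_EXE.match(exe):
        reasons.append("randomly named executable")
    if "(file missing)" in cmd:
        reasons.append("service binary missing")
    if owner == "Unknown owner":
        reasons.append("no vendor")
    if re.search(r"[^\w\s().-]", name):
        reasons.append("unusual characters in display name")
    return Finding(line, exe, reasons) if reasons else None


def triage(log_text: str) -> Dict[str, object]:
    """Walk a HijackThis log and return the flagged entries plus a RunOnce count."""
    findings: List[Finding] = []
    runonce = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := O4_REG.match(line)):
            if m.group("key") == "RunOnce":
                runonce += 1
            f = assess_autorun(m, line)
        elif (m := O4_STARTUP.match(line)):
            f = assess_autorun(m, line)
        elif (m := O23_SERVICE.match(line)):
            f = assess_service(m, line)
        else:
            f = None
        if f:
            findings.append(f)
    return {
        "findings": findings,
        "runonce_entries": runonce,
        "runonce_flood": runonce > RUNONCE_FLOOD,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"{f.exe:<14} {', '.join(f.reasons)}")
    print(f"RunOnce entries: {report['runonce_entries']} (flood: {report['runonce_flood']})")
```

Run it as a script to get one line per flagged entry; to use it on a real log, pass the whole file's text to `triage()`. The name pattern is a heuristic and will occasionally hit a legitimate short-named tool, so the output is a sorting aid for reading a long log, not a verdict, and the paths it flags should still be checked against the scan results the way the helper does in this thread.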

#6
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

Go to Start->Run and type "Services.msc" (without quotes), then hit Ok.
Scroll down and find the service below:

Network Security Service (NSS) ( 11F#`I)

*NOTE* Make sure the name says Network Security Service (NSS) ( 11F#`I) because there are legitimate services with similar names.

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items, then click Fix checked.

O2 - BHO: Class - {5BB66F6F-6BA4-ED53-05F3-F6ED2C204BED} - C:\WINDOWS\crnm32.dll
O2 - BHO: Class - {61F55B99-6BD7-C8CA-0AB9-97CFED9C0C6D} - C:\WINDOWS\crum.dll
O4 - HKLM\..\Run: [*cabc] C:\WINDOWS\java\classes\cabc.exe
O4 - HKLM\..\Run: [crex32.exe] C:\WINDOWS\system32\crex32.exe
O4 - HKLM\..\Run: [w3oX3EW] ntknst.exe
O4 - HKLM\..\Run: [appgs.exe] C:\WINDOWS\system32\appgs.exe
O4 - HKLM\..\RunOnce: [appic.exe] C:\WINDOWS\system32\appic.exe
O4 - HKLM\..\RunOnce: [netwu32.exe] C:\WINDOWS\system32\netwu32.exe
O4 - HKLM\..\RunOnce: [sdkop.exe] C:\WINDOWS\system32\sdkop.exe
O4 - HKLM\..\RunOnce: [apibs32.exe] C:\WINDOWS\apibs32.exe
O4 - HKLM\..\RunOnce: [appsp32.exe] C:\WINDOWS\appsp32.exe
O4 - HKLM\..\RunOnce: [atlaw32.exe] C:\WINDOWS\atlaw32.exe
O4 - HKLM\..\RunOnce: [addhf32.exe] C:\WINDOWS\system32\addhf32.exe
O4 - HKLM\..\RunOnce: [ntwu32.exe] C:\WINDOWS\system32\ntwu32.exe
O4 - HKLM\..\RunOnce: [d3rx.exe] C:\WINDOWS\system32\d3rx.exe
O4 - HKLM\..\RunOnce: [javayy32.exe] C:\WINDOWS\system32\javayy32.exe
O4 - HKLM\..\RunOnce: [apitd.exe] C:\WINDOWS\apitd.exe
O4 - HKLM\..\RunOnce: [msut32.exe] C:\WINDOWS\msut32.exe
O4 - HKLM\..\RunOnce: [mfcqy32.exe] C:\WINDOWS\mfcqy32.exe
O4 - HKLM\..\RunOnce: [sysqw.exe] C:\WINDOWS\sysqw.exe
O4 - HKLM\..\RunOnce: [ipwd.exe] C:\WINDOWS\system32\ipwd.exe
O4 - HKLM\..\RunOnce: [atltx.exe] C:\WINDOWS\system32\atltx.exe
O4 - HKLM\..\RunOnce: [crrl.exe] C:\WINDOWS\crrl.exe
O4 - HKLM\..\RunOnce: [sdknn32.exe] C:\WINDOWS\system32\sdknn32.exe
O4 - HKLM\..\RunOnce: [mfckt.exe] C:\WINDOWS\mfckt.exe
O4 - HKLM\..\RunOnce: [syspl.exe] C:\WINDOWS\system32\syspl.exe
O4 - HKLM\..\RunOnce: [ntkv32.exe] C:\WINDOWS\ntkv32.exe
O4 - HKLM\..\RunOnce: [wined.exe] C:\WINDOWS\wined.exe
O4 - HKLM\..\RunOnce: [mfcvg32.exe] C:\WINDOWS\system32\mfcvg32.exe
O4 - HKLM\..\RunOnce: [iegj.exe] C:\WINDOWS\system32\iegj.exe
O4 - HKLM\..\RunOnce: [appuz.exe] C:\WINDOWS\appuz.exe
O4 - HKLM\..\RunOnce: [apiud.exe] C:\WINDOWS\system32\apiud.exe
O4 - HKLM\..\RunOnce: [ntwf32.exe] C:\WINDOWS\ntwf32.exe
O4 - HKLM\..\RunOnce: [apilr.exe] C:\WINDOWS\apilr.exe
O4 - HKLM\..\RunOnce: [javazd.exe] C:\WINDOWS\javazd.exe
O4 - HKLM\..\RunOnce: [ntrc.exe] C:\WINDOWS\ntrc.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\winpc.exe
O4 - HKLM\..\RunOnce: [netkm.exe] C:\WINDOWS\system32\netkm.exe
O4 - HKLM\..\RunOnce: [mfcov.exe] C:\WINDOWS\mfcov.exe
O4 - HKLM\..\RunOnce: [netfn32.exe] C:\WINDOWS\system32\netfn32.exe
O4 - HKLM\..\RunOnce: [apipj.exe] C:\WINDOWS\apipj.exe
O4 - HKLM\..\RunOnce: [crfe32.exe] C:\WINDOWS\system32\crfe32.exe
O4 - HKLM\..\RunOnce: [mfctz32.exe] C:\WINDOWS\system32\mfctz32.exe
O4 - HKLM\..\RunOnce: [iekq.exe] C:\WINDOWS\system32\iekq.exe
O4 - HKLM\..\RunOnce: [ieff.exe] C:\WINDOWS\system32\ieff.exe
O4 - HKLM\..\RunOnce: [javaet.exe] C:\WINDOWS\javaet.exe
O4 - HKLM\..\RunOnce: [addia32.exe] C:\WINDOWS\system32\addia32.exe
O4 - HKLM\..\RunOnce: [addfj.exe] C:\WINDOWS\addfj.exe
O4 - HKLM\..\RunOnce: [netsr32.exe] C:\WINDOWS\system32\netsr32.exe
O4 - HKLM\..\RunOnce: [winwk.exe] C:\WINDOWS\system32\winwk.exe
O4 - HKLM\..\RunOnce: [appdu32.exe] C:\WINDOWS\appdu32.exe
O4 - HKLM\..\RunOnce: [ipkt32.exe] C:\WINDOWS\ipkt32.exe
O4 - HKLM\..\RunOnce: [iend32.exe] C:\WINDOWS\iend32.exe
O4 - HKLM\..\RunOnce: [atlmw32.exe] C:\WINDOWS\system32\atlmw32.exe
O4 - HKLM\..\RunOnce: [mfcmj32.exe] C:\WINDOWS\mfcmj32.exe
O4 - HKLM\..\RunOnce: [atlyz32.exe] C:\WINDOWS\system32\atlyz32.exe
O4 - HKLM\..\RunOnce: [apiki32.exe] C:\WINDOWS\system32\apiki32.exe
O4 - HKLM\..\RunOnce: [iebc32.exe] C:\WINDOWS\iebc32.exe
O4 - HKLM\..\RunOnce: [sysvl32.exe] C:\WINDOWS\sysvl32.exe
O4 - HKLM\..\RunOnce: [sdkyg32.exe] C:\WINDOWS\system32\sdkyg32.exe
O4 - HKLM\..\RunOnce: [mfcdq32.exe] C:\WINDOWS\mfcdq32.exe
O4 - HKLM\..\RunOnce: [apimc.exe] C:\WINDOWS\system32\apimc.exe
O4 - HKLM\..\RunOnce: [ipae32.exe] C:\WINDOWS\system32\ipae32.exe
O4 - HKLM\..\RunOnce: [addct32.exe] C:\WINDOWS\system32\addct32.exe
O4 - HKLM\..\RunOnce: [apiqj32.exe] C:\WINDOWS\apiqj32.exe
O4 - HKLM\..\RunOnce: [netzv.exe] C:\WINDOWS\netzv.exe
O4 - HKLM\..\RunOnce: [mfcwq.exe] C:\WINDOWS\mfcwq.exe
O4 - HKLM\..\RunOnce: [crbw.exe] C:\WINDOWS\system32\crbw.exe
O4 - HKLM\..\RunOnce: [appkc32.exe] C:\WINDOWS\system32\appkc32.exe
O4 - HKLM\..\RunOnce: [javaic32.exe] C:\WINDOWS\system32\javaic32.exe
O4 - HKLM\..\RunOnce: [ntsj32.exe] C:\WINDOWS\system32\ntsj32.exe
O4 - HKLM\..\RunOnce: [ievs32.exe] C:\WINDOWS\ievs32.exe
O4 - HKLM\..\RunOnce: [javaox32.exe] C:\WINDOWS\system32\javaox32.exe
O4 - HKLM\..\RunOnce: [sysnk.exe] C:\WINDOWS\system32\sysnk.exe
O4 - HKLM\..\RunOnce: [crmw.exe] C:\WINDOWS\crmw.exe
O4 - HKLM\..\RunOnce: [apiov32.exe] C:\WINDOWS\apiov32.exe
O4 - HKLM\..\RunOnce: [javaom.exe] C:\WINDOWS\javaom.exe
O4 - HKLM\..\RunOnce: [mfcwx.exe] C:\WINDOWS\system32\mfcwx.exe
O4 - HKLM\..\RunOnce: [addah32.exe] C:\WINDOWS\system32\addah32.exe
O4 - HKLM\..\RunOnce: [addsl32.exe] C:\WINDOWS\system32\addsl32.exe
O4 - HKLM\..\RunOnce: [mfcck.exe] C:\WINDOWS\system32\mfcck.exe
O4 - HKLM\..\RunOnce: [mfcpx.exe] C:\WINDOWS\system32\mfcpx.exe
O4 - HKLM\..\RunOnce: [javatn32.exe] C:\WINDOWS\system32\javatn32.exe
O4 - HKLM\..\RunOnce: [crqn.exe] C:\WINDOWS\crqn.exe
O4 - HKLM\..\RunOnce: [ntau.exe] C:\WINDOWS\ntau.exe
O4 - HKLM\..\RunOnce: [winyu.exe] C:\WINDOWS\winyu.exe
O4 - HKLM\..\RunOnce: [addgy32.exe] C:\WINDOWS\system32\addgy32.exe
O4 - HKLM\..\RunOnce: [javapc32.exe] C:\WINDOWS\javapc32.exe
O4 - HKLM\..\RunOnce: [msvm32.exe] C:\WINDOWS\msvm32.exe
O4 - HKLM\..\RunOnce: [mshi32.exe] C:\WINDOWS\mshi32.exe
O4 - HKLM\..\RunOnce: [ienu32.exe] C:\WINDOWS\system32\ienu32.exe
O4 - HKLM\..\RunOnce: [crac32.exe] C:\WINDOWS\crac32.exe
O4 - HKLM\..\RunOnce: [winka32.exe] C:\WINDOWS\system32\winka32.exe
O4 - HKLM\..\RunOnce: [ieiv.exe] C:\WINDOWS\system32\ieiv.exe
O4 - HKLM\..\RunOnce: [addnv.exe] C:\WINDOWS\addnv.exe
O4 - HKLM\..\RunOnce: [winrf32.exe] C:\WINDOWS\system32\winrf32.exe
O4 - HKLM\..\RunOnce: [mskj.exe] C:\WINDOWS\mskj.exe
O4 - HKLM\..\RunOnce: [crze.exe] C:\WINDOWS\crze.exe
O4 - HKLM\..\RunOnce: [appmk.exe] C:\WINDOWS\appmk.exe
O4 - HKLM\..\RunOnce: [sdkvq32.exe] C:\WINDOWS\sdkvq32.exe
O4 - HKLM\..\RunOnce: [addkr32.exe] C:\WINDOWS\addkr32.exe
O4 - HKLM\..\RunOnce: [syscp.exe] C:\WINDOWS\system32\syscp.exe
O4 - HKLM\..\RunOnce: [sdkci32.exe] C:\WINDOWS\system32\sdkci32.exe
O4 - HKLM\..\RunOnce: [applo.exe] C:\WINDOWS\applo.exe
O4 - HKLM\..\RunOnce: [javagy32.exe] C:\WINDOWS\system32\javagy32.exe
O4 - HKLM\..\RunOnce: [apioj32.exe] C:\WINDOWS\system32\apioj32.exe
O4 - HKLM\..\RunOnce: [javayi.exe] C:\WINDOWS\javayi.exe
O4 - HKLM\..\RunOnce: [appbx32.exe] C:\WINDOWS\appbx32.exe
O4 - HKLM\..\RunOnce: [iezk32.exe] C:\WINDOWS\system32\iezk32.exe
O4 - HKLM\..\RunOnce: [d3so.exe] C:\WINDOWS\system32\d3so.exe
O4 - HKLM\..\RunOnce: [javaik.exe] C:\WINDOWS\system32\javaik.exe
O4 - HKLM\..\RunOnce: [d3cb.exe] C:\WINDOWS\system32\d3cb.exe
O4 - HKLM\..\RunOnce: [addux.exe] C:\WINDOWS\addux.exe
O4 - HKLM\..\RunOnce: [ntdv32.exe] C:\WINDOWS\ntdv32.exe
O4 - HKLM\..\RunOnce: [atlga.exe] C:\WINDOWS\system32\atlga.exe
O4 - HKLM\..\RunOnce: [apixy.exe] C:\WINDOWS\system32\apixy.exe
O4 - HKLM\..\RunOnce: [wincs32.exe] C:\WINDOWS\system32\wincs32.exe
O4 - HKLM\..\RunOnce: [mfcbn.exe] C:\WINDOWS\system32\mfcbn.exe
O4 - HKLM\..\RunOnce: [winuk32.exe] C:\WINDOWS\winuk32.exe
O4 - HKLM\..\RunOnce: [apizc32.exe] C:\WINDOWS\apizc32.exe
O4 - HKLM\..\RunOnce: [appmj32.exe] C:\WINDOWS\system32\appmj32.exe
O4 - HKLM\..\RunOnce: [ipwa32.exe] C:\WINDOWS\ipwa32.exe
O4 - HKLM\..\RunOnce: [msom.exe] C:\WINDOWS\system32\msom.exe
O4 - HKLM\..\RunOnce: [mfcsw32.exe] C:\WINDOWS\mfcsw32.exe
O4 - HKLM\..\RunOnce: [appnx.exe] C:\WINDOWS\system32\appnx.exe
O4 - HKLM\..\RunOnce: [ipgu.exe] C:\WINDOWS\ipgu.exe
O4 - HKLM\..\RunOnce: [winuw.exe] C:\WINDOWS\system32\winuw.exe
O4 - HKLM\..\RunOnce: [ipdc32.exe] C:\WINDOWS\system32\ipdc32.exe
O4 - HKLM\..\RunOnce: [appdq.exe] C:\WINDOWS\system32\appdq.exe
O4 - HKLM\..\RunOnce: [msik32.exe] C:\WINDOWS\system32\msik32.exe
O4 - HKLM\..\RunOnce: [d3ot.exe] C:\WINDOWS\system32\d3ot.exe
O4 - HKLM\..\RunOnce: [nettv32.exe] C:\WINDOWS\system32\nettv32.exe
O4 - HKLM\..\RunOnce: [crdo32.exe] C:\WINDOWS\crdo32.exe
O4 - HKLM\..\RunOnce: [netiq32.exe] C:\WINDOWS\netiq32.exe
O4 - HKLM\..\RunOnce: [apixf.exe] C:\WINDOWS\system32\apixf.exe
O4 - HKLM\..\RunOnce: [crpb32.exe] C:\WINDOWS\crpb32.exe
O4 - HKLM\..\RunOnce: [winut32.exe] C:\WINDOWS\system32\winut32.exe
O4 - HKLM\..\RunOnce: [mszb.exe] C:\WINDOWS\mszb.exe
O4 - HKLM\..\RunOnce: [ipmv32.exe] C:\WINDOWS\ipmv32.exe
O4 - HKLM\..\RunOnce: [crsi32.exe] C:\WINDOWS\system32\crsi32.exe
O4 - HKLM\..\RunOnce: [mfcag.exe] C:\WINDOWS\mfcag.exe
O4 - HKLM\..\RunOnce: [iedb.exe] C:\WINDOWS\system32\iedb.exe
O4 - HKLM\..\RunOnce: [sdkcr32.exe] C:\WINDOWS\system32\sdkcr32.exe
O4 - HKLM\..\RunOnce: [atlhl.exe] C:\WINDOWS\system32\atlhl.exe
O4 - HKLM\..\RunOnce: [iejo32.exe] C:\WINDOWS\system32\iejo32.exe
O4 - HKLM\..\RunOnce: [atlcl.exe] C:\WINDOWS\system32\atlcl.exe
O4 - HKLM\..\RunOnce: [ipgw.exe] C:\WINDOWS\ipgw.exe
O4 - HKLM\..\RunOnce: [javayw32.exe] C:\WINDOWS\system32\javayw32.exe
O4 - HKLM\..\RunOnce: [winfh32.exe] C:\WINDOWS\winfh32.exe
O4 - HKLM\..\RunOnce: [sdkuh.exe] C:\WINDOWS\system32\sdkuh.exe
O4 - HKLM\..\RunOnce: [ntbg32.exe] C:\WINDOWS\system32\ntbg32.exe
O4 - HKLM\..\RunOnce: [d3zt.exe] C:\WINDOWS\system32\d3zt.exe
O4 - HKLM\..\RunOnce: [ntty.exe] C:\WINDOWS\ntty.exe
O4 - HKLM\..\RunOnce: [sysav32.exe] C:\WINDOWS\system32\sysav32.exe
O4 - HKLM\..\RunOnce: [mfcyq.exe] C:\WINDOWS\system32\mfcyq.exe
O4 - HKLM\..\RunOnce: [ntds.exe] C:\WINDOWS\system32\ntds.exe
O4 - HKLM\..\RunOnce: [addrs32.exe] C:\WINDOWS\addrs32.exe
O4 - HKLM\..\RunOnce: [sysnu32.exe] C:\WINDOWS\system32\sysnu32.exe
O4 - HKLM\..\RunOnce: [msep32.exe] C:\WINDOWS\msep32.exe
O4 - HKLM\..\RunOnce: [addxj32.exe] C:\WINDOWS\addxj32.exe
O4 - HKLM\..\RunOnce: [addbe.exe] C:\WINDOWS\system32\addbe.exe
O4 - HKLM\..\RunOnce: [javaeu32.exe] C:\WINDOWS\javaeu32.exe
O4 - HKLM\..\RunOnce: [apinl.exe] C:\WINDOWS\system32\apinl.exe
O4 - HKLM\..\RunOnce: [mske.exe] C:\WINDOWS\mske.exe
O4 - HKLM\..\RunOnce: [apihe32.exe] C:\WINDOWS\apihe32.exe
O4 - HKLM\..\RunOnce: [nettx.exe] C:\WINDOWS\nettx.exe
O4 - HKLM\..\RunOnce: [appsa32.exe] C:\WINDOWS\system32\appsa32.exe
O4 - HKLM\..\RunOnce: [javaih32.exe] C:\WINDOWS\javaih32.exe
O4 - HKLM\..\RunOnce: [netqq.exe] C:\WINDOWS\system32\netqq.exe
O4 - HKLM\..\RunOnce: [d3oj.exe] C:\WINDOWS\system32\d3oj.exe
O4 - HKLM\..\RunOnce: [javaee.exe] C:\WINDOWS\system32\javaee.exe
O4 - HKLM\..\RunOnce: [apixv.exe] C:\WINDOWS\system32\apixv.exe
O4 - HKLM\..\RunOnce: [javafo32.exe] C:\WINDOWS\system32\javafo32.exe
O4 - HKLM\..\RunOnce: [ipzr.exe] C:\WINDOWS\system32\ipzr.exe
O4 - HKLM\..\RunOnce: [javawd32.exe] C:\WINDOWS\system32\javawd32.exe
O4 - HKLM\..\RunOnce: [appyz32.exe] C:\WINDOWS\system32\appyz32.exe
O4 - HKLM\..\RunOnce: [javauu32.exe] C:\WINDOWS\javauu32.exe
O4 - HKLM\..\RunOnce: [sdkdt32.exe] C:\WINDOWS\system32\sdkdt32.exe
O4 - HKLM\..\RunOnce: [ieic32.exe] C:\WINDOWS\system32\ieic32.exe
O4 - HKLM\..\RunOnce: [sysqq32.exe] C:\WINDOWS\system32\sysqq32.exe
O4 - HKLM\..\RunOnce: [ieug32.exe] C:\WINDOWS\ieug32.exe
O4 - HKLM\..\RunOnce: [ntry.exe] C:\WINDOWS\system32\ntry.exe
O4 - HKLM\..\RunOnce: [ipak.exe] C:\WINDOWS\ipak.exe
O4 - HKLM\..\RunOnce: [winau.exe] C:\WINDOWS\winau.exe
O4 - HKLM\..\RunOnce: [ieyn32.exe] C:\WINDOWS\ieyn32.exe
O4 - HKLM\..\RunOnce: [ipmq.exe] C:\WINDOWS\ipmq.exe
O4 - HKLM\..\RunOnce: [ievw32.exe] C:\WINDOWS\system32\ievw32.exe
O4 - HKLM\..\RunOnce: [sdkaq32.exe] C:\WINDOWS\sdkaq32.exe
O4 - HKLM\..\RunOnce: [d3fu.exe] C:\WINDOWS\system32\d3fu.exe
O4 - HKLM\..\RunOnce: [appje.exe] C:\WINDOWS\system32\appje.exe
O4 - HKLM\..\RunOnce: [iexk.exe] C:\WINDOWS\system32\iexk.exe
O4 - HKLM\..\RunOnce: [appvf32.exe] C:\WINDOWS\system32\appvf32.exe
O4 - HKLM\..\RunOnce: [ipah32.exe] C:\WINDOWS\system32\ipah32.exe
O4 - HKLM\..\RunOnce: [msep.exe] C:\WINDOWS\system32\msep.exe
O4 - HKLM\..\RunOnce: [sdkdc.exe] C:\WINDOWS\sdkdc.exe
O4 - HKLM\..\RunOnce: [apibp.exe] C:\WINDOWS\system32\apibp.exe
O4 - HKLM\..\RunOnce: [addad32.exe] C:\WINDOWS\addad32.exe
O4 - HKLM\..\RunOnce: [apitz.exe] C:\WINDOWS\system32\apitz.exe
O4 - HKLM\..\RunOnce: [d3df32.exe] C:\WINDOWS\system32\d3df32.exe
O4 - HKLM\..\RunOnce: [javanm.exe] C:\WINDOWS\system32\javanm.exe
O4 - HKLM\..\RunOnce: [winqv.exe] C:\WINDOWS\winqv.exe
O4 - HKLM\..\RunOnce: [ieuf.exe] C:\WINDOWS\system32\ieuf.exe
O4 - HKLM\..\RunOnce: [javask.exe] C:\WINDOWS\javask.exe
O4 - HKLM\..\RunOnce: [ntdp.exe] C:\WINDOWS\ntdp.exe
O4 - HKLM\..\RunOnce: [d3vq.exe] C:\WINDOWS\system32\d3vq.exe
O4 - HKLM\..\RunOnce: [javave.exe] C:\WINDOWS\system32\javave.exe
O4 - HKLM\..\RunOnce: [appno32.exe] C:\WINDOWS\system32\appno32.exe
O4 - HKLM\..\RunOnce: [winjy.exe] C:\WINDOWS\winjy.exe
O4 - HKLM\..\RunOnce: [addsj32.exe] C:\WINDOWS\addsj32.exe
O4 - HKLM\..\RunOnce: [ielm.exe] C:\WINDOWS\ielm.exe
O4 - HKLM\..\RunOnce: [ntoy.exe] C:\WINDOWS\system32\ntoy.exe
O4 - HKLM\..\RunOnce: [d3ce32.exe] C:\WINDOWS\system32\d3ce32.exe
O4 - HKLM\..\RunOnce: [addiy.exe] C:\WINDOWS\addiy.exe
O4 - HKCU\..\Run: [h077ROa6W] newend.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netff.exe" /s (file missing)



Now open pocketkillbox. Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of file paths below.
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'.
The entire list should now be in the "Full Path of File to Delete"
field. To check, click on the dropdown arrow next to that field.
If you expand it, these lines should all be there.

C:\WINDOWS\java\classes\cabc.exe
C:\WINDOWS\system32\crex32.ex
C:\WINDOWS\system32\appgs.exe
C:\WINDOWS\system32\appic.exe
C:\WINDOWS\system32\netwu32.exe
C:\WINDOWS\system32\sdkop.exe
C:\WINDOWS\apibs32.exe
C:\WINDOWS\appsp32.exe
C:\WINDOWS\atlaw32.exe
C:\WINDOWS\system32\addhf32.exe
C:\WINDOWS\system32\ntwu32.exe
C:\WINDOWS\system32\d3rx.exe
C:\WINDOWS\system32\javayy32.exe
C:\WINDOWS\apitd.exe
C:\WINDOWS\msut32.exe
C:\WINDOWS\mfcqy32.exe
C:\WINDOWS\sysqw.exe
C:\WINDOWS\system32\ipwd.exe
C:\WINDOWS\system32\atltx.exe
C:\WINDOWS\crrl.exe
C:\WINDOWS\system32\sdknn32.exe
C:\WINDOWS\mfckt.exe
C:\WINDOWS\system32\syspl.exe
C:\WINDOWS\ntkv32.exe
C:\WINDOWS\wined.exe
C:\WINDOWS\system32\mfcvg32.exe
C:\WINDOWS\system32\iegj.exe
C:\WINDOWS\appuz.exe
C:\WINDOWS\system32\apiud.exe
C:\WINDOWS\ntwf32.exe
C:\WINDOWS\apilr.exe
C:\WINDOWS\javazd.exe
C:\WINDOWS\ntrc.exe
C:\WINDOWS\winpc.exe
C:\WINDOWS\system32\netkm.exe
C:\WINDOWS\mfcov.exe
C:\WINDOWS\system32\netfn32.exe
C:\WINDOWS\apipj.exe
C:\WINDOWS\system32\crfe32.exe
C:\WINDOWS\system32\mfctz32.exe
C:\WINDOWS\system32\iekq.exe
C:\WINDOWS\system32\ieff.exe
C:\WINDOWS\javaet.exe
C:\WINDOWS\system32\addia32.exe
C:\WINDOWS\addfj.exe
C:\WINDOWS\system32\netsr32.exe
C:\WINDOWS\system32\winwk.exe
C:\WINDOWS\appdu32.exe
C:\WINDOWS\ipkt32.exe
C:\WINDOWS\iend32.exe
C:\WINDOWS\system32\atlmw32.exe
C:\WINDOWS\mfcmj32.exe
C:\WINDOWS\system32\atlyz32.exe
C:\WINDOWS\system32\apiki32.exe
C:\WINDOWS\iebc32.exe
C:\WINDOWS\sysvl32.exe
C:\WINDOWS\system32\sdkyg32.exe
C:\WINDOWS\mfcdq32.exe
C:\WINDOWS\system32\apimc.exe
C:\WINDOWS\system32\ipae32.exe
C:\WINDOWS\system32\addct32.exe
C:\WINDOWS\apiqj32.exe
C:\WINDOWS\netzv.exe
C:\WINDOWS\mfcwq.exe
C:\WINDOWS\system32\crbw.exe
C:\WINDOWS\system32\appkc32.exe
C:\WINDOWS\system32\javaic32.exe
C:\WINDOWS\system32\ntsj32.exe
C:\WINDOWS\ievs32.exe
C:\WINDOWS\system32\javaox32.exe
C:\WINDOWS\system32\sysnk.exe
C:\WINDOWS\crmw.exe
C:\WINDOWS\apiov32.exe
C:\WINDOWS\javaom.exe
C:\WINDOWS\system32\mfcwx.exe
C:\WINDOWS\system32\addah32.exe
C:\WINDOWS\system32\addsl32.exe
C:\WINDOWS\system32\mfcck.exe
C:\WINDOWS\system32\mfcpx.exe
C:\WINDOWS\system32\javatn32.exe
C:\WINDOWS\crqn.exe
C:\WINDOWS\ntau.exe
C:\WINDOWS\winyu.exe
C:\WINDOWS\system32\addgy32.exe
C:\WINDOWS\javapc32.exe
C:\WINDOWS\msvm32.exe
C:\WINDOWS\mshi32.exe
C:\WINDOWS\system32\ienu32.exe
C:\WINDOWS\crac32.exe
C:\WINDOWS\system32\winka32.exe
C:\WINDOWS\system32\ieiv.exe
C:\WINDOWS\addnv.exe
C:\WINDOWS\system32\winrf32.exe
C:\WINDOWS\mskj.exe
C:\WINDOWS\crze.exe
C:\WINDOWS\appmk.exe
C:\WINDOWS\sdkvq32.exe
C:\WINDOWS\addkr32.exe
C:\WINDOWS\system32\syscp.exe
C:\WINDOWS\system32\sdkci32.exe
C:\WINDOWS\applo.exe
C:\WINDOWS\system32\javagy32.exe
C:\WINDOWS\system32\apioj32.exe
C:\WINDOWS\javayi.exe
C:\WINDOWS\appbx32.exe
C:\WINDOWS\system32\iezk32.exe
C:\WINDOWS\system32\d3so.exe
C:\WINDOWS\system32\javaik.exe
C:\WINDOWS\system32\d3cb.exe
C:\WINDOWS\addux.exe
C:\WINDOWS\ntdv32.exe
C:\WINDOWS\system32\atlga.exe
C:\WINDOWS\system32\apixy.exe
C:\WINDOWS\system32\wincs32.exe
C:\WINDOWS\system32\mfcbn.exe
C:\WINDOWS\winuk32.exe
C:\WINDOWS\apizc32.exe
C:\WINDOWS\system32\appmj32.exe
C:\WINDOWS\ipwa32.exe
C:\WINDOWS\system32\msom.exe
C:\WINDOWS\mfcsw32.exe
C:\WINDOWS\system32\appnx.exe
C:\WINDOWS\ipgu.exe
C:\WINDOWS\system32\winuw.exe
C:\WINDOWS\system32\ipdc32.exe
C:\WINDOWS\system32\appdq.exe
C:\WINDOWS\system32\msik32.exe
C:\WINDOWS\system32\d3ot.exe
C:\WINDOWS\system32\nettv32.exe
C:\WINDOWS\crdo32.exe
C:\WINDOWS\netiq32.exe
C:\WINDOWS\system32\apixf.exe
C:\WINDOWS\crpb32.exe
C:\WINDOWS\system32\winut32.exe
C:\WINDOWS\mszb.exe
C:\WINDOWS\ipmv32.exe
C:\WINDOWS\system32\crsi32.exe
C:\WINDOWS\mfcag.exe
C:\WINDOWS\system32\iedb.exe
C:\WINDOWS\system32\sdkcr32.exe
C:\WINDOWS\system32\atlhl.exe
C:\WINDOWS\system32\iejo32.exe
C:\WINDOWS\system32\atlcl.exe
C:\WINDOWS\ipgw.exe
C:\WINDOWS\system32\javayw32.exe
C:\WINDOWS\winfh32.exe
C:\WINDOWS\system32\sdkuh.exe
C:\WINDOWS\system32\ntbg32.exe
C:\WINDOWS\system32\d3zt.exe
C:\WINDOWS\ntty.exe
C:\WINDOWS\system32\sysav32.exe
C:\WINDOWS\system32\mfcyq.exe
C:\WINDOWS\system32\ntds.exe
C:\WINDOWS\addrs32.exe
C:\WINDOWS\system32\sysnu32.exe
C:\WINDOWS\msep32.exe
C:\WINDOWS\addxj32.exe
C:\WINDOWS\system32\addbe.exe
C:\WINDOWS\javaeu32.exe
C:\WINDOWS\system32\apinl.exe
C:\WINDOWS\mske.exe
C:\WINDOWS\apihe32.exe
C:\WINDOWS\nettx.exe
C:\WINDOWS\system32\appsa32.exe
C:\WINDOWS\javaih32.exe
C:\WINDOWS\system32\netqq.exe
C:\WINDOWS\system32\d3oj.exe
C:\WINDOWS\system32\javaee.exe
C:\WINDOWS\system32\apixv.exe
C:\WINDOWS\system32\javafo32.exe
C:\WINDOWS\system32\ipzr.exe
C:\WINDOWS\system32\javawd32.exe
C:\WINDOWS\system32\appyz32.exe
C:\WINDOWS\javauu32.exe
C:\WINDOWS\system32\sdkdt32.exe
C:\WINDOWS\system32\ieic32.exe
C:\WINDOWS\system32\sysqq32.exe
C:\WINDOWS\ieug32.exe
C:\WINDOWS\system32\ntry.exe
C:\WINDOWS\ipak.exe
C:\WINDOWS\winau.exe
C:\WINDOWS\ieyn32.exe
C:\WINDOWS\ipmq.exe
C:\WINDOWS\system32\ievw32.exe
C:\WINDOWS\sdkaq32.exe
C:\WINDOWS\system32\d3fu.exe
C:\WINDOWS\system32\iexk.exe
C:\WINDOWS\system32\appvf32.exe
C:\WINDOWS\system32\ipah32.exe
C:\WINDOWS\system32\msep.exe
C:\WINDOWS\sdkdc.exe
C:\WINDOWS\system32\apibp.exe
C:\WINDOWS\addad32.exe
C:\WINDOWS\system32\apitz.exe
C:\WINDOWS\system32\d3df32.exe
C:\WINDOWS\system32\javanm.exe
C:\WINDOWS\winqv.exe
C:\WINDOWS\system32\ieuf.exe
C:\WINDOWS\javask.exe
C:\WINDOWS\ntdp.exe
C:\WINDOWS\system32\d3vq.exe
C:\WINDOWS\system32\javave.exe
C:\WINDOWS\system32\appno32.exe
C:\WINDOWS\winjy.exe
C:\WINDOWS\addsj32.exe
C:\WINDOWS\ielm.exe
C:\WINDOWS\system32\ntoy.exe
C:\WINDOWS\system32\d3ce32.exe
C:\WINDOWS\addiy.exe
C:\WINDOWS\system32\netff.exe
C:\WINDOWS\crnm32.dll
C:\WINDOWS\crum.dll
C:\WINDOWS\system32\appje.exe


Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES.

into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).


Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Run AboutBuster again, or until it doesn't find much.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Adaware

Run Ewido


Reboot and post ewido and hijack log and ab log and we'll see how it went

#7 drago (Member, Topic Starter, 22 posts)
hi loophole,
I get the ewido alerts about trojans every minute. It says trojan.agent.bi



Scanned at: 6:38:32 PM on: 6/1/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 3 Random Key Entries
Removed! : C:\WINDOWS\vskea.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!






---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:16:45 PM, 6/1/2005
+ Report-Checksum: 6AB528AF

+ Date of database: 6/1/2005
+ Version of scan engine: v3.0

+ Duration: 360 min
+ Scanned Files: 69316
+ Speed: 3.20 Files/Second
+ Infected files: 23
+ Removed files: 21
+ Files put in quarantine: 21
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
F:\

+ Scan result:
C:\WINDOWS\addjg32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\apiik32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\crjd.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\d3pu.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\d3rd.dll -> TrojanDownloader.Agent.bc -> Ignored
C:\WINDOWS\ipud32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\jkyot.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\qmjvo.dll -> Spyware.SearchPage -> Ignored
C:\WINDOWS\system32\addrc.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\addxe32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\apiks.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\biaff.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\crgz32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\d3bc32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\ipyw.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sujgk.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\vxsei.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\ughms.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\winby32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\winfj32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\wingw32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\xuhst.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\xxcad.dll -> Spyware.SearchPage -> Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 10:38:49 AM, on 6/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\3DLman.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\appgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xuhst.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xuhst.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xuhst.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xuhst.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xuhst.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xuhst.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xuhst.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05F25C50-3BB3-631B-F741-59280D6A3014} - C:\WINDOWS\system32\crbx.dll
O2 - BHO: Class - {589D6BFA-A677-84A6-8861-4258C74F6BA6} - C:\WINDOWS\system32\netoz32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D3E5D124-D9B7-84AB-815D-1BC94BD013BE} - C:\WINDOWS\system32\addxe32.dll
O2 - BHO: Class - {E63F1C8C-F268-E0E3-67B6-E79D4A5DD48E} - C:\WINDOWS\d3rd.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_2_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\System32\3DLman.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [appgs.exe] C:\WINDOWS\system32\appgs.exe
O4 - HKLM\..\RunOnce: [crsi32.exe] C:\WINDOWS\system32\crsi32.exe
O4 - HKLM\..\RunOnce: [atlhl.exe] C:\WINDOWS\system32\atlhl.exe
O4 - HKLM\..\RunOnce: [sdkda32.exe] C:\WINDOWS\system32\sdkda32.exe
O4 - HKLM\..\RunOnce: [d3lg.exe] C:\WINDOWS\system32\d3lg.exe
O4 - HKLM\..\RunOnce: [netqb32.exe] C:\WINDOWS\netqb32.exe
O4 - HKLM\..\RunOnce: [sdkeg.exe] C:\WINDOWS\system32\sdkeg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../yse/ymmapi.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_2_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netff.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
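One way to automate the triage a helper does by eye on a log like the one above, written here as an added example (not code from this thread, from HijackThis or from any tool named in it): it parses R0/R1, R3, O2, O4 and O23 lines and flags the patterns this infection shows (search pages served from a res:// resource inside a local DLL, a BHO registered only as "Class", random-named executables launched from Run/RunOnce keys in the Windows folder, and a service with a garbled name and a missing binary). SAMPLE_LOG is constructed from this thread's own entries, and the prefix list in RANDOM_NAME is a heuristic derived from the thread's Killbox list, not a vendor signature.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format: entries modelled on the
# ones posted in this thread (same names and paths), mixed with benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xuhst.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05F25C50-3BB3-631B-F741-59280D6A3014} - C:\WINDOWS\system32\crbx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [appgs.exe] C:\WINDOWS\system32\appgs.exe
O4 - HKLM\..\RunOnce: [crsi32.exe] C:\WINDOWS\system32\crsi32.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netff.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str      # HijackThis section tag: R1, O2, O4, O23, ...
    line: str
    reasons: tuple    # one or more human-readable reasons


# Naming scheme of the dropper family in this thread: a system-sounding prefix,
# two random letters, an optional "32", sitting directly in %WINDIR% or system32.
# Heuristic derived from the thread's Killbox list, not a vendor signature; some
# real files (e.g. winmm.dll) also match it, so it is only applied to entries that
# already sit in an autostart position (Run/RunOnce key, BHO).
RANDOM_NAME = re.compile(
    r"^(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.(exe|dll)$",
    re.I)
WINDIR_FILE = re.compile(r"^[a-z]:\\windows(\\system32)?\\([^\\]+)$", re.I)
FIRST_PATH = re.compile(r'^"?(.+?\.(?:exe|dll))', re.I)   # path before any arguments


def looks_generated(path: str) -> bool:
    m = WINDIR_FILE.match(path)
    return bool(m and RANDOM_NAME.match(m.group(2)))


def first_path(text: str) -> str:
    m = FIRST_PATH.match(text.strip())
    return m.group(1) if m else text.strip()


def check_line(line: str) -> list:
    """Return the reasons one HijackThis line deserves review (empty list if none)."""
    reasons = []
    parts = line.split(" - ")
    tag = parts[0]
    if tag in ("R0", "R1") and "= res://" in line:
        reasons.append("IE start/search setting points into a local DLL resource "
                       "(the about:blank / sp.html hijack)")
    elif tag == "R3" and "URLSearchHook is missing" in line:
        reasons.append("default URLSearchHook was removed; let HijackThis restore it")
    elif tag == "O2" and len(parts) >= 4:
        name, path = parts[1][len("BHO: "):], parts[3]
        if name == "Class":
            reasons.append("BHO registered without a descriptive name")
        if looks_generated(path):
            reasons.append("BHO DLL %s follows the random-name scheme" % path)
    elif tag == "O4":
        m = re.match(r"^O4 - (.+?): \[([^\]]+)\] (.+)$", line)
        if m:
            key, entry, path = m.group(1), m.group(2), first_path(m.group(3))
            if looks_generated(path):
                reasons.append("%s entry launches random-named %s" % (key, path))
            if entry.lower() == path.rsplit("\\", 1)[-1].lower():
                reasons.append("value name is just the file name, no product name")
    elif tag == "O23" and len(parts) >= 4:
        name, owner, tail = parts[1][len("Service: "):], parts[2], parts[3]
        if re.search(r"[^\w\s().,&'-]", name):
            reasons.append("service name contains symbol or non-printable characters")
        if owner == "Unknown owner":
            reasons.append("no vendor recorded for the service")
        if "(file missing)" in tail:
            reasons.append("service binary is gone from disk: stale entry of a deleted dropper")
    return reasons


def triage(log_text: str) -> list:
    """Run every non-blank line of a HijackThis log through check_line; collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = check_line(line)
        if reasons:
            findings.append(Finding(line.split(" - ", 1)[0], line, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s" % (f.section, f.line))
        for r in f.reasons:
            print("      - " + r)
```

The benign Google, Winamp and DefWatch lines in the sample produce no findings; the six flagged lines are exactly the ones the helper tells the poster to fix or delete.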

#8 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello Drago

Please download firefox here
Until we get you cleaned up, please do NOT use Internet Explorer or reboot your computer. Doing either of these can and will cause your infection to replicate itself!

#9 drago (Member, Topic Starter, 22 posts)
I have downloaded the file!

#10 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello Drago :tazz:

Print out a copy of these instructions to follow while you complete this procedure.
The first thing I want you to do is to delete the About.Buster program you have. There was a new version released over the weekend, and it has some updated definitions that we are going to need!

1. Download about:buster by RubbeRDuckY Here. http://www.geekstogo...=download&id=25
Update About:Buster
Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster

2. Please download the latest version of Ad-aware. If you're using an older version (or don't have AdAware yet), download Ad-aware SE Personal and install it. http://lavasoft.elem...pport/download/
Before scanning with Ad-aware SE Free:
Update your version using the following configuration below
Update:
Select Check for updates.
Then Connect and download the newest update.
Close the program, we will use it later!

3. Download the eScan Antivirus Toolkit here. http://www.spywarein...wnload/mwav.exe
Save it to the desktop. This program is 9.9MB in size.
Don't run it yet, we will use it later.

4. Update Ewido security suite

5. You must first STOP and DISABLE the rogue service:
There are different Display Names to look for:

* Workstation NetLogon Service
* Remote Procedure Call (RPC) Helper
* Remote Access Service
* Network Security Service (NSS)

Go to Start => Run and type "Services.msc" (without quotes) then click Ok.

1.) Scroll down and find one of the bad services described above, such as: Network Security Service (NSS)
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.

6. Copy the contents of the Code Box below to Notepad. Name the file cwsresfix.reg. Change the Save as Type to All Files, and save this file on the desktop.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F_#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?_%AF___]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?_rtȲ$_]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O.#?´_]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F฿ไ #ทบฤึ`I] 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F_#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?_%AF___]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?_rtȲ$_]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O.#?´_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F_#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_?_%AF___]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?_rtȲ$_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O.#?´_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F_#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?_%AF___]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?_rtȲ$_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O.#?´_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F_#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_?_%AF___]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?_rtȲ$_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O.#?´_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F_#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\?_%AF___]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?_rtȲ$_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O.#?´_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F_#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_?_%AF___]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?_rtȲ$_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O.#?´_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F_#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\?_%AF___]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?_rtȲ$_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O.#?´_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F_#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_?_%AF___]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O?_rtȲ$_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O.#?´_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F_#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\?_%AF___]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O?_rtȲ$_]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O.#?´_]

7. Reboot into Safe Mode

8. From Safe Mode, double-click on CWShredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

9. From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for rogue files and automatically run a second time.

10. From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip; by default it will extract all the program files to a new folder called Kaspersky at the root of the C:\ drive (C:\Kaspersky).
3.) A dialog box stating "168 file(s) unzipped successfully" will appear, click OK. After clicking ok, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box, this will create another Drive box below it, check this second Drive box as well; now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.

11. From Safe Mode, run the Ewido Security Suite 3.0.
NOTE: Windows 2000 and XP only.
1.) Double-click on the Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click on the + Everything button.
4.) Click on the Start button.
5.) Have the program delete everything it finds.

12. From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

13. From Safe Mode, double-click on the cwsresfix.reg you created earlier and when it prompts to merge say yes, and this will clear some registry entries left behind by the process. Now reboot the PC back into Normal Mode (Windows).

14. Go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

15. Please post a fresh HJT log here for review so we can clean out any remnants of infection.

#11 drago (Member, Topic Starter, 22 posts)
Hi Loophole,
I have for you new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:25:49 PM, on 6/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\3DLman.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_2_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\System32\3DLman.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../yse/ymmapi.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_2_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#12 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello Drago ;)

Good job Drago, you got it :tazz:. Just a couple of minor entries to fix.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing


Reboot and post a hijack log and tell me how your system is running now

#13 drago (Member, Topic Starter, 22 posts)
I am attaching the HJT log. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 12:15:44 PM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\3DLman.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_2_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\System32\3DLman.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../yse/ymmapi.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_2_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#14
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Your system is clean :tazz:

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice, So how did I get infected in the first place?, and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

#15
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.