[Danooo]

After recently formatting my computer, I forgot to install SP2. This lead to me being prone to attacks. I was unprotected and got infected with spyware which keeps coming back in different forms. I really need to know how to delete this stuff for good. The only way I can access 2 different programmes the same time is through safe mode. This is the most annoying thing ever. Can someone please look through my log and advice me on what to do?

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.344\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
O2 - BHO: Class - {3376A8DD-F7C4-77CF-6511-9B4C70AC5C19} - C:\WINDOWS\mfcbx.dll
O2 - BHO: Class - {A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} - C:\WINDOWS\apppj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{9A3D623B-C60A-404A-AC20-3052F0565B6A}\SVCHOST.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3ro.exe] C:\WINDOWS\system32\d3ro.exe
O4 - HKLM\..\Run: [ipmb32.exe] C:\WINDOWS\system32\ipmb32.exe
O4 - HKLM\..\Run: [sdkjn32.exe] C:\WINDOWS\system32\sdkjn32.exe
O4 - HKLM\..\RunOnce: [ntye32.exe] C:\WINDOWS\system32\ntye32.exe
O4 - HKLM\..\RunOnce: [addxt.exe] C:\WINDOWS\addxt.exe
O4 - HKLM\..\RunOnce: [atljq32.exe] C:\WINDOWS\atljq32.exe
O4 - HKLM\..\RunOnce: [sysoh32.exe] C:\WINDOWS\sysoh32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117121090484
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atljm32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[Advertisements]

Hello Danooo

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible

Uninstall via Add/Remove programs: "Messenger Plus 3"
If you insist on using "Messenger Plus 3" reinstall without the "Sponsor Software"
Note: Sponsor Software = C2Media\LOP (parasite)
This is not a Microsoft or MSN product! Be aware that any update to "Messenger Plus" will cause the program to prompt you to install the "Sponsor Software".

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

Remote Procedure Call (RPC) Helper (or possible: 11Fßä#·ºÄÖ`I)

*NOTE* Make sure the name says HELPER because there are legitimate service by similar name.

When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Please download ewido security suite it is a trial version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed close ewido we will use it later[list]


You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.
5) Please download Pocket Killbox here Download it and extract to a convenient location



Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Right click on the Microsoft AntiSpyware icon (looks like a target) and click on Security Agents Status (Enabled) and click on Disable Real-time Protection. To re enable it, you follow the same steps but click on Enable Real-time Protection

Now open pocketkillbox Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete"
field.To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there.

C:\WINDOWS\mfcbx.dll
C:\WINDOWS\apppj.dll
C:\WINDOWS\system32\d3ro.exe
C:\WINDOWS\system32\ipmb32.exe
C:\WINDOWS\system32\sdkjn32.exe
C:\WINDOWS\system32\ntye32.exe
C:\WINDOWS\addxt.exe
C:\WINDOWS\atljq32.exe
C:\WINDOWS\sysoh32.exe
C:\WINDOWS\system32\atljm32.exe

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES.When it asks if you would like to Reboot now, click YES. (you will be rebooting into Safemode)


Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Run Ewido and save the log

Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
O2 - BHO: Class - {3376A8DD-F7C4-77CF-6511-9B4C70AC5C19} - C:\WINDOWS\mfcbx.dll
O2 - BHO: Class - {A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} - C:\WINDOWS\apppj.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [d3ro.exe] C:\WINDOWS\system32\d3ro.exe
O4 - HKLM\..\Run: [ipmb32.exe] C:\WINDOWS\system32\ipmb32.exe
O4 - HKLM\..\Run: [sdkjn32.exe] C:\WINDOWS\system32\sdkjn32.exe
O4 - HKLM\..\RunOnce: [ntye32.exe] C:\WINDOWS\system32\ntye32.exe
O4 - HKLM\..\RunOnce: [addxt.exe] C:\WINDOWS\addxt.exe
O4 - HKLM\..\RunOnce: [atljq32.exe] C:\WINDOWS\atljq32.exe
O4 - HKLM\..\RunOnce: [sysoh32.exe] C:\WINDOWS\sysoh32.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O15 - Trusted IP range: 67.19.178.84
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atljm32.exe (file missing)

Reboot and post a new Hijack log as well as the Ewido log

thanks

Edited by loophole, 06 June 2005 - 03:01 AM.

[loophole]

Hello Danooo

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible

Uninstall via Add/Remove programs: "Messenger Plus 3"
If you insist on using "Messenger Plus 3" reinstall without the "Sponsor Software"
Note: Sponsor Software = C2Media\LOP (parasite)
This is not a Microsoft or MSN product! Be aware that any update to "Messenger Plus" will cause the program to prompt you to install the "Sponsor Software".

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

Remote Procedure Call (RPC) Helper (or possible: 11Fßä#·ºÄÖ`I)

*NOTE* Make sure the name says HELPER because there are legitimate service by similar name.

When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Please download ewido security suite it is a trial version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed close ewido we will use it later[list]


You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.
5) Please download Pocket Killbox here Download it and extract to a convenient location



Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Right click on the Microsoft AntiSpyware icon (looks like a target) and click on Security Agents Status (Enabled) and click on Disable Real-time Protection. To re enable it, you follow the same steps but click on Enable Real-time Protection

Now open pocketkillbox Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete"
field.To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there.

C:\WINDOWS\mfcbx.dll
C:\WINDOWS\apppj.dll
C:\WINDOWS\system32\d3ro.exe
C:\WINDOWS\system32\ipmb32.exe
C:\WINDOWS\system32\sdkjn32.exe
C:\WINDOWS\system32\ntye32.exe
C:\WINDOWS\addxt.exe
C:\WINDOWS\atljq32.exe
C:\WINDOWS\sysoh32.exe
C:\WINDOWS\system32\atljm32.exe

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES.When it asks if you would like to Reboot now, click YES. (you will be rebooting into Safemode)


Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Run Ewido and save the log

Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\syprk.dll/sp.html#37049
O2 - BHO: Class - {3376A8DD-F7C4-77CF-6511-9B4C70AC5C19} - C:\WINDOWS\mfcbx.dll
O2 - BHO: Class - {A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} - C:\WINDOWS\apppj.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [d3ro.exe] C:\WINDOWS\system32\d3ro.exe
O4 - HKLM\..\Run: [ipmb32.exe] C:\WINDOWS\system32\ipmb32.exe
O4 - HKLM\..\Run: [sdkjn32.exe] C:\WINDOWS\system32\sdkjn32.exe
O4 - HKLM\..\RunOnce: [ntye32.exe] C:\WINDOWS\system32\ntye32.exe
O4 - HKLM\..\RunOnce: [addxt.exe] C:\WINDOWS\addxt.exe
O4 - HKLM\..\RunOnce: [atljq32.exe] C:\WINDOWS\atljq32.exe
O4 - HKLM\..\RunOnce: [sysoh32.exe] C:\WINDOWS\sysoh32.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O15 - Trusted IP range: 67.19.178.84
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atljm32.exe (file missing)

Reboot and post a new Hijack log as well as the Ewido log

thanks

Edited by loophole, 06 June 2005 - 03:01 AM.

[loophole]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.