Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

malware spyware [CLOSED]

Started by RandyU , Jun 10 2005 06:32 PM

  • This topic is locked This topic is locked

#1
RandyU
Posted 10 June 2005 - 06:32 PM

RandyU

    New Member

  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:35:20 AM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\ewidoctrl.exe
C:\Program Files\ewido\ewidoguard.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alarm++\Alarm.exe
C:\Program Files\YCIII\YankClip.exe
C:\Tools\Z Clock\ZClock-Digital.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\coysr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\coysr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\coysr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\coysr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\coysr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\coysr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0602B01F-0C23-2945-B36B-FD4B02C0B514} - C:\WINDOWS\system32\appaw.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {118C66D3-3C81-ABC0-D259-67DA083B7C2F} - C:\WINDOWS\system32\ipij.dll (file missing)
O2 - BHO: Class - {831707D7-0820-512C-1A76-D057092ABDCD} - C:\WINDOWS\system32\apitq32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D849A7FC-710D-53C7-D561-509D49D3C396} - C:\WINDOWS\system32\atlit.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\RunOnce: [javaia32.exe] C:\WINDOWS\javaia32.exe
O4 - HKLM\..\RunOnce: [atlkk32.exe] C:\WINDOWS\atlkk32.exe
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Yankee Clipper III.lnk = C:\Program Files\YCIII\YankClip.exe
O4 - Startup: ZClock.lnk = C:\Tools\Z Clock\ZClock-Digital.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/ractrl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaia32.exe" /s (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:18:55 AM, 5/31/2005
+ Report-Checksum: 3930A2DD

+ Date of database: 5/31/2005
+ Version of scan engine: v3.0

+ Duration: 23 min
+ Scanned Files: 43995
+ Speed: 31.81 Files/Second
+ Infected files: 30
+ Removed files: 30
+ Files put in quarantine: 30
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\appwm32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\kbykr.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\apitq32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\system32\appif32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\system32\ictbs.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\netjg32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\netkn32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\netpz.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\netve.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ntan32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ntea.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ntix32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ntkf32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ntld32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ntop32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ntsl32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ntws.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sdkem32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sdkem32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sdkyn.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sysrk32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sysuw.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\winne32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\winqe32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\windi32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\windy.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\wingv32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\winis.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\wintc32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\winws.exe -> Trojan.Agent.bi -> Cleaned with backup


::Report End
  • 0

Advertisements

#2
greyknight17
Posted 10 June 2005 - 06:51 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please do not post duplicates. I closed your other topic.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CWShredder at http://www.greyknigh...hredder.sfx.exe and run it. Uncompress the file and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download cwsserviceremove and unzip it. Don't run it yet.

Download AboutBuster http://www.greyknigh...tBuster.sfx.exe and uncompress the files to a folder on your the Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go to Start->Run and type in services.msc and hit OK. Then look for Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\coysr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\coysr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\coysr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\coysr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\coysr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\coysr.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0602B01F-0C23-2945-B36B-FD4B02C0B514} - C:\WINDOWS\system32\appaw.dll
O2 - BHO: Class - {118C66D3-3C81-ABC0-D259-67DA083B7C2F} - C:\WINDOWS\system32\ipij.dll (file missing)
O2 - BHO: Class - {831707D7-0820-512C-1A76-D057092ABDCD} - C:\WINDOWS\system32\apitq32.dll
O2 - BHO: Class - {D849A7FC-710D-53C7-D561-509D49D3C396} - C:\WINDOWS\system32\atlit.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\RunOnce: [javaia32.exe] C:\WINDOWS\javaia32.exe
O4 - HKLM\..\RunOnce: [atlkk32.exe] C:\WINDOWS\atlkk32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaia32.exe" /s (file missing)

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\appaw.dll
C:\WINDOWS\system32\apitq32.dll
C:\WINDOWS\system32\atlit.dll
C:\WINDOWS\javaia32.exe
C:\WINDOWS\atlkk32.exe

Run cwsserviceremove now and say yes to merge it.

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#3
RandyU
Posted 11 June 2005 - 09:56 AM

RandyU

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thank you greyknight17,

one thing, cw shredder crashed my system 3 times (blue screen) but, I continued on.

I have AVG anti-virsus installed but i think i have it disabled.
I also have Spyware Blaster installed.
Anyhow, after completing the remaining steps, here is what i have:

------------------------------------------------
Scan was ABORTED at 7:41:00 AM


AboutBuster 5.0 reference file 28
Scan started on [6/11/2005] at [8:19:08 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\aogqc.txt:rjcia
Removed Stream! C:\WINDOWS\clock.avi:jlhap
Removed Stream! C:\WINDOWS\comsetup.log:cifgr
Removed Stream! C:\WINDOWS\control.ini:vytufx
Removed Stream! C:\WINDOWS\GRACE.INI:buxvy
Removed Stream! C:\WINDOWS\iis6.log:nupocf
Removed Stream! C:\WINDOWS\ivexm.log:uplgo
Removed Stream! C:\WINDOWS\KB834707.log:mqelq
Removed Stream! C:\WINDOWS\KB885835.log:hmtpvm
Removed Stream! C:\WINDOWS\KB885835.log:khstd
Removed Stream! C:\WINDOWS\lhtbl.txt:sdwwbv
Removed Stream! C:\WINDOWS\msoffice(2).ini:uwcaag
Removed Stream! C:\WINDOWS\msoffice(3).ini:daupmk
Removed Stream! C:\WINDOWS\msoffice(3).ini:ojxok
Removed Stream! C:\WINDOWS\msoffice(4).ini:daupmk
Removed Stream! C:\WINDOWS\msoffice(4).ini:fpzfd
Removed Stream! C:\WINDOWS\ocgen.log:wddwe
Removed Stream! C:\WINDOWS\OEWABLog.txt:ayeqz
Removed Stream! C:\WINDOWS\orun32.ini:gvqfdh
Removed Stream! C:\WINDOWS\orun32.isu:gnmei
Removed Stream! C:\WINDOWS\orun32.isu:mpxin
Removed Stream! C:\WINDOWS\setupact.log:mjdaxw
Removed Stream! C:\WINDOWS\setupapi.del:opmmlz
Removed Stream! C:\WINDOWS\setupapi.del:qnipd
Removed Stream! C:\WINDOWS\setupapi.del:trbuy
Removed Stream! C:\WINDOWS\setuperr.del:fkwfrg
Removed Stream! C:\WINDOWS\setuperr.log:wnebo
Removed Stream! C:\WINDOWS\Sti_Trace.log:axbrd
Removed Stream! C:\WINDOWS\T30DebugLogFile.txt:uetrae
Removed Stream! C:\WINDOWS\TaxACT04.ini:amrdie
Removed Stream! C:\WINDOWS\TaxACT04.ini:qykklm
Removed Stream! C:\WINDOWS\tiagl.txt:qcaom
Removed Stream! C:\WINDOWS\tmnfs.log:tnkjkg
Removed Stream! C:\WINDOWS\wiaservc.log:xypprc
Removed Stream! C:\WINDOWS\WindowsUpdate.log:ymems
Removed Stream! C:\WINDOWS\winnt256.bmp:ehvmg
Removed Stream! C:\WINDOWS\wmsetup10.log:fxclgf
Removed Stream! C:\WINDOWS\WMSysPr9.prx:xvamz
Removed Stream! C:\WINDOWS\_default(10).pif:aldyy
Removed Stream! C:\WINDOWS\_default(11).pif:aldyy
Removed Stream! C:\WINDOWS\_default(12).pif:aldyy
Removed Stream! C:\WINDOWS\_default(13).pif:aldyy
Removed Stream! C:\WINDOWS\_default(14).pif:aldyy
Removed Stream! C:\WINDOWS\_default(2).pif:aldyy
Removed Stream! C:\WINDOWS\_default(3).pif:aldyy
Removed Stream! C:\WINDOWS\_default(4).pif:aldyy
Removed Stream! C:\WINDOWS\_default(5).pif:aldyy
Removed Stream! C:\WINDOWS\_default(6).pif:aldyy
Removed Stream! C:\WINDOWS\_default(7).pif:aldyy
Removed Stream! C:\WINDOWS\_default(8).pif:aldyy
Removed Stream! C:\WINDOWS\_default(9).pif:aldyy
Removed Stream! C:\WINDOWS\_default.pif:aefpte
Removed Stream! C:\WINDOWS\_default.pif:aldyy
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:adjck
------------------------------------------------
Removed File! : C:\Windows\addso32.exe
Removed File! : C:\Windows\addvg32.exe
Removed File! : C:\Windows\addvz.exe
Removed File! : C:\Windows\addxy32.exe
Removed File! : C:\Windows\apiau.exe
Removed File! : C:\Windows\apibv.exe
Removed File! : C:\Windows\apicn32.exe
Removed File! : C:\Windows\apidq32.exe
Removed File! : C:\Windows\apifs32.exe
Removed File! : C:\Windows\apigy32.exe
Removed File! : C:\Windows\apike32.exe
Removed File! : C:\Windows\apilb32.exe
Removed File! : C:\Windows\apiqu32.exe
Removed File! : C:\Windows\apirq.exe
Removed File! : C:\Windows\apiuv32.exe
Removed File! : C:\Windows\apiyd32.exe
Removed File! : C:\Windows\apizo.exe
Removed File! : C:\Windows\appaf32.exe
Removed File! : C:\Windows\appbn32.exe
Removed File! : C:\Windows\appeg32.exe
Removed File! : C:\Windows\appgu32.exe
Removed File! : C:\Windows\apphz32.exe
Removed File! : C:\Windows\appjp32.exe
Removed File! : C:\Windows\appnd32.exe
Removed File! : C:\Windows\apppa32.exe
Removed File! : C:\Windows\apppt.exe
Removed File! : C:\Windows\apppx32.exe
Removed File! : C:\Windows\apppy.exe
Removed File! : C:\Windows\atlbh.exe
Removed File! : C:\Windows\atlej.exe
Removed File! : C:\Windows\atlhl32.exe
Removed File! : C:\Windows\atljj32.exe
Removed File! : C:\Windows\atlkk32.exe
Removed File! : C:\Windows\atlpz.exe
Removed File! : C:\Windows\atlqs32.exe
Removed File! : C:\Windows\atlsz32.exe
Removed File! : C:\Windows\atlth32.exe
Removed File! : C:\Windows\atlwe32.exe
Removed File! : C:\Windows\atlwq32.exe
Removed File! : C:\Windows\cran32.exe
Removed File! : C:\Windows\crde32.exe
Removed File! : C:\Windows\crfz32.exe
Removed File! : C:\Windows\crod32.exe
Removed File! : C:\Windows\crph.exe
Removed File! : C:\Windows\crqr32.exe
Removed File! : C:\Windows\crrs.exe
Removed File! : C:\Windows\crtj32.exe
Removed File! : C:\Windows\crtm32.exe
Removed File! : C:\Windows\crtx32.exe
Removed File! : C:\Windows\cruo.exe
Removed File! : C:\Windows\cruo32.exe
Removed File! : C:\Windows\crvz32.exe
Removed File! : C:\Windows\crww32.exe
Removed File! : C:\Windows\cyyfw.dll
Removed File! : C:\Windows\d3df32.exe
Removed File! : C:\Windows\d3el32.exe
Removed File! : C:\Windows\d3fs32.exe
Removed File! : C:\Windows\d3hk.exe
Removed File! : C:\Windows\d3mo.exe
Removed File! : C:\Windows\d3nd32.exe
Removed File! : C:\Windows\d3nq.exe
Removed File! : C:\Windows\d3oo32.exe
Removed File! : C:\Windows\d3ov.exe
Removed File! : C:\Windows\d3pv.exe
Removed File! : C:\Windows\d3qd32.exe
Removed File! : C:\Windows\d3qk32.exe
Removed File! : C:\Windows\d3ra.exe
Removed File! : C:\Windows\d3tu.exe
Removed File! : C:\Windows\d3xh.exe
Removed File! : C:\Windows\d3xi32.exe
Removed File! : C:\Windows\d3xl32.exe
Removed File! : C:\Windows\d3yl.exe
Removed File! : C:\Windows\eedmt.dll
Removed File! : C:\Windows\esgbw.dat
Removed File! : C:\Windows\gidji.dat
Removed File! : C:\Windows\hifxq.dat
Removed File! : C:\Windows\iejo32.exe
Removed File! : C:\Windows\ield.exe
Removed File! : C:\Windows\iema.exe
Removed File! : C:\Windows\iemg32.exe
Removed File! : C:\Windows\ieoa32.exe
Removed File! : C:\Windows\ieoj32.exe
Removed File! : C:\Windows\ietx.exe
Removed File! : C:\Windows\ieur.exe
Removed File! : C:\Windows\ievb32.exe
Removed File! : C:\Windows\iewe32.exe
Removed File! : C:\Windows\iewj.exe
Removed File! : C:\Windows\ieyg.exe
Removed File! : C:\Windows\iezm32.exe
Removed File! : C:\Windows\ipbe32.exe
Removed File! : C:\Windows\ipbi.exe
Removed File! : C:\Windows\ipbn32.exe
Removed File! : C:\Windows\ipjr.exe
Removed File! : C:\Windows\ipjw32.exe
Removed File! : C:\Windows\iplf32.exe
Removed File! : C:\Windows\ipnk.exe
Removed File! : C:\Windows\iprj.exe
Removed File! : C:\Windows\ipud.exe
Removed File! : C:\Windows\ipyn.exe
Removed File! : C:\Windows\javaca.exe
Removed File! : C:\Windows\javaeh.exe
Removed File! : C:\Windows\javaih.exe
Removed File! : C:\Windows\javaje.exe
Removed File! : C:\Windows\javajl32.exe
Removed File! : C:\Windows\javako32.exe
Removed File! : C:\Windows\javalh32.exe
Removed File! : C:\Windows\javasa32.exe
Removed File! : C:\Windows\javash.exe
Removed File! : C:\Windows\javask.exe
Removed File! : C:\Windows\javaux32.exe
Removed File! : C:\Windows\javave32.exe
Removed File! : C:\Windows\javavw32.exe
Removed File! : C:\Windows\javayy.exe
Removed File! : C:\Windows\kcavv.dat
Removed File! : C:\Windows\mduen.dll
Removed File! : C:\Windows\mfcah.exe
Removed File! : C:\Windows\mfcdf32.exe
Removed File! : C:\Windows\mfcdl.exe
Removed File! : C:\Windows\mfcdx32.exe
Removed File! : C:\Windows\mfces32.exe
Removed File! : C:\Windows\mfcge.exe
Removed File! : C:\Windows\mfcko.exe
Removed File! : C:\Windows\mfcpi.exe
Removed File! : C:\Windows\mfcqa.exe
Removed File! : C:\Windows\mfcri32.exe
Removed File! : C:\Windows\mfctm32.exe
Removed File! : C:\Windows\mfcuw.exe
Removed File! : C:\Windows\montc.dat
Removed File! : C:\Windows\msdn32.exe
Removed File! : C:\Windows\msfl.exe
Removed File! : C:\Windows\msfq.exe
Removed File! : C:\Windows\mske32.exe
Removed File! : C:\Windows\mskr32.exe
Removed File! : C:\Windows\msku.exe
Removed File! : C:\Windows\msop32.exe
Removed File! : C:\Windows\mssp.exe
Removed File! : C:\Windows\mstm.exe
Removed File! : C:\Windows\msxq.exe
Removed File! : C:\Windows\mszz32.exe
Removed File! : C:\Windows\nafzj.dat
Removed File! : C:\Windows\netbg32.exe
Removed File! : C:\Windows\netfn32.exe
Removed File! : C:\Windows\netgc32.exe
Removed File! : C:\Windows\netkl.exe
Removed File! : C:\Windows\netmo.exe
Removed File! : C:\Windows\netov32.exe
Removed File! : C:\Windows\netoz32.exe
Removed File! : C:\Windows\netqw32.exe
Removed File! : C:\Windows\netqx32.exe
Removed File! : C:\Windows\netrb.exe
Removed File! : C:\Windows\nettc32.exe
Removed File! : C:\Windows\netvy32.exe
Removed File! : C:\Windows\netyr.exe
Removed File! : C:\Windows\netzp.exe
Removed File! : C:\Windows\nftzf.dat
Removed File! : C:\Windows\ntcn.exe
Removed File! : C:\Windows\ntek.exe
Removed File! : C:\Windows\ntgp.exe
Removed File! : C:\Windows\ntih32.exe
Removed File! : C:\Windows\ntlr32.exe
Removed File! : C:\Windows\ntsx32.exe
Removed File! : C:\Windows\ntvb.exe
Removed File! : C:\Windows\ntxb.exe
Removed File! : C:\Windows\ntzq.exe
Removed File! : C:\Windows\qiwvt.dat
Removed File! : C:\Windows\rpksz.dat
Removed File! : C:\Windows\rwlfx.dat
Removed File! : C:\Windows\sdkfp.exe
Removed File! : C:\Windows\sdkio32.exe
Removed File! : C:\Windows\sdkjz32.exe
Removed File! : C:\Windows\sdkmb32.exe
Removed File! : C:\Windows\sdkpg.exe
Removed File! : C:\Windows\sdkpk32.exe
Removed File! : C:\Windows\sdkta.exe
Removed File! : C:\Windows\sdktd.exe
Removed File! : C:\Windows\sdkus.exe
Removed File! : C:\Windows\sdkwe32.exe
Removed File! : C:\Windows\sdkxd.exe
Removed File! : C:\Windows\sysao.exe
Removed File! : C:\Windows\sysdk.exe
Removed File! : C:\Windows\syshu.exe
Removed File! : C:\Windows\sysiu.exe
Removed File! : C:\Windows\sysje.exe
Removed File! : C:\Windows\sysje32.exe
Removed File! : C:\Windows\sysjo32.exe
Removed File! : C:\Windows\syskh32.exe
Removed File! : C:\Windows\syslw32.exe
Removed File! : C:\Windows\syswt32.exe
Removed File! : C:\Windows\ueeei.dat
Removed File! : C:\Windows\winbt32.exe
Removed File! : C:\Windows\wincq32.exe
Removed File! : C:\Windows\winsp.exe
Removed File! : C:\Windows\winvj32.exe
Removed File! : C:\Windows\winvq.exe
Removed File! : C:\Windows\winyw32.exe
Removed File! : C:\Windows\winzk32.exe
Removed File! : C:\Windows\zzpzp.dat
Removed File! : C:\Windows\System32\addbn32.exe
Removed File! : C:\Windows\System32\addbv32.exe
Removed File! : C:\Windows\System32\addci.exe
Removed File! : C:\Windows\System32\addew32.exe
Removed File! : C:\Windows\System32\addgb32.exe
Removed File! : C:\Windows\System32\addjy32.exe
Removed File! : C:\Windows\System32\addnl32.exe
Removed File! : C:\Windows\System32\addnt.exe
Removed File! : C:\Windows\System32\addpk32.exe
Removed File! : C:\Windows\System32\adduw.exe
Removed File! : C:\Windows\System32\addym32.exe
Removed File! : C:\Windows\System32\addzw32.exe
Removed File! : C:\Windows\System32\apiab32.exe
Removed File! : C:\Windows\System32\apifv.exe
Removed File! : C:\Windows\System32\apifw32.exe
Removed File! : C:\Windows\System32\apigk.exe
Removed File! : C:\Windows\System32\apiip.exe
Removed File! : C:\Windows\System32\apijp32.exe
Removed File! : C:\Windows\System32\apikm32.exe
Removed File! : C:\Windows\System32\apimh.exe
Removed File! : C:\Windows\System32\apims32.exe
Removed File! : C:\Windows\System32\apiqp32.exe
Removed File! : C:\Windows\System32\apirf32.exe
Removed File! : C:\Windows\System32\apito.exe
Removed File! : C:\Windows\System32\apium32.exe
Removed File! : C:\Windows\System32\apixl.exe
Removed File! : C:\Windows\System32\apixo.exe
Removed File! : C:\Windows\System32\apize32.exe
Removed File! : C:\Windows\System32\appdf.exe
Removed File! : C:\Windows\System32\appfc.exe
Removed File! : C:\Windows\System32\apphk32.exe
Removed File! : C:\Windows\System32\applz32.exe
Removed File! : C:\Windows\System32\appmo32.exe
Removed File! : C:\Windows\System32\appmy32.exe
Removed File! : C:\Windows\System32\appnb.exe
Removed File! : C:\Windows\System32\appph32.exe
Removed File! : C:\Windows\System32\apppo32.exe
Removed File! : C:\Windows\System32\appur.exe
Removed File! : C:\Windows\System32\appur32.exe
Removed File! : C:\Windows\System32\appzt32.exe
Removed File! : C:\Windows\System32\atles32.exe
Removed File! : C:\Windows\System32\atlgy32.exe
Removed File! : C:\Windows\System32\atlju.exe
Removed File! : C:\Windows\System32\atlni.exe
Removed File! : C:\Windows\System32\atlpa32.exe
Removed File! : C:\Windows\System32\atlur32.exe
Removed File! : C:\Windows\System32\axfjf.dll
Removed File! : C:\Windows\System32\bjaij.dll
Removed File! : C:\Windows\System32\cgfej.dat
Removed File! : C:\Windows\System32\cjzhe.dat
Removed File! : C:\Windows\System32\crbn32.exe
Removed File! : C:\Windows\System32\criz.exe
Removed File! : C:\Windows\System32\crmp.exe
Removed File! : C:\Windows\System32\crrv32.exe
Removed File! : C:\Windows\System32\crsp32.exe
Removed File! : C:\Windows\System32\cruu32.exe
Removed File! : C:\Windows\System32\crys.exe
Removed File! : C:\Windows\System32\crzt32.exe
Removed File! : C:\Windows\System32\crzy.exe
Removed File! : C:\Windows\System32\cwqbq.dat
Removed File! : C:\Windows\System32\cxlzy.dat
Removed File! : C:\Windows\System32\cyunn.dat
Removed File! : C:\Windows\System32\d3gr.exe
Removed File! : C:\Windows\System32\d3hd.exe
Removed File! : C:\Windows\System32\d3nt.exe
Removed File! : C:\Windows\System32\d3oh32.exe
Removed File! : C:\Windows\System32\d3pa32.exe
Removed File! : C:\Windows\System32\d3rf32.exe
Removed File! : C:\Windows\System32\d3rh32.exe
Removed File! : C:\Windows\System32\d3rp.exe
Removed File! : C:\Windows\System32\d3tz.exe
Removed File! : C:\Windows\System32\d3vs.exe
Removed File! : C:\Windows\System32\d3wt.exe
Removed File! : C:\Windows\System32\d3zb.exe
Removed File! : C:\Windows\System32\exlxl.dll
Removed File! : C:\Windows\System32\fburc.dat
Removed File! : C:\Windows\System32\gbxel.dat
Removed File! : C:\Windows\System32\ghdxg.dat
Removed File! : C:\Windows\System32\gzohn.dat
Removed File! : C:\Windows\System32\hitkn.dat
Removed File! : C:\Windows\System32\hylyg.dll
Removed File! : C:\Windows\System32\iefa.exe
Removed File! : C:\Windows\System32\iefr.exe
Removed File! : C:\Windows\System32\iejc.exe
Removed File! : C:\Windows\System32\iejd.exe
Removed File! : C:\Windows\System32\ielp32.exe
Removed File! : C:\Windows\System32\ienj.exe
Removed File! : C:\Windows\System32\ieoa32.exe
Removed File! : C:\Windows\System32\ieqd32.exe
Removed File! : C:\Windows\System32\iesn.exe
Removed File! : C:\Windows\System32\iewb.exe
Removed File! : C:\Windows\System32\ieyt32.exe
Removed File! : C:\Windows\System32\iezg32.exe
Removed File! : C:\Windows\System32\iezj32.exe
Removed File! : C:\Windows\System32\ikmza.dat
Removed File! : C:\Windows\System32\imhiz.dat
Removed File! : C:\Windows\System32\ipaa.exe
Removed File! : C:\Windows\System32\ipbi32.exe
Removed File! : C:\Windows\System32\ipde.exe
Removed File! : C:\Windows\System32\iphz.exe
Removed File! : C:\Windows\System32\ipqa.exe
Removed File! : C:\Windows\System32\iprs.exe
Removed File! : C:\Windows\System32\iprt32.exe
Removed File! : C:\Windows\System32\iptc.exe
Removed File! : C:\Windows\System32\ipvo.exe
Removed File! : C:\Windows\System32\ipwh.exe
Removed File! : C:\Windows\System32\ipwo.exe
Removed File! : C:\Windows\System32\ipyo32.exe
Removed File! : C:\Windows\System32\javabi.exe
Removed File! : C:\Windows\System32\javace.exe
Removed File! : C:\Windows\System32\javaef32.exe
Removed File! : C:\Windows\System32\javaim32.exe
Removed File! : C:\Windows\System32\javajb32.exe
Removed File! : C:\Windows\System32\javakt.exe
Removed File! : C:\Windows\System32\javamb.exe
Removed File! : C:\Windows\System32\javamz32.exe
Removed File! : C:\Windows\System32\javapm.exe
Removed File! : C:\Windows\System32\javatm32.exe
Removed File! : C:\Windows\System32\javazy32.exe
Removed File! : C:\Windows\System32\jpkde.dat
Removed File! : C:\Windows\System32\mfcaq.exe
Removed File! : C:\Windows\System32\mfcbk.exe
Removed File! : C:\Windows\System32\mfcbn.exe
Removed File! : C:\Windows\System32\mfccc32.exe
Removed File! : C:\Windows\System32\mfccv32.exe
Removed File! : C:\Windows\System32\mfceh32.exe
Removed File! : C:\Windows\System32\mfcex32.exe
Removed File! : C:\Windows\System32\mfchp32.exe
Removed File! : C:\Windows\System32\mfcjj.exe
Removed File! : C:\Windows\System32\mfclm32.exe
Removed File! : C:\Windows\System32\mfcny.exe
Removed File! : C:\Windows\System32\mfcrx32.exe
Removed File! : C:\Windows\System32\mfcyf.exe
Removed File! : C:\Windows\System32\mfcze32.exe
Removed File! : C:\Windows\System32\mqlbn.dll
Removed File! : C:\Windows\System32\mscg.exe
Removed File! : C:\Windows\System32\mscq32.exe
Removed File! : C:\Windows\System32\msgf.exe
Removed File! : C:\Windows\System32\msgl.exe
Removed File! : C:\Windows\System32\msgm32.exe
Removed File! : C:\Windows\System32\msjg32.exe
Removed File! : C:\Windows\System32\msju32.exe
Removed File! : C:\Windows\System32\mslb.exe
Removed File! : C:\Windows\System32\mssk.exe
Removed File! : C:\Windows\System32\msuu.exe
Removed File! : C:\Windows\System32\msve.exe
Removed File! : C:\Windows\System32\msxe.exe
Removed File! : C:\Windows\System32\msyy.exe
Removed File! : C:\Windows\System32\mszq32.exe
Removed File! : C:\Windows\System32\mudgu.dat
Removed File! : C:\Windows\System32\ndjah.dat
Removed File! : C:\Windows\System32\netcp.exe
Removed File! : C:\Windows\System32\netdf.exe
Removed File! : C:\Windows\System32\netfp32.exe
Removed File! : C:\Windows\System32\netfr.exe
Removed File! : C:\Windows\System32\netfv.exe
Removed File! : C:\Windows\System32\netid.exe
Removed File! : C:\Windows\System32\netlv32.exe
Removed File! : C:\Windows\System32\netwb32.exe
Removed File! : C:\Windows\System32\netwm32.exe
Removed File! : C:\Windows\System32\netxg32.exe
Removed File! : C:\Windows\System32\netzo.exe
Removed File! : C:\Windows\System32\nhkeo.dat
Removed File! : C:\Windows\System32\ntcy.exe
Removed File! : C:\Windows\System32\ntdg32.exe
Removed File! : C:\Windows\System32\ntew32.exe
Removed File! : C:\Windows\System32\ntkd.exe
Removed File! : C:\Windows\System32\ntof.exe
Removed File! : C:\Windows\System32\ntrz32.exe
Removed File! : C:\Windows\System32\nttw32.exe
Removed File! : C:\Windows\System32\nttx32.exe
Removed File! : C:\Windows\System32\ntur32.exe
Removed File! : C:\Windows\System32\ntwk.exe
Removed File! : C:\Windows\System32\ntxo32.exe
Removed File! : C:\Windows\System32\pfeuo.dll
Removed File! : C:\Windows\System32\sdkbn32.exe
Removed File! : C:\Windows\System32\sdkci32.exe
Removed File! : C:\Windows\System32\sdkdv.exe
Removed File! : C:\Windows\System32\sdkfc.exe
Removed File! : C:\Windows\System32\sdkjt.exe
Removed File! : C:\Windows\System32\sdkkr32.exe
Removed File! : C:\Windows\System32\sdkma.exe
Removed File! : C:\Windows\System32\sdkme.exe
Removed File! : C:\Windows\System32\sdkmm32.exe
Removed File! : C:\Windows\System32\sdkmy32.exe
Removed File! : C:\Windows\System32\sdkou.exe
Removed File! : C:\Windows\System32\sdkrp.exe
Removed File! : C:\Windows\System32\sdksd.exe
Removed File! : C:\Windows\System32\sdkti32.exe
Removed File! : C:\Windows\System32\sdkxz32.exe
Removed File! : C:\Windows\System32\sysbn32.exe
Removed File! : C:\Windows\System32\syscu32.exe
Removed File! : C:\Windows\System32\sysdm.exe
Removed File! : C:\Windows\System32\sysgr.exe
Removed File! : C:\Windows\System32\sysjx.exe
Removed File! : C:\Windows\System32\sysng32.exe
Removed File! : C:\Windows\System32\sysor32.exe
Removed File! : C:\Windows\System32\syspn32.exe
Removed File! : C:\Windows\System32\sysqw.exe
Removed File! : C:\Windows\System32\sysvw32.exe
Removed File! : C:\Windows\System32\syszd32.exe
Removed File! : C:\Windows\System32\tbjlz.dat
Removed File! : C:\Windows\System32\vogso.dat
Removed File! : C:\Windows\System32\wczvj.dat
Removed File! : C:\Windows\System32\winbn32.exe
Removed File! : C:\Windows\System32\windh32.exe
Removed File! : C:\Windows\System32\wingb32.exe
Removed File! : C:\Windows\System32\winht32.exe
Removed File! : C:\Windows\System32\winiz32.exe
Removed File! : C:\Windows\System32\winrp32.exe
Removed File! : C:\Windows\System32\wintn32.exe
Removed File! : C:\Windows\System32\winuo.exe
Removed File! : C:\Windows\System32\winvz32.exe
Removed File! : C:\Windows\System32\winyb32.exe
Removed File! : C:\Windows\System32\winzt.exe
Removed File! : C:\Windows\System32\wqumy.dll
Removed File! : C:\Windows\System32\wtoee.dll
Removed File! : C:\Windows\System32\wtygy.dat
Removed File! : C:\Windows\System32\xtzcp.dat
Removed File! : C:\Windows\System32\yikvw.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:36:58 AM


Logfile of HijackThis v1.99.1
Scan saved at 7:59:55 AM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mduen.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mduen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mduen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mduen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mduen.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mduen.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {94B07238-5DA7-46C7-3E9F-22E42CC1710A} - C:\WINDOWS\netpm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {FB125D13-8C67-EBA5-E5DE-94B08B341C38} - C:\WINDOWS\system32\sdkvh.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [netna32.exe] C:\WINDOWS\system32\netna32.exe
O4 - HKLM\..\Run: [winvj32.exe] C:\WINDOWS\winvj32.exe
O4 - HKLM\..\Run: [addci.exe] C:\WINDOWS\system32\addci.exe
O4 - HKLM\..\Run: [netrb.exe] C:\WINDOWS\netrb.exe
O4 - HKLM\..\RunOnce: [javaia32.exe] C:\WINDOWS\javaia32.exe
O4 - HKLM\..\RunOnce: [atlkk32.exe] C:\WINDOWS\atlkk32.exe
O4 - HKLM\..\RunOnce: [ippk.exe] C:\WINDOWS\ippk.exe
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Yankee Clipper III.lnk = C:\Program Files\YCIII\YankClip.exe
O4 - Startup: ZClock.lnk = C:\Tools\Z Clock\ZClock-Digital.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/ractrl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Again, thanks for your help
RandyU
  • 0

#4
greyknight17
Posted 11 June 2005 - 10:40 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, make sure you have AVG enabled then. It's ok to run that and Ewido since (according to Ewido's site) it says it's compatible with AVG.

OK, I will ask you to run CWShredder in Safe Mode to see if it crashes.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run CWShredder now and see if it still crashes.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mduen.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mduen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mduen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mduen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mduen.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mduen.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {94B07238-5DA7-46C7-3E9F-22E42CC1710A} - C:\WINDOWS\netpm.dll
O2 - BHO: Class - {FB125D13-8C67-EBA5-E5DE-94B08B341C38} - C:\WINDOWS\system32\sdkvh.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [netna32.exe] C:\WINDOWS\system32\netna32.exe
O4 - HKLM\..\Run: [winvj32.exe] C:\WINDOWS\winvj32.exe
O4 - HKLM\..\Run: [addci.exe] C:\WINDOWS\system32\addci.exe
O4 - HKLM\..\Run: [netrb.exe] C:\WINDOWS\netrb.exe
O4 - HKLM\..\RunOnce: [javaia32.exe] C:\WINDOWS\javaia32.exe
O4 - HKLM\..\RunOnce: [atlkk32.exe] C:\WINDOWS\atlkk32.exe
O4 - HKLM\..\RunOnce: [ippk.exe] C:\WINDOWS\ippk.exe

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\netpm.dll
C:\WINDOWS\system32\sdkvh.dll
C:\WINDOWS\system32\netna32.exe
C:\WINDOWS\winvj32.exe
C:\WINDOWS\system32\addci.exe
C:\WINDOWS\netrb.exe
C:\WINDOWS\javaia32.exe
C:\WINDOWS\atlkk32.exe
C:\WINDOWS\ippk.exe

Run CleanUp! and click on CleanUp! button. Once it's done, you may click the Close button. When asked if you want to logoff, choose Yes.

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#5
RandyU
Posted 12 June 2005 - 09:00 AM

RandyU

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
greyknight17 thanks for continued help,

cw shredder still crashed my system in the safe mode.
I forgot to mention to you that before you started helping me I had previously run cw shredder sucessfully in my own attempts to fix my problems.

You did not mention SpywareBlaster: do you recommend I keep that program installed?

Anyhow here are the logs:
ps Do want me to continue AB LogFile with everything or clean it before the next posting?

------------------------------------------------
Scan was ABORTED at 7:41:00 AM


AboutBuster 5.0 reference file 28
Scan started on [6/11/2005] at [8:19:08 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\aogqc.txt:rjcia
Removed Stream! C:\WINDOWS\clock.avi:jlhap
Removed Stream! C:\WINDOWS\comsetup.log:cifgr
Removed Stream! C:\WINDOWS\control.ini:vytufx
Removed Stream! C:\WINDOWS\GRACE.INI:buxvy
Removed Stream! C:\WINDOWS\iis6.log:nupocf
Removed Stream! C:\WINDOWS\ivexm.log:uplgo
Removed Stream! C:\WINDOWS\KB834707.log:mqelq
Removed Stream! C:\WINDOWS\KB885835.log:hmtpvm
Removed Stream! C:\WINDOWS\KB885835.log:khstd
Removed Stream! C:\WINDOWS\lhtbl.txt:sdwwbv
Removed Stream! C:\WINDOWS\msoffice(2).ini:uwcaag
Removed Stream! C:\WINDOWS\msoffice(3).ini:daupmk
Removed Stream! C:\WINDOWS\msoffice(3).ini:ojxok
Removed Stream! C:\WINDOWS\msoffice(4).ini:daupmk
Removed Stream! C:\WINDOWS\msoffice(4).ini:fpzfd
Removed Stream! C:\WINDOWS\ocgen.log:wddwe
Removed Stream! C:\WINDOWS\OEWABLog.txt:ayeqz
Removed Stream! C:\WINDOWS\orun32.ini:gvqfdh
Removed Stream! C:\WINDOWS\orun32.isu:gnmei
Removed Stream! C:\WINDOWS\orun32.isu:mpxin
Removed Stream! C:\WINDOWS\setupact.log:mjdaxw
Removed Stream! C:\WINDOWS\setupapi.del:opmmlz
Removed Stream! C:\WINDOWS\setupapi.del:qnipd
Removed Stream! C:\WINDOWS\setupapi.del:trbuy
Removed Stream! C:\WINDOWS\setuperr.del:fkwfrg
Removed Stream! C:\WINDOWS\setuperr.log:wnebo
Removed Stream! C:\WINDOWS\Sti_Trace.log:axbrd
Removed Stream! C:\WINDOWS\T30DebugLogFile.txt:uetrae
Removed Stream! C:\WINDOWS\TaxACT04.ini:amrdie
Removed Stream! C:\WINDOWS\TaxACT04.ini:qykklm
Removed Stream! C:\WINDOWS\tiagl.txt:qcaom
Removed Stream! C:\WINDOWS\tmnfs.log:tnkjkg
Removed Stream! C:\WINDOWS\wiaservc.log:xypprc
Removed Stream! C:\WINDOWS\WindowsUpdate.log:ymems
Removed Stream! C:\WINDOWS\winnt256.bmp:ehvmg
Removed Stream! C:\WINDOWS\wmsetup10.log:fxclgf
Removed Stream! C:\WINDOWS\WMSysPr9.prx:xvamz
Removed Stream! C:\WINDOWS\_default(10).pif:aldyy
Removed Stream! C:\WINDOWS\_default(11).pif:aldyy
Removed Stream! C:\WINDOWS\_default(12).pif:aldyy
Removed Stream! C:\WINDOWS\_default(13).pif:aldyy
Removed Stream! C:\WINDOWS\_default(14).pif:aldyy
Removed Stream! C:\WINDOWS\_default(2).pif:aldyy
Removed Stream! C:\WINDOWS\_default(3).pif:aldyy
Removed Stream! C:\WINDOWS\_default(4).pif:aldyy
Removed Stream! C:\WINDOWS\_default(5).pif:aldyy
Removed Stream! C:\WINDOWS\_default(6).pif:aldyy
Removed Stream! C:\WINDOWS\_default(7).pif:aldyy
Removed Stream! C:\WINDOWS\_default(8).pif:aldyy
Removed Stream! C:\WINDOWS\_default(9).pif:aldyy
Removed Stream! C:\WINDOWS\_default.pif:aefpte
Removed Stream! C:\WINDOWS\_default.pif:aldyy
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:adjck
------------------------------------------------
Removed File! : C:\Windows\addso32.exe
Removed File! : C:\Windows\addvg32.exe
Removed File! : C:\Windows\addvz.exe
Removed File! : C:\Windows\addxy32.exe
Removed File! : C:\Windows\apiau.exe
Removed File! : C:\Windows\apibv.exe
Removed File! : C:\Windows\apicn32.exe
Removed File! : C:\Windows\apidq32.exe
Removed File! : C:\Windows\apifs32.exe
Removed File! : C:\Windows\apigy32.exe
Removed File! : C:\Windows\apike32.exe
Removed File! : C:\Windows\apilb32.exe
Removed File! : C:\Windows\apiqu32.exe
Removed File! : C:\Windows\apirq.exe
Removed File! : C:\Windows\apiuv32.exe
Removed File! : C:\Windows\apiyd32.exe
Removed File! : C:\Windows\apizo.exe
Removed File! : C:\Windows\appaf32.exe
Removed File! : C:\Windows\appbn32.exe
Removed File! : C:\Windows\appeg32.exe
Removed File! : C:\Windows\appgu32.exe
Removed File! : C:\Windows\apphz32.exe
Removed File! : C:\Windows\appjp32.exe
Removed File! : C:\Windows\appnd32.exe
Removed File! : C:\Windows\apppa32.exe
Removed File! : C:\Windows\apppt.exe
Removed File! : C:\Windows\apppx32.exe
Removed File! : C:\Windows\apppy.exe
Removed File! : C:\Windows\atlbh.exe
Removed File! : C:\Windows\atlej.exe
Removed File! : C:\Windows\atlhl32.exe
Removed File! : C:\Windows\atljj32.exe
Removed File! : C:\Windows\atlkk32.exe
Removed File! : C:\Windows\atlpz.exe
Removed File! : C:\Windows\atlqs32.exe
Removed File! : C:\Windows\atlsz32.exe
Removed File! : C:\Windows\atlth32.exe
Removed File! : C:\Windows\atlwe32.exe
Removed File! : C:\Windows\atlwq32.exe
Removed File! : C:\Windows\cran32.exe
Removed File! : C:\Windows\crde32.exe
Removed File! : C:\Windows\crfz32.exe
Removed File! : C:\Windows\crod32.exe
Removed File! : C:\Windows\crph.exe
Removed File! : C:\Windows\crqr32.exe
Removed File! : C:\Windows\crrs.exe
Removed File! : C:\Windows\crtj32.exe
Removed File! : C:\Windows\crtm32.exe
Removed File! : C:\Windows\crtx32.exe
Removed File! : C:\Windows\cruo.exe
Removed File! : C:\Windows\cruo32.exe
Removed File! : C:\Windows\crvz32.exe
Removed File! : C:\Windows\crww32.exe
Removed File! : C:\Windows\cyyfw.dll
Removed File! : C:\Windows\d3df32.exe
Removed File! : C:\Windows\d3el32.exe
Removed File! : C:\Windows\d3fs32.exe
Removed File! : C:\Windows\d3hk.exe
Removed File! : C:\Windows\d3mo.exe
Removed File! : C:\Windows\d3nd32.exe
Removed File! : C:\Windows\d3nq.exe
Removed File! : C:\Windows\d3oo32.exe
Removed File! : C:\Windows\d3ov.exe
Removed File! : C:\Windows\d3pv.exe
Removed File! : C:\Windows\d3qd32.exe
Removed File! : C:\Windows\d3qk32.exe
Removed File! : C:\Windows\d3ra.exe
Removed File! : C:\Windows\d3tu.exe
Removed File! : C:\Windows\d3xh.exe
Removed File! : C:\Windows\d3xi32.exe
Removed File! : C:\Windows\d3xl32.exe
Removed File! : C:\Windows\d3yl.exe
Removed File! : C:\Windows\eedmt.dll
Removed File! : C:\Windows\esgbw.dat
Removed File! : C:\Windows\gidji.dat
Removed File! : C:\Windows\hifxq.dat
Removed File! : C:\Windows\iejo32.exe
Removed File! : C:\Windows\ield.exe
Removed File! : C:\Windows\iema.exe
Removed File! : C:\Windows\iemg32.exe
Removed File! : C:\Windows\ieoa32.exe
Removed File! : C:\Windows\ieoj32.exe
Removed File! : C:\Windows\ietx.exe
Removed File! : C:\Windows\ieur.exe
Removed File! : C:\Windows\ievb32.exe
Removed File! : C:\Windows\iewe32.exe
Removed File! : C:\Windows\iewj.exe
Removed File! : C:\Windows\ieyg.exe
Removed File! : C:\Windows\iezm32.exe
Removed File! : C:\Windows\ipbe32.exe
Removed File! : C:\Windows\ipbi.exe
Removed File! : C:\Windows\ipbn32.exe
Removed File! : C:\Windows\ipjr.exe
Removed File! : C:\Windows\ipjw32.exe
Removed File! : C:\Windows\iplf32.exe
Removed File! : C:\Windows\ipnk.exe
Removed File! : C:\Windows\iprj.exe
Removed File! : C:\Windows\ipud.exe
Removed File! : C:\Windows\ipyn.exe
Removed File! : C:\Windows\javaca.exe
Removed File! : C:\Windows\javaeh.exe
Removed File! : C:\Windows\javaih.exe
Removed File! : C:\Windows\javaje.exe
Removed File! : C:\Windows\javajl32.exe
Removed File! : C:\Windows\javako32.exe
Removed File! : C:\Windows\javalh32.exe
Removed File! : C:\Windows\javasa32.exe
Removed File! : C:\Windows\javash.exe
Removed File! : C:\Windows\javask.exe
Removed File! : C:\Windows\javaux32.exe
Removed File! : C:\Windows\javave32.exe
Removed File! : C:\Windows\javavw32.exe
Removed File! : C:\Windows\javayy.exe
Removed File! : C:\Windows\kcavv.dat
Removed File! : C:\Windows\mduen.dll
Removed File! : C:\Windows\mfcah.exe
Removed File! : C:\Windows\mfcdf32.exe
Removed File! : C:\Windows\mfcdl.exe
Removed File! : C:\Windows\mfcdx32.exe
Removed File! : C:\Windows\mfces32.exe
Removed File! : C:\Windows\mfcge.exe
Removed File! : C:\Windows\mfcko.exe
Removed File! : C:\Windows\mfcpi.exe
Removed File! : C:\Windows\mfcqa.exe
Removed File! : C:\Windows\mfcri32.exe
Removed File! : C:\Windows\mfctm32.exe
Removed File! : C:\Windows\mfcuw.exe
Removed File! : C:\Windows\montc.dat
Removed File! : C:\Windows\msdn32.exe
Removed File! : C:\Windows\msfl.exe
Removed File! : C:\Windows\msfq.exe
Removed File! : C:\Windows\mske32.exe
Removed File! : C:\Windows\mskr32.exe
Removed File! : C:\Windows\msku.exe
Removed File! : C:\Windows\msop32.exe
Removed File! : C:\Windows\mssp.exe
Removed File! : C:\Windows\mstm.exe
Removed File! : C:\Windows\msxq.exe
Removed File! : C:\Windows\mszz32.exe
Removed File! : C:\Windows\nafzj.dat
Removed File! : C:\Windows\netbg32.exe
Removed File! : C:\Windows\netfn32.exe
Removed File! : C:\Windows\netgc32.exe
Removed File! : C:\Windows\netkl.exe
Removed File! : C:\Windows\netmo.exe
Removed File! : C:\Windows\netov32.exe
Removed File! : C:\Windows\netoz32.exe
Removed File! : C:\Windows\netqw32.exe
Removed File! : C:\Windows\netqx32.exe
Removed File! : C:\Windows\netrb.exe
Removed File! : C:\Windows\nettc32.exe
Removed File! : C:\Windows\netvy32.exe
Removed File! : C:\Windows\netyr.exe
Removed File! : C:\Windows\netzp.exe
Removed File! : C:\Windows\nftzf.dat
Removed File! : C:\Windows\ntcn.exe
Removed File! : C:\Windows\ntek.exe
Removed File! : C:\Windows\ntgp.exe
Removed File! : C:\Windows\ntih32.exe
Removed File! : C:\Windows\ntlr32.exe
Removed File! : C:\Windows\ntsx32.exe
Removed File! : C:\Windows\ntvb.exe
Removed File! : C:\Windows\ntxb.exe
Removed File! : C:\Windows\ntzq.exe
Removed File! : C:\Windows\qiwvt.dat
Removed File! : C:\Windows\rpksz.dat
Removed File! : C:\Windows\rwlfx.dat
Removed File! : C:\Windows\sdkfp.exe
Removed File! : C:\Windows\sdkio32.exe
Removed File! : C:\Windows\sdkjz32.exe
Removed File! : C:\Windows\sdkmb32.exe
Removed File! : C:\Windows\sdkpg.exe
Removed File! : C:\Windows\sdkpk32.exe
Removed File! : C:\Windows\sdkta.exe
Removed File! : C:\Windows\sdktd.exe
Removed File! : C:\Windows\sdkus.exe
Removed File! : C:\Windows\sdkwe32.exe
Removed File! : C:\Windows\sdkxd.exe
Removed File! : C:\Windows\sysao.exe
Removed File! : C:\Windows\sysdk.exe
Removed File! : C:\Windows\syshu.exe
Removed File! : C:\Windows\sysiu.exe
Removed File! : C:\Windows\sysje.exe
Removed File! : C:\Windows\sysje32.exe
Removed File! : C:\Windows\sysjo32.exe
Removed File! : C:\Windows\syskh32.exe
Removed File! : C:\Windows\syslw32.exe
Removed File! : C:\Windows\syswt32.exe
Removed File! : C:\Windows\ueeei.dat
Removed File! : C:\Windows\winbt32.exe
Removed File! : C:\Windows\wincq32.exe
Removed File! : C:\Windows\winsp.exe
Removed File! : C:\Windows\winvj32.exe
Removed File! : C:\Windows\winvq.exe
Removed File! : C:\Windows\winyw32.exe
Removed File! : C:\Windows\winzk32.exe
Removed File! : C:\Windows\zzpzp.dat
Removed File! : C:\Windows\System32\addbn32.exe
Removed File! : C:\Windows\System32\addbv32.exe
Removed File! : C:\Windows\System32\addci.exe
Removed File! : C:\Windows\System32\addew32.exe
Removed File! : C:\Windows\System32\addgb32.exe
Removed File! : C:\Windows\System32\addjy32.exe
Removed File! : C:\Windows\System32\addnl32.exe
Removed File! : C:\Windows\System32\addnt.exe
Removed File! : C:\Windows\System32\addpk32.exe
Removed File! : C:\Windows\System32\adduw.exe
Removed File! : C:\Windows\System32\addym32.exe
Removed File! : C:\Windows\System32\addzw32.exe
Removed File! : C:\Windows\System32\apiab32.exe
Removed File! : C:\Windows\System32\apifv.exe
Removed File! : C:\Windows\System32\apifw32.exe
Removed File! : C:\Windows\System32\apigk.exe
Removed File! : C:\Windows\System32\apiip.exe
Removed File! : C:\Windows\System32\apijp32.exe
Removed File! : C:\Windows\System32\apikm32.exe
Removed File! : C:\Windows\System32\apimh.exe
Removed File! : C:\Windows\System32\apims32.exe
Removed File! : C:\Windows\System32\apiqp32.exe
Removed File! : C:\Windows\System32\apirf32.exe
Removed File! : C:\Windows\System32\apito.exe
Removed File! : C:\Windows\System32\apium32.exe
Removed File! : C:\Windows\System32\apixl.exe
Removed File! : C:\Windows\System32\apixo.exe
Removed File! : C:\Windows\System32\apize32.exe
Removed File! : C:\Windows\System32\appdf.exe
Removed File! : C:\Windows\System32\appfc.exe
Removed File! : C:\Windows\System32\apphk32.exe
Removed File! : C:\Windows\System32\applz32.exe
Removed File! : C:\Windows\System32\appmo32.exe
Removed File! : C:\Windows\System32\appmy32.exe
Removed File! : C:\Windows\System32\appnb.exe
Removed File! : C:\Windows\System32\appph32.exe
Removed File! : C:\Windows\System32\apppo32.exe
Removed File! : C:\Windows\System32\appur.exe
Removed File! : C:\Windows\System32\appur32.exe
Removed File! : C:\Windows\System32\appzt32.exe
Removed File! : C:\Windows\System32\atles32.exe
Removed File! : C:\Windows\System32\atlgy32.exe
Removed File! : C:\Windows\System32\atlju.exe
Removed File! : C:\Windows\System32\atlni.exe
Removed File! : C:\Windows\System32\atlpa32.exe
Removed File! : C:\Windows\System32\atlur32.exe
Removed File! : C:\Windows\System32\axfjf.dll
Removed File! : C:\Windows\System32\bjaij.dll
Removed File! : C:\Windows\System32\cgfej.dat
Removed File! : C:\Windows\System32\cjzhe.dat
Removed File! : C:\Windows\System32\crbn32.exe
Removed File! : C:\Windows\System32\criz.exe
Removed File! : C:\Windows\System32\crmp.exe
Removed File! : C:\Windows\System32\crrv32.exe
Removed File! : C:\Windows\System32\crsp32.exe
Removed File! : C:\Windows\System32\cruu32.exe
Removed File! : C:\Windows\System32\crys.exe
Removed File! : C:\Windows\System32\crzt32.exe
Removed File! : C:\Windows\System32\crzy.exe
Removed File! : C:\Windows\System32\cwqbq.dat
Removed File! : C:\Windows\System32\cxlzy.dat
Removed File! : C:\Windows\System32\cyunn.dat
Removed File! : C:\Windows\System32\d3gr.exe
Removed File! : C:\Windows\System32\d3hd.exe
Removed File! : C:\Windows\System32\d3nt.exe
Removed File! : C:\Windows\System32\d3oh32.exe
Removed File! : C:\Windows\System32\d3pa32.exe
Removed File! : C:\Windows\System32\d3rf32.exe
Removed File! : C:\Windows\System32\d3rh32.exe
Removed File! : C:\Windows\System32\d3rp.exe
Removed File! : C:\Windows\System32\d3tz.exe
Removed File! : C:\Windows\System32\d3vs.exe
Removed File! : C:\Windows\System32\d3wt.exe
Removed File! : C:\Windows\System32\d3zb.exe
Removed File! : C:\Windows\System32\exlxl.dll
Removed File! : C:\Windows\System32\fburc.dat
Removed File! : C:\Windows\System32\gbxel.dat
Removed File! : C:\Windows\System32\ghdxg.dat
Removed File! : C:\Windows\System32\gzohn.dat
Removed File! : C:\Windows\System32\hitkn.dat
Removed File! : C:\Windows\System32\hylyg.dll
Removed File! : C:\Windows\System32\iefa.exe
Removed File! : C:\Windows\System32\iefr.exe
Removed File! : C:\Windows\System32\iejc.exe
Removed File! : C:\Windows\System32\iejd.exe
Removed File! : C:\Windows\System32\ielp32.exe
Removed File! : C:\Windows\System32\ienj.exe
Removed File! : C:\Windows\System32\ieoa32.exe
Removed File! : C:\Windows\System32\ieqd32.exe
Removed File! : C:\Windows\System32\iesn.exe
Removed File! : C:\Windows\System32\iewb.exe
Removed File! : C:\Windows\System32\ieyt32.exe
Removed File! : C:\Windows\System32\iezg32.exe
Removed File! : C:\Windows\System32\iezj32.exe
Removed File! : C:\Windows\System32\ikmza.dat
Removed File! : C:\Windows\System32\imhiz.dat
Removed File! : C:\Windows\System32\ipaa.exe
Removed File! : C:\Windows\System32\ipbi32.exe
Removed File! : C:\Windows\System32\ipde.exe
Removed File! : C:\Windows\System32\iphz.exe
Removed File! : C:\Windows\System32\ipqa.exe
Removed File! : C:\Windows\System32\iprs.exe
Removed File! : C:\Windows\System32\iprt32.exe
Removed File! : C:\Windows\System32\iptc.exe
Removed File! : C:\Windows\System32\ipvo.exe
Removed File! : C:\Windows\System32\ipwh.exe
Removed File! : C:\Windows\System32\ipwo.exe
Removed File! : C:\Windows\System32\ipyo32.exe
Removed File! : C:\Windows\System32\javabi.exe
Removed File! : C:\Windows\System32\javace.exe
Removed File! : C:\Windows\System32\javaef32.exe
Removed File! : C:\Windows\System32\javaim32.exe
Removed File! : C:\Windows\System32\javajb32.exe
Removed File! : C:\Windows\System32\javakt.exe
Removed File! : C:\Windows\System32\javamb.exe
Removed File! : C:\Windows\System32\javamz32.exe
Removed File! : C:\Windows\System32\javapm.exe
Removed File! : C:\Windows\System32\javatm32.exe
Removed File! : C:\Windows\System32\javazy32.exe
Removed File! : C:\Windows\System32\jpkde.dat
Removed File! : C:\Windows\System32\mfcaq.exe
Removed File! : C:\Windows\System32\mfcbk.exe
Removed File! : C:\Windows\System32\mfcbn.exe
Removed File! : C:\Windows\System32\mfccc32.exe
Removed File! : C:\Windows\System32\mfccv32.exe
Removed File! : C:\Windows\System32\mfceh32.exe
Removed File! : C:\Windows\System32\mfcex32.exe
Removed File! : C:\Windows\System32\mfchp32.exe
Removed File! : C:\Windows\System32\mfcjj.exe
Removed File! : C:\Windows\System32\mfclm32.exe
Removed File! : C:\Windows\System32\mfcny.exe
Removed File! : C:\Windows\System32\mfcrx32.exe
Removed File! : C:\Windows\System32\mfcyf.exe
Removed File! : C:\Windows\System32\mfcze32.exe
Removed File! : C:\Windows\System32\mqlbn.dll
Removed File! : C:\Windows\System32\mscg.exe
Removed File! : C:\Windows\System32\mscq32.exe
Removed File! : C:\Windows\System32\msgf.exe
Removed File! : C:\Windows\System32\msgl.exe
Removed File! : C:\Windows\System32\msgm32.exe
Removed File! : C:\Windows\System32\msjg32.exe
Removed File! : C:\Windows\System32\msju32.exe
Removed File! : C:\Windows\System32\mslb.exe
Removed File! : C:\Windows\System32\mssk.exe
Removed File! : C:\Windows\System32\msuu.exe
Removed File! : C:\Windows\System32\msve.exe
Removed File! : C:\Windows\System32\msxe.exe
Removed File! : C:\Windows\System32\msyy.exe
Removed File! : C:\Windows\System32\mszq32.exe
Removed File! : C:\Windows\System32\mudgu.dat
Removed File! : C:\Windows\System32\ndjah.dat
Removed File! : C:\Windows\System32\netcp.exe
Removed File! : C:\Windows\System32\netdf.exe
Removed File! : C:\Windows\System32\netfp32.exe
Removed File! : C:\Windows\System32\netfr.exe
Removed File! : C:\Windows\System32\netfv.exe
Removed File! : C:\Windows\System32\netid.exe
Removed File! : C:\Windows\System32\netlv32.exe
Removed File! : C:\Windows\System32\netwb32.exe
Removed File! : C:\Windows\System32\netwm32.exe
Removed File! : C:\Windows\System32\netxg32.exe
Removed File! : C:\Windows\System32\netzo.exe
Removed File! : C:\Windows\System32\nhkeo.dat
Removed File! : C:\Windows\System32\ntcy.exe
Removed File! : C:\Windows\System32\ntdg32.exe
Removed File! : C:\Windows\System32\ntew32.exe
Removed File! : C:\Windows\System32\ntkd.exe
Removed File! : C:\Windows\System32\ntof.exe
Removed File! : C:\Windows\System32\ntrz32.exe
Removed File! : C:\Windows\System32\nttw32.exe
Removed File! : C:\Windows\System32\nttx32.exe
Removed File! : C:\Windows\System32\ntur32.exe
Removed File! : C:\Windows\System32\ntwk.exe
Removed File! : C:\Windows\System32\ntxo32.exe
Removed File! : C:\Windows\System32\pfeuo.dll
Removed File! : C:\Windows\System32\sdkbn32.exe
Removed File! : C:\Windows\System32\sdkci32.exe
Removed File! : C:\Windows\System32\sdkdv.exe
Removed File! : C:\Windows\System32\sdkfc.exe
Removed File! : C:\Windows\System32\sdkjt.exe
Removed File! : C:\Windows\System32\sdkkr32.exe
Removed File! : C:\Windows\System32\sdkma.exe
Removed File! : C:\Windows\System32\sdkme.exe
Removed File! : C:\Windows\System32\sdkmm32.exe
Removed File! : C:\Windows\System32\sdkmy32.exe
Removed File! : C:\Windows\System32\sdkou.exe
Removed File! : C:\Windows\System32\sdkrp.exe
Removed File! : C:\Windows\System32\sdksd.exe
Removed File! : C:\Windows\System32\sdkti32.exe
Removed File! : C:\Windows\System32\sdkxz32.exe
Removed File! : C:\Windows\System32\sysbn32.exe
Removed File! : C:\Windows\System32\syscu32.exe
Removed File! : C:\Windows\System32\sysdm.exe
Removed File! : C:\Windows\System32\sysgr.exe
Removed File! : C:\Windows\System32\sysjx.exe
Removed File! : C:\Windows\System32\sysng32.exe
Removed File! : C:\Windows\System32\sysor32.exe
Removed File! : C:\Windows\System32\syspn32.exe
Removed File! : C:\Windows\System32\sysqw.exe
Removed File! : C:\Windows\System32\sysvw32.exe
Removed File! : C:\Windows\System32\syszd32.exe
Removed File! : C:\Windows\System32\tbjlz.dat
Removed File! : C:\Windows\System32\vogso.dat
Removed File! : C:\Windows\System32\wczvj.dat
Removed File! : C:\Windows\System32\winbn32.exe
Removed File! : C:\Windows\System32\windh32.exe
Removed File! : C:\Windows\System32\wingb32.exe
Removed File! : C:\Windows\System32\winht32.exe
Removed File! : C:\Windows\System32\winiz32.exe
Removed File! : C:\Windows\System32\winrp32.exe
Removed File! : C:\Windows\System32\wintn32.exe
Removed File! : C:\Windows\System32\winuo.exe
Removed File! : C:\Windows\System32\winvz32.exe
Removed File! : C:\Windows\System32\winyb32.exe
Removed File! : C:\Windows\System32\winzt.exe
Removed File! : C:\Windows\System32\wqumy.dll
Removed File! : C:\Windows\System32\wtoee.dll
Removed File! : C:\Windows\System32\wtygy.dat
Removed File! : C:\Windows\System32\xtzcp.dat
Removed File! : C:\Windows\System32\yikvw.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:36:58 AM


AboutBuster 5.0 reference file 28
Scan started on [6/12/2005] at [7:09:48 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\KB834707.log:rwvtir
Removed Stream! C:\WINDOWS\msoffice(3).ini:uqfzq
Removed Stream! C:\WINDOWS\orun32.isu:gnmei
Removed Stream! C:\WINDOWS\setuperr.del:fkwfrg
Removed Stream! C:\WINDOWS\setuperr.log:ypwsfk
Removed Stream! C:\WINDOWS\Sti_Trace.log:mfekj
Removed Stream! C:\WINDOWS\Sti_Trace.log:qsvzwu
Removed Stream! C:\WINDOWS\Sti_Trace.log:rqpxhm
Removed Stream! C:\WINDOWS\Sti_Trace.log:ygafic
Removed Stream! C:\WINDOWS\TaxACT04.ini:amrdie
Removed Stream! C:\WINDOWS\tiagl.txt:xkomoa
Removed Stream! C:\WINDOWS\tmnfs.log:tnkjkg
Removed Stream! C:\WINDOWS\_default(10).pif:auukp
Removed Stream! C:\WINDOWS\_default(11).pif:auukp
Removed Stream! C:\WINDOWS\_default(12).pif:auukp
Removed Stream! C:\WINDOWS\_default(13).pif:auukp
Removed Stream! C:\WINDOWS\_default(14).pif:auukp
Removed Stream! C:\WINDOWS\_default(2).pif:asxxh
Removed Stream! C:\WINDOWS\_default(3).pif:asxxh
Removed Stream! C:\WINDOWS\_default(4).pif:asxxh
Removed Stream! C:\WINDOWS\_default(5).pif:auukp
Removed Stream! C:\WINDOWS\_default(6).pif:auukp
Removed Stream! C:\WINDOWS\_default(7).pif:auukp
Removed Stream! C:\WINDOWS\_default(8).pif:auukp
Removed Stream! C:\WINDOWS\_default(9).pif:auukp
Removed Stream! C:\WINDOWS\_default.pif:auukp
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:adytk
------------------------------------------------
Removed File! : C:\Windows\javayg32.exe
Removed File! : C:\Windows\mduen.dll
Removed File! : C:\Windows\msne32.exe
Removed File! : C:\Windows\ntcd.exe
Removed File! : C:\Windows\ntid32.exe
Removed File! : C:\Windows\rwlfx.dat
Removed File! : C:\Windows\yuybh.dll
Removed File! : C:\Windows\System32\apine.exe
Removed File! : C:\Windows\System32\apiwq.exe
Removed File! : C:\Windows\System32\avgvi.dat
Removed File! : C:\Windows\System32\dycly.dat
Removed File! : C:\Windows\System32\mfcvw32.exe
Removed File! : C:\Windows\System32\winym32.exe
Removed File! : C:\Windows\System32\xtzcp.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:26:02 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:45:33 AM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\ewidoctrl.exe
C:\Program Files\ewido\ewidoguard.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\winzq32.exe
C:\Program Files\Alarm++\Alarm.exe
C:\Program Files\YCIII\YankClip.exe
C:\Tools\Z Clock\ZClock-Digital.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {77D6A3EB-35E9-C062-5ADD-F1EC137D83E6} - C:\WINDOWS\netxj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {E75E8B80-0901-AC5A-6453-3114563FF460} - C:\WINDOWS\mfcds32.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [winzq32.exe] C:\WINDOWS\winzq32.exe
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Yankee Clipper III.lnk = C:\Program Files\YCIII\YankClip.exe
O4 - Startup: ZClock.lnk = C:\Tools\Z Clock\ZClock-Digital.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/ractrl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaia32.exe" /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Thanks again.
  • 0

#6
greyknight17
Posted 12 June 2005 - 10:39 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, you may keep SpywareBlaster. You may update it and 'Enable All Protection' then close it.

That AB Logfile is getting bigger. OK, delete that file so we have a fresh new one after doing another scan.

Just to let you know (because it seems like we're going in circles here), this infection may take several rounds to fix. But I will ask you to run another virus scan (Panda) to make sure it's nothing else that's causing this problem.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go to Start->Run and type in services.msc and hit OK. Then look for Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\saqne.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {77D6A3EB-35E9-C062-5ADD-F1EC137D83E6} - C:\WINDOWS\netxj.dll
O2 - BHO: Class - {E75E8B80-0901-AC5A-6453-3114563FF460} - C:\WINDOWS\mfcds32.dll (file missing)
O4 - HKLM\..\Run: [winzq32.exe] C:\WINDOWS\winzq32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaia32.exe" /s (file missing)

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\winzq32.exe
C:\WINDOWS\netxj.dll

Run the cwsserviceremove.reg file again and say yes to merge it.

Run CleanUp program again.

Restart and run a new HijackThis scan. Save the log file and post it here.

Run an online virus scan at Panda ActiveScan http://www.pandasoft...ucts/activescan. Save the log and post it here.
  • 0

#7
RandyU
Posted 12 June 2005 - 01:50 PM

RandyU

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks greyknight17,

I'm here for the duration.

AboutBuster 5.0 reference file 28
Scan started on [6/12/2005] at [11:35:12 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\orun32.isu:xjtnmg
Removed Stream! C:\WINDOWS\_default(10).pif:azqcv
Removed Stream! C:\WINDOWS\_default(11).pif:azqcv
Removed Stream! C:\WINDOWS\_default(12).pif:azqcv
Removed Stream! C:\WINDOWS\_default(13).pif:azqcv
Removed Stream! C:\WINDOWS\_default(14).pif:azqcv
Removed Stream! C:\WINDOWS\_default(2).pif:auukp
Removed Stream! C:\WINDOWS\_default(3).pif:auukp
Removed Stream! C:\WINDOWS\_default(4).pif:auukp
Removed Stream! C:\WINDOWS\_default(5).pif:azqcv
Removed Stream! C:\WINDOWS\_default(6).pif:azqcv
Removed Stream! C:\WINDOWS\_default(7).pif:azqcv
Removed Stream! C:\WINDOWS\_default(8).pif:azqcv
Removed Stream! C:\WINDOWS\_default(9).pif:azqcv
Removed Stream! C:\WINDOWS\_default.pif:awmue
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:aehcv
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:51:59 AM


Logfile of HijackThis v1.99.1
Scan saved at 12:03:53 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\ewidoctrl.exe
C:\Program Files\ewido\ewidoguard.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\iphz32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\d3sw.exe
C:\Program Files\Alarm++\Alarm.exe
C:\Program Files\YCIII\YankClip.exe
C:\Tools\Z Clock\ZClock-Digital.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5D2AC8EF-543F-11C8-6B03-77F06A8BD813} - C:\WINDOWS\syskw.dll
O2 - BHO: Class - {67AAF0FB-1186-9154-CBA3-D8205B92C911} - C:\WINDOWS\system32\javaqo.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {E41BFF67-8F16-E368-AAE6-29E32E2C234F} - C:\WINDOWS\netxj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [d3sw.exe] C:\WINDOWS\d3sw.exe
O4 - HKLM\..\RunOnce: [iphz32.exe] C:\WINDOWS\system32\iphz32.exe
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Yankee Clipper III.lnk = C:\Program Files\YCIII\YankClip.exe
O4 - Startup: ZClock.lnk = C:\Tools\Z Clock\ZClock-Digital.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/ractrl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaia32.exe" /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Incident Status Location

Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-2844225563-112124957-2870318443-1006\Dc3.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-2844225563-112124957-2870318443-1006\Dc4.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\addav.dll
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addbb.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addbv32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addcc32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addcm32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addcr.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\adddb32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\adddi.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addea32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addei32.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\addeu32.dll
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addgb32.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\addgl32.dll
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addgl32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addhq32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addia32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addiq.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addlj.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addnl32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addoi.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addpe.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addpt32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addpx32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addrl.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addsi.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addsi32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addti.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\adduv.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addww32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addwx32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addxe32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addzf32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\addzh32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\addzz.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\apiag.dll
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiag32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiar.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiaz.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\apicy32.dll
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apier.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apifl.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apigb.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apigi32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiht.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiic32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiiq.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apill.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apilu32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apimi32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apinn32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apinw32.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\apipt.dll
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apira.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiru32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apisc.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apitn.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apivj32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apivm32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiwt.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiwz.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\apixa.dll
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apixa.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\apiyd32.dll
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiyg.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apiyu.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apizn.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apizx.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apizy32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appae.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appan32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appcg.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appcj32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appdj32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appft.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appgh.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apphd32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apphf32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appif32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appio32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appis32.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\appjz.dll
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appkj32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appnt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appnw32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appoj32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appoo32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appov.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apppm32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appqc32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appri32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appro32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appsl32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apptj.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\apptz32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appub.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appvb32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appvh32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appvq.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appvs.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appwa.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appxm32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appyq.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\appyr32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlde32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atldg32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlds32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlgd32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlgw32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlgz.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlhy.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlij.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlip32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlkh.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlkr.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlku32.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\atllj.dll
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlln32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atllq32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atllr.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlmy32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlqf32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlqn32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlqs.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlqt32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlqx.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlrl32.exe
Virus:Trj/Agent.VN Disinfected C:\WINDOWS\atlsa.exe
  • 0

#8
greyknight17
Posted 12 June 2005 - 05:29 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go to Start->Run and type in services.msc and hit OK. Then look for Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qsydn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5D2AC8EF-543F-11C8-6B03-77F06A8BD813} - C:\WINDOWS\syskw.dll
O2 - BHO: Class - {67AAF0FB-1186-9154-CBA3-D8205B92C911} - C:\WINDOWS\system32\javaqo.dll
O2 - BHO: Class - {E41BFF67-8F16-E368-AAE6-29E32E2C234F} - C:\WINDOWS\netxj.dll (file missing)
O4 - HKLM\..\Run: [d3sw.exe] C:\WINDOWS\d3sw.exe
O4 - HKLM\..\RunOnce: [iphz32.exe] C:\WINDOWS\system32\iphz32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaia32.exe" /s (file missing)

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINDOWS\system32\iphz32.exe
C:\WINDOWS\d3sw.exe
C:\WINDOWS\syskw.dll
C:\WINDOWS\system32\javaqo.dll
C:\WINDOWS\atllj.dll
C:\WINDOWS\atlgd32.exe
C:\WINDOWS\appnw32.exe
C:\WINDOWS\appjz.dll
C:\WINDOWS\apiyd32.dll
C:\WINDOWS\apixa.dll
C:\WINDOWS\apipt.dll
C:\WINDOWS\apinn32.exe
C:\WINDOWS\apicy32.dll
C:\WINDOWS\apiag.dll
C:\WINDOWS\addzz.exe
C:\WINDOWS\addgl32.dll
C:\WINDOWS\addeu32.dll
C:\WINDOWS\addav.dll
C:\RECYCLER\S-1-5-21-2844225563-112124957-2870318443-1006\Dc4.exe
C:\RECYCLER\S-1-5-21-2844225563-112124957-2870318443-1006\Dc3.exe

Delete this folder:

C:\Documents and Settings\Randy\Favorites\Sites about\

Run CWShredder and CleanUp! again.

Restart and run a new HijackThis scan. Save the log file and post it here. Also run a new Panda scan and post that log.
  • 0

#9
RandyU
Posted 12 June 2005 - 07:41 PM

RandyU

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
cwshredder crashed my system again, upon rebooting i ran cleanup

AboutBuster 5.0 reference file 28
Scan started on [6/12/2005] at [11:35:12 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\orun32.isu:xjtnmg
Removed Stream! C:\WINDOWS\_default(10).pif:azqcv
Removed Stream! C:\WINDOWS\_default(11).pif:azqcv
Removed Stream! C:\WINDOWS\_default(12).pif:azqcv
Removed Stream! C:\WINDOWS\_default(13).pif:azqcv
Removed Stream! C:\WINDOWS\_default(14).pif:azqcv
Removed Stream! C:\WINDOWS\_default(2).pif:auukp
Removed Stream! C:\WINDOWS\_default(3).pif:auukp
Removed Stream! C:\WINDOWS\_default(4).pif:auukp
Removed Stream! C:\WINDOWS\_default(5).pif:azqcv
Removed Stream! C:\WINDOWS\_default(6).pif:azqcv
Removed Stream! C:\WINDOWS\_default(7).pif:azqcv
Removed Stream! C:\WINDOWS\_default(8).pif:azqcv
Removed Stream! C:\WINDOWS\_default(9).pif:azqcv
Removed Stream! C:\WINDOWS\_default.pif:awmue
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:aehcv
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:51:59 AM


AboutBuster 5.0 reference file 28
Scan started on [6/12/2005] at [6:15:06 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default(10).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(11).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(12).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(13).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(14).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(2).pif:bakjtv
Removed Stream! C:\WINDOWS\_default(2).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(2).pif:bdwjy
Removed Stream! C:\WINDOWS\_default(3).pif:bakjtv
Removed Stream! C:\WINDOWS\_default(3).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(3).pif:bdwjy
Removed Stream! C:\WINDOWS\_default(4).pif:bakjtv
Removed Stream! C:\WINDOWS\_default(4).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(4).pif:bdwjy
Removed Stream! C:\WINDOWS\_default(5).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(6).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(7).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(7).pif:bdwjy
Removed Stream! C:\WINDOWS\_default(8).pif:bakjtv
Removed Stream! C:\WINDOWS\_default(8).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(8).pif:bdwjy
Removed Stream! C:\WINDOWS\_default(9).pif:bakjtv
Removed Stream! C:\WINDOWS\_default(9).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(9).pif:bdwjy
Removed Stream! C:\WINDOWS\_default.pif:azqcv
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:aeqre
------------------------------------------------
Removed File! : C:\Windows\System32\kvkxr.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:20:19 PM


Logfile of HijackThis v1.99.1
Scan saved at 6:34:19 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\ewidoctrl.exe
C:\Program Files\ewido\ewidoguard.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\iphz32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\d3sw.exe
C:\Program Files\Alarm++\Alarm.exe
C:\Program Files\YCIII\YankClip.exe
C:\Tools\Z Clock\ZClock-Digital.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {44EEE13A-5136-F763-2476-2EE6A9874D4B} - C:\WINDOWS\d3bd.dll
O2 - BHO: Class - {67AAF0FB-1186-9154-CBA3-D8205B92C911} - C:\WINDOWS\system32\javaqo.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [d3sw.exe] C:\WINDOWS\d3sw.exe
O4 - HKLM\..\RunOnce: [iphz32.exe] C:\WINDOWS\system32\iphz32.exe
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Yankee Clipper III.lnk = C:\Program Files\YCIII\YankClip.exe
O4 - Startup: ZClock.lnk = C:\Tools\Z Clock\ZClock-Digital.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/ractrl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaia32.exe" /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

thanks
  • 0

#10
greyknight17
Posted 13 June 2005 - 06:54 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Was just about to ask for help, but then figured that I should try one more thing. If this still doesn't do it, I will call out the cavalry :tazz:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) or just Workstation NetLogon Service

*NOTE* Make sure to disable the service exactly as shown above because there may be legitimate services by similar name.

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

11Fßä#·ºÄÖ`I

and hit OK. Try entering this also if the above doesn't work:

Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {44EEE13A-5136-F763-2476-2EE6A9874D4B} - C:\WINDOWS\d3bd.dll
O2 - BHO: Class - {67AAF0FB-1186-9154-CBA3-D8205B92C911} - C:\WINDOWS\system32\javaqo.dll (file missing)
O4 - HKLM\..\Run: [d3sw.exe] C:\WINDOWS\d3sw.exe
O4 - HKLM\..\RunOnce: [iphz32.exe] C:\WINDOWS\system32\iphz32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaia32.exe" /s (file missing)

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\iphz32.exe
C:\WINDOWS\d3sw.exe
C:\WINDOWS\d3bd.dll
C:\WINDOWS\system32\javaqo.dll

Run CleanUp! now. Does CWShredder still crash?

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

Advertisements

#11
RandyU
Posted 13 June 2005 - 09:51 AM

RandyU

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
cwshredder still crashed

when i boot to safe mode Workstation NetLogon Service is always stopped, i change startup type from automatic to disabled.
Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) is never there just Workstation NetLogon Service.
hijackthis did not find ( 11Fßä#·ºÄÖ`I) or Workstation NetLogon Service in the registry.

when i ran a scan in HijackThis all of the following R1's like:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
had faxoo.dll instead of jqwvo.dll. i did not fix them.
question: how about next time i fix whatever these R1's are, jqwvo, faxoo, your input, whatever this bug creates. in other words, i fix whatever i see as long as it consistent amoung the R1's. i don't want to do anything you are unsure of, it just that have noticed this trend lately and was wondering if we needed a different approach. remember there are no stupid questions.

when cwshredder crashes, do we not delete the files to be deleted at reboot.
should we skip trying to run cwshredder next time.

when i restarted after the crash there was a process that just kept running and running, avgw.exe. it was using anywhere from 25 to 95% of the resources, i ended this process. next i ran hijackthis for your log,

then i checked Workstation NetLogon Service, both stop and run were grayed out and it was disabled. i never noticed this before but, the path to the executable was c:\windows\javaia32.exe

hope this helps

Thanks greyknight17!

AboutBuster 5.0 reference file 28
Scan started on [6/12/2005] at [11:35:12 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\orun32.isu:xjtnmg
Removed Stream! C:\WINDOWS\_default(10).pif:azqcv
Removed Stream! C:\WINDOWS\_default(11).pif:azqcv
Removed Stream! C:\WINDOWS\_default(12).pif:azqcv
Removed Stream! C:\WINDOWS\_default(13).pif:azqcv
Removed Stream! C:\WINDOWS\_default(14).pif:azqcv
Removed Stream! C:\WINDOWS\_default(2).pif:auukp
Removed Stream! C:\WINDOWS\_default(3).pif:auukp
Removed Stream! C:\WINDOWS\_default(4).pif:auukp
Removed Stream! C:\WINDOWS\_default(5).pif:azqcv
Removed Stream! C:\WINDOWS\_default(6).pif:azqcv
Removed Stream! C:\WINDOWS\_default(7).pif:azqcv
Removed Stream! C:\WINDOWS\_default(8).pif:azqcv
Removed Stream! C:\WINDOWS\_default(9).pif:azqcv
Removed Stream! C:\WINDOWS\_default.pif:awmue
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:aehcv
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:51:59 AM


AboutBuster 5.0 reference file 28
Scan started on [6/12/2005] at [6:15:06 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default(10).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(11).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(12).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(13).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(14).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(2).pif:bakjtv
Removed Stream! C:\WINDOWS\_default(2).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(2).pif:bdwjy
Removed Stream! C:\WINDOWS\_default(3).pif:bakjtv
Removed Stream! C:\WINDOWS\_default(3).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(3).pif:bdwjy
Removed Stream! C:\WINDOWS\_default(4).pif:bakjtv
Removed Stream! C:\WINDOWS\_default(4).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(4).pif:bdwjy
Removed Stream! C:\WINDOWS\_default(5).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(6).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(7).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(7).pif:bdwjy
Removed Stream! C:\WINDOWS\_default(8).pif:bakjtv
Removed Stream! C:\WINDOWS\_default(8).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(8).pif:bdwjy
Removed Stream! C:\WINDOWS\_default(9).pif:bakjtv
Removed Stream! C:\WINDOWS\_default(9).pif:bayjxd
Removed Stream! C:\WINDOWS\_default(9).pif:bdwjy
Removed Stream! C:\WINDOWS\_default.pif:azqcv
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:aeqre
------------------------------------------------
Removed File! : C:\Windows\System32\kvkxr.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:20:19 PM


AboutBuster 5.0 reference file 28
Scan started on [6/13/2005] at [7:36:01 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default(10).pif:bknoy
Removed Stream! C:\WINDOWS\_default(11).pif:bknoy
Removed Stream! C:\WINDOWS\_default(12).pif:bknoy
Removed Stream! C:\WINDOWS\_default(13).pif:bknoy
Removed Stream! C:\WINDOWS\_default(14).pif:bknoy
Removed Stream! C:\WINDOWS\_default(2).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(3).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(4).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(5).pif:bknoy
Removed Stream! C:\WINDOWS\_default(6).pif:bknoy
Removed Stream! C:\WINDOWS\_default(7).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(8).pif:bfqnw
Removed Stream! C:\WINDOWS\_default(9).pif:bfqnw
Removed Stream! C:\WINDOWS\_default.pif:bdwjy
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:ajitl
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:ajymp
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:52:38 AM


Logfile of HijackThis v1.99.1
Scan saved at 6:34:19 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\ewidoctrl.exe
C:\Program Files\ewido\ewidoguard.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\iphz32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\d3sw.exe
C:\Program Files\Alarm++\Alarm.exe
C:\Program Files\YCIII\YankClip.exe
C:\Tools\Z Clock\ZClock-Digital.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {44EEE13A-5136-F763-2476-2EE6A9874D4B} - C:\WINDOWS\d3bd.dll
O2 - BHO: Class - {67AAF0FB-1186-9154-CBA3-D8205B92C911} - C:\WINDOWS\system32\javaqo.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [d3sw.exe] C:\WINDOWS\d3sw.exe
O4 - HKLM\..\RunOnce: [iphz32.exe] C:\WINDOWS\system32\iphz32.exe
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Yankee Clipper III.lnk = C:\Program Files\YCIII\YankClip.exe
O4 - Startup: ZClock.lnk = C:\Tools\Z Clock\ZClock-Digital.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/ractrl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaia32.exe" /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
  • 0

#12
greyknight17
Posted 13 June 2005 - 11:08 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Sorry about that. I should have been more specific since the filenames do change. Yes, fix whatever new filenames are appearing in the R0/R1 entries.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

Workstation NetLogon Service (11Fßä#·ºÄÖ`I) or just Workstation NetLogon Service

*NOTE* Make sure to disable the service exactly as shown above because there may be legitimate services by similar name.

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

11Fßä#·ºÄÖ`I

and hit OK. Try entering this also if the above doesn't work:

Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jqwvo.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {44EEE13A-5136-F763-2476-2EE6A9874D4B} - C:\WINDOWS\d3bd.dll
O2 - BHO: Class - {67AAF0FB-1186-9154-CBA3-D8205B92C911} - C:\WINDOWS\system32\javaqo.dll (file missing)
O4 - HKLM\..\Run: [d3sw.exe] C:\WINDOWS\d3sw.exe
O4 - HKLM\..\RunOnce: [iphz32.exe] C:\WINDOWS\system32\iphz32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaia32.exe" /s (file missing)

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\iphz32.exe
C:\WINDOWS\d3sw.exe
C:\WINDOWS\d3bd.dll

Run cwsserviceremove.reg again and say yes to merge it. Run CleanUp! program.

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#13
RandyU
Posted 13 June 2005 - 06:08 PM

RandyU

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
here you go sir:

AboutBuster 5.0 reference file 28
Scan started on [6/13/2005] at [4:39:51 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default(10).pif:byaao
Removed Stream! C:\WINDOWS\_default(11).pif:byaao
Removed Stream! C:\WINDOWS\_default(12).pif:byaao
Removed Stream! C:\WINDOWS\_default(13).pif:byaao
Removed Stream! C:\WINDOWS\_default(14).pif:byaao
Removed Stream! C:\WINDOWS\_default(2).pif:bknoy
Removed Stream! C:\WINDOWS\_default(3).pif:bknoy
Removed Stream! C:\WINDOWS\_default(4).pif:bknoy
Removed Stream! C:\WINDOWS\_default(5).pif:bslhv
Removed Stream! C:\WINDOWS\_default(6).pif:bslhv
Removed Stream! C:\WINDOWS\_default(7).pif:bknoy
Removed Stream! C:\WINDOWS\_default(8).pif:bknoy
Removed Stream! C:\WINDOWS\_default(9).pif:bknoy
Removed Stream! C:\WINDOWS\_default.pif:bevnzk
Removed Stream! C:\WINDOWS\_default.pif:bfqnw
Removed Stream! C:\WINDOWS\__delete_on_reboot__winqz32.dll:akbjf
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:55:51 PM


Logfile of HijackThis v1.99.1
Scan saved at 5:05:09 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\ewidoctrl.exe
C:\Program Files\ewido\ewidoguard.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Alarm++\Alarm.exe
C:\Program Files\YCIII\YankClip.exe
C:\Tools\Z Clock\ZClock-Digital.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O4 - Startup: Yankee Clipper III.lnk = C:\Program Files\YCIII\YankClip.exe
O4 - Startup: ZClock.lnk = C:\Tools\Z Clock\ZClock-Digital.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/ractrl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
  • 0

#14
greyknight17
Posted 13 June 2005 - 07:11 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Eureka! :tazz: I think we have finally got it this time ;)

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#15
RandyU
Posted 13 June 2005 - 07:24 PM

RandyU

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
many thanks greyknight17
thanks for your patience

i agree looks like you did it!!!!!!!!!!!!!!!

i haven't done the system restore thing but that should be easy

one thing, i'm still getting some of those small windows popups that you can't resize. i use google toolbar popup blocker.
any suggestions for a real real good free popup blocker.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP