Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

highjackthis log [RESOLVED]

Started by frost4225 , Jun 10 2005 07:18 PM

This topic is locked

#1
frost4225

Posted 10 June 2005 - 07:18 PM

New Member

Member
9 posts

hello everyone i am getting a couple of things i am getting an about:blank home page, even after i change the homepage. and i am getting alot of "only the best" popups. thank you for your help.

Attached Files

hijackthis.txt 6.73KB 221 downloads

#2
frost4225

Posted 10 June 2005 - 07:47 PM

New Member

Topic Starter
Member
9 posts

Logfile of HijackThis v1.99.1
Scan saved at 6:46:58 PM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\system32\javare32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\crhg32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\frank cramer\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DF68EA3F-353B-2006-149E-B74E2F05DCBC} - C:\WINDOWS\system32\addqm32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [javare32.exe] C:\WINDOWS\system32\javare32.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\nnmvlsqi.exe
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downlo...ice_5_EN_XP.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113888634655
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.c...ionale_ver3.CAB
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downlo...ESS_1058_XP.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crhg32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#3
Excal

Posted 10 June 2005 - 08:05 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

helping in Live Chat

#4
Excal

Posted 10 June 2005 - 08:30 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi frost4225 and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download and install CleanUp! Here
Do NOT run it yet.Save all of these files somewhere you will remember like to the Desktop.

Update About:Buster

Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster

Update CWShredder

Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Download and unzip cwsserviceremove to your desktop. use either link below:
Site 1
Site 2
Site 3
Please Do Not use yet.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Close all browsers, windows and unneeded programs.

4. Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper and double click on it. Click on the Stop button and under Startup type, choose Disabled.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfkeq.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DF68EA3F-353B-2006-149E-B74E2F05DCBC} - C:\WINDOWS\system32\addqm32.dll
O4 - HKLM\..\Run: [javare32.exe] C:\WINDOWS\system32\javare32.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\nnmvlsqi.exe
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downlo...ice_5_EN_XP.cab
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.c...ionale_ver3.CAB
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downlo...ESS_1058_XP.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crhg32.exe

7. click the Fix Checked box

8. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

9. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\nfkeq.dll
C:\WINDOWS\system32\addqm32.dll
C:\WINDOWS\system32\javare32.exe
C:\Program Files\Internet Explorer\nnmvlsqi.exe
C:\WINDOWS\crhg32.exe

10. Please run about:buster by RubbeRDuckY:

Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.

11. Double click on the cwsserviceremove and when asked to merge say yes.

12. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

13. Now run CleanUp!Reboot your computer into normal windows.

14. Run this online virus scan: ActiveScan - Save the results from the scan!

15. Please post an Active scan log and a fresh HiJackThis log to verify all is good. Ensure you rehide your “hidden files and folders” back to the way they were.

#5
frost4225

Posted 11 June 2005 - 03:17 PM

New Member

Topic Starter
Member
9 posts

hello, i ran into a problem when i tried to use about: buster it says

run-time error '339':
component 'MSCOMCTL.OCX' or one of its dependencies not correctly registered: a file is missing or invalid

can you help

#6
Excal

Posted 11 June 2005 - 07:06 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi frost4225,

run this program

http://www.spywarein...ngfilesetup.exe

this should fix that problem.

Thanks,

:tazz:

Excal

Edited by Excalibur190, 11 June 2005 - 07:12 PM.

#7
frost4225

Posted 11 June 2005 - 09:31 PM

New Member

Topic Starter
Member
9 posts

ok i did all the stuff now i will attach the active scan and hijack this,

i am still getting the "ONLY THE BEST" popups

Logfile of HijackThis v1.99.1
Scan saved at 8:29:35 PM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\sdkow.exe
C:\WINDOWS\system32\atltq.exe
C:\Documents and Settings\frank cramer\Desktop\New Folder\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zfvza.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zfvza.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zfvza.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zfvza.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zfvza.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zfvza.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zfvza.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C82A01F1-0E24-0405-FCD2-44CC8C6C0E07} - C:\WINDOWS\system32\ipqf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [atltq.exe] C:\WINDOWS\system32\atltq.exe
O4 - HKLM\..\RunOnce: [sdkow.exe] C:\WINDOWS\sdkow.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113888634655
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crhg32.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

and active scan

Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfczx32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipqf.dll
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/SideFind No disinfected C:\Program Files\SideFind
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\addremln.inf
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
Adware:Adware/NaviPromo No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys????.exe
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050610-202005-543.dll
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050611-194220-919.dll
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apifb.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apiqg32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\appek32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3dr.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3iz.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3le32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3ry32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\ient32.dll
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\addremln.inf
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\localNrd.inf
Adware:Adware/MultiMPP No disinfected C:\WINDOWS\INF\multimpp.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\ipkk32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipnt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipsd.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\mfcfl.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netnt.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_arnocu.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_auqloj.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_dlqonf.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_eopauo.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_hkagtg.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_ixzfst.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_mcupqz.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_tluymt.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\syssn32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\addvn32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\apidp.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\apiqv.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\apppe.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\atlhm.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\d3ft32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ipqf.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\mfcrg.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\mfczx32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\msww.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\netpn.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ntkn.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ntog32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ntrh32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\sdkyh32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\winjb32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winke32.exe

#8
Excal

Posted 11 June 2005 - 10:14 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi frost4225,

It appears that something is preventing the fix, I think it might be your Norton. Can you please disable all Norton products, then redo the fix as posted.

Thanks,

:tazz:

Excal

#9
frost4225

Posted 11 June 2005 - 11:29 PM

New Member

Topic Starter
Member
9 posts

ok here we go. looks like we got rid of the "only the best" popup but i still have some kind of casino popup.

highjackthis

Logfile of HijackThis v1.99.1
Scan saved at 10:25:36 PM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\frank cramer\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113888634655
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

active scan

Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfczx32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipqf.dll
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/SideFind No disinfected C:\Program Files\SideFind
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\addremln.inf
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
Adware:Adware/NaviPromo No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys????.exe
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050610-202005-543.dll
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050611-194220-919.dll
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apifb.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apiqg32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\appek32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3dr.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3iz.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3le32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3ry32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\ient32.dll
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\addremln.inf
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\localNrd.inf
Adware:Adware/MultiMPP No disinfected C:\WINDOWS\INF\multimpp.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\ipkk32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipnt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipsd.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\mfcfl.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netnt.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_arnocu.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_auqloj.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_dlqonf.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_eopauo.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_hkagtg.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_ixzfst.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_mcupqz.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_tluymt.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\syssn32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\addvn32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\apidp.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\apiqv.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\apppe.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\atlhm.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\d3ft32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ipqf.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\mfcrg.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\mfczx32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\msww.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\netpn.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ntkn.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ntog32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ntrh32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\sdkyh32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\winjb32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winke32.exe

#10
Excal

Posted 11 June 2005 - 11:41 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi frost4225,

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\mfczx32.dll
C:\WINDOWS\system32\ipqf.dll
C:\Program Files\SideFind
C:\WINDOWS\inf\addremln.inf
C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
C:\WINDOWS\sys????.exe
C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050610-202005-543.dll
C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050611-194220-919.dll
C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Broadband comparison.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit counseling.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit report.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Crm software.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Debt credit card.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Escorts.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Fha.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Health insurance.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Help desk software.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Insurance home.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for debt consolidation.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for people with bad credit.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Marketing email.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage insurance.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage life insurance.url
C\Documents and Settings\frank cramer\Favorites\Sites about\Nevada corporations.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Online Betting Site.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Online gambling casino.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Online instant loan.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Order phentermine.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Payroll advance.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans online.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans with bad credit.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Prescription Drugs Rx Online.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Refinancing my mortgage.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Tahoe vacation rental.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Unsecured bad credit loans.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Videos.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\What is hydrocodone.url
C:\WINDOWS\apifb.dll
C:\WINDOWS\apiqg32.dll
C:\WINDOWS\appek32.dll
C:\WINDOWS\d3dr.dll
C:\WINDOWS\d3iz.dll
C:\WINDOWS\d3le32.dll
C:\WINDOWS\d3ry32.dll
C:\WINDOWS\ient32.dll
C:\WINDOWS\INF\addremln.inf
C:\WINDOWS\INF\localNrd.inf
C:\WINDOWS\INF\multimpp.inf
C:\WINDOWS\ipkk32.dll
C:\WINDOWS\ipnt32.exe
C:\WINDOWS\ipsd.dll
C:\WINDOWS\mfcfl.dll
C:\WINDOWS\netnt.dll
C:\WINDOWS\n_arnocu.log
C:\WINDOWS\n_auqloj.txt
C:\WINDOWS\n_dlqonf.dat
C:\WINDOWS\n_eopauo.log
C:\WINDOWS\n_hkagtg.dat
C:\WINDOWS\n_ixzfst.dat
C:\WINDOWS\n_mcupqz.dat
C:\WINDOWS\n_tluymt.dat
C:\WINDOWS\syssn32.exe
C:\WINDOWS\SYSTEM32\addvn32.exe
C:\WINDOWS\SYSTEM32\apidp.dll
C:\WINDOWS\SYSTEM32\apiqv.dll
C:\WINDOWS\SYSTEM32\apppe.exe
C:\WINDOWS\SYSTEM32\atlhm.dll
C:\WINDOWS\SYSTEM32\d3ft32.dll
C:\WINDOWS\SYSTEM32\ipqf.dll
C:\WINDOWS\SYSTEM32\mfcrg.dll
C:\WINDOWS\SYSTEM32\mfczx32.dll
C:\WINDOWS\SYSTEM32\msww.dll
C:\WINDOWS\SYSTEM32\netpn.dll
C:\WINDOWS\SYSTEM32\ntkn.dll
C:\WINDOWS\SYSTEM32\ntog32.dll
C:\WINDOWS\SYSTEM32\ntrh32.dll
C:\WINDOWS\SYSTEM32\sdkyh32.dll
C:\WINDOWS\SYSTEM32\winjb32.dll
C:\WINDOWS\winke32.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Run active scan again and tell me how your computer is running

Thanks,

:tazz:

Excal

#11
frost4225

Posted 12 June 2005 - 12:36 AM

New Member

Topic Starter
Member
9 posts

ok alot better here are my two reports

still getting casino popup

hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 11:35:29 PM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\frank cramer\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113888634655
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

active scan report

Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfczx32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipqf.dll
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/SideFind No disinfected C:\Program Files\SideFind
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\addremln.inf
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
Adware:Adware/NaviPromo No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys????.exe
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050610-202005-543.dll
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050611-194220-919.dll
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apifb.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apiqg32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\appek32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3dr.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3iz.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3le32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3ry32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\ient32.dll
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\addremln.inf
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\localNrd.inf
Adware:Adware/MultiMPP No disinfected C:\WINDOWS\INF\multimpp.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\ipkk32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipnt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipsd.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\mfcfl.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netnt.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_arnocu.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_auqloj.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_dlqonf.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_eopauo.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_hkagtg.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_ixzfst.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_mcupqz.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_tluymt.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\syssn32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\addvn32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\apidp.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\apiqv.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\apppe.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\atlhm.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\d3ft32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ipqf.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\mfcrg.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\mfczx32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\msww.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\netpn.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ntkn.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ntog32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ntrh32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\sdkyh32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\winjb32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winke32.exe

#12
Excal

Posted 12 June 2005 - 08:52 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi frost4225,

The good news is your HiJackThis Log looks great

The not so good news is that It seems like some of those files are being protected again, enusre that all your norton products are disabled before using kill box and doin the online scans.

We are almost there, Hang in there

1) Please run Killbox.

2) Select "Delete on Reboot".

3) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\mfczx32.dll
C:\WINDOWS\system32\ipqf.dll
C:\Program Files\SideFind
C:\WINDOWS\inf\addremln.inf
C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
C:\WINDOWS\sys????.exe
C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050610-202005-543.dll
C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050611-194220-919.dll
C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Broadband comparison.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit counseling.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit report.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Crm software.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Debt credit card.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Escorts.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Fha.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Health insurance.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Help desk software.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Insurance home.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for debt consolidation.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for people with bad credit.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Marketing email.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage insurance.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage life insurance.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Nevada corporations.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Online Betting Site.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Online gambling casino.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Online instant loan.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Order phentermine.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Payroll advance.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans online.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans with bad credit.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Prescription Drugs Rx Online.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Refinancing my mortgage.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Tahoe vacation rental.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Unsecured bad credit loans.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\Videos.url
C:\Documents and Settings\frank cramer\Favorites\Sites about\What is hydrocodone.url
C:\WINDOWS\apifb.dll
C:\WINDOWS\apiqg32.dll
C:\WINDOWS\appek32.dll
C:\WINDOWS\d3dr.dll
C:\WINDOWS\d3iz.dll
C:\WINDOWS\d3le32.dll
C:\WINDOWS\d3ry32.dll
C:\WINDOWS\ient32.dll
C:\WINDOWS\INF\addremln.inf
C:\WINDOWS\INF\localNrd.inf
C:\WINDOWS\INF\multimpp.inf
C:\WINDOWS\ipkk32.dll
C:\WINDOWS\ipnt32.exe
C:\WINDOWS\ipsd.dll
C:\WINDOWS\mfcfl.dll
C:\WINDOWS\netnt.dll
C:\WINDOWS\n_arnocu.log
C:\WINDOWS\n_auqloj.txt
C:\WINDOWS\n_dlqonf.dat
C:\WINDOWS\n_eopauo.log
C:\WINDOWS\n_hkagtg.dat
C:\WINDOWS\n_ixzfst.dat
C:\WINDOWS\n_mcupqz.dat
C:\WINDOWS\n_tluymt.dat
C:\WINDOWS\syssn32.exe
C:\WINDOWS\SYSTEM32\addvn32.exe
C:\WINDOWS\SYSTEM32\apidp.dll
C:\WINDOWS\SYSTEM32\apiqv.dll
C:\WINDOWS\SYSTEM32\apppe.exe
C:\WINDOWS\SYSTEM32\atlhm.dll
C:\WINDOWS\SYSTEM32\d3ft32.dll
C:\WINDOWS\SYSTEM32\ipqf.dll
C:\WINDOWS\SYSTEM32\mfcrg.dll
C:\WINDOWS\SYSTEM32\mfczx32.dll
C:\WINDOWS\SYSTEM32\msww.dll
C:\WINDOWS\SYSTEM32\netpn.dll
C:\WINDOWS\SYSTEM32\ntkn.dll
C:\WINDOWS\SYSTEM32\ntog32.dll
C:\WINDOWS\SYSTEM32\ntrh32.dll
C:\WINDOWS\SYSTEM32\sdkyh32.dll
C:\WINDOWS\SYSTEM32\winjb32.dll
C:\WINDOWS\winke32.exe

4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

6) Let the system reboot.

I need you to please do scans at these 2 sites also, then post the logs.

HouseCall
Kaspersky

Run ActiveScan again and tell me how your computer is running

Thanks,

:tazz:

Excal

Edited by Excalibur190, 12 June 2005 - 08:53 AM.

#13
frost4225

Posted 12 June 2005 - 04:43 PM

New Member

Topic Starter
Member
9 posts

ok here is my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 3:41:05 PM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Documents and Settings\frank cramer\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113888634655
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

and my activescan log

Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfczx32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipqf.dll
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/SideFind No disinfected C:\Program Files\SideFind
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\addremln.inf
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
Adware:Adware/NaviPromo No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys????.exe
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050610-202005-543.dll
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050611-194220-919.dll
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apifb.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apiqg32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\appek32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3dr.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3iz.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3le32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3ry32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\ient32.dll
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\addremln.inf
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\localNrd.inf
Adware:Adware/MultiMPP No disinfected C:\WINDOWS\INF\multimpp.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\ipkk32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipnt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipsd.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\mfcfl.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netnt.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_arnocu.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_auqloj.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_dlqonf.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_eopauo.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_hkagtg.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_ixzfst.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_mcupqz.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_tluymt.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\syssn32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\addvn32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\apidp.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\apiqv.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\apppe.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\atlhm.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\d3ft32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ipqf.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\mfcrg.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\mfczx32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\msww.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\netpn.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ntkn.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ntog32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ntrh32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\sdkyh32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\winjb32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winke32.exe
and kapersky log

File Name Virus Name Send Delete

C:\Documents ...Deleted Items.dbx Trojan-...tifraud.bm send delete

C:\WINDOWS\crhh32.dll Trojan-...2.Agent.bq send delete

C:\WINDOWS\iezi.dll Trojan-...2.Agent.bq send delete

C:\WINDOWS\javaoj.dll Trojan-...2.Agent.bc send delete

C:\WINDOWS\javayn.dll Trojan-...2.Agent.bc send delete

C:\WINDOWS\n_jayrru.log Trojan-...2.Agent.bc send delete

C:\WINDOWS\n_pjyiww.log Trojan-...2.Agent.bc send delete

C:\WINDOWS\SY...veScan\imscan.dll Virus.D...ronia.2538 send delete

#14
Excal

Posted 12 June 2005 - 06:20 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi frost4225,

Seems like we have some stubborn ones hanging on here :tazz:

Again, ensure all your norton porgrams are disabled for this fix please.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please download ewido security suite it is a trial version of the program.

Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed.
Please Close Ewido, we will be using this later.

Just a few random bad files to clean up.

Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on "Delete File on Reboot"
Navigate to this file - C:\WINDOWS\winke32.exe
Double click on that file.
HJT asks you if you want to reboot, now. Click "no".

Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.

C:\WINDOWS\apifb.dll
C:\WINDOWS\apiqg32.dll
C:\WINDOWS\appek32.dll
C:\WINDOWS\d3dr.dll
C:\WINDOWS\d3iz.dll
C:\WINDOWS\d3le32.dll
C:\WINDOWS\d3ry32.dll
C:\WINDOWS\ient32.dll
C:\WINDOWS\INF\addremln.inf
C:\WINDOWS\INF\localNrd.inf
C:\WINDOWS\INF\multimpp.inf
C:\WINDOWS\ipkk32.dll
C:\WINDOWS\ipnt32.exe
C:\WINDOWS\ipsd.dll
C:\WINDOWS\mfcfl.dll
C:\WINDOWS\netnt.dll
C:\WINDOWS\n_arnocu.log
C:\WINDOWS\n_auqloj.txt
C:\WINDOWS\n_dlqonf.dat
C:\WINDOWS\n_eopauo.log
C:\WINDOWS\n_hkagtg.dat
C:\WINDOWS\n_ixzfst.dat
C:\WINDOWS\n_mcupqz.dat
C:\WINDOWS\n_tluymt.dat
C:\WINDOWS\syssn32.exe
C:\WINDOWS\SYSTEM32\addvn32.exe
C:\WINDOWS\SYSTEM32\apidp.dll
C:\WINDOWS\SYSTEM32\apiqv.dll
C:\WINDOWS\SYSTEM32\apppe.exe
C:\WINDOWS\SYSTEM32\atlhm.dll
C:\WINDOWS\SYSTEM32\d3ft32.dll
C:\WINDOWS\SYSTEM32\ipqf.dll
C:\WINDOWS\SYSTEM32\mfcrg.dll
C:\WINDOWS\SYSTEM32\mfczx32.dll
C:\WINDOWS\SYSTEM32\msww.dll
C:\WINDOWS\SYSTEM32\netpn.dll
C:\WINDOWS\SYSTEM32\ntkn.dll
C:\WINDOWS\SYSTEM32\ntog32.dll
C:\WINDOWS\SYSTEM32\ntrh32.dll
C:\WINDOWS\SYSTEM32\sdkyh32.dll
C:\WINDOWS\SYSTEM32\winjb32.dll

when your are rebooting, reboot into safe mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove the following folders using Windows Explorer (if present):

C:\Documents and Settings\frank cramer\Favorites\Sites about

Open up Ewido and do the following:

Click on scanner
Make sure the following boxes are checked before scanning:
- Binder
- Crypter
- Archives
Click on Start Scan
Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report
Save the report to your desktop

Reboot into normal mode.

Run this online virus scan: ActiveScan - Save the results from the scan!

Post back with the Ewido Scan Report and the Active Scan report. Please tell me how your computer is running

#15
frost4225

Posted 12 June 2005 - 09:03 PM

New Member

Topic Starter
Member
9 posts

ewido scan report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:55:08 PM, 6/12/2005
+ Report-Checksum: D3501FAD

+ Date of database: 6/13/2005
+ Version of scan engine: v3.0

+ Duration: 28 min
+ Scanned Files: 52511
+ Speed: 30.69 Files/Second
+ Infected files: 5
+ Removed files: 5
+ Files put in quarantine: 5
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050610-202006-415.dll -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\crhh32.dll -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\iezi.dll -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\SYSTEM32\msclock32.dll -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\msplock32.dll -> Dialer.Generic -> Cleaned with backup

::Report End

active scan report

Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfczx32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipqf.dll
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/SideFind No disinfected C:\Program Files\SideFind
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\addremln.inf
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
Adware:Adware/NaviPromo No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys????.exe
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050610-202005-543.dll
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\frank cramer\Desktop\New Folder\backups\backup-20050611-194220-919.dll
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\frank cramer\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apifb.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apiqg32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\appek32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3dr.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3iz.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3le32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3ry32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\ient32.dll
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\addremln.inf
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\localNrd.inf
Adware:Adware/MultiMPP No disinfected C:\WINDOWS\INF\multimpp.inf
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\ipkk32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipnt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipsd.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\mfcfl.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netnt.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_arnocu.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_auqloj.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_dlqonf.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_eopauo.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_hkagtg.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_ixzfst.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_mcupqz.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_tluymt.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\syssn32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\addvn32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\apidp.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\apiqv.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\apppe.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\atlhm.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\d3ft32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ipqf.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\mfcrg.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\mfczx32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\msww.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\netpn.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ntkn.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ntog32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\ntrh32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\sdkyh32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM32\winjb32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winke32.exe