Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Gold antivirus [RESOLVED]


  • This topic is locked This topic is locked

#1
jtoro

jtoro

    Member

  • Member
  • PipPip
  • 25 posts
I just found this forum after having a problem with what seems to be a piece of malware called Gold antivirus.

Upon infection I ran:

Norton antivirus (found nothing)
Spybot (found some items)
Ad-Aware (which found 3 registry keys and a host of other stuff)

The machine is still afflicted. I would greatly appreciate any help anyone here has to offer. I did download the Hijackthis software and have collected a log file. Should I post it here?

Many thanks,

J
  • 0

Advertisements


#2
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi jtoro and welcome to GeeksToGo! My name is Excal and I will be helping you.


Please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal
  • 0

#3
jtoro

jtoro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Excal,

Thank you very much for your help. It is truly appreciated. One additional comment before I post the log. I disabled everything in the startup except for NvCpl,mfcz32,msmsgs. I only did this in an effort to eliminate the black screen and graphic provided by AVgold. Then I realized that the problem was way more than I felt comfortable tackling.

I also noticed that the quality of the display seems to have been impaired. I guess we will get to that when the time comes.

OK here is the log. I made the logfile in safe mode.

Logfile of HijackThis v1.99.1
Scan saved at 6:26:29 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwebse...ch.php?aff=3825
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {82341895-A1EE-6A36-B4A4-5394B2CED036} - C:\WINDOWS\sdkpg.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mfcsz32.exe] C:\WINDOWS\system32\mfcsz32.exe
O4 - HKLM\..\RunOnce: [syshc.exe] C:\WINDOWS\system32\syshc.exe
O4 - HKLM\..\RunOnce: [d3ut.exe] C:\WINDOWS\d3ut.exe
O4 - HKLM\..\RunOnce: [ievj.exe] C:\WINDOWS\system32\ievj.exe
O4 - HKLM\..\RunOnce: [nettk.exe] C:\WINDOWS\system32\nettk.exe
O4 - HKLM\..\RunOnce: [d3if.exe] C:\WINDOWS\d3if.exe
O4 - HKLM\..\RunOnce: [appgs32.exe] C:\WINDOWS\system32\appgs32.exe
O4 - HKLM\..\RunOnce: [d3lo32.exe] C:\WINDOWS\d3lo32.exe
O4 - HKLM\..\RunOnce: [javahy32.exe] C:\WINDOWS\javahy32.exe
O4 - HKLM\..\RunOnce: [sdkqw32.exe] C:\WINDOWS\system32\sdkqw32.exe
O4 - HKLM\..\RunOnce: [iptg.exe] C:\WINDOWS\iptg.exe
O4 - HKLM\..\RunOnce: [sysbv.exe] C:\WINDOWS\system32\sysbv.exe
O4 - HKLM\..\RunOnce: [addmg32.exe] C:\WINDOWS\addmg32.exe
O4 - HKLM\..\RunOnce: [ntge.exe] C:\WINDOWS\ntge.exe
O4 - HKLM\..\RunOnce: [winex.exe] C:\WINDOWS\system32\winex.exe
O4 - HKLM\..\RunOnce: [sysms32.exe] C:\WINDOWS\system32\sysms32.exe
O4 - HKLM\..\RunOnce: [crch.exe] C:\WINDOWS\crch.exe
O4 - HKLM\..\RunOnce: [javafv.exe] C:\WINDOWS\javafv.exe
O4 - HKLM\..\RunOnce: [ieaj.exe] C:\WINDOWS\system32\ieaj.exe
O4 - HKLM\..\RunOnce: [appop32.exe] C:\WINDOWS\appop32.exe
O4 - HKLM\..\RunOnce: [d3cj.exe] C:\WINDOWS\d3cj.exe
O4 - HKLM\..\RunOnce: [winua32.exe] C:\WINDOWS\system32\winua32.exe
O4 - HKLM\..\RunOnce: [crzd32.exe] C:\WINDOWS\crzd32.exe
O4 - HKLM\..\RunOnce: [ntui32.exe] C:\WINDOWS\ntui32.exe
O4 - HKLM\..\RunOnce: [ipsd.exe] C:\WINDOWS\ipsd.exe
O4 - HKLM\..\RunOnce: [addxy.exe] C:\WINDOWS\system32\addxy.exe
O4 - HKLM\..\RunOnce: [winrd32.exe] C:\WINDOWS\winrd32.exe
O4 - HKLM\..\RunOnce: [crwf.exe] C:\WINDOWS\system32\crwf.exe
O4 - HKLM\..\RunOnce: [syssj32.exe] C:\WINDOWS\system32\syssj32.exe
O4 - HKLM\..\RunOnce: [javafd.exe] C:\WINDOWS\system32\javafd.exe
O4 - HKLM\..\RunOnce: [sysrf.exe] C:\WINDOWS\system32\sysrf.exe
O4 - HKLM\..\RunOnce: [mskk.exe] C:\WINDOWS\system32\mskk.exe
O4 - HKLM\..\RunOnce: [ippe32.exe] C:\WINDOWS\system32\ippe32.exe
O4 - HKLM\..\RunOnce: [mfcyn.exe] C:\WINDOWS\system32\mfcyn.exe
O4 - HKLM\..\RunOnce: [syseh32.exe] C:\WINDOWS\system32\syseh32.exe
O4 - HKLM\..\RunOnce: [javaoc32.exe] C:\WINDOWS\javaoc32.exe
O4 - HKLM\..\RunOnce: [ieej32.exe] C:\WINDOWS\ieej32.exe
O4 - HKLM\..\RunOnce: [javafg32.exe] C:\WINDOWS\javafg32.exe
O4 - HKLM\..\RunOnce: [mfcsa.exe] C:\WINDOWS\mfcsa.exe
O4 - HKLM\..\RunOnce: [sdkxc.exe] C:\WINDOWS\system32\sdkxc.exe
O4 - HKLM\..\RunOnce: [apiyx32.exe] C:\WINDOWS\system32\apiyx32.exe
O4 - HKLM\..\RunOnce: [windr.exe] C:\WINDOWS\system32\windr.exe
O4 - HKLM\..\RunOnce: [d3va.exe] C:\WINDOWS\system32\d3va.exe
O4 - HKLM\..\RunOnce: [netbu32.exe] C:\WINDOWS\netbu32.exe
O4 - HKLM\..\RunOnce: [mfcwg32.exe] C:\WINDOWS\mfcwg32.exe
O4 - HKLM\..\RunOnce: [sysja.exe] C:\WINDOWS\system32\sysja.exe
O4 - HKLM\..\RunOnce: [appfg.exe] C:\WINDOWS\appfg.exe
O4 - HKLM\..\RunOnce: [javaok32.exe] C:\WINDOWS\system32\javaok32.exe
O4 - HKLM\..\RunOnce: [apiue32.exe] C:\WINDOWS\system32\apiue32.exe
O4 - HKLM\..\RunOnce: [msyx.exe] C:\WINDOWS\system32\msyx.exe
O4 - HKLM\..\RunOnce: [javacj.exe] C:\WINDOWS\javacj.exe
O4 - HKLM\..\RunOnce: [mfcid32.exe] C:\WINDOWS\system32\mfcid32.exe
O4 - HKLM\..\RunOnce: [sdkpu32.exe] C:\WINDOWS\system32\sdkpu32.exe
O4 - HKLM\..\RunOnce: [syssy32.exe] C:\WINDOWS\system32\syssy32.exe
O4 - HKLM\..\RunOnce: [javaxs.exe] C:\WINDOWS\javaxs.exe
O4 - HKLM\..\RunOnce: [atlig.exe] C:\WINDOWS\system32\atlig.exe
O4 - HKLM\..\RunOnce: [msna.exe] C:\WINDOWS\msna.exe
O4 - HKLM\..\RunOnce: [netvi32.exe] C:\WINDOWS\system32\netvi32.exe
O4 - HKLM\..\RunOnce: [winak.exe] C:\WINDOWS\system32\winak.exe
O4 - HKLM\..\RunOnce: [apicf32.exe] C:\WINDOWS\apicf32.exe
O4 - HKLM\..\RunOnce: [winpz.exe] C:\WINDOWS\winpz.exe
O4 - HKLM\..\RunOnce: [mfctb.exe] C:\WINDOWS\system32\mfctb.exe
O4 - HKLM\..\RunOnce: [cray.exe] C:\WINDOWS\system32\cray.exe
O4 - HKLM\..\RunOnce: [addpn.exe] C:\WINDOWS\addpn.exe
O4 - HKLM\..\RunOnce: [crdh32.exe] C:\WINDOWS\crdh32.exe
O4 - HKLM\..\RunOnce: [iefc.exe] C:\WINDOWS\iefc.exe
O4 - HKLM\..\RunOnce: [ntsw32.exe] C:\WINDOWS\system32\ntsw32.exe
O4 - HKLM\..\RunOnce: [mfcdp.exe] C:\WINDOWS\system32\mfcdp.exe
O4 - HKLM\..\RunOnce: [sdkse32.exe] C:\WINDOWS\sdkse32.exe
O4 - HKLM\..\RunOnce: [mfcxg.exe] C:\WINDOWS\system32\mfcxg.exe
O4 - HKLM\..\RunOnce: [apifo32.exe] C:\WINDOWS\system32\apifo32.exe
O4 - HKLM\..\RunOnce: [javasu.exe] C:\WINDOWS\javasu.exe
O4 - HKLM\..\RunOnce: [sdkau.exe] C:\WINDOWS\system32\sdkau.exe
O4 - HKLM\..\RunOnce: [ieqj32.exe] C:\WINDOWS\ieqj32.exe
O4 - HKLM\..\RunOnce: [appgr32.exe] C:\WINDOWS\appgr32.exe
O4 - HKLM\..\RunOnce: [winjd.exe] C:\WINDOWS\system32\winjd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\syshc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you again for your help!
  • 0

#4
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi,

Can you please enable everything you disabled in MSConfig, then post a fresh HiJackthis log. I need to see everything before I tackle your cleanup. I promise your screen won't be that color for very long ;)

Thanks,

:tazz:

Excal
  • 0

#5
jtoro

jtoro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Excal,

Ok not a problem. The startup menu is reset and a new log was taken.

Thank you again.

This is the logfile

Logfile of HijackThis v1.99.1
Scan saved at 8:48:32 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\mfcsz32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwebse...ch.php?aff=3825
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {82341895-A1EE-6A36-B4A4-5394B2CED036} - C:\WINDOWS\sdkpg.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mfcsz32.exe] C:\WINDOWS\system32\mfcsz32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunOnce: [syshc.exe] C:\WINDOWS\system32\syshc.exe
O4 - HKLM\..\RunOnce: [d3ut.exe] C:\WINDOWS\d3ut.exe
O4 - HKLM\..\RunOnce: [ievj.exe] C:\WINDOWS\system32\ievj.exe
O4 - HKLM\..\RunOnce: [nettk.exe] C:\WINDOWS\system32\nettk.exe
O4 - HKLM\..\RunOnce: [d3if.exe] C:\WINDOWS\d3if.exe
O4 - HKLM\..\RunOnce: [appgs32.exe] C:\WINDOWS\system32\appgs32.exe
O4 - HKLM\..\RunOnce: [d3lo32.exe] C:\WINDOWS\d3lo32.exe
O4 - HKLM\..\RunOnce: [javahy32.exe] C:\WINDOWS\javahy32.exe
O4 - HKLM\..\RunOnce: [sdkqw32.exe] C:\WINDOWS\system32\sdkqw32.exe
O4 - HKLM\..\RunOnce: [iptg.exe] C:\WINDOWS\iptg.exe
O4 - HKLM\..\RunOnce: [sysbv.exe] C:\WINDOWS\system32\sysbv.exe
O4 - HKLM\..\RunOnce: [addmg32.exe] C:\WINDOWS\addmg32.exe
O4 - HKLM\..\RunOnce: [ntge.exe] C:\WINDOWS\ntge.exe
O4 - HKLM\..\RunOnce: [winex.exe] C:\WINDOWS\system32\winex.exe
O4 - HKLM\..\RunOnce: [sysms32.exe] C:\WINDOWS\system32\sysms32.exe
O4 - HKLM\..\RunOnce: [crch.exe] C:\WINDOWS\crch.exe
O4 - HKLM\..\RunOnce: [javafv.exe] C:\WINDOWS\javafv.exe
O4 - HKLM\..\RunOnce: [ieaj.exe] C:\WINDOWS\system32\ieaj.exe
O4 - HKLM\..\RunOnce: [appop32.exe] C:\WINDOWS\appop32.exe
O4 - HKLM\..\RunOnce: [d3cj.exe] C:\WINDOWS\d3cj.exe
O4 - HKLM\..\RunOnce: [winua32.exe] C:\WINDOWS\system32\winua32.exe
O4 - HKLM\..\RunOnce: [crzd32.exe] C:\WINDOWS\crzd32.exe
O4 - HKLM\..\RunOnce: [ntui32.exe] C:\WINDOWS\ntui32.exe
O4 - HKLM\..\RunOnce: [ipsd.exe] C:\WINDOWS\ipsd.exe
O4 - HKLM\..\RunOnce: [addxy.exe] C:\WINDOWS\system32\addxy.exe
O4 - HKLM\..\RunOnce: [winrd32.exe] C:\WINDOWS\winrd32.exe
O4 - HKLM\..\RunOnce: [crwf.exe] C:\WINDOWS\system32\crwf.exe
O4 - HKLM\..\RunOnce: [syssj32.exe] C:\WINDOWS\system32\syssj32.exe
O4 - HKLM\..\RunOnce: [javafd.exe] C:\WINDOWS\system32\javafd.exe
O4 - HKLM\..\RunOnce: [sysrf.exe] C:\WINDOWS\system32\sysrf.exe
O4 - HKLM\..\RunOnce: [mskk.exe] C:\WINDOWS\system32\mskk.exe
O4 - HKLM\..\RunOnce: [ippe32.exe] C:\WINDOWS\system32\ippe32.exe
O4 - HKLM\..\RunOnce: [mfcyn.exe] C:\WINDOWS\system32\mfcyn.exe
O4 - HKLM\..\RunOnce: [syseh32.exe] C:\WINDOWS\system32\syseh32.exe
O4 - HKLM\..\RunOnce: [javaoc32.exe] C:\WINDOWS\javaoc32.exe
O4 - HKLM\..\RunOnce: [ieej32.exe] C:\WINDOWS\ieej32.exe
O4 - HKLM\..\RunOnce: [javafg32.exe] C:\WINDOWS\javafg32.exe
O4 - HKLM\..\RunOnce: [mfcsa.exe] C:\WINDOWS\mfcsa.exe
O4 - HKLM\..\RunOnce: [sdkxc.exe] C:\WINDOWS\system32\sdkxc.exe
O4 - HKLM\..\RunOnce: [apiyx32.exe] C:\WINDOWS\system32\apiyx32.exe
O4 - HKLM\..\RunOnce: [windr.exe] C:\WINDOWS\system32\windr.exe
O4 - HKLM\..\RunOnce: [d3va.exe] C:\WINDOWS\system32\d3va.exe
O4 - HKLM\..\RunOnce: [netbu32.exe] C:\WINDOWS\netbu32.exe
O4 - HKLM\..\RunOnce: [mfcwg32.exe] C:\WINDOWS\mfcwg32.exe
O4 - HKLM\..\RunOnce: [sysja.exe] C:\WINDOWS\system32\sysja.exe
O4 - HKLM\..\RunOnce: [appfg.exe] C:\WINDOWS\appfg.exe
O4 - HKLM\..\RunOnce: [javaok32.exe] C:\WINDOWS\system32\javaok32.exe
O4 - HKLM\..\RunOnce: [apiue32.exe] C:\WINDOWS\system32\apiue32.exe
O4 - HKLM\..\RunOnce: [msyx.exe] C:\WINDOWS\system32\msyx.exe
O4 - HKLM\..\RunOnce: [javacj.exe] C:\WINDOWS\javacj.exe
O4 - HKLM\..\RunOnce: [mfcid32.exe] C:\WINDOWS\system32\mfcid32.exe
O4 - HKLM\..\RunOnce: [sdkpu32.exe] C:\WINDOWS\system32\sdkpu32.exe
O4 - HKLM\..\RunOnce: [syssy32.exe] C:\WINDOWS\system32\syssy32.exe
O4 - HKLM\..\RunOnce: [javaxs.exe] C:\WINDOWS\javaxs.exe
O4 - HKLM\..\RunOnce: [atlig.exe] C:\WINDOWS\system32\atlig.exe
O4 - HKLM\..\RunOnce: [msna.exe] C:\WINDOWS\msna.exe
O4 - HKLM\..\RunOnce: [netvi32.exe] C:\WINDOWS\system32\netvi32.exe
O4 - HKLM\..\RunOnce: [winak.exe] C:\WINDOWS\system32\winak.exe
O4 - HKLM\..\RunOnce: [apicf32.exe] C:\WINDOWS\apicf32.exe
O4 - HKLM\..\RunOnce: [winpz.exe] C:\WINDOWS\winpz.exe
O4 - HKLM\..\RunOnce: [mfctb.exe] C:\WINDOWS\system32\mfctb.exe
O4 - HKLM\..\RunOnce: [cray.exe] C:\WINDOWS\system32\cray.exe
O4 - HKLM\..\RunOnce: [addpn.exe] C:\WINDOWS\addpn.exe
O4 - HKLM\..\RunOnce: [crdh32.exe] C:\WINDOWS\crdh32.exe
O4 - HKLM\..\RunOnce: [iefc.exe] C:\WINDOWS\iefc.exe
O4 - HKLM\..\RunOnce: [ntsw32.exe] C:\WINDOWS\system32\ntsw32.exe
O4 - HKLM\..\RunOnce: [mfcdp.exe] C:\WINDOWS\system32\mfcdp.exe
O4 - HKLM\..\RunOnce: [sdkse32.exe] C:\WINDOWS\sdkse32.exe
O4 - HKLM\..\RunOnce: [mfcxg.exe] C:\WINDOWS\system32\mfcxg.exe
O4 - HKLM\..\RunOnce: [apifo32.exe] C:\WINDOWS\system32\apifo32.exe
O4 - HKLM\..\RunOnce: [javasu.exe] C:\WINDOWS\javasu.exe
O4 - HKLM\..\RunOnce: [sdkau.exe] C:\WINDOWS\system32\sdkau.exe
O4 - HKLM\..\RunOnce: [ieqj32.exe] C:\WINDOWS\ieqj32.exe
O4 - HKLM\..\RunOnce: [appgr32.exe] C:\WINDOWS\appgr32.exe
O4 - HKLM\..\RunOnce: [winjd.exe] C:\WINDOWS\system32\winjd.exe
O4 - HKLM\..\RunOnce: [appic.exe] C:\WINDOWS\system32\appic.exe
O4 - HKLM\..\RunOnce: [d3jl32.exe] C:\WINDOWS\system32\d3jl32.exe
O4 - HKLM\..\RunOnce: [addth32.exe] C:\WINDOWS\addth32.exe
O4 - HKLM\..\RunOnce: [sdkwe.exe] C:\WINDOWS\system32\sdkwe.exe
O4 - HKLM\..\RunOnce: [javary32.exe] C:\WINDOWS\javary32.exe
O4 - HKLM\..\RunOnce: [mfcvu32.exe] C:\WINDOWS\system32\mfcvu32.exe
O4 - HKLM\..\RunOnce: [apptp32.exe] C:\WINDOWS\system32\apptp32.exe
O4 - HKLM\..\RunOnce: [netjx.exe] C:\WINDOWS\system32\netjx.exe
O4 - HKLM\..\RunOnce: [winpz32.exe] C:\WINDOWS\system32\winpz32.exe
O4 - HKLM\..\RunOnce: [javanb32.exe] C:\WINDOWS\system32\javanb32.exe
O4 - HKLM\..\RunOnce: [syssl32.exe] C:\WINDOWS\system32\syssl32.exe
O4 - HKLM\..\RunOnce: [cria32.exe] C:\WINDOWS\cria32.exe
O4 - HKLM\..\RunOnce: [netvc32.exe] C:\WINDOWS\system32\netvc32.exe
O4 - HKLM\..\RunOnce: [sdklk.exe] C:\WINDOWS\system32\sdklk.exe
O4 - HKLM\..\RunOnce: [mspo32.exe] C:\WINDOWS\system32\mspo32.exe
O4 - HKLM\..\RunOnce: [addzb32.exe] C:\WINDOWS\addzb32.exe
O4 - HKLM\..\RunOnce: [netrx.exe] C:\WINDOWS\system32\netrx.exe
O4 - HKLM\..\RunOnce: [crzo.exe] C:\WINDOWS\system32\crzo.exe
O4 - HKLM\..\RunOnce: [crfl32.exe] C:\WINDOWS\system32\crfl32.exe
O4 - HKLM\..\RunOnce: [netkf.exe] C:\WINDOWS\netkf.exe
O4 - HKLM\..\RunOnce: [ntdg32.exe] C:\WINDOWS\ntdg32.exe
O4 - HKLM\..\RunOnce: [atlja.exe] C:\WINDOWS\system32\atlja.exe
O4 - HKLM\..\RunOnce: [atlwx.exe] C:\WINDOWS\system32\atlwx.exe
O4 - HKLM\..\RunOnce: [msct.exe] C:\WINDOWS\msct.exe
O4 - HKLM\..\RunOnce: [iphw32.exe] C:\WINDOWS\system32\iphw32.exe
O4 - HKLM\..\RunOnce: [msxu32.exe] C:\WINDOWS\system32\msxu32.exe
O4 - HKLM\..\RunOnce: [winls.exe] C:\WINDOWS\winls.exe
O4 - HKLM\..\RunOnce: [javaru.exe] C:\WINDOWS\javaru.exe
O4 - HKLM\..\RunOnce: [crod.exe] C:\WINDOWS\system32\crod.exe
O4 - HKLM\..\RunOnce: [winxq32.exe] C:\WINDOWS\system32\winxq32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) -

http://community.web...otoUploader.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\syshc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common

Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton

AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe
  • 0

#6
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi jtoro and welcome to GeeksToGo!

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Please download and install these programs - don't run them yet!!

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for updates. Please don't run it yet.

Please download and install AD-Aware.

Check Here on how setup and use it - please make sure you update it first.

Download and unzip HSfix to your desktop :
HSRegFix

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download CWShredder here to its own folder.

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
We will be using this program later.

Download the Host Here
Please do not use program yet

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Open up the Host program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore orginal host files
  • close program
4. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

5. Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service ( 11F#`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

6. Close all browsers, windows and unneeded programs.

7. Open HiJack and do a scan.

8. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwebse...ch.php?aff=3825
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\orszf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {82341895-A1EE-6A36-B4A4-5394B2CED036} - C:\WINDOWS\sdkpg.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll
O4 - HKLM\..\Run: [mfcsz32.exe] C:\WINDOWS\system32\mfcsz32.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\RunOnce: [syshc.exe] C:\WINDOWS\system32\syshc.exe
O4 - HKLM\..\RunOnce: [d3ut.exe] C:\WINDOWS\d3ut.exe
O4 - HKLM\..\RunOnce: [ievj.exe] C:\WINDOWS\system32\ievj.exe
O4 - HKLM\..\RunOnce: [nettk.exe] C:\WINDOWS\system32\nettk.exe
O4 - HKLM\..\RunOnce: [d3if.exe] C:\WINDOWS\d3if.exe
O4 - HKLM\..\RunOnce: [appgs32.exe] C:\WINDOWS\system32\appgs32.exe
O4 - HKLM\..\RunOnce: [d3lo32.exe] C:\WINDOWS\d3lo32.exe
O4 - HKLM\..\RunOnce: [javahy32.exe] C:\WINDOWS\javahy32.exe
O4 - HKLM\..\RunOnce: [sdkqw32.exe] C:\WINDOWS\system32\sdkqw32.exe
O4 - HKLM\..\RunOnce: [iptg.exe] C:\WINDOWS\iptg.exe
O4 - HKLM\..\RunOnce: [sysbv.exe] C:\WINDOWS\system32\sysbv.exe
O4 - HKLM\..\RunOnce: [addmg32.exe] C:\WINDOWS\addmg32.exe
O4 - HKLM\..\RunOnce: [ntge.exe] C:\WINDOWS\ntge.exe
O4 - HKLM\..\RunOnce: [winex.exe] C:\WINDOWS\system32\winex.exe
O4 - HKLM\..\RunOnce: [sysms32.exe] C:\WINDOWS\system32\sysms32.exe
O4 - HKLM\..\RunOnce: [crch.exe] C:\WINDOWS\crch.exe
O4 - HKLM\..\RunOnce: [javafv.exe] C:\WINDOWS\javafv.exe
O4 - HKLM\..\RunOnce: [ieaj.exe] C:\WINDOWS\system32\ieaj.exe
O4 - HKLM\..\RunOnce: [appop32.exe] C:\WINDOWS\appop32.exe
O4 - HKLM\..\RunOnce: [d3cj.exe] C:\WINDOWS\d3cj.exe
O4 - HKLM\..\RunOnce: [winua32.exe] C:\WINDOWS\system32\winua32.exe
O4 - HKLM\..\RunOnce: [crzd32.exe] C:\WINDOWS\crzd32.exe
O4 - HKLM\..\RunOnce: [ntui32.exe] C:\WINDOWS\ntui32.exe
O4 - HKLM\..\RunOnce: [ipsd.exe] C:\WINDOWS\ipsd.exe
O4 - HKLM\..\RunOnce: [addxy.exe] C:\WINDOWS\system32\addxy.exe
O4 - HKLM\..\RunOnce: [winrd32.exe] C:\WINDOWS\winrd32.exe
O4 - HKLM\..\RunOnce: [crwf.exe] C:\WINDOWS\system32\crwf.exe
O4 - HKLM\..\RunOnce: [syssj32.exe] C:\WINDOWS\system32\syssj32.exe
O4 - HKLM\..\RunOnce: [javafd.exe] C:\WINDOWS\system32\javafd.exe
O4 - HKLM\..\RunOnce: [sysrf.exe] C:\WINDOWS\system32\sysrf.exe
O4 - HKLM\..\RunOnce: [mskk.exe] C:\WINDOWS\system32\mskk.exe
O4 - HKLM\..\RunOnce: [ippe32.exe] C:\WINDOWS\system32\ippe32.exe
O4 - HKLM\..\RunOnce: [mfcyn.exe] C:\WINDOWS\system32\mfcyn.exe
O4 - HKLM\..\RunOnce: [syseh32.exe] C:\WINDOWS\system32\syseh32.exe
O4 - HKLM\..\RunOnce: [javaoc32.exe] C:\WINDOWS\javaoc32.exe
O4 - HKLM\..\RunOnce: [ieej32.exe] C:\WINDOWS\ieej32.exe
O4 - HKLM\..\RunOnce: [javafg32.exe] C:\WINDOWS\javafg32.exe
O4 - HKLM\..\RunOnce: [mfcsa.exe] C:\WINDOWS\mfcsa.exe
O4 - HKLM\..\RunOnce: [sdkxc.exe] C:\WINDOWS\system32\sdkxc.exe
O4 - HKLM\..\RunOnce: [apiyx32.exe] C:\WINDOWS\system32\apiyx32.exe
O4 - HKLM\..\RunOnce: [windr.exe] C:\WINDOWS\system32\windr.exe
O4 - HKLM\..\RunOnce: [d3va.exe] C:\WINDOWS\system32\d3va.exe
O4 - HKLM\..\RunOnce: [netbu32.exe] C:\WINDOWS\netbu32.exe
O4 - HKLM\..\RunOnce: [mfcwg32.exe] C:\WINDOWS\mfcwg32.exe
O4 - HKLM\..\RunOnce: [sysja.exe] C:\WINDOWS\system32\sysja.exe
O4 - HKLM\..\RunOnce: [appfg.exe] C:\WINDOWS\appfg.exe
O4 - HKLM\..\RunOnce: [javaok32.exe] C:\WINDOWS\system32\javaok32.exe
O4 - HKLM\..\RunOnce: [apiue32.exe] C:\WINDOWS\system32\apiue32.exe
O4 - HKLM\..\RunOnce: [msyx.exe] C:\WINDOWS\system32\msyx.exe
O4 - HKLM\..\RunOnce: [javacj.exe] C:\WINDOWS\javacj.exe
O4 - HKLM\..\RunOnce: [mfcid32.exe] C:\WINDOWS\system32\mfcid32.exe
O4 - HKLM\..\RunOnce: [sdkpu32.exe] C:\WINDOWS\system32\sdkpu32.exe
O4 - HKLM\..\RunOnce: [syssy32.exe] C:\WINDOWS\system32\syssy32.exe
O4 - HKLM\..\RunOnce: [javaxs.exe] C:\WINDOWS\javaxs.exe
O4 - HKLM\..\RunOnce: [atlig.exe] C:\WINDOWS\system32\atlig.exe
O4 - HKLM\..\RunOnce: [msna.exe] C:\WINDOWS\msna.exe
O4 - HKLM\..\RunOnce: [netvi32.exe] C:\WINDOWS\system32\netvi32.exe
O4 - HKLM\..\RunOnce: [winak.exe] C:\WINDOWS\system32\winak.exe
O4 - HKLM\..\RunOnce: [apicf32.exe] C:\WINDOWS\apicf32.exe
O4 - HKLM\..\RunOnce: [winpz.exe] C:\WINDOWS\winpz.exe
O4 - HKLM\..\RunOnce: [mfctb.exe] C:\WINDOWS\system32\mfctb.exe
O4 - HKLM\..\RunOnce: [cray.exe] C:\WINDOWS\system32\cray.exe
O4 - HKLM\..\RunOnce: [addpn.exe] C:\WINDOWS\addpn.exe
O4 - HKLM\..\RunOnce: [crdh32.exe] C:\WINDOWS\crdh32.exe
O4 - HKLM\..\RunOnce: [iefc.exe] C:\WINDOWS\iefc.exe
O4 - HKLM\..\RunOnce: [ntsw32.exe] C:\WINDOWS\system32\ntsw32.exe
O4 - HKLM\..\RunOnce: [mfcdp.exe] C:\WINDOWS\system32\mfcdp.exe
O4 - HKLM\..\RunOnce: [sdkse32.exe] C:\WINDOWS\sdkse32.exe
O4 - HKLM\..\RunOnce: [mfcxg.exe] C:\WINDOWS\system32\mfcxg.exe
O4 - HKLM\..\RunOnce: [apifo32.exe] C:\WINDOWS\system32\apifo32.exe
O4 - HKLM\..\RunOnce: [javasu.exe] C:\WINDOWS\javasu.exe
O4 - HKLM\..\RunOnce: [sdkau.exe] C:\WINDOWS\system32\sdkau.exe
O4 - HKLM\..\RunOnce: [ieqj32.exe] C:\WINDOWS\ieqj32.exe
O4 - HKLM\..\RunOnce: [appgr32.exe] C:\WINDOWS\appgr32.exe
O4 - HKLM\..\RunOnce: [winjd.exe] C:\WINDOWS\system32\winjd.exe
O4 - HKLM\..\RunOnce: [appic.exe] C:\WINDOWS\system32\appic.exe
O4 - HKLM\..\RunOnce: [d3jl32.exe] C:\WINDOWS\system32\d3jl32.exe
O4 - HKLM\..\RunOnce: [addth32.exe] C:\WINDOWS\addth32.exe
O4 - HKLM\..\RunOnce: [sdkwe.exe] C:\WINDOWS\system32\sdkwe.exe
O4 - HKLM\..\RunOnce: [javary32.exe] C:\WINDOWS\javary32.exe
O4 - HKLM\..\RunOnce: [mfcvu32.exe] C:\WINDOWS\system32\mfcvu32.exe
O4 - HKLM\..\RunOnce: [apptp32.exe] C:\WINDOWS\system32\apptp32.exe
O4 - HKLM\..\RunOnce: [netjx.exe] C:\WINDOWS\system32\netjx.exe
O4 - HKLM\..\RunOnce: [winpz32.exe] C:\WINDOWS\system32\winpz32.exe
O4 - HKLM\..\RunOnce: [javanb32.exe] C:\WINDOWS\system32\javanb32.exe
O4 - HKLM\..\RunOnce: [syssl32.exe] C:\WINDOWS\system32\syssl32.exe
O4 - HKLM\..\RunOnce: [cria32.exe] C:\WINDOWS\cria32.exe
O4 - HKLM\..\RunOnce: [netvc32.exe] C:\WINDOWS\system32\netvc32.exe
O4 - HKLM\..\RunOnce: [sdklk.exe] C:\WINDOWS\system32\sdklk.exe
O4 - HKLM\..\RunOnce: [mspo32.exe] C:\WINDOWS\system32\mspo32.exe
O4 - HKLM\..\RunOnce: [addzb32.exe] C:\WINDOWS\addzb32.exe
O4 - HKLM\..\RunOnce: [netrx.exe] C:\WINDOWS\system32\netrx.exe
O4 - HKLM\..\RunOnce: [crzo.exe] C:\WINDOWS\system32\crzo.exe
O4 - HKLM\..\RunOnce: [crfl32.exe] C:\WINDOWS\system32\crfl32.exe
O4 - HKLM\..\RunOnce: [netkf.exe] C:\WINDOWS\netkf.exe
O4 - HKLM\..\RunOnce: [ntdg32.exe] C:\WINDOWS\ntdg32.exe
O4 - HKLM\..\RunOnce: [atlja.exe] C:\WINDOWS\system32\atlja.exe
O4 - HKLM\..\RunOnce: [atlwx.exe] C:\WINDOWS\system32\atlwx.exe
O4 - HKLM\..\RunOnce: [msct.exe] C:\WINDOWS\msct.exe
O4 - HKLM\..\RunOnce: [iphw32.exe] C:\WINDOWS\system32\iphw32.exe
O4 - HKLM\..\RunOnce: [msxu32.exe] C:\WINDOWS\system32\msxu32.exe
O4 - HKLM\..\RunOnce: [winls.exe] C:\WINDOWS\winls.exe
O4 - HKLM\..\RunOnce: [javaru.exe] C:\WINDOWS\javaru.exe
O4 - HKLM\..\RunOnce: [crod.exe] C:\WINDOWS\system32\crod.exe
O4 - HKLM\..\RunOnce: [winxq32.exe] C:\WINDOWS\system32\winxq32.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\syshc.exe


9. click the Fix Checked box

10. Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\sdkpg.dll
    C:\WINDOWS\gds5.dll
    C:\WINDOWS\system32\mfcsz32.exe
    C:\WINDOWS\system32\syshc.exe
    C:\WINDOWS\d3ut.exe
    C:\WINDOWS\system32\ievj.exe
    C:\WINDOWS\system32\nettk.exe
    C:\WINDOWS\d3if.exe
    C:\WINDOWS\system32\appgs32.exe
    C:\WINDOWS\d3lo32.exe
    C:\WINDOWS\javahy32.exe
    C:\WINDOWS\system32\sdkqw32.exe
    C:\WINDOWS\iptg.exe
    C:\WINDOWS\system32\sysbv.exe
    C:\WINDOWS\addmg32.exe
    C:\WINDOWS\ntge.exe
    C:\WINDOWS\system32\winex.exe
    C:\WINDOWS\system32\sysms32.exe
    C:\WINDOWS\crch.exe
    C:\WINDOWS\javafv.exe
    C:\WINDOWS\system32\ieaj.exe
    C:\WINDOWS\appop32.exe
    C:\WINDOWS\d3cj.exe
    C:\WINDOWS\system32\winua32.exe
    C:\WINDOWS\crzd32.exe
    C:\WINDOWS\ntui32.exe
    C:\WINDOWS\ipsd.exe
    C:\WINDOWS\system32\addxy.exe
    C:\WINDOWS\winrd32.exe
    C:\WINDOWS\system32\crwf.exe
    C:\WINDOWS\system32\syssj32.exe
    C:\WINDOWS\system32\javafd.exe
    C:\WINDOWS\system32\sysrf.exe
    C:\WINDOWS\system32\mskk.exe
    C:\WINDOWS\system32\ippe32.exe
    C:\WINDOWS\system32\mfcyn.exe
    C:\WINDOWS\system32\syseh32.exe
    C:\WINDOWS\javaoc32.exe
    C:\WINDOWS\ieej32.exe
    C:\WINDOWS\javafg32.exe
    C:\WINDOWS\mfcsa.exe
    C:\WINDOWS\system32\sdkxc.exe
    C:\WINDOWS\system32\apiyx32.exe
    C:\WINDOWS\system32\windr.exe
    C:\WINDOWS\system32\d3va.exe
    C:\WINDOWS\netbu32.exe
    C:\WINDOWS\mfcwg32.exe
    C:\WINDOWS\system32\sysja.exe
    C:\WINDOWS\appfg.exe
    C:\WINDOWS\system32\javaok32.exe
    C:\WINDOWS\system32\apiue32.exe
    C:\WINDOWS\system32\msyx.exe
    C:\WINDOWS\javacj.exe
    C:\WINDOWS\system32\mfcid32.exe
    C:\WINDOWS\system32\sdkpu32.exe
    C:\WINDOWS\system32\syssy32.exe
    C:\WINDOWS\javaxs.exe
    C:\WINDOWS\system32\atlig.exe
    C:\WINDOWS\msna.exe
    C:\WINDOWS\system32\netvi32.exe
    C:\WINDOWS\system32\winak.exe
    C:\WINDOWS\apicf32.exe
    C:\WINDOWS\winpz.exe
    C:\WINDOWS\system32\mfctb.exe
    C:\WINDOWS\system32\cray.exe
    C:\WINDOWS\addpn.exe
    C:\WINDOWS\crdh32.exe
    C:\WINDOWS\iefc.exe
    C:\WINDOWS\system32\ntsw32.exe
    C:\WINDOWS\system32\mfcdp.exe
    C:\WINDOWS\sdkse32.exe
    C:\WINDOWS\system32\mfcxg.exe
    C:\WINDOWS\system32\apifo32.exe
    C:\WINDOWS\javasu.exe
    C:\WINDOWS\system32\sdkau.exe
    C:\WINDOWS\ieqj32.exe
    C:\WINDOWS\appgr32.exe
    C:\WINDOWS\system32\winjd.exe
    C:\WINDOWS\system32\appic.exe
    C:\WINDOWS\system32\d3jl32.exe
    C:\WINDOWS\addth32.exe
    C:\WINDOWS\system32\sdkwe.exe
    C:\WINDOWS\javary32.exe
    C:\WINDOWS\system32\mfcvu32.exe
    C:\WINDOWS\system32\apptp32.exe
    C:\WINDOWS\system32\netjx.exe
    C:\WINDOWS\system32\winpz32.exe
    C:\WINDOWS\system32\javanb32.exe
    C:\WINDOWS\system32\syssl32.exe
    C:\WINDOWS\cria32.exe
    C:\WINDOWS\system32\netvc32.exe
    C:\WINDOWS\system32\sdklk.exe
    C:\WINDOWS\system32\mspo32.exe
    C:\WINDOWS\addzb32.exe
    C:\WINDOWS\system32\netrx.exe
    C:\WINDOWS\system32\crzo.exe
    C:\WINDOWS\system32\crfl32.exe
    C:\WINDOWS\netkf.exe
    C:\WINDOWS\ntdg32.exe
    C:\WINDOWS\system32\atlja.exe
    C:\WINDOWS\system32\atlwx.exe
    C:\WINDOWS\msct.exe
    C:\WINDOWS\system32\iphw32.exe
    C:\WINDOWS\system32\msxu32.exe
    C:\WINDOWS\winls.exe
    C:\WINDOWS\javaru.exe
    C:\WINDOWS\system32\crod.exe
    C:\WINDOWS\system32\winxq32.exe
    C:\WINDOWS\system32\hookdump.exe
    C:\WINDOWS\system32\syshc.exe



  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Reboot back into safe mode

11. Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • It will begin to check your computer for malicious files.
  • AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
  • Shut down AboutBuster. A log should have been created.Please Save this log and copy it in your next post.
12. Scan with AdAware and let it remove any bad files found.

13. Run the program CleanUp! (do not reboot yet)

14. Double click on the HSFix and when asked to merge say yes.

15. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

16. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

17. Please post an Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#7
jtoro

jtoro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Excal,

Ok that is quite a shopping list you put together for me :tazz: I am at work presently but will get on it as soon as I return home tonight. Thank you for the very clear step by step instructions.

Joe
  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
lol, yes it is ;)

You have whats called the DrWatson A:B infection. Its very lovely ;)


talk to u tonight.

:tazz:

Excal
  • 0

#9
jtoro

jtoro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Excal,

Yes you are correct, lovely little infection. OK just FYI before I post the logs.

1. pasted info you gave into killbox outside of safe mode. Clicked YES at the delete on reboot prompt. Did not see a NO option at the pending operations prompt. The options were OK or close the window. I chose close the window. I rebooted into safe mode and tried to paste the previously pasted info from a wordpad file into killbox but paste was not working. I then decided to continue onward.

2. Adaware found three registry values. I will post this log as well.

3. After step 15 upon rebooting received the message "the application or dll C:\WINDOWS\sdkro32.dll is not a valid windows image. Please check against your installation diskette.

4. Still have pop-ups

5. Still have blue blocks around all desktop icon text.

Now the logs listed here in the order that they were performed.

About Buster:
AboutBuster 5.0 reference file 30
Scan started on [7/12/2005] at [9:13:42 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\KB839643-DirectX9.log:nawnoj
Removed Stream! C:\WINDOWS\KB840374.log:gaoaqu
Removed Stream! C:\WINDOWS\KB867282.log:zmlycn
Removed Stream! C:\WINDOWS\KB883357.log:sneeex
Removed Stream! C:\WINDOWS\KB886185.log:vreovx
Removed Stream! C:\WINDOWS\{5C29D06B-AA9F-4554-BD34-3C3AC013F59E}.dat:desdij
------------------------------------------------
Removed File! : C:\Windows\cybqz.dll
Removed File! : C:\Windows\wxlcq.dll
Removed File! : C:\Windows\ytcrx.dll
Removed File! : C:\Windows\System32\orszf.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:13:58 PM

AdAware:
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Tuesday, July 12, 2005 9:16:22 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R347 26.10.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives


7-12-2005 9:16:22 PM - Scan started. (Custom mode)

Listing running processes


#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7-13-2005 1:12:33 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7-13-2005 1:12:37 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-13-2005 1:12:38 AM
BasePriority : Normal
FileSize : 105 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 7/13/2005 1:16:22 AM
Last modified : 8/4/2004 7:56:55 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-13-2005 1:12:38 AM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 7/13/2005 1:16:22 AM
Last modified : 8/4/2004 7:56:50 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-13-2005 1:12:40 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 7/13/2005 1:16:22 AM
Last modified : 8/4/2004 7:56:57 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-13-2005 1:12:40 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 7/13/2005 1:16:22 AM
Last modified : 8/4/2004 7:56:57 AM

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-13-2005 1:12:52 AM
BasePriority : Normal
FileSize : 1008 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 7/13/2005 1:12:52 AM
Last modified : 8/4/2004 7:56:49 AM

#:8 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 7-13-2005 1:16:14 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 10/28/2003 2:17:40 AM
Last accessed : 7/13/2005 1:16:14 AM
Last modified : 7/13/2003 3:00:20 AM

Memory scan result :

New objects : 0
Objects found so far: 0


Started registry scan


Registry scan result :

New objects : 0
Objects found so far: 0


Started deep registry scan

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URLabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "about:blank"


Deep registry scan result :

New objects : 3
Objects found so far: 3


Deep scanning and examining files (C:)


Tracking Cookie Object recognized!
Type : File
Data : joseph toro@centrport[1].txt
Object : C:\Documents and Settings\Joseph Toro\Cookies\

Created on : 7/11/2005 10:54:22 PM
Last accessed : 7/13/2005 1:18:08 AM
Last modified : 7/11/2005 10:54:22 PM



Tracking Cookie Object recognized!
Type : File
Data : joseph toro@cgi-bin[2].txt
Object : C:\Documents and Settings\Joseph Toro\Cookies\

Created on : 7/12/2005 10:26:03 PM
Last accessed : 7/13/2005 1:18:08 AM
Last modified : 7/12/2005 10:27:07 PM



Disk scan result for C:\

New objects : 0
Objects found so far: 5

Possible Browser Hijack attempt Object recognized!
Type : File
Data : only sex website.url
Object : C:\Documents and Settings\Joseph Toro\Favorites\

Created on : 7/12/2005 12:42:06 PM
Last accessed : 7/13/2005 1:06:56 AM
Last modified : 7/12/2005 12:42:06 PM



Possible Browser Hijack attempt Object recognized!
Type : File
Data : search the web.url
Object : C:\Documents and Settings\Joseph Toro\Favorites\

Created on : 7/12/2005 12:42:06 PM
Last accessed : 7/13/2005 1:06:56 AM
Last modified : 7/12/2005 12:42:06 PM



Possible Browser Hijack attempt Object recognized!
Type : File
Data : seven days of free [bleep].url
Object : C:\Documents and Settings\Joseph Toro\Favorites\

Created on : 7/12/2005 12:42:06 PM
Last accessed : 7/13/2005 1:06:56 AM
Last modified : 7/12/2005 12:42:06 PM




Performing conditional scans..


Conditional scan result:

New objects : 0
Objects found so far: 8


9:35:29 PM Scan complete

Summary of this scan

Total scanning time :00:19:06:953
Objects scanned :185653
Objects identified :8
Objects ignored :0
New objects :8





Active Scan:

Incident Status Location

Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Only sex website.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Ab scissor.url
Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Search the web.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Seven days of free [bleep].url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Joseph Toro\Favorites\Sites about\What is hydrocodone.url
Virus:Trj/Downloader.DHJ Disinfected C:\Program Files\HJT\backups\backup-20050712-204310-269.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM32\oyiok.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM32\xcskc.dll

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 10:30:27 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\apial32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F73396C4-CF26-92B0-F05D-07D7BAA16C5C} - C:\WINDOWS\appym32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mfcsz32.exe] C:\WINDOWS\system32\mfcsz32.exe
O4 - HKLM\..\Run: [apial32.exe] C:\WINDOWS\system32\apial32.exe
O4 - HKLM\..\RunOnce: [mfcbu32.exe] C:\WINDOWS\mfcbu32.exe
O4 - HKLM\..\RunOnce: [netbm32.exe] C:\WINDOWS\netbm32.exe
O4 - HKLM\..\RunOnce: [netvm.exe] C:\WINDOWS\system32\netvm.exe
O4 - HKLM\..\RunOnce: [mfcfw32.exe] C:\WINDOWS\system32\mfcfw32.exe
O4 - HKLM\..\RunOnce: [apizn.exe] C:\WINDOWS\apizn.exe
O4 - HKLM\..\RunOnce: [javamx.exe] C:\WINDOWS\javamx.exe
O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe
O4 - HKLM\..\RunOnce: [systg32.exe] C:\WINDOWS\system32\systg32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\syshc.exe (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Excal, your patience and courtesy must be commended.

All the best,
Joe

Edited by jtoro, 12 July 2005 - 08:51 PM.

  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hey joe,

We cleaned up alot, but still alot left. We are going to run pretty much the same fix again. Just follow it carefully, there are a few changes in the order and 2 new programs :tazz:


DOWNLOAD PROGRAMS


Download SpSeHjfix Here.
Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix) Do not use yet.

Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service ( 11F#`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

5. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

6. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

7. Close all browsers, windows and unneeded programs.

8. Open HiJack and do a scan.

9. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ivybi.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F73396C4-CF26-92B0-F05D-07D7BAA16C5C} - C:\WINDOWS\appym32.dll
O4 - HKLM\..\Run: [mfcsz32.exe] C:\WINDOWS\system32\mfcsz32.exe
O4 - HKLM\..\Run: [apial32.exe] C:\WINDOWS\system32\apial32.exe
O4 - HKLM\..\RunOnce: [mfcbu32.exe] C:\WINDOWS\mfcbu32.exe
O4 - HKLM\..\RunOnce: [netbm32.exe] C:\WINDOWS\netbm32.exe
O4 - HKLM\..\RunOnce: [netvm.exe] C:\WINDOWS\system32\netvm.exe
O4 - HKLM\..\RunOnce: [mfcfw32.exe] C:\WINDOWS\system32\mfcfw32.exe
O4 - HKLM\..\RunOnce: [apizn.exe] C:\WINDOWS\apizn.exe
O4 - HKLM\..\RunOnce: [javamx.exe] C:\WINDOWS\javamx.exe
O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe
O4 - HKLM\..\RunOnce: [systg32.exe] C:\WINDOWS\system32\systg32.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\syshc.exe (file missing)


10. click the Fix Checked box

11. Please remove the following folders using Windows Explorer (if present):

C:\Documents and Settings\Joseph Toro\Favorites\Sites about

12. Please remove just the files from the following paths using Windows Explorer (if present):

C:\Documents and Settings\Joseph Toro\Favorites\Only sex website.url
C:\Documents and Settings\Joseph Toro\Favorites\Sites about\Ab scissor.url
C:\Documents and Settings\Joseph Toro\Favorites\Search the web.url
C:\Documents and Settings\Joseph Toro\Favorites\Seven days of free [bleep].url
C:\WINDOWS\SYSTEM32\oyiok.dll
C:\WINDOWS\SYSTEM32\xcskc.dll
C\WINDOWS\ivybi.dll/sp.html#37049
C:\WINDOWS\appym32.dll
C:\WINDOWS\system32\mfcsz32.exe
C:\WINDOWS\system32\apial32.exe
C:\WINDOWS\mfcbu32.exe
C:\WINDOWS\netbm32.exe
C:\WINDOWS\system32\netvm.exe
C:\WINDOWS\system32\mfcfw32.exe
C:\WINDOWS\apizn.exe
C:\WINDOWS\javamx.exe
C:\WINDOWS\system32\sysvy.exe
C:\WINDOWS\system32\systg32.exe
C:\WINDOWS\system32\syshc.exe


13. Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • It will begin to check your computer for malicious files.
  • AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
  • Shut down AboutBuster. A log should have been created.Please Save this log and copy it in your next post.
14. Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

15. Double click on the HSFix and when asked to merge say yes.

16. Run the program CleanUp! (do not reboot yet)

17. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

18. Please post an Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

Advertisements


#11
jtoro

jtoro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Excal,

Things are looking better. Here are the logs in the order that they were executed.

The following things were noted.

1. HJT was not able to remove O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\syshc.exe (file missing) Should I be concerned about this?

2. under step 12. the file names you noted were present but all in caps and with additional tex (MFCSZ32.EXE-09561AAE.pf). They were recent files. I deleted them. Hope that is not a bad thing. :tazz:

3. Panda found no viruses but I was unable to get a log. Must have been doing something wrong. At the end of the scan the choose profile dialog box for outlook would come up. I will scan again.

4. I see two new files on the desktop. One is named desktop and has the following contents ([LocalizedFileNames]
Windows Media Player.lnk=@C:\WINDOWS\inf\unregmp2.exe,-4)
The second is named Thumbs (unknown application) Can I delete these?

Thank you,

Joe


ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:27:53 PM, 7/13/2005
+ Report-Checksum: A96D0F34

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{74339574-CCF2-3651-E5EA-88C8BFBBFB28} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A0B249A8-05AF-32B0-992B-DB1CAFDEB3E4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{AF197E67-53B8-6C01-4733-3E7C25BA3A3B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F065E398-2ACB-9034-8B2A-28A827FF521F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2348792268-1007953774-3110568756-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74339574-CCF2-3651-E5EA-88C8BFBBFB28} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Program Files\HJT\backups\backup-20050712-204310-214.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\addbm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addff.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addmb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addvr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addwx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apihs32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\apiij32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apioh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apirw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apitw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiyc32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\apiyc32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apizn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apphw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appic.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\appqo.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apptd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appym32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\atlir32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atljp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crvc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3lr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3sx.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\DEBUGSM.INI:ckoor -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\DEBUGSM.INI:edxtu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\DEBUGSM.INI:xfeyl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\DESKTOP.INI:uhpsz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\EPSON Perfection 3170.ini:mkgtw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\EPSON Perfection 3170.ini:ynxeg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\EPSTPLOG.TXT:jxcey -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Film Factory.scr:xljms -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\GMUD32.INI:pjvxr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\GMUD32.INI:uznxu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iefy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieia.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieji32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipku32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipoj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipuo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ivybi.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\javadt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javamx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javaxn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javayb.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javazu.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\lrun32.ini:aptio -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\lrun32.ini:sjsxc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcbu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfccd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcdm32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcqq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfctv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msiz32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\msnf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msvy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netbm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netfz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netmg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netnz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netql32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netwo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntbl32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntbtlog.txt:fokav -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntdz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\nthq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntlm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntls.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ntmi.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntrl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntvi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ODBCINST.INI:tbcpm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ODBCINST.INI:yzbjh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\OEWABLog.txt:bccwx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\orun32.ini:uvmbb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:bwdig -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:ulnuq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkcm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkgg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkxr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SETUPLOG.TXT:wdeic -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\smscfg.ini:bbokzc -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\smscfg.ini:wcgzn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\smscfg.ini:wihfc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sysey32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysgo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysjv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysml.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM.INI:hjkxq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM.INI:xfnvi -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\addfj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addnc.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\addvl.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\apial32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\apial32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\apiei32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apijj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apimi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apipv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appee32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appen.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appry.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlav.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlhd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atloj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlse32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlyd32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\crag.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crkz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crpk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crsd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crus.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3tt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iecr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ieyf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iplv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipsj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javacb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javajs32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javame.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfccz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcff.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcfw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcke32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcre32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcsm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcvn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcws.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msaj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msgp32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\msio32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msjt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mspg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mstl32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msyr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mszg32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\netgt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netoq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netvm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntby32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntdq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntfd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntnd.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntrc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\nttj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntvb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntvt.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\oyiok.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkag.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkjo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkpk.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkxv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkzz32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysbo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysde32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysev32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\syshk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysng.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\systg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysvy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\syswc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winff32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\winnw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winod32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winol.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winsi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winvj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winvv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winxb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\xcskc.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\sysxt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\tdwsp.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\Topo4.ini:buceh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Topo4.ini:wqkhm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\VB.INI:igqge -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\VB.INI:uuvjj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WIN.INI:uidgb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WIN.INI:vkvsa -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winac.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winjr.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winmg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\wintl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winve32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winvf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winxr.exe -> Trojan.Agent.bi : Cleaned with backup


AboutBuster 5.0 reference file 30
Scan started on [7/13/2005] at [8:09:17 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\{5C29D06B-AA9F-4554-BD34-3C3AC013F59E}.dat:nskvra
Removed Stream! C:\WINDOWS\{5C29D06B-AA9F-4554-BD34-3C3AC013F59E}.dat:qwrzdw
Removed Stream! C:\WINDOWS\{5C29D06B-AA9F-4554-BD34-3C3AC013F59E}.dat:spjblx
Removed Stream! C:\WINDOWS\{5C29D06B-AA9F-4554-BD34-3C3AC013F59E}.dat:vfcikl
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:09:30 PM


AboutBuster 5.0 reference file 30
Scan started on [7/13/2005] at [8:07:45 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\KB837001.log:wyfsqy
Removed Stream! C:\WINDOWS\KB840315.log:oyyxki
Removed Stream! C:\WINDOWS\KB842773.log:hzqlnt
Removed Stream! C:\WINDOWS\KB887742.log:syylqh
Removed Stream! C:\WINDOWS\KB890047.log:lzjqkr
Removed Stream! C:\WINDOWS\MedCtrOC.log:ugzeyx
Removed Stream! C:\WINDOWS\MSMQINST.LOG:ehsksz
Removed Stream! C:\WINDOWS\{5C29D06B-AA9F-4554-BD34-3C3AC013F59E}.dat:gsdjul
Removed Stream! C:\WINDOWS\{5C29D06B-AA9F-4554-BD34-3C3AC013F59E}.dat:ngvoev
------------------------------------------------
Removed File! : C:\Windows\wvuxs.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:07:59 PM


(7/13/05 8:10:55 PM) SPSeHjFix started v1.1.2
(7/13/05 8:10:55 PM) OS: WinXP Service Pack 2 (5.1.2600)
(7/13/05 8:10:55 PM) Language: english
(7/13/05 8:10:55 PM) Win-Path: C:\WINDOWS
(7/13/05 8:10:55 PM) System-Path: C:\WINDOWS\system32
(7/13/05 8:10:55 PM) Temp-Path: C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\


(7/13/05 8:11:49 PM) SPSeHjFix started v1.1.2
(7/13/05 8:11:49 PM) OS: WinXP Service Pack 2 (5.1.2600)
(7/13/05 8:11:49 PM) Language: english
(7/13/05 8:11:49 PM) Win-Path: C:\WINDOWS
(7/13/05 8:11:49 PM) System-Path: C:\WINDOWS\system32
(7/13/05 8:11:49 PM) Temp-Path: C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\
(7/13/05 8:11:55 PM) Disinfection started
(7/13/05 8:11:55 PM) Bad-Dll(IEP): (not found)
(7/13/05 8:11:55 PM) Bad-Dll(IEP) in BHO: (not found)
(7/13/05 8:11:55 PM) UBF: 4 - UBB: 2 - UBR: 10
(7/13/05 8:11:55 PM) UBF: 4 - UBB: 2 - UBR: 10
(7/13/05 8:11:55 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
(7/13/05 8:11:55 PM) Stealth-String not found
(7/13/05 8:11:55 PM) Not infected->END

Logfile of HijackThis v1.99.1
Scan saved at 9:39:20 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Fixsoftware\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reuters.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {2E2D4B26-4CD2-E13B-EE1F-3BB2852CDEAC} - C:\WINDOWS\system32\sdkpk.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [d3sx.exe] C:\WINDOWS\d3sx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\syshc.exe (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Fixsoftware\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Joe,

What happens when you try to disable this:

Network Security Service ( 11F#`I) ?

Disable all antispyware and anti-virus programs you have as soon as you disconnect from the interenet. when you reboot, ensure they are all re-enabled



THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service ( 11F#`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

5. Close all browsers, windows and unneeded programs.

6. Open HiJack and do a scan.

7. Put a Check next to the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Class - {2E2D4B26-4CD2-E13B-EE1F-3BB2852CDEAC} - C:\WINDOWS\system32\sdkpk.dll (file missing)
O4 - HKLM\..\Run: [d3sx.exe] C:\WINDOWS\d3sx.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\syshc.exe (file missing)


8. click the Fix Checked box


9. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\sdkpk.dll
C:\WINDOWS\d3sx.exe
C:\WINDOWS\system32\syshc.exe


10. Please post a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#13
jtoro

jtoro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Excal,

Am at work but I can answer your question about the network security item.

I execute steps 1-3.

I am able to see the network security service box but stop button is shaded out (not an option) the disable option is available and I select this option. I scan with HJT and it finds the network security service. It is checked to fix and when I rescan it is still present. FYI I tried setting network security service back to automatic. In this condition HJT does not find it (I assume that's why you want it disabled).

Question. As mentioned before when I find the files C:\WINDOWS\system32\sdkpk.dll they are present but are all caps and have additional numbers letters following (see last post). They do not explicitly match the file names you give. I should delete these, correct?

Sorry for all the questions I just want to make sure I am doing exactly as you request.

Thank you,

Joe

P.S. you guys will definitely get a donation :tazz:
  • 0

#14
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Joe,

Ok. So as along as that service is disabled, thats my primary concern. Now we have to figure out whats protecting it from deletion in startup.

As far as this goes C:\WINDOWS\system32\sdkpk.dll, sorry I missed that in you r last post. Yes delete that with the numbers ;)

Let me know how it turns out.

:tazz:

Excal
  • 0

#15
jtoro

jtoro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Excal,

OK things are better still. See the latest HJT log below.

1. The item "Service: Network Security Service ( 11F#`I)" is still present in services.msc. It was disabled when the HJT log was collected. Is this item supposed to be present? What is its function regardless of its authenticity?

Otherwise the machine is almost as it was. I managed to get the desktop screen looking as it had in the past. Connecting to the net seems to take longer now. I am most concerned about the network security service item though.

I would ask you how does the log look? Am i out of the woods?

Thanks for the great help! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 8:44:04 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reuters.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Fixsoftware\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP