
Download.Trojan [CLOSED]


This topic is locked.

#1
canadiandude18 (Member, 13 posts)
Hi there,

I've found AntivirusGold on my machine and thought I got rid of it, but then IeFeat shows up on my Symantec Corporate Edition scan. I've used Spybot and AdAware, and am currently running a Panda ActiveScan. I've also used Symantec's specific tool for removing IeFeat, but it says it can't find it, when Autoprotect continually finds it. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:33:58 PM, on 11/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msut32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ROGERS~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3C590378-0A5C-B10E-AF30-95DF78FBEABD} - C:\WINDOWS\apipu32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: Class - {E0FF3D06-7E37-07B2-CEAA-D833E87335B6} - C:\WINDOWS\winll32.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [sysyp32.exe] C:\WINDOWS\system32\sysyp32.exe
O4 - HKLM\..\Run: [d3fa32.exe] C:\WINDOWS\system32\d3fa32.exe
O4 - HKLM\..\Run: [sdknx.exe] C:\WINDOWS\system32\sdknx.exe
O4 - HKLM\..\Run: [msut32.exe] C:\WINDOWS\system32\msut32.exe
O4 - HKLM\..\RunOnce: [javaos32.exe] C:\WINDOWS\javaos32.exe
O4 - HKLM\..\RunOnce: [nttd.exe] C:\WINDOWS\system32\nttd.exe
O4 - HKLM\..\RunOnce: [apivh32.exe] C:\WINDOWS\system32\apivh32.exe
O4 - HKLM\..\RunOnce: [ipvk32.exe] C:\WINDOWS\ipvk32.exe
O4 - HKLM\..\RunOnce: [msdp32.exe] C:\WINDOWS\system32\msdp32.exe
O4 - HKLM\..\RunOnce: [syshj.exe] C:\WINDOWS\syshj.exe
O4 - HKLM\..\RunOnce: [sysrx.exe] C:\WINDOWS\sysrx.exe
O4 - HKLM\..\RunOnce: [iepn.exe] C:\WINDOWS\system32\iepn.exe
O4 - HKLM\..\RunOnce: [ieke.exe] C:\WINDOWS\system32\ieke.exe
O4 - HKLM\..\RunOnce: [apphg.exe] C:\WINDOWS\apphg.exe
O4 - HKLM\..\RunOnce: [sdkto32.exe] C:\WINDOWS\system32\sdkto32.exe
O4 - HKLM\..\RunOnce: [d3cj.exe] C:\WINDOWS\d3cj.exe
O4 - HKLM\..\RunOnce: [addhl.exe] C:\WINDOWS\addhl.exe
O4 - HKLM\..\RunOnce: [sysqj.exe] C:\WINDOWS\system32\sysqj.exe
O4 - HKLM\..\RunOnce: [ipls32.exe] C:\WINDOWS\ipls32.exe
O4 - HKLM\..\RunOnce: [atljg32.exe] C:\WINDOWS\system32\atljg32.exe
O4 - HKLM\..\RunOnce: [netxi32.exe] C:\WINDOWS\netxi32.exe
O4 - HKLM\..\RunOnce: [mfcho.exe] C:\WINDOWS\mfcho.exe
O4 - HKLM\..\RunOnce: [mfcjy.exe] C:\WINDOWS\system32\mfcjy.exe
O4 - HKLM\..\RunOnce: [sysuw32.exe] C:\WINDOWS\sysuw32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [windc.exe] C:\WINDOWS\windc.exe
O4 - HKLM\..\RunOnce: [apprf32.exe] C:\WINDOWS\apprf32.exe
O4 - HKLM\..\RunOnce: [javarl.exe] C:\WINDOWS\system32\javarl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...ZBzeb032YYCA_ZZ
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Any help would be appreciated. Thanks.

Dean

#2
Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi canadiandude18 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

a. Click on My Controls at the top right hand corner of the window.
b. In the left hand column, click "View Topics"
c. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
Where it says "unsubscribe", click the pull-down menu and select "immediate email notification".

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Your system is suffering from a severe case of a variant of the About:Blank infection. After you have sent me your next log, you are not to turn off or reboot your computer until advised by me that you can. This variant morphs every time you look around. Check the number of "Run Once" items and "Run" items that don't make sense.


Regards,

Trevuren


#3
canadiandude18 (Topic Starter, Member, 13 posts)
Hi Trev,

I appreciate your quick response. Here is the log, as per your instructions, and I'll be sure to leave a note on the computer to leave it on.

Logfile of HijackThis v1.99.1
Scan saved at 4:44:23 PM, on 12/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\msut32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bkflc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bkflc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bkflc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bkflc.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5926D284-FE93-486D-2B11-4A74D55F0434} - C:\WINDOWS\system32\ieco.dll
O2 - BHO: Class - {736A732C-C2C9-6CE6-0C3D-D550CF0B4ECE} - C:\WINDOWS\system32\atlnl32.dll
O2 - BHO: Class - {98529CC2-52A9-99EE-F7DF-D4FA46CD1BDA} - C:\WINDOWS\system32\sdkhi32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\atlog.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [sysyp32.exe] C:\WINDOWS\system32\sysyp32.exe
O4 - HKLM\..\Run: [d3fa32.exe] C:\WINDOWS\system32\d3fa32.exe
O4 - HKLM\..\Run: [sdknx.exe] C:\WINDOWS\system32\sdknx.exe
O4 - HKLM\..\Run: [msut32.exe] C:\WINDOWS\system32\msut32.exe
O4 - HKLM\..\RunOnce: [syshj.exe] C:\WINDOWS\syshj.exe
O4 - HKLM\..\RunOnce: [windc.exe] C:\WINDOWS\windc.exe
O4 - HKLM\..\RunOnce: [netqd.exe] C:\WINDOWS\system32\netqd.exe
O4 - HKLM\..\RunOnce: [ntyb32.exe] C:\WINDOWS\system32\ntyb32.exe
O4 - HKLM\..\RunOnce: [addgp.exe] C:\WINDOWS\system32\addgp.exe
O4 - HKLM\..\RunOnce: [crzc.exe] C:\WINDOWS\crzc.exe
O4 - HKLM\..\RunOnce: [javamn32.exe] C:\WINDOWS\system32\javamn32.exe
O4 - HKLM\..\RunOnce: [ntyv32.exe] C:\WINDOWS\system32\ntyv32.exe
O4 - HKLM\..\RunOnce: [ievq.exe] C:\WINDOWS\ievq.exe
O4 - HKLM\..\RunOnce: [addbs.exe] C:\WINDOWS\system32\addbs.exe
O4 - HKLM\..\RunOnce: [ipar.exe] C:\WINDOWS\system32\ipar.exe
O4 - HKLM\..\RunOnce: [d3je.exe] C:\WINDOWS\system32\d3je.exe
O4 - HKLM\..\RunOnce: [mfcio.exe] C:\WINDOWS\mfcio.exe
O4 - HKLM\..\RunOnce: [sdkfh32.exe] C:\WINDOWS\sdkfh32.exe
O4 - HKLM\..\RunOnce: [atllb.exe] C:\WINDOWS\system32\atllb.exe
O4 - HKLM\..\RunOnce: [addem.exe] C:\WINDOWS\addem.exe
O4 - HKLM\..\RunOnce: [netxi.exe] C:\WINDOWS\netxi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...ZBzeb032YYCA_ZZ
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\syshj.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again for your help.

Dean

#4
Trevuren (Old Dog, Retired Staff, 18,699 posts)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please download and install these programs - DON'T RUN THEM YET!!
  • Please download and unzip About:Buster to a folder on your Desktop. Inside the folder is a readme file that has instructions on the use of the program.
    • AboutBuster MUST be updated before you use it.
    • Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.
  • Please download and install AD-Aware.
    Check Here on how to set up and use it - please make sure you update it first.

  • Download HSfix from HERE and unzip it to your desktop.


  • Download CW-Shredder at the link below:
    http://cwshredder.ne...CWSshtreder.exe

  • Open Windows Explorer & Go to Tools > Folder Options.
    • Click on the View tab and make sure that "Show hidden files and folders" is checked.
    • Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" .
    • Now click "Apply to all folders"
    • Click "Apply" then "OK"
  • For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that.
    Do this so you can see hidden files and folders - click HERE to download XPhidden.zip by David Higham. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.
+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:


1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Click on the Extended Tab.

Scroll down and find the service called:

Workstation NetLogon Service

2. When you find it,
  • double-click on it.
  • In the next window that opens, click the Stop button
  • Then click on properties and under the General Tab
  • Change the Startup Type to Disabled.
  • Now hit Apply and then Ok and close any open windows.
If you don't find this service listed, go ahead with the next steps.

3. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

4. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

C:\WINDOWS\system32\msut32.exe

If you find the files, highlight them, and then click End Process => Exit the Task Manager.


5. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bkflc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bkflc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bkflc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bxmmi.dll/sp.html#87649
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bkflc.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5926D284-FE93-486D-2B11-4A74D55F0434} - C:\WINDOWS\system32\ieco.dll
O2 - BHO: Class - {736A732C-C2C9-6CE6-0C3D-D550CF0B4ECE} - C:\WINDOWS\system32\atlnl32.dll
O2 - BHO: Class - {98529CC2-52A9-99EE-F7DF-D4FA46CD1BDA} - C:\WINDOWS\system32\sdkhi32.dll
O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\atlog.dll
O4 - HKLM\..\Run: [sysyp32.exe] C:\WINDOWS\system32\sysyp32.exe
O4 - HKLM\..\Run: [d3fa32.exe] C:\WINDOWS\system32\d3fa32.exe
O4 - HKLM\..\Run: [sdknx.exe] C:\WINDOWS\system32\sdknx.exe
O4 - HKLM\..\Run: [msut32.exe] C:\WINDOWS\system32\msut32.exe
O4 - HKLM\..\RunOnce: [syshj.exe] C:\WINDOWS\syshj.exe
O4 - HKLM\..\RunOnce: [windc.exe] C:\WINDOWS\windc.exe
O4 - HKLM\..\RunOnce: [netqd.exe] C:\WINDOWS\system32\netqd.exe
O4 - HKLM\..\RunOnce: [ntyb32.exe] C:\WINDOWS\system32\ntyb32.exe
O4 - HKLM\..\RunOnce: [addgp.exe] C:\WINDOWS\system32\addgp.exe
O4 - HKLM\..\RunOnce: [crzc.exe] C:\WINDOWS\crzc.exe
O4 - HKLM\..\RunOnce: [javamn32.exe] C:\WINDOWS\system32\javamn32.exe
O4 - HKLM\..\RunOnce: [ntyv32.exe] C:\WINDOWS\system32\ntyv32.exe
O4 - HKLM\..\RunOnce: [ievq.exe] C:\WINDOWS\ievq.exe
O4 - HKLM\..\RunOnce: [addbs.exe] C:\WINDOWS\system32\addbs.exe
O4 - HKLM\..\RunOnce: [ipar.exe] C:\WINDOWS\system32\ipar.exe
O4 - HKLM\..\RunOnce: [d3je.exe] C:\WINDOWS\system32\d3je.exe
O4 - HKLM\..\RunOnce: [mfcio.exe] C:\WINDOWS\mfcio.exe
O4 - HKLM\..\RunOnce: [sdkfh32.exe] C:\WINDOWS\sdkfh32.exe
O4 - HKLM\..\RunOnce: [atllb.exe] C:\WINDOWS\system32\atllb.exe
O4 - HKLM\..\RunOnce: [addem.exe] C:\WINDOWS\addem.exe
O4 - HKLM\..\RunOnce: [netxi.exe] C:\WINDOWS\netxi.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...ZBzeb032YYCA_ZZ
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\syshj.exe" /s (file missing)


6. Delete the following files if present:

If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.

C:\WINDOWS\system32\msut32.exe
C:\WINDOWS\bxmmi.dll
C:\WINDOWS\system32\bkflc.dll
C:\WINDOWS\system32\ieco.dll
C:\WINDOWS\system32\atlnl32.dll
C:\WINDOWS\system32\sdkhi32.dll
C:\WINDOWS\atlog.dll
C:\WINDOWS\system32\sysyp32.exe
C:\WINDOWS\system32\d3fa32.exe
C:\WINDOWS\system32\sdknx.exe
C:\WINDOWS\syshj.exe
C:\WINDOWS\windc.exe
C:\WINDOWS\system32\netqd.exe
C:\WINDOWS\system32\ntyb32.exe
C:\WINDOWS\system32\addgp.exe
C:\WINDOWS\crzc.exe
C:\WINDOWS\system32\javamn32.exe
C:\WINDOWS\system32\ntyv32.exe
C:\WINDOWS\ievq.exe
C:\WINDOWS\system32\addbs.exe
C:\WINDOWS\system32\ipar.exe
C:\WINDOWS\system32\d3je.exe
C:\WINDOWS\mfcio.exe
C:\WINDOWS\sdkfh32.exe
C:\WINDOWS\system32\atllb.exe
C:\WINDOWS\addem.exe
C:\WINDOWS\netxi.exe
C:\WINDOWS\syshj.exe


(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

7. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

8. Scan with AdAware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin


10. Double click on the HSfix and when asked to merge say yes.

11. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

12. Reboot into normal mode.

13. Download the Hoster from: HERE. Press "Restore Original Hosts" and press "OK". Exit the program.

14. Download and run this online virus scan (the site is often slow to appear):
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean".

If it says that you need to download an ActiveX element from their site, please do so. It is safe.

15. Reboot and post a fresh Hijack This log for review.

Regards,

Trevuren

  • 0

#5
canadiandude18

    Member

  • Topic Starter
  • Member
  • 13 posts
Hi Trev,

I don't think we're done here just yet. Some quick notes from your instructions. The Workstation NetLogon Service wasn't there, neither was the process from msut32.exe. A few of the initial HijackThis selected files also were not there. I ran your instructions as best I could, but when I got to the end Internet Explorer kept crashing every time I tried to run the Trend Microsystems scan.

Anyway, here is the log from HijackThis. Below will be the one from About:Buster. I'll still make sure that the computer doesn't shut down until I see a post from you.

Logfile of HijackThis v1.99.1
Scan saved at 11:04:54 AM, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\sysyq32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {E97E5AE0-29D6-7DFA-7E92-29CC5D770DA3} - C:\WINDOWS\ipkw32.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [sysyq32.exe] C:\WINDOWS\system32\sysyq32.exe
O4 - HKLM\..\RunOnce: [sysvt32.exe] C:\WINDOWS\system32\sysvt32.exe
O4 - HKLM\..\RunOnce: [javakz32.exe] C:\WINDOWS\system32\javakz32.exe
O4 - HKLM\..\RunOnce: [crkp32.exe] C:\WINDOWS\system32\crkp32.exe
O4 - HKLM\..\RunOnce: [ntup32.exe] C:\WINDOWS\system32\ntup32.exe
O4 - HKLM\..\RunOnce: [ntmm.exe] C:\WINDOWS\ntmm.exe
O4 - HKLM\..\RunOnce: [apivm32.exe] C:\WINDOWS\system32\apivm32.exe
O4 - HKLM\..\RunOnce: [appzg32.exe] C:\WINDOWS\system32\appzg32.exe
O4 - HKLM\..\RunOnce: [netlb.exe] C:\WINDOWS\netlb.exe
O4 - HKLM\..\RunOnce: [netiu32.exe] C:\WINDOWS\system32\netiu32.exe
O4 - HKLM\..\RunOnce: [crzh.exe] C:\WINDOWS\system32\crzh.exe
O4 - HKLM\..\RunOnce: [javanw32.exe] C:\WINDOWS\system32\javanw32.exe
O4 - HKLM\..\RunOnce: [msvi.exe] C:\WINDOWS\msvi.exe
O4 - HKLM\..\RunOnce: [addbl.exe] C:\WINDOWS\addbl.exe
O4 - HKLM\..\RunOnce: [d3gn32.exe] C:\WINDOWS\d3gn32.exe
O4 - HKLM\..\RunOnce: [sdkye32.exe] C:\WINDOWS\system32\sdkye32.exe
O4 - HKLM\..\RunOnce: [sysun32.exe] C:\WINDOWS\system32\sysun32.exe
O4 - HKLM\..\RunOnce: [crvk32.exe] C:\WINDOWS\system32\crvk32.exe
O4 - HKLM\..\RunOnce: [netae.exe] C:\WINDOWS\netae.exe
O4 - HKLM\..\RunOnce: [atlpw32.exe] C:\WINDOWS\atlpw32.exe
O4 - HKLM\..\RunOnce: [msuq.exe] C:\WINDOWS\msuq.exe
O4 - HKLM\..\RunOnce: [javaiv.exe] C:\WINDOWS\javaiv.exe
O4 - HKLM\..\RunOnce: [appyu32.exe] C:\WINDOWS\system32\appyu32.exe
O4 - HKLM\..\RunOnce: [d3eo.exe] C:\WINDOWS\system32\d3eo.exe
O4 - HKLM\..\RunOnce: [winsc32.exe] C:\WINDOWS\winsc32.exe
O4 - HKLM\..\RunOnce: [javaqm32.exe] C:\WINDOWS\javaqm32.exe
O4 - HKLM\..\RunOnce: [javaig32.exe] C:\WINDOWS\javaig32.exe
O4 - HKLM\..\RunOnce: [cran32.exe] C:\WINDOWS\cran32.exe
O4 - HKLM\..\RunOnce: [ipvo.exe] C:\WINDOWS\ipvo.exe
O4 - HKLM\..\RunOnce: [msth.exe] C:\WINDOWS\system32\msth.exe
O4 - HKLM\..\RunOnce: [ipyb32.exe] C:\WINDOWS\system32\ipyb32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sysvt32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Roger Stewart\Desktop\Dean's Malware Removal\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

About:Buster Log

AboutBuster 5.0 reference file 30
Scan started on [13/07/2005] at [10:30:42 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:siwuip
Removed Stream! C:\WINDOWS\brtvv.dat:uzohe
Removed Stream! C:\WINDOWS\CBCDIJKN.ini:lihzcr
Removed Stream! C:\WINDOWS\CMSETACL.LOG:fbeaz
Removed Stream! C:\WINDOWS\COMSETUP.LOG:gmuywb
Removed Stream! C:\WINDOWS\DESKTOP.INI:qnmdql
Removed Stream! C:\WINDOWS\EventSystem.log:joxrsw
Removed Stream! C:\WINDOWS\gbniz.txt:kshqfn
Removed Stream! C:\WINDOWS\Greenstone.bmp:rgxjm
Removed Stream! C:\WINDOWS\hmkmr.dat:tywtx
Removed Stream! C:\WINDOWS\hpothb07.tif:itpys
Removed Stream! C:\WINDOWS\igfvg.dat:wbuiu
Removed Stream! C:\WINDOWS\itpys.txt:obmnw
Removed Stream! C:\WINDOWS\KB873333.log:ehmvck
Removed Stream! C:\WINDOWS\KB886185.log:vysalz
Removed Stream! C:\WINDOWS\KB888302.log:rwith
Removed Stream! C:\WINDOWS\KB893086.log:qsdsc
Removed Stream! C:\WINDOWS\lablw.dat:qslfz
Removed Stream! C:\WINDOWS\mp10oem.txt:upesxj
Removed Stream! C:\WINDOWS\MSDFMAP.INI:brwjc
Removed Stream! C:\WINDOWS\nsw.log:nhwfrt
Removed Stream! C:\WINDOWS\River Sumida.bmp:bjrnmo
Removed Stream! C:\WINDOWS\setuperr.log:vikbxq
Removed Stream! C:\WINDOWS\SIERRA.INI:lwxmz
Removed Stream! C:\WINDOWS\Sti_Trace.log:hnfhsf
Removed Stream! C:\WINDOWS\SYSTEM.INI:zfcrln
Removed Stream! C:\WINDOWS\T30DebugLogFile.txt:znqnup
Removed Stream! C:\WINDOWS\wmsetup10.log:irohc
Removed Stream! C:\WINDOWS\xhbmd.log:flsoz
Removed Stream! C:\WINDOWS\yeaec.dat:iwttdb
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:awlyxm
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:axipi
------------------------------------------------
Removed File! : C:\Windows\ddlis.dll
Removed File! : C:\Windows\dkble.dat
Removed File! : C:\Windows\fdmao.dat
Removed File! : C:\Windows\fdoxj.dll
Removed File! : C:\Windows\lablw.dat
Removed File! : C:\Windows\xfkad.dat
Removed File! : C:\Windows\zrbvk.dat
Removed File! : C:\Windows\System32\acazu.dat
Removed File! : C:\Windows\System32\agrjt.dat
Removed File! : C:\Windows\System32\eggyg.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:31:00 AM


Thanks again.

Dean
  • 0

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
This appears to be of the newer variant. I will have to prepare a totally manual fix for you to follow. In the meantime, please do not reboot or turn off, and keep your use of the internet to a minimum.


Trevuren
  • 0

#7
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Step #1: Getting Ready

Please save these instructions to WordPad so that you have them accessible while following the steps (the reason WordPad was chosen is that Notepad is sometimes deleted by this variant). You also may want to print out these directions as the Internet will not be available. You must disconnect from the internet totally, as staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout, as opening either will reinstall the infection. Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

Please start by downloading the tools you will need to clean this infection. If you have a problem or question with any please continue to follow the list step by step to the end and ask the questions when you are asked to reply. Just be sure to let us know what the problem was when you finally reply.


Step #2: Show All Hidden Files

Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.
http://www.davehigha...ds/xphidden.zip


Step #3: Download CWShredder

1. Please download the most recent version of CWShredder, from CWSInstall.exe

2. Check for updates, but please do NOT use it yet.


Step #4: Download About Buster


1. Please download About:Buster from here: http://www.malwareby...boutBuster5.zip.

2. Once it is downloaded, extract it to c:\aboutbuster.

3. Check to make sure it is up-to-date. Please do NOT use it yet.


Step #5: Download Registrar Lite

Another program to download is Registrar Lite, for use later: please download Registrar Lite and install it to C:\Program Files\RegLite\. This is a registry editor that is very easy to use.




Please disconnect from the Internet




Step #6: Disable The Bad Service
  • Reboot your computer into Safe Mode by tapping F8 while booting up, and continue in SAFE MODE for the rest of the fix.
  • Click on start > control panel > administrative programs > services. Look for a service called Remote Procedure Call (RPC). Double click on that service, click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step #7: Stop The Running Processes


Press control-alt-delete to get into the task manager and end the following processes if they exist:

C:\WINDOWS\system32\sysyq32.exe


Step #8: Use HijackThis to Delete About Blank

Now, using Windows Explorer, I need you to delete the following files:

C:\WINDOWS\system32\sysyq32.exe
C:\WINDOWS\system32\smfen.dll
C:\WINDOWS\ipkw32.dll
C:\WINDOWS\system32\sysvt32.exe
C:\WINDOWS\system32\javakz32.exe
C:\WINDOWS\system32\crkp32.exe
C:\WINDOWS\system32\ntup32.exe
C:\WINDOWS\ntmm.exe
C:\WINDOWS\system32\apivm32.exe
C:\WINDOWS\system32\appzg32.exe
C:\WINDOWS\netlb.exe
C:\WINDOWS\system32\netiu32.exe
C:\WINDOWS\system32\crzh.exe
C:\WINDOWS\system32\javanw32.exe
C:\WINDOWS\msvi.exe
C:\WINDOWS\addbl.exe
C:\WINDOWS\d3gn32.exe
C:\WINDOWS\system32\sdkye32.exe
C:\WINDOWS\system32\sysun32.exe
C:\WINDOWS\system32\crvk32.exe
C:\WINDOWS\netae.exe
C:\WINDOWS\atlpw32.exe
C:\WINDOWS\msuq.exe
C:\WINDOWS\javaiv.exe
C:\WINDOWS\system32\appyu32.exe
C:\WINDOWS\system32\d3eo.exe
C:\WINDOWS\winsc32.exe
C:\WINDOWS\javaqm32.exe
C:\WINDOWS\javaig32.exe
C:\WINDOWS\cran32.exe
C:\WINDOWS\ipvo.exe
C:\WINDOWS\system32\msth.exe
C:\WINDOWS\system32\ipyb32.exe
C:\WINDOWS\system32\sysvt32.exe





If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.



Step #9: Cleaning With HijackThis

Then close all programs and windows and run HijackThis. Put a checkmark next to each of these entries and click the 'fix checked' button when ready (some may be gone after uninstalling some programs):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E97E5AE0-29D6-7DFA-7E92-29CC5D770DA3} - C:\WINDOWS\ipkw32.dll
O4 - HKLM\..\Run: [sysyq32.exe] C:\WINDOWS\system32\sysyq32.exe
O4 - HKLM\..\RunOnce: [sysvt32.exe] C:\WINDOWS\system32\sysvt32.exe
O4 - HKLM\..\RunOnce: [javakz32.exe] C:\WINDOWS\system32\javakz32.exe
O4 - HKLM\..\RunOnce: [crkp32.exe] C:\WINDOWS\system32\crkp32.exe
O4 - HKLM\..\RunOnce: [ntup32.exe] C:\WINDOWS\system32\ntup32.exe
O4 - HKLM\..\RunOnce: [ntmm.exe] C:\WINDOWS\ntmm.exe
O4 - HKLM\..\RunOnce: [apivm32.exe] C:\WINDOWS\system32\apivm32.exe
O4 - HKLM\..\RunOnce: [appzg32.exe] C:\WINDOWS\system32\appzg32.exe
O4 - HKLM\..\RunOnce: [netlb.exe] C:\WINDOWS\netlb.exe
O4 - HKLM\..\RunOnce: [netiu32.exe] C:\WINDOWS\system32\netiu32.exe
O4 - HKLM\..\RunOnce: [crzh.exe] C:\WINDOWS\system32\crzh.exe
O4 - HKLM\..\RunOnce: [javanw32.exe] C:\WINDOWS\system32\javanw32.exe
O4 - HKLM\..\RunOnce: [msvi.exe] C:\WINDOWS\msvi.exe
O4 - HKLM\..\RunOnce: [addbl.exe] C:\WINDOWS\addbl.exe
O4 - HKLM\..\RunOnce: [d3gn32.exe] C:\WINDOWS\d3gn32.exe
O4 - HKLM\..\RunOnce: [sdkye32.exe] C:\WINDOWS\system32\sdkye32.exe
O4 - HKLM\..\RunOnce: [sysun32.exe] C:\WINDOWS\system32\sysun32.exe
O4 - HKLM\..\RunOnce: [crvk32.exe] C:\WINDOWS\system32\crvk32.exe
O4 - HKLM\..\RunOnce: [netae.exe] C:\WINDOWS\netae.exe
O4 - HKLM\..\RunOnce: [atlpw32.exe] C:\WINDOWS\atlpw32.exe
O4 - HKLM\..\RunOnce: [msuq.exe] C:\WINDOWS\msuq.exe
O4 - HKLM\..\RunOnce: [javaiv.exe] C:\WINDOWS\javaiv.exe
O4 - HKLM\..\RunOnce: [appyu32.exe] C:\WINDOWS\system32\appyu32.exe
O4 - HKLM\..\RunOnce: [d3eo.exe] C:\WINDOWS\system32\d3eo.exe
O4 - HKLM\..\RunOnce: [winsc32.exe] C:\WINDOWS\winsc32.exe
O4 - HKLM\..\RunOnce: [javaqm32.exe] C:\WINDOWS\javaqm32.exe
O4 - HKLM\..\RunOnce: [javaig32.exe] C:\WINDOWS\javaig32.exe
O4 - HKLM\..\RunOnce: [cran32.exe] C:\WINDOWS\cran32.exe
O4 - HKLM\..\RunOnce: [ipvo.exe] C:\WINDOWS\ipvo.exe
O4 - HKLM\..\RunOnce: [msth.exe] C:\WINDOWS\system32\msth.exe
O4 - HKLM\..\RunOnce: [ipyb32.exe] C:\WINDOWS\system32\ipyb32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sysvt32.exe" /s (file missing)


click "fix checked"




Step #10: Backup The Registry

In the next step we are going to remove a service that gets installed by this malware.

1. Open Registrar Lite and run it.

2. Copy and paste the bold text below into the address bar of Registrar Lite (this is making a Registry backup for safety in case of error):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Go to File > Export and save as (in the C:\Program Files\Registrar Lite (Reglite) folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)
2.) Winkey.hiv (Save as type: scroll to select regedt32/WinAPI *hiv *dat files)




Step #11: Delete the Registry Entries

3. Copy and paste each line of bold text below into the address bar of Reglite one at a time:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ 11Fßä#·ºÄÖ`I
  • Click Go
  • If 11Fßä#·ºÄÖ`I exists it will be highlighted in the left pane; right click on it and choose delete from the menu.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ 11Fßä#·ºÄÖ`I
  • Click Go
  • If 11Fßä#·ºÄÖ`I exists it will be highlighted in the left pane; right click on it and choose delete from the menu.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ 11Fßä#·ºÄÖ`I
  • Click Go
  • If 11Fßä#·ºÄÖ`I exists it will be highlighted in the left pane; right click on it and choose delete from the menu.

4. Copy and paste each line of bold text below into the address bar of Registrar Lite one at a time:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ 11Fßä#·ºÄÖ`I
  • Click Go
  • If LEGACY_ 11Fßä#·ºÄÖ`I exists it will be highlighted in the left pane; right click on it and choose delete from the menu.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__ 11Fßä#·ºÄÖ`I
  • Click Go
  • If LEGACY_ 11Fßä#·ºÄÖ`I exists it will be highlighted in the left pane; right click on it and choose delete from the menu.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY__ 11Fßä#·ºÄÖ`I
  • Click Go
  • If LEGACY_ 11Fßä#·ºÄÖ`I exists it will be highlighted in the left pane; right click on it and choose delete from the menu.

If you get errors when copying and pasting the above bold entries into RegLite, please try replacing the bold text with the following abbreviated line, changed as necessary for each entry (e.g. currentcontrolset001, currentcontrolset002):
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    AND
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_

If this search finds the bad entries, please look in the left hand column for the funny looking letter/number combination and, if found, right click and choose delete for each entry.

Please be cautious in identifying the correct entries in the registry, because deleting other entries may cause serious problems with your PC.




Step #12: Fixing With CWShredder
  • CLOSE ALL WINDOWS except CWShredder
  • Run the program by clicking 'fix' and letting it fix all CWS remnants.

Step #13: Fixing With About Buster

This is the step where we will use About:Buster that you had downloaded previously.
  • Navigate to the c:\aboutbuster directory
  • Double-click on aboutbuster.exe
  • When the tool opens press the OK button, then the Start button, then the OK button, then finally the Yes button. It will start scanning your computer for files.
  • If it asks if you would like to do a second pass, allow it to do so.
  • Post the log file in your next reply

Step #14: Saving and Using a Reg File

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
and Save it on the desktop


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Reboot your computer back to normal mode


Step #15: Scan and Post a New HJT log with other logs
  • Scan again with HijackThis. We still have a few steps to complete but a log file at this time would be helpful.
  • Reconnect To The Internet
  • Post both your log from About Buster and your HijackThis log here in this thread with any questions or problems that you have run into. There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.
Take your time and Good Luck

Trevuren
  • 0
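As an added example (not code from this thread, from Geeks to Go or from HijackThis), the following Python script encodes the signals Trevuren used to pick the entries in Steps #6 to #9 above: R0/R1 search pages redirected into a res:// DLL, an O2 BHO with the generic name "Class" loaded straight from C:\WINDOWS, O4 Run/RunOnce entries launching random-named files from the Windows directory, and an O23 service with a garbled name, unknown owner and missing file. The prefix list and the name pattern are heuristics derived from the logs posted in this thread, and the sample log lines are constructed from those logs.

```python
"""Triage a HijackThis log for the about:blank / CWS hijacker pattern worked through in
this thread.  Added example: not code from the thread, Geeks to Go or HijackThis.
Usage: python hjt_triage.py hijackthis.log  (no argument: runs on the built-in sample)."""
import re
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    section: str          # HijackThis section prefix, e.g. "O4"
    reason: str           # why the line is suspicious
    path: Optional[str]   # file the entry points at, if one could be extracted
    line: str             # the offending log line


# R0/R1: IE search or start page redirected into a res:// resource inside a DLL.
RE_RES_DLL = re.compile(r"=\s*res://(?P<dll>[^\s/]+\.dll)/", re.I)
# O2: browser helper object line (name, CLSID, DLL path).
RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]{36}\} - (?P<path>.+)$", re.I)
# O4: Run / RunOnce autostart line under HKLM or HKCU.
RE_O4 = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
# O23: service line; the short name in parentheses is not always present.
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.+)$")
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no vendor subfolder).
RE_WINDIR = re.compile(r"^[A-Z]:\\WINDOWS\\(?:system32\\)?(?P<file>[^\\\"\s]+)$", re.I)
# Heuristic for this variant's generated names: system-sounding prefix + two random
# letters + optional "32", e.g. sysyq32.exe, javakz32.exe, ntmm.exe, iepo.exe.
RE_GENERATED = re.compile(
    r"^(?:add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(?:32)?\.(?:exe|dll|dat)$")


def _executable(path: str) -> str:
    """Strip quotes and arguments: '"C:\\x\\a.exe" /r' -> 'C:\\x\\a.exe'."""
    path = path.strip()
    if path.startswith('"'):
        return path[1:path.find('"', 1)]
    return path.split('"')[0].strip()


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        section = line.split(" ", 1)[0]
        if section in ("R0", "R1", "R3"):
            m = RE_RES_DLL.search(line)
            if m:
                findings.append(Finding(section, "IE search/start page points into a DLL resource", m["dll"], line))
        elif section == "O2":
            m = RE_BHO.match(line)
            if m and m["name"].strip().lower() == "class" and RE_WINDIR.match(m["path"]):
                findings.append(Finding(section, "unnamed BHO loaded from the Windows directory", m["path"], line))
        elif section == "O4":
            m = RE_O4.match(line)
            if m:
                exe = _executable(m["path"])
                w = RE_WINDIR.match(exe)
                if w and RE_GENERATED.match(w["file"].lower()):
                    findings.append(Finding(section, f"{m['key']} entry launches a generated-name file", exe, line))
        elif section == "O23":
            m = RE_O23.match(line)
            if m:
                # The thread's bad service is "Remote Procedure Call (RPC) Helper" with a garbled
                # short name; Windows' own "Remote Procedure Call (RPC)" service is legitimate.
                garbled = any(not (32 <= ord(c) < 127) for c in (m["short"] or ""))
                orphaned = m["owner"] == "Unknown owner" and "(file missing)" in m["path"]
                if garbled or orphaned:
                    findings.append(Finding(section, "service with garbled name, or unknown owner and missing file",
                                            _executable(m["path"]), line))
    return findings


def files_to_remove(findings: list[Finding]) -> list[str]:
    """Unique file paths the flagged entries point at: the delete list of Step #8."""
    return sorted({f.path for f in findings if f.path}, key=str.lower)


# Constructed sample: lines of the kind HijackThis printed in this thread, mixed with
# legitimate entries (Dell home page, QuickTime, ctfmon, ATI) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\smfen.dll/sp.html#37049
O2 - BHO: Class - {E97E5AE0-29D6-7DFA-7E92-29CC5D770DA3} - C:\WINDOWS\ipkw32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysyq32.exe] C:\WINDOWS\system32\sysyq32.exe
O4 - HKLM\..\RunOnce: [ntmm.exe] C:\WINDOWS\ntmm.exe
O4 - HKLM\..\RunOnce: [javakz32.exe] C:\WINDOWS\system32\javakz32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sysvt32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against a saved log, the output is the same list of entries the helper asked to have fixed and deleted, with `files_to_remove()` giving the delete list of Step #8; treat it as a starting point for review, not as an automatic removal.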

#8
canadiandude18

    Member

  • Topic Starter
  • Member
  • 13 posts
Hi Trev,

Just before I get going on this what will I need to do to replace the necessary files? My Windows XP cd? I want to make sure that I have everything ready before I get started.

Dean
  • 0

#9
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Dean,

Don't worry. This is a two-post process and all the info about replacing files (if you have to) and where to get them will be in part 2.


Trevuren
  • 0

#10
canadiandude18

    Member

  • Topic Starter
  • Member
  • 13 posts
Hi Trev,

Here is the HijackThis Log.

Logfile of HijackThis v1.99.1
Scan saved at 5:55:33 PM, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\iepo.exe
C:\WINDOWS\system32\apijx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {20970929-741B-E524-6A22-7A8BD24B33B9} - C:\WINDOWS\ielv.dll
O2 - BHO: Class - {33AB6D19-5A93-6B2B-C66B-A46D17FB07FC} - C:\WINDOWS\system32\atlvr.dll
O2 - BHO: Class - {92F02BED-A800-CA49-47BA-DF817710F100} - C:\WINDOWS\ntqx32.dll
O2 - BHO: Class - {98650C20-64CF-9411-679D-9E2DDABCF7AF} - C:\WINDOWS\atlxb32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {BCF3D9B9-2A98-D31B-CDFB-D21F5D81CA48} - C:\WINDOWS\system32\mfckm32.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iepo.exe] C:\WINDOWS\iepo.exe
O4 - HKLM\..\RunOnce: [sysrl32.exe] C:\WINDOWS\system32\sysrl32.exe
O4 - HKLM\..\RunOnce: [winef32.exe] C:\WINDOWS\winef32.exe
O4 - HKLM\..\RunOnce: [crrz32.exe] C:\WINDOWS\system32\crrz32.exe
O4 - HKLM\..\RunOnce: [sdksa32.exe] C:\WINDOWS\sdksa32.exe
O4 - HKLM\..\RunOnce: [mfcfc.exe] C:\WINDOWS\mfcfc.exe
O4 - HKLM\..\RunOnce: [javavr.exe] C:\WINDOWS\system32\javavr.exe
O4 - HKLM\..\RunOnce: [d3uf32.exe] C:\WINDOWS\d3uf32.exe
O4 - HKLM\..\RunOnce: [cred32.exe] C:\WINDOWS\system32\cred32.exe
O4 - HKLM\..\RunOnce: [apijx.exe] C:\WINDOWS\system32\apijx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sysrl32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Roger Stewart\Desktop\Dean's Malware Removal\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Here is the About:Buster Log:

AboutBuster 5.0 reference file 30
Scan started on [13/07/2005] at [10:30:42 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:siwuip
Removed Stream! C:\WINDOWS\brtvv.dat:uzohe
Removed Stream! C:\WINDOWS\CBCDIJKN.ini:lihzcr
Removed Stream! C:\WINDOWS\CMSETACL.LOG:fbeaz
Removed Stream! C:\WINDOWS\COMSETUP.LOG:gmuywb
Removed Stream! C:\WINDOWS\DESKTOP.INI:qnmdql
Removed Stream! C:\WINDOWS\EventSystem.log:joxrsw
Removed Stream! C:\WINDOWS\gbniz.txt:kshqfn
Removed Stream! C:\WINDOWS\Greenstone.bmp:rgxjm
Removed Stream! C:\WINDOWS\hmkmr.dat:tywtx
Removed Stream! C:\WINDOWS\hpothb07.tif:itpys
Removed Stream! C:\WINDOWS\igfvg.dat:wbuiu
Removed Stream! C:\WINDOWS\itpys.txt:obmnw
Removed Stream! C:\WINDOWS\KB873333.log:ehmvck
Removed Stream! C:\WINDOWS\KB886185.log:vysalz
Removed Stream! C:\WINDOWS\KB888302.log:rwith
Removed Stream! C:\WINDOWS\KB893086.log:qsdsc
Removed Stream! C:\WINDOWS\lablw.dat:qslfz
Removed Stream! C:\WINDOWS\mp10oem.txt:upesxj
Removed Stream! C:\WINDOWS\MSDFMAP.INI:brwjc
Removed Stream! C:\WINDOWS\nsw.log:nhwfrt
Removed Stream! C:\WINDOWS\River Sumida.bmp:bjrnmo
Removed Stream! C:\WINDOWS\setuperr.log:vikbxq
Removed Stream! C:\WINDOWS\SIERRA.INI:lwxmz
Removed Stream! C:\WINDOWS\Sti_Trace.log:hnfhsf
Removed Stream! C:\WINDOWS\SYSTEM.INI:zfcrln
Removed Stream! C:\WINDOWS\T30DebugLogFile.txt:znqnup
Removed Stream! C:\WINDOWS\wmsetup10.log:irohc
Removed Stream! C:\WINDOWS\xhbmd.log:flsoz
Removed Stream! C:\WINDOWS\yeaec.dat:iwttdb
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:awlyxm
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:axipi
------------------------------------------------
Removed File! : C:\Windows\ddlis.dll
Removed File! : C:\Windows\dkble.dat
Removed File! : C:\Windows\fdmao.dat
Removed File! : C:\Windows\fdoxj.dll
Removed File! : C:\Windows\lablw.dat
Removed File! : C:\Windows\xfkad.dat
Removed File! : C:\Windows\zrbvk.dat
Removed File! : C:\Windows\System32\acazu.dat
Removed File! : C:\Windows\System32\agrjt.dat
Removed File! : C:\Windows\System32\eggyg.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:31:00 AM


AboutBuster 5.0 reference file 30
Scan started on [13/07/2005] at [5:46:14 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\brtvv.dat:kpoxgz
Removed Stream! C:\WINDOWS\hpothb07.tif:itpysa
Removed Stream! C:\WINDOWS\xhbmd.log:pxhrx
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:acwdnk
------------------------------------------------
Removed File! : C:\Windows\sumzh.dat
Removed File! : C:\Windows\System32\fypps.dat
Removed File! : C:\Windows\System32\jgucl.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:46:33 PM


Thanks again. Still had some stuff pop up after the reboot but it wasn't as fast or as prevalent as before.

- C:\WINDOWS\system32\smfen.dll was not there.
- When we were cleaning with HijackThis, the smfen.dll processes weren't there. The sp.html#37049 was instead tagged onto a zhvmw (C:\Windows\system32\zhvmw\sp.html#37049). I assumed it had just changed again and went with it. The rest was the same as your instructions; I'm

I appreciate your help.

Dean
#11 Trevuren (Old Dog, Retired Staff, 18,699 posts)
A bit of history so you understand what is happening. This variant of the About:Blank infection mutates EVERY single time you REBOOT, turn off your system or CONNECT to the internet using INTERNET EXPLORER. It can often be one of the most difficult infections to cure. You can't kill it off piece by piece because if one piece is missing the others sense it and regenerate replacements that are different. If this approach does not work, we will adopt a slightly different strategy to get the little devils. I used the plural because you are constantly re-infecting your machine by using it in the ways mentioned above.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please download and install these programs - DON'T RUN THEM YET!!
  • Please download and unzip About:Buster to a folder on your Desktop. Inside the folder is a readme file that has instructions on the use of the program.
    • AboutBuster MUST be updated before you use it.
    • Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.
  • Please download and install AD-Aware.
    Check Here on how to set up and use it - please make sure you update it first.

  • Download HSfix from HERE and unzip it to your desktop.


  • Download CW-Shredder at the link below:
    http://cwshredder.ne...CWSshtreder.exe

  • Open Windows Explorer & Go to Tools > Folder Options.
    • Click on the View tab and make sure that "Show hidden files and folders" is checked.
    • Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" .
    • Now click "Apply to all folders"
    • Click "Apply" then "OK"
  • For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that.
    Do this so you can see hidden files and folders - click HERE to download XPhidden.zip by David Higham. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.
+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:


1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Click on the Extended Tab.

Scroll down and find the service called:

Workstation NetLogon Service

2. When you find it,
  • double-click on it.
  • In the next window that opens, click the Stop button
  • Then click on properties and under the General Tab
  • Change the Startup Type to Disabled.
  • Now hit Apply and then Ok and close any open windows.
If you don't find this service listed, go ahead with the next steps.

3. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

4. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

C:\WINDOWS\iepo.exe
C:\WINDOWS\system32\apijx.exe


If you find the files, highlight them, and then click End Process => Exit the Task Manager.


5. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {20970929-741B-E524-6A22-7A8BD24B33B9} - C:\WINDOWS\ielv.dll
O2 - BHO: Class - {33AB6D19-5A93-6B2B-C66B-A46D17FB07FC} - C:\WINDOWS\system32\atlvr.dll
O2 - BHO: Class - {92F02BED-A800-CA49-47BA-DF817710F100} - C:\WINDOWS\ntqx32.dll
O2 - BHO: Class - {98650C20-64CF-9411-679D-9E2DDABCF7AF} - C:\WINDOWS\atlxb32.dll
O2 - BHO: Class - {BCF3D9B9-2A98-D31B-CDFB-D21F5D81CA48} - C:\WINDOWS\system32\mfckm32.dll
O4 - HKLM\..\Run: [iepo.exe] C:\WINDOWS\iepo.exe
O4 - HKLM\..\RunOnce: [sysrl32.exe] C:\WINDOWS\system32\sysrl32.exe
O4 - HKLM\..\RunOnce: [winef32.exe] C:\WINDOWS\winef32.exe
O4 - HKLM\..\RunOnce: [crrz32.exe] C:\WINDOWS\system32\crrz32.exe
O4 - HKLM\..\RunOnce: [sdksa32.exe] C:\WINDOWS\sdksa32.exe
O4 - HKLM\..\RunOnce: [mfcfc.exe] C:\WINDOWS\mfcfc.exe
O4 - HKLM\..\RunOnce: [javavr.exe] C:\WINDOWS\system32\javavr.exe
O4 - HKLM\..\RunOnce: [d3uf32.exe] C:\WINDOWS\d3uf32.exe
O4 - HKLM\..\RunOnce: [cred32.exe] C:\WINDOWS\system32\cred32.exe
O4 - HKLM\..\RunOnce: [apijx.exe] C:\WINDOWS\system32\apijx.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sysrl32.exe" /s (file missing)



6. Delete the following files if present:

If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked; if it is, uncheck it and try again.

C:\WINDOWS\iepo.exe
C:\WINDOWS\system32\apijx.exe
C:\WINDOWS\ielv.dll
C:\WINDOWS\system32\atlvr.dll
C:\WINDOWS\ntqx32.dll
C:\WINDOWS\atlxb32.dll
C:\WINDOWS\system32\mfckm32.dll
C:\WINDOWS\system32\sysrl32.exe
C:\WINDOWS\winef32.exe
C:\WINDOWS\system32\crrz32.exe
C:\WINDOWS\sdksa32.exe
C:\WINDOWS\mfcfc.exe
C:\WINDOWS\system32\javavr.exe
C:\WINDOWS\d3uf32.exe
C:\WINDOWS\system32\cred32.exe
C:\WINDOWS\system32\sysrl32.e

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

7. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

8. Scan with AdAware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin


10. Double click on the HSfix and when asked to merge say yes.

11. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

12. Reboot into normal mode.

13. Download the Hoster from:HERE. Press "Restore Original Hosts" and press "OK". Exit Program.

14. Download and run this online virus scan (the site is often slow to appear):
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean"

If it says that you need to download an ActiveX element from their site, please do so. It is safe.

15. Reboot and post a fresh Hijack This log for review.

Regards,

Trevuren

Edited by Trevuren, 13 July 2005 - 06:30 PM.

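Steps 5 and 6 of the fix above are done by hand: reading the HijackThis log and deciding which entries belong to the infection and which are vendor software. The following Python script is an added example, not part of the original posts and not HijackThis code; it automates that sorting for this variant using rules inferred from the logs posted in this thread (Run/RunOnce values named after the file they launch, file names built from a short prefix plus two random letters and an optional "32" directly under C:\WINDOWS or system32, BHOs registered with no display name, res:// search hijacks into a local DLL, and a service with a garbled name, unknown owner and missing binary). The prefix list and the "Unknown owner" check are assumptions drawn from those logs, not a published signature; the sample lines are copied from the logs in this thread.

```python
"""Triage a HijackThis 1.99.x log for the randomly named About:Blank/CWS
loader entries seen in this thread.

Added example: not HijackThis code and not part of the original posts.
It reproduces the manual sorting of steps 5 and 6 of the fix: which log
entries to tick for "Fix checked" and which files to delete.  The rules
are heuristics inferred from the posted logs, not a published signature.
"""
import re
from dataclasses import dataclass, field

# Name prefixes the loader was observed to draw from in the posted logs
# (assumption), followed by two random letters, optional "32", then an
# .exe/.dll/.dat extension.
PREFIXES = ("api", "app", "atl", "add", "cr", "d3", "ie", "ip", "java",
            "mfc", "ms", "net", "nt", "sdk", "sys", "win")
RANDOM_NAME_RE = re.compile(
    r"^(?:" + "|".join(PREFIXES) + r")[a-z]{2}(?:32)?\.(?:exe|dll|dat)$",
    re.IGNORECASE)
# A file directly under C:\WINDOWS or C:\WINDOWS\system32 (no deeper).
WINDOWS_FILE_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?([^\\]+)$",
                             re.IGNORECASE)
# First drive-letter path ending in .exe/.dll/.dat in a command line,
# quoted or not.
PATH_RE = re.compile(r'"?([a-z]:\\[^"]*?\.(?:exe|dll|dat))', re.IGNORECASE)


@dataclass
class Triage:
    fix_lines: list = field(default_factory=list)     # step 5: tick in HJT
    delete_files: list = field(default_factory=list)  # step 6: delete


def random_loader_name(path):
    """True when `path` sits directly in the Windows or system32 directory
    and its file name follows the prefix + 2 letters (+32) scheme.  A few
    legitimate binaries (netsh.exe) also match, so this is only applied to
    autorun, BHO and service entries, never to arbitrary files."""
    m = WINDOWS_FILE_RE.match(path)
    return bool(m and RANDOM_NAME_RE.match(m.group(1)))


def _add_unique(items, value):
    if value.lower() not in (i.lower() for i in items):
        items.append(value)


def triage(log_lines):
    """Classify HJT log lines; returns a Triage with the two lists."""
    t = Triage()
    for raw in log_lines:
        line = raw.strip()
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1") and "res://" in line:
            # Start/search page served from a resource inside a local DLL:
            # the DLL is the hijack payload, so it goes on the delete list.
            t.fix_lines.append(line)
            _add_unique(t.delete_files,
                        re.search(r"res://([^/]+\.dll)", line, re.I).group(1))
        elif line.startswith("R3 - Default URLSearchHook is missing"):
            t.fix_lines.append(line)  # HJT restores the default hook
        elif kind == "O2":
            m = re.match(r"O2 - BHO: (.*?) - \{[0-9a-f-]+\} - (.*)$", line, re.I)
            # This variant registers its BHOs with no display name ("Class");
            # requiring the random file name too keeps the rule conservative.
            if m and m.group(1) in ("Class", "(no name)") \
                    and random_loader_name(m.group(2)):
                t.fix_lines.append(line)
                _add_unique(t.delete_files, m.group(2))
        elif kind == "O4":
            m = re.match(r"O4 - HK(?:LM|CU)\\\.\.\\(?:Run|RunOnce): "
                         r"\[([^\]]+)\] (.*)$", line)
            if m:
                name, cmd = m.groups()
                p = PATH_RE.search(cmd)
                path = p.group(1) if p else ""
                # Loader tell: the Run value is named after the file itself
                # ([iepo.exe] C:\WINDOWS\iepo.exe), unlike vendor entries.
                if path and name.lower() == path.rsplit("\\", 1)[-1].lower() \
                        and random_loader_name(path):
                    t.fix_lines.append(line)
                    _add_unique(t.delete_files, path)
        elif kind == "O23":
            m = re.match(r"O23 - Service: (.*?) - (.*?) - (.*)$", line)
            if m:
                name, owner, cmd = m.groups()
                p = PATH_RE.search(cmd)
                path = p.group(1) if p else ""
                garbled = any(ord(c) > 126 for c in name)  # non-ASCII junk
                if owner == "Unknown owner" and (garbled or random_loader_name(path)):
                    t.fix_lines.append(line)
                    if path:
                        _add_unique(t.delete_files, path)
    return t


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ugfdq.dll/sp.html#37049",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: Class - {20970929-741B-E524-6A22-7A8BD24B33B9} - C:\WINDOWS\ielv.dll",
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe",
    r"O4 - HKLM\..\Run: [iepo.exe] C:\WINDOWS\iepo.exe",
    r"O4 - HKLM\..\RunOnce: [sysrl32.exe] C:\WINDOWS\system32\sysrl32.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sysrl32.exe" /s (file missing)',
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("HJT entries to fix:")
    for entry in result.fix_lines:
        print("  " + entry)
    print("Files to delete:")
    for f in result.delete_files:
        print("  " + f)
```

Because this variant renames everything at every reboot, the script only makes sense on a log taken in the same session in which the files are deleted; a list produced before the safe-mode reboot will not match the names present afterwards. The rules are deliberately narrow (value name equal to file name, unknown service owner, BHO with no display name), so a legitimate system binary whose name happens to fit the pattern is not flagged unless it also shows one of those registration tells.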

#12 canadiandude18 (Topic Starter, Member, 13 posts)
Hi Trev,

I haven't done the above yet. I was sick yesterday and didn't get to it. I'm going to try the process today, but if it shifts when we reboot, what happens when I reboot into safe mode?

Dean

#13 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Just complete the fix please. Thanks


Trevuren


#14 canadiandude18 (Topic Starter, Member, 13 posts)
Hi Trev,

Thanks again for the help. Just some quick notes. I couldn't run the Trend Microsystems online scan. When I originally tried to open IE, it just gave me the error reporting screen. Eventually it came up with the Microsoft Help page telling me how to do a basic troubleshoot of IE.

I tried the scan twice, only ever reaching the stage where I was asked to install the ActiveX control for the site. I clicked run and IE crashed. I tried once more, but wanted to limit my net activity. Anyway, here is the HijackThis log file. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 5:11:12 PM, on 15/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\mskl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\winsu.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ugfdq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ugfdq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ugfdq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ugfdq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ugfdq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ugfdq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ugfdq.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {10093460-6F53-E394-D35F-77E61A43FF4C} - C:\WINDOWS\system32\appdi.dll
O2 - BHO: Class - {4600A8E2-F7BC-32D2-2B42-0CAB9CAC3C8D} - C:\WINDOWS\mskl.dll
O2 - BHO: Class - {797CF3F6-DFA4-7C09-D2A7-116A21249ABF} - C:\WINDOWS\system32\ippn32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {E5F0C91D-B125-C770-69FE-FB3428702538} - C:\WINDOWS\system32\sysmn.dll
O2 - BHO: Class - {FA368488-8008-3889-4E2F-86BBFD486BD2} - C:\WINDOWS\system32\d3ga32.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [atlnh.exe] C:\WINDOWS\system32\atlnh.exe
O4 - HKLM\..\Run: [sysmn.exe] C:\WINDOWS\system32\sysmn.exe
O4 - HKLM\..\Run: [mskl.exe] C:\WINDOWS\mskl.exe
O4 - HKLM\..\RunOnce: [javaxi.exe] C:\WINDOWS\system32\javaxi.exe
O4 - HKLM\..\RunOnce: [apick.exe] C:\WINDOWS\apick.exe
O4 - HKLM\..\RunOnce: [ntar32.exe] C:\WINDOWS\ntar32.exe
O4 - HKLM\..\RunOnce: [atlgl.exe] C:\WINDOWS\atlgl.exe
O4 - HKLM\..\RunOnce: [syszo.exe] C:\WINDOWS\system32\syszo.exe
O4 - HKLM\..\RunOnce: [atlop32.exe] C:\WINDOWS\atlop32.exe
O4 - HKLM\..\RunOnce: [mfcza32.exe] C:\WINDOWS\system32\mfcza32.exe
O4 - HKLM\..\RunOnce: [sysew32.exe] C:\WINDOWS\system32\sysew32.exe
O4 - HKLM\..\RunOnce: [apizi.exe] C:\WINDOWS\system32\apizi.exe
O4 - HKLM\..\RunOnce: [atlcu32.exe] C:\WINDOWS\system32\atlcu32.exe
O4 - HKLM\..\RunOnce: [netqu32.exe] C:\WINDOWS\system32\netqu32.exe
O4 - HKLM\..\RunOnce: [mfcay.exe] C:\WINDOWS\mfcay.exe
O4 - HKLM\..\RunOnce: [iebk.exe] C:\WINDOWS\system32\iebk.exe
O4 - HKLM\..\RunOnce: [ieim32.exe] C:\WINDOWS\ieim32.exe
O4 - HKLM\..\RunOnce: [mfcqh32.exe] C:\WINDOWS\mfcqh32.exe
O4 - HKLM\..\RunOnce: [apiyx.exe] C:\WINDOWS\apiyx.exe
O4 - HKLM\..\RunOnce: [mfczx.exe] C:\WINDOWS\system32\mfczx.exe
O4 - HKLM\..\RunOnce: [sdkom32.exe] C:\WINDOWS\sdkom32.exe
O4 - HKLM\..\RunOnce: [msmu32.exe] C:\WINDOWS\msmu32.exe
O4 - HKLM\..\RunOnce: [crif.exe] C:\WINDOWS\crif.exe
O4 - HKLM\..\RunOnce: [apigv32.exe] C:\WINDOWS\apigv32.exe
O4 - HKLM\..\RunOnce: [appft.exe] C:\WINDOWS\system32\appft.exe
O4 - HKLM\..\RunOnce: [addft.exe] C:\WINDOWS\addft.exe
O4 - HKLM\..\RunOnce: [apiys.exe] C:\WINDOWS\system32\apiys.exe
O4 - HKLM\..\RunOnce: [apiga.exe] C:\WINDOWS\system32\apiga.exe
O4 - HKLM\..\RunOnce: [sdkra32.exe] C:\WINDOWS\system32\sdkra32.exe
O4 - HKLM\..\RunOnce: [d3hi.exe] C:\WINDOWS\system32\d3hi.exe
O4 - HKLM\..\RunOnce: [addlm32.exe] C:\WINDOWS\system32\addlm32.exe
O4 - HKLM\..\RunOnce: [sdktc32.exe] C:\WINDOWS\system32\sdktc32.exe
O4 - HKLM\..\RunOnce: [addct32.exe] C:\WINDOWS\addct32.exe
O4 - HKLM\..\RunOnce: [javavm32.exe] C:\WINDOWS\javavm32.exe
O4 - HKLM\..\RunOnce: [addqx32.exe] C:\WINDOWS\system32\addqx32.exe
O4 - HKLM\..\RunOnce: [crek.exe] C:\WINDOWS\crek.exe
O4 - HKLM\..\RunOnce: [wintz32.exe] C:\WINDOWS\wintz32.exe
O4 - HKLM\..\RunOnce: [mfcrh.exe] C:\WINDOWS\mfcrh.exe
O4 - HKLM\..\RunOnce: [cran32.exe] C:\WINDOWS\system32\cran32.exe
O4 - HKLM\..\RunOnce: [d3ad.exe] C:\WINDOWS\system32\d3ad.exe
O4 - HKLM\..\RunOnce: [sdkeh32.exe] C:\WINDOWS\system32\sdkeh32.exe
O4 - HKLM\..\RunOnce: [mfcuw.exe] C:\WINDOWS\mfcuw.exe
O4 - HKLM\..\RunOnce: [crsb32.exe] C:\WINDOWS\crsb32.exe
O4 - HKLM\..\RunOnce: [d3rj.exe] C:\WINDOWS\d3rj.exe
O4 - HKLM\..\RunOnce: [javaak.exe] C:\WINDOWS\system32\javaak.exe
O4 - HKLM\..\RunOnce: [winqz.exe] C:\WINDOWS\winqz.exe
O4 - HKLM\..\RunOnce: [winem.exe] C:\WINDOWS\system32\winem.exe
O4 - HKLM\..\RunOnce: [addka32.exe] C:\WINDOWS\system32\addka32.exe
O4 - HKLM\..\RunOnce: [winyx32.exe] C:\WINDOWS\system32\winyx32.exe
O4 - HKLM\..\RunOnce: [crdb32.exe] C:\WINDOWS\system32\crdb32.exe
O4 - HKLM\..\RunOnce: [atlls32.exe] C:\WINDOWS\atlls32.exe
O4 - HKLM\..\RunOnce: [javavy.exe] C:\WINDOWS\javavy.exe
O4 - HKLM\..\RunOnce: [atliu.exe] C:\WINDOWS\system32\atliu.exe
O4 - HKLM\..\RunOnce: [ipey32.exe] C:\WINDOWS\ipey32.exe
O4 - HKLM\..\RunOnce: [apioz.exe] C:\WINDOWS\system32\apioz.exe
O4 - HKLM\..\RunOnce: [sysnp32.exe] C:\WINDOWS\system32\sysnp32.exe
O4 - HKLM\..\RunOnce: [netqa32.exe] C:\WINDOWS\system32\netqa32.exe
O4 - HKLM\..\RunOnce: [sdkuf.exe] C:\WINDOWS\sdkuf.exe
O4 - HKLM\..\RunOnce: [ipdf32.exe] C:\WINDOWS\system32\ipdf32.exe
O4 - HKLM\..\RunOnce: [ipkc32.exe] C:\WINDOWS\ipkc32.exe
O4 - HKLM\..\RunOnce: [addpy32.exe] C:\WINDOWS\addpy32.exe
O4 - HKLM\..\RunOnce: [ipss32.exe] C:\WINDOWS\ipss32.exe
O4 - HKLM\..\RunOnce: [atlqq32.exe] C:\WINDOWS\system32\atlqq32.exe
O4 - HKLM\..\RunOnce: [sdktb32.exe] C:\WINDOWS\system32\sdktb32.exe
O4 - HKLM\..\RunOnce: [d3yg.exe] C:\WINDOWS\d3yg.exe
O4 - HKLM\..\RunOnce: [ntgb32.exe] C:\WINDOWS\ntgb32.exe
O4 - HKLM\..\RunOnce: [msbn.exe] C:\WINDOWS\msbn.exe
O4 - HKLM\..\RunOnce: [mspk32.exe] C:\WINDOWS\mspk32.exe
O4 - HKLM\..\RunOnce: [msdh32.exe] C:\WINDOWS\system32\msdh32.exe
O4 - HKLM\..\RunOnce: [iedp32.exe] C:\WINDOWS\system32\iedp32.exe
O4 - HKLM\..\RunOnce: [sysfg32.exe] C:\WINDOWS\sysfg32.exe
O4 - HKLM\..\RunOnce: [addll32.exe] C:\WINDOWS\addll32.exe
O4 - HKLM\..\RunOnce: [winzi.exe] C:\WINDOWS\winzi.exe
O4 - HKLM\..\RunOnce: [javasb.exe] C:\WINDOWS\system32\javasb.exe
O4 - HKLM\..\RunOnce: [javahw32.exe] C:\WINDOWS\javahw32.exe
O4 - HKLM\..\RunOnce: [mfcms32.exe] C:\WINDOWS\system32\mfcms32.exe
O4 - HKLM\..\RunOnce: [crpe.exe] C:\WINDOWS\crpe.exe
O4 - HKLM\..\RunOnce: [iplq32.exe] C:\WINDOWS\system32\iplq32.exe
O4 - HKLM\..\RunOnce: [atljx.exe] C:\WINDOWS\atljx.exe
O4 - HKLM\..\RunOnce: [iein32.exe] C:\WINDOWS\iein32.exe
O4 - HKLM\..\RunOnce: [javazc32.exe] C:\WINDOWS\system32\javazc32.exe
O4 - HKLM\..\RunOnce: [sdkhs.exe] C:\WINDOWS\sdkhs.exe
O4 - HKLM\..\RunOnce: [d3mx32.exe] C:\WINDOWS\system32\d3mx32.exe
O4 - HKLM\..\RunOnce: [msfi.exe] C:\WINDOWS\msfi.exe
O4 - HKLM\..\RunOnce: [winzj32.exe] C:\WINDOWS\winzj32.exe
O4 - HKLM\..\RunOnce: [javasc32.exe] C:\WINDOWS\javasc32.exe
O4 - HKLM\..\RunOnce: [atlss.exe] C:\WINDOWS\atlss.exe
O4 - HKLM\..\RunOnce: [appat32.exe] C:\WINDOWS\system32\appat32.exe
O4 - HKLM\..\RunOnce: [iezw32.exe] C:\WINDOWS\iezw32.exe
O4 - HKLM\..\RunOnce: [apppd.exe] C:\WINDOWS\apppd.exe
O4 - HKLM\..\RunOnce: [nettz32.exe] C:\WINDOWS\system32\nettz32.exe
O4 - HKLM\..\RunOnce: [atldi.exe] C:\WINDOWS\atldi.exe
O4 - HKLM\..\RunOnce: [mfcxt32.exe] C:\WINDOWS\mfcxt32.exe
O4 - HKLM\..\RunOnce: [iecy32.exe] C:\WINDOWS\iecy32.exe
O4 - HKLM\..\RunOnce: [apizl32.exe] C:\WINDOWS\system32\apizl32.exe
O4 - HKLM\..\RunOnce: [netzt32.exe] C:\WINDOWS\system32\netzt32.exe
O4 - HKLM\..\RunOnce: [sdkdx.exe] C:\WINDOWS\sdkdx.exe
O4 - HKLM\..\RunOnce: [appfq32.exe] C:\WINDOWS\appfq32.exe
O4 - HKLM\..\RunOnce: [javaoh32.exe] C:\WINDOWS\javaoh32.exe
O4 - HKLM\..\RunOnce: [addxn.exe] C:\WINDOWS\addxn.exe
O4 - HKLM\..\RunOnce: [netmk32.exe] C:\WINDOWS\system32\netmk32.exe
O4 - HKLM\..\RunOnce: [crqw.exe] C:\WINDOWS\system32\crqw.exe
O4 - HKLM\..\RunOnce: [d3wt32.exe] C:\WINDOWS\system32\d3wt32.exe
O4 - HKLM\..\RunOnce: [d3ki32.exe] C:\WINDOWS\d3ki32.exe
O4 - HKLM\..\RunOnce: [ieyc32.exe] C:\WINDOWS\ieyc32.exe
O4 - HKLM\..\RunOnce: [msmz32.exe] C:\WINDOWS\system32\msmz32.exe
O4 - HKLM\..\RunOnce: [winam32.exe] C:\WINDOWS\system32\winam32.exe
O4 - HKLM\..\RunOnce: [winuf.exe] C:\WINDOWS\system32\winuf.exe
O4 - HKLM\..\RunOnce: [sdkhc.exe] C:\WINDOWS\sdkhc.exe
O4 - HKLM\..\RunOnce: [ierc.exe] C:\WINDOWS\system32\ierc.exe
O4 - HKLM\..\RunOnce: [ieaq.exe] C:\WINDOWS\system32\ieaq.exe
O4 - HKLM\..\RunOnce: [atlqg32.exe] C:\WINDOWS\system32\atlqg32.exe
O4 - HKLM\..\RunOnce: [apibr.exe] C:\WINDOWS\system32\apibr.exe
O4 - HKLM\..\RunOnce: [sysig32.exe] C:\WINDOWS\system32\sysig32.exe
O4 - HKLM\..\RunOnce: [ieda32.exe] C:\WINDOWS\system32\ieda32.exe
O4 - HKLM\..\RunOnce: [atlhm.exe] C:\WINDOWS\atlhm.exe
O4 - HKLM\..\RunOnce: [sdkwb32.exe] C:\WINDOWS\system32\sdkwb32.exe
O4 - HKLM\..\RunOnce: [d3ur.exe] C:\WINDOWS\system32\d3ur.exe
O4 - HKLM\..\RunOnce: [winqn32.exe] C:\WINDOWS\system32\winqn32.exe
O4 - HKLM\..\RunOnce: [ieav.exe] C:\WINDOWS\system32\ieav.exe
O4 - HKLM\..\RunOnce: [ienk32.exe] C:\WINDOWS\system32\ienk32.exe
O4 - HKLM\..\RunOnce: [ieuh32.exe] C:\WINDOWS\ieuh32.exe
O4 - HKLM\..\RunOnce: [ntzl32.exe] C:\WINDOWS\system32\ntzl32.exe
O4 - HKLM\..\RunOnce: [apphb.exe] C:\WINDOWS\system32\apphb.exe
O4 - HKLM\..\RunOnce: [winhb32.exe] C:\WINDOWS\winhb32.exe
O4 - HKLM\..\RunOnce: [msox32.exe] C:\WINDOWS\system32\msox32.exe
O4 - HKLM\..\RunOnce: [apiii32.exe] C:\WINDOWS\apiii32.exe
O4 - HKLM\..\RunOnce: [appsj.exe] C:\WINDOWS\system32\appsj.exe
O4 - HKLM\..\RunOnce: [appmc32.exe] C:\WINDOWS\system32\appmc32.exe
O4 - HKLM\..\RunOnce: [atlmk32.exe] C:\WINDOWS\system32\atlmk32.exe
O4 - HKLM\..\RunOnce: [netqo.exe] C:\WINDOWS\netqo.exe
O4 - HKLM\..\RunOnce: [sysli32.exe] C:\WINDOWS\sysli32.exe
O4 - HKLM\..\RunOnce: [apiou32.exe] C:\WINDOWS\apiou32.exe
O4 - HKLM\..\RunOnce: [ntsy.exe] C:\WINDOWS\system32\ntsy.exe
O4 - HKLM\..\RunOnce: [netbg32.exe] C:\WINDOWS\netbg32.exe
O4 - HKLM\..\RunOnce: [ippl32.exe] C:\WINDOWS\system32\ippl32.exe
O4 - HKLM\..\RunOnce: [crxp32.exe] C:\WINDOWS\system32\crxp32.exe
O4 - HKLM\..\RunOnce: [ipvm.exe] C:\WINDOWS\ipvm.exe
O4 - HKLM\..\RunOnce: [netvm.exe] C:\WINDOWS\system32\netvm.exe
O4 - HKLM\..\RunOnce: [sysjr32.exe] C:\WINDOWS\sysjr32.exe
O4 - HKLM\..\RunOnce: [msev.exe] C:\WINDOWS\system32\msev.exe
O4 - HKLM\..\RunOnce: [ntdk32.exe] C:\WINDOWS\ntdk32.exe
O4 - HKLM\..\RunOnce: [mfcta32.exe] C:\WINDOWS\system32\mfcta32.exe
O4 - HKLM\..\RunOnce: [mfcbi.exe] C:\WINDOWS\system32\mfcbi.exe
O4 - HKLM\..\RunOnce: [atlci.exe] C:\WINDOWS\atlci.exe
O4 - HKLM\..\RunOnce: [javalq.exe] C:\WINDOWS\javalq.exe
O4 - HKLM\..\RunOnce: [addiw.exe] C:\WINDOWS\system32\addiw.exe
O4 - HKLM\..\RunOnce: [crhd32.exe] C:\WINDOWS\system32\crhd32.exe
O4 - HKLM\..\RunOnce: [ipmn.exe] C:\WINDOWS\system32\ipmn.exe
O4 - HKLM\..\RunOnce: [apptt.exe] C:\WINDOWS\apptt.exe
O4 - HKLM\..\RunOnce: [appnf32.exe] C:\WINDOWS\appnf32.exe
O4 - HKLM\..\RunOnce: [atlnn32.exe] C:\WINDOWS\atlnn32.exe
O4 - HKLM\..\RunOnce: [apiaz32.exe] C:\WINDOWS\apiaz32.exe
O4 - HKLM\..\RunOnce: [apivl.exe] C:\WINDOWS\system32\apivl.exe
O4 - HKLM\..\RunOnce: [addyx32.exe] C:\WINDOWS\system32\addyx32.exe
O4 - HKLM\..\RunOnce: [d3dt32.exe] C:\WINDOWS\system32\d3dt32.exe
O4 - HKLM\..\RunOnce: [appyf.exe] C:\WINDOWS\appyf.exe
O4 - HKLM\..\RunOnce: [syscr.exe] C:\WINDOWS\syscr.exe
O4 - HKLM\..\RunOnce: [mfcrg32.exe] C:\WINDOWS\system32\mfcrg32.exe
O4 - HKLM\..\RunOnce: [sysrt32.exe] C:\WINDOWS\system32\sysrt32.exe
O4 - HKLM\..\RunOnce: [winzb32.exe] C:\WINDOWS\winzb32.exe
O4 - HKLM\..\RunOnce: [nths.exe] C:\WINDOWS\nths.exe
O4 - HKLM\..\RunOnce: [mfcdc32.exe] C:\WINDOWS\mfcdc32.exe
O4 - HKLM\..\RunOnce: [nethh.exe] C:\WINDOWS\nethh.exe
O4 - HKLM\..\RunOnce: [apixe32.exe] C:\WINDOWS\apixe32.exe
O4 - HKLM\..\RunOnce: [sysba.exe] C:\WINDOWS\sysba.exe
O4 - HKLM\..\RunOnce: [d3av32.exe] C:\WINDOWS\system32\d3av32.exe
O4 - HKLM\..\RunOnce: [netfa32.exe] C:\WINDOWS\system32\netfa32.exe
O4 - HKLM\..\RunOnce: [msil32.exe] C:\WINDOWS\system32\msil32.exe
O4 - HKLM\..\RunOnce: [ienq32.exe] C:\WINDOWS\system32\ienq32.exe
O4 - HKLM\..\RunOnce: [iecn.exe] C:\WINDOWS\iecn.exe
O4 - HKLM\..\RunOnce: [iehj.exe] C:\WINDOWS\iehj.exe
O4 - HKLM\..\RunOnce: [ntvg.exe] C:\WINDOWS\ntvg.exe
O4 - HKLM\..\RunOnce: [mfcnx.exe] C:\WINDOWS\mfcnx.exe
O4 - HKLM\..\RunOnce: [sdkjb32.exe] C:\WINDOWS\sdkjb32.exe
O4 - HKLM\..\RunOnce: [nettc.exe] C:\WINDOWS\nettc.exe
O4 - HKLM\..\RunOnce: [netvn32.exe] C:\WINDOWS\system32\netvn32.exe
O4 - HKLM\..\RunOnce: [addsr32.exe] C:\WINDOWS\addsr32.exe
O4 - HKLM\..\RunOnce: [crtq.exe] C:\WINDOWS\system32\crtq.exe
O4 - HKLM\..\RunOnce: [appcz.exe] C:\WINDOWS\system32\appcz.exe
O4 - HKLM\..\RunOnce: [ipmz.exe] C:\WINDOWS\ipmz.exe
O4 - HKLM\..\RunOnce: [mfcid.exe] C:\WINDOWS\system32\mfcid.exe
O4 - HKLM\..\RunOnce: [d3wi32.exe] C:\WINDOWS\system32\d3wi32.exe
O4 - HKLM\..\RunOnce: [sysup.exe] C:\WINDOWS\system32\sysup.exe
O4 - HKLM\..\RunOnce: [atlqt.exe] C:\WINDOWS\atlqt.exe
O4 - HKLM\..\RunOnce: [ipjm32.exe] C:\WINDOWS\system32\ipjm32.exe
O4 - HKLM\..\RunOnce: [sysdy32.exe] C:\WINDOWS\sysdy32.exe
O4 - HKLM\..\RunOnce: [d3mg.exe] C:\WINDOWS\system32\d3mg.exe
O4 - HKLM\..\RunOnce: [mssv32.exe] C:\WINDOWS\mssv32.exe
O4 - HKLM\..\RunOnce: [d3hs32.exe] C:\WINDOWS\system32\d3hs32.exe
O4 - HKLM\..\RunOnce: [msgi32.exe] C:\WINDOWS\system32\msgi32.exe
O4 - HKLM\..\RunOnce: [winlm.exe] C:\WINDOWS\winlm.exe
O4 - HKLM\..\RunOnce: [iejj32.exe] C:\WINDOWS\iejj32.exe
O4 - HKLM\..\RunOnce: [winip.exe] C:\WINDOWS\system32\winip.exe
O4 - HKLM\..\RunOnce: [iexe.exe] C:\WINDOWS\system32\iexe.exe
O4 - HKLM\..\RunOnce: [sdkix32.exe] C:\WINDOWS\sdkix32.exe
O4 - HKLM\..\RunOnce: [javati.exe] C:\WINDOWS\javati.exe
O4 - HKLM\..\RunOnce: [iexm.exe] C:\WINDOWS\system32\iexm.exe
O4 - HKLM\..\RunOnce: [appin32.exe] C:\WINDOWS\appin32.exe
O4 - HKLM\..\RunOnce: [winfk32.exe] C:\WINDOWS\winfk32.exe
O4 - HKLM\..\RunOnce: [msdh.exe] C:\WINDOWS\system32\msdh.exe
O4 - HKLM\..\RunOnce: [crei.exe] C:\WINDOWS\crei.exe
O4 - HKLM\..\RunOnce: [addtx32.exe] C:\WINDOWS\system32\addtx32.exe
O4 - HKLM\..\RunOnce: [atlnq.exe] C:\WINDOWS\atlnq.exe
O4 - HKLM\..\RunOnce: [mfcjd32.exe] C:\WINDOWS\system32\mfcjd32.exe
O4 - HKLM\..\RunOnce: [winzs32.exe] C:\WINDOWS\winzs32.exe
O4 - HKLM\..\RunOnce: [winqp.exe] C:\WINDOWS\winqp.exe
O4 - HKLM\..\RunOnce: [sdkvl.exe] C:\WINDOWS\system32\sdkvl.exe
O4 - HKLM\..\RunOnce: [addqx.exe] C:\WINDOWS\addqx.exe
O4 - HKLM\..\RunOnce: [iefm.exe] C:\WINDOWS\iefm.exe
O4 - HKLM\..\RunOnce: [sdkqf32.exe] C:\WINDOWS\system32\sdkqf32.exe
O4 - HKLM\..\RunOnce: [atlxv32.exe] C:\WINDOWS\system32\atlxv32.exe
O4 - HKLM\..\RunOnce: [ntva32.exe] C:\WINDOWS\system32\ntva32.exe
O4 - HKLM\..\RunOnce: [appaw32.exe] C:\WINDOWS\system32\appaw32.exe
O4 - HKLM\..\RunOnce: [sdkvi32.exe] C:\WINDOWS\system32\sdkvi32.exe
O4 - HKLM\..\RunOnce: [javajn32.exe] C:\WINDOWS\system32\javajn32.exe
O4 - HKLM\..\RunOnce: [addys.exe] C:\WINDOWS\addys.exe
O4 - HKLM\..\RunOnce: [crff32.exe] C:\WINDOWS\crff32.exe
O4 - HKLM\..\RunOnce: [appar32.exe] C:\WINDOWS\system32\appar32.exe
O4 - HKLM\..\RunOnce: [mfcfv.exe] C:\WINDOWS\mfcfv.exe
O4 - HKLM\..\RunOnce: [addxm.exe] C:\WINDOWS\system32\addxm.exe
O4 - HKLM\..\RunOnce: [msqf32.exe] C:\WINDOWS\system32\msqf32.exe
O4 - HKLM\..\RunOnce: [iebq.exe] C:\WINDOWS\iebq.exe
O4 - HKLM\..\RunOnce: [appfu.exe] C:\WINDOWS\appfu.exe
O4 - HKLM\..\RunOnce: [crob32.exe] C:\WINDOWS\crob32.exe
O4 - HKLM\..\RunOnce: [msng.exe] C:\WINDOWS\system32\msng.exe
O4 - HKLM\..\RunOnce: [javadv.exe] C:\WINDOWS\system32\javadv.exe
O4 - HKLM\..\RunOnce: [netvo32.exe] C:\WINDOWS\netvo32.exe
O4 - HKLM\..\RunOnce: [crkd.exe] C:\WINDOWS\system32\crkd.exe
O4 - HKLM\..\RunOnce: [sysve32.exe] C:\WINDOWS\sysve32.exe
O4 - HKLM\..\RunOnce: [ippq32.exe] C:\WINDOWS\system32\ippq32.exe
O4 - HKLM\..\RunOnce: [mfczq.exe] C:\WINDOWS\system32\mfczq.exe
O4 - HKLM\..\RunOnce: [apien32.exe] C:\WINDOWS\system32\apien32.exe
O4 - HKLM\..\RunOnce: [mfctk32.exe] C:\WINDOWS\mfctk32.exe
O4 - HKLM\..\RunOnce: [ntfw.exe] C:\WINDOWS\system32\ntfw.exe
O4 - HKLM\..\RunOnce: [netvt32.exe] C:\WINDOWS\system32\netvt32.exe
O4 - HKLM\..\RunOnce: [winap32.exe] C:\WINDOWS\system32\winap32.exe
O4 - HKLM\..\RunOnce: [ipdb32.exe] C:\WINDOWS\system32\ipdb32.exe
O4 - HKLM\..\RunOnce: [javahf.exe] C:\WINDOWS\javahf.exe
O4 - HKLM\..\RunOnce: [d3be.exe] C:\WINDOWS\system32\d3be.exe
O4 - HKLM\..\RunOnce: [sdkqu.exe] C:\WINDOWS\system32\sdkqu.exe
O4 - HKLM\..\RunOnce: [addfq32.exe] C:\WINDOWS\system32\addfq32.exe
O4 - HKLM\..\RunOnce: [crkv32.exe] C:\WINDOWS\system32\crkv32.exe
O4 - HKLM\..\RunOnce: [appfh.exe] C:\WINDOWS\system32\appfh.exe
O4 - HKLM\..\RunOnce: [javaha.exe] C:\WINDOWS\system32\javaha.exe
O4 - HKLM\..\RunOnce: [addwf32.exe] C:\WINDOWS\addwf32.exe
O4 - HKLM\..\RunOnce: [winfn.exe] C:\WINDOWS\winfn.exe
O4 - HKLM\..\RunOnce: [javaks32.exe] C:\WINDOWS\javaks32.exe
O4 - HKLM\..\RunOnce: [ipnw.exe] C:\WINDOWS\ipnw.exe
O4 - HKLM\..\RunOnce: [iecb.exe] C:\WINDOWS\system32\iecb.exe
O4 - HKLM\..\RunOnce: [d3gc.exe] C:\WINDOWS\d3gc.exe
O4 - HKLM\..\RunOnce: [ieze32.exe] C:\WINDOWS\ieze32.exe
O4 - HKLM\..\RunOnce: [ieoa32.exe] C:\WINDOWS\system32\ieoa32.exe
O4 - HKLM\..\RunOnce: [nttx32.exe] C:\WINDOWS\nttx32.exe
O4 - HKLM\..\RunOnce: [javamo32.exe] C:\WINDOWS\system32\javamo32.exe
O4 - HKLM\..\RunOnce: [winpa32.exe] C:\WINDOWS\winpa32.exe
O4 - HKLM\..\RunOnce: [appdf32.exe] C:\WINDOWS\appdf32.exe
O4 - HKLM\..\RunOnce: [addjb.exe] C:\WINDOWS\system32\addjb.exe
O4 - HKLM\..\RunOnce: [crdv.exe] C:\WINDOWS\system32\crdv.exe
O4 - HKLM\..\RunOnce: [winmn.exe] C:\WINDOWS\winmn.exe
O4 - HKLM\..\RunOnce: [atlsp32.exe] C:\WINDOWS\system32\atlsp32.exe
O4 - HKLM\..\RunOnce: [sdkvj32.exe] C:\WINDOWS\sdkvj32.exe
O4 - HKLM\..\RunOnce: [d3zf.exe] C:\WINDOWS\d3zf.exe
O4 - HKLM\..\RunOnce: [javapc.exe] C:\WINDOWS\javapc.exe
O4 - HKLM\..\RunOnce: [crcz.exe] C:\WINDOWS\crcz.exe
O4 - HKLM\..\RunOnce: [mfcie.exe] C:\WINDOWS\system32\mfcie.exe
O4 - HKLM\..\RunOnce: [d3cp.exe] C:\WINDOWS\d3cp.exe
O4 - HKLM\..\RunOnce: [sdksw.exe] C:\WINDOWS\sdksw.exe
O4 - HKLM\..\RunOnce: [netvi.exe] C:\WINDOWS\system32\netvi.exe
O4 - HKLM\..\RunOnce: [javarm.exe] C:\WINDOWS\javarm.exe
O4 - HKLM\..\RunOnce: [addam.exe] C:\WINDOWS\system32\addam.exe
O4 - HKLM\..\RunOnce: [atlor.exe] C:\WINDOWS\system32\atlor.exe
O4 - HKLM\..\RunOnce: [atlto32.exe] C:\WINDOWS\atlto32.exe
O4 - HKLM\..\RunOnce: [atlil32.exe] C:\WINDOWS\system32\atlil32.exe
O4 - HKLM\..\RunOnce: [msnh32.exe] C:\WINDOWS\system32\msnh32.exe
O4 - HKLM\..\RunOnce: [mfcit32.exe] C:\WINDOWS\system32\mfcit32.exe
O4 - HKLM\..\RunOnce: [netmx.exe] C:\WINDOWS\netmx.exe
O4 - HKLM\..\RunOnce: [d3ed.exe] C:\WINDOWS\system32\d3ed.exe
O4 - HKLM\..\RunOnce: [netki.exe] C:\WINDOWS\netki.exe
O4 - HKLM\..\RunOnce: [ipym.exe] C:\WINDOWS\ipym.exe
O4 - HKLM\..\RunOnce: [ipsg32.exe] C:\WINDOWS\system32\ipsg32.exe
O4 - HKLM\..\RunOnce: [appxc32.exe] C:\WINDOWS\appxc32.exe
O4 - HKLM\..\RunOnce: [cres32.exe] C:\WINDOWS\cres32.exe
O4 - HKLM\..\RunOnce: [appbf.exe] C:\WINDOWS\system32\appbf.exe
O4 - HKLM\..\RunOnce: [crhc32.exe] C:\WINDOWS\crhc32.exe
O4 - HKLM\..\RunOnce: [msav32.exe] C:\WINDOWS\system32\msav32.exe
O4 - HKLM\..\RunOnce: [ipfr32.exe] C:\WINDOWS\system32\ipfr32.exe
O4 - HKLM\..\RunOnce: [iead.exe] C:\WINDOWS\system32\iead.exe
O4 - HKLM\..\RunOnce: [javaep.exe] C:\WINDOWS\javaep.exe
O4 - HKLM\..\RunOnce: [atlkm.exe] C:\WINDOWS\system32\atlkm.exe
O4 - HKLM\..\RunOnce: [sysiz.exe] C:\WINDOWS\sysiz.exe
O4 - HKLM\..\RunOnce: [mfcmd.exe] C:\WINDOWS\system32\mfcmd.exe
O4 - HKLM\..\RunOnce: [crnl.exe] C:\WINDOWS\system32\crnl.exe
O4 - HKLM\..\RunOnce: [d3vb32.exe] C:\WINDOWS\d3vb32.exe
O4 - HKLM\..\RunOnce: [winhw.exe] C:\WINDOWS\system32\winhw.exe
O4 - HKLM\..\RunOnce: [iext32.exe] C:\WINDOWS\system32\iext32.exe
O4 - HKLM\..\RunOnce: [appjf.exe] C:\WINDOWS\appjf.exe
O4 - HKLM\..\RunOnce: [addkf32.exe] C:\WINDOWS\system32\addkf32.exe
O4 - HKLM\..\RunOnce: [addez.exe] C:\WINDOWS\addez.exe
O4 - HKLM\..\RunOnce: [javasv.exe] C:\WINDOWS\javasv.exe
O4 - HKLM\..\RunOnce: [apphy32.exe] C:\WINDOWS\apphy32.exe
O4 - HKLM\..\RunOnce: [ntck32.exe] C:\WINDOWS\system32\ntck32.exe
O4 - HKLM\..\RunOnce: [croo.exe] C:\WINDOWS\croo.exe
O4 - HKLM\..\RunOnce: [javapo32.exe] C:\WINDOWS\system32\javapo32.exe
O4 - HKLM\..\RunOnce: [sdkel.exe] C:\WINDOWS\sdkel.exe
O4 - HKLM\..\RunOnce: [javaji.exe] C:\WINDOWS\system32\javaji.exe
O4 - HKLM\..\RunOnce: [crrq.exe] C:\WINDOWS\system32\crrq.exe
O4 - HKLM\..\RunOnce: [nthf.exe] C:\WINDOWS\system32\nthf.exe
O4 - HKLM\..\RunOnce: [sdkgn.exe] C:\WINDOWS\system32\sdkgn.exe
O4 - HKLM\..\RunOnce: [winpv.exe] C:\WINDOWS\winpv.exe
O4 - HKLM\..\RunOnce: [mfclz32.exe] C:\WINDOWS\system32\mfclz32.exe
O4 - HKLM\..\RunOnce: [appiw32.exe] C:\WINDOWS\system32\appiw32.exe
O4 - HKLM\..\RunOnce: [addpt32.exe] C:\WINDOWS\addpt32.exe
O4 - HKLM\..\RunOnce: [d3uq32.exe] C:\WINDOWS\d3uq32.exe
O4 - HKLM\..\RunOnce: [javarl.exe] C:\WINDOWS\javarl.exe
O4 - HKLM\..\RunOnce: [mfcqs32.exe] C:\WINDOWS\mfcqs32.exe
O4 - HKLM\..\RunOnce: [crxh.exe] C:\WINDOWS\system32\crxh.exe
O4 - HKLM\..\RunOnce: [mswp32.exe] C:\WINDOWS\system32\mswp32.exe
O4 - HKLM\..\RunOnce: [winev32.exe] C:\WINDOWS\system32\winev32.exe
O4 - HKLM\..\RunOnce: [mfcwe32.exe] C:\WINDOWS\mfcwe32.exe
O4 - HKLM\..\RunOnce: [atlfu.exe] C:\WINDOWS\system32\atlfu.exe
O4 - HKLM\..\RunOnce: [apimk32.exe] C:\WINDOWS\apimk32.exe
O4 - HKLM\..\RunOnce: [addca32.exe] C:\WINDOWS\system32\addca32.exe
O4 - HKLM\..\RunOnce: [appki.exe] C:\WINDOWS\system32\appki.exe
O4 - HKLM\..\RunOnce: [javalo.exe] C:\WINDOWS\javalo.exe
O4 - HKLM\..\RunOnce: [apikd32.exe] C:\WINDOWS\apikd32.exe
O4 - HKLM\..\RunOnce: [addit.exe] C:\WINDOWS\system32\addit.exe
O4 - HKLM\..\RunOnce: [ipgg.exe] C:\WINDOWS\system32\ipgg.exe
O4 - HKLM\..\RunOnce: [msvv32.exe] C:\WINDOWS\msvv32.exe
O4 - HKLM\..\RunOnce: [wintd32.exe] C:\WINDOWS\wintd32.exe
O4 - HKLM\..\RunOnce: [ieoo.exe] C:\WINDOWS\ieoo.exe
O4 - HKLM\..\RunOnce: [sdkne32.exe] C:\WINDOWS\sdkne32.exe
O4 - HKLM\..\RunOnce: [apilc.exe] C:\WINDOWS\system32\apilc.exe
O4 - HKLM\..\RunOnce: [appsh.exe] C:\WINDOWS\appsh.exe
O4 - HKLM\..\RunOnce: [d3rx32.exe] C:\WINDOWS\d3rx32.exe
O4 - HKLM\..\RunOnce: [nthm32.exe] C:\WINDOWS\system32\nthm32.exe
O4 - HKLM\..\RunOnce: [atlad.exe] C:\WINDOWS\atlad.exe
O4 - HKLM\..\RunOnce: [syslm32.exe] C:\WINDOWS\syslm32.exe
O4 - HKLM\..\RunOnce: [winsu.exe] C:\WINDOWS\winsu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javaxi.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Roger Stewart\Desktop\Dean's Malware Removal\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Here is the about:Buster log file:

AboutBuster 5.0 reference file 30
Scan started on [13/07/2005] at [10:30:42 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:siwuip
Removed Stream! C:\WINDOWS\brtvv.dat:uzohe
Removed Stream! C:\WINDOWS\CBCDIJKN.ini:lihzcr
Removed Stream! C:\WINDOWS\CMSETACL.LOG:fbeaz
Removed Stream! C:\WINDOWS\COMSETUP.LOG:gmuywb
Removed Stream! C:\WINDOWS\DESKTOP.INI:qnmdql
Removed Stream! C:\WINDOWS\EventSystem.log:joxrsw
Removed Stream! C:\WINDOWS\gbniz.txt:kshqfn
Removed Stream! C:\WINDOWS\Greenstone.bmp:rgxjm
Removed Stream! C:\WINDOWS\hmkmr.dat:tywtx
Removed Stream! C:\WINDOWS\hpothb07.tif:itpys
Removed Stream! C:\WINDOWS\igfvg.dat:wbuiu
Removed Stream! C:\WINDOWS\itpys.txt:obmnw
Removed Stream! C:\WINDOWS\KB873333.log:ehmvck
Removed Stream! C:\WINDOWS\KB886185.log:vysalz
Removed Stream! C:\WINDOWS\KB888302.log:rwith
Removed Stream! C:\WINDOWS\KB893086.log:qsdsc
Removed Stream! C:\WINDOWS\lablw.dat:qslfz
Removed Stream! C:\WINDOWS\mp10oem.txt:upesxj
Removed Stream! C:\WINDOWS\MSDFMAP.INI:brwjc
Removed Stream! C:\WINDOWS\nsw.log:nhwfrt
Removed Stream! C:\WINDOWS\River Sumida.bmp:bjrnmo
Removed Stream! C:\WINDOWS\setuperr.log:vikbxq
Removed Stream! C:\WINDOWS\SIERRA.INI:lwxmz
Removed Stream! C:\WINDOWS\Sti_Trace.log:hnfhsf
Removed Stream! C:\WINDOWS\SYSTEM.INI:zfcrln
Removed Stream! C:\WINDOWS\T30DebugLogFile.txt:znqnup
Removed Stream! C:\WINDOWS\wmsetup10.log:irohc
Removed Stream! C:\WINDOWS\xhbmd.log:flsoz
Removed Stream! C:\WINDOWS\yeaec.dat:iwttdb
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:awlyxm
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:axipi
------------------------------------------------
Removed File! : C:\Windows\ddlis.dll
Removed File! : C:\Windows\dkble.dat
Removed File! : C:\Windows\fdmao.dat
Removed File! : C:\Windows\fdoxj.dll
Removed File! : C:\Windows\lablw.dat
Removed File! : C:\Windows\xfkad.dat
Removed File! : C:\Windows\zrbvk.dat
Removed File! : C:\Windows\System32\acazu.dat
Removed File! : C:\Windows\System32\agrjt.dat
Removed File! : C:\Windows\System32\eggyg.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:31:00 AM


AboutBuster 5.0 reference file 30
Scan started on [13/07/2005] at [5:46:14 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\brtvv.dat:kpoxgz
Removed Stream! C:\WINDOWS\hpothb07.tif:itpysa
Removed Stream! C:\WINDOWS\xhbmd.log:pxhrx
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:acwdnk
------------------------------------------------
Removed File! : C:\Windows\sumzh.dat
Removed File! : C:\Windows\System32\fypps.dat
Removed File! : C:\Windows\System32\jgucl.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:46:33 PM


AboutBuster 5.0 reference file 30
Scan started on [15/07/2005] at [4:57:11 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:bclgoq
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:bkwxkz
------------------------------------------------
Removed File! : C:\Windows\itejb.dll
Removed File! : C:\Windows\jwvwp.dll
Removed File! : C:\Windows\System32\hkpil.dat
Removed File! : C:\Windows\System32\uaott.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:57:45 PM

Thank you again.

Dean
  • 0
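The O4 entries in the log above share one naming scheme (a system-sounding prefix such as api, atl, d3, java or mfc, two random letters, an optional 32, and .exe) and every one of them sits directly in C:\WINDOWS or C:\WINDOWS\system32, most under RunOnce. As an added example that is not part of the original thread, this Python triage helper parses HijackThis O4 lines and flags entries that show that combination; the javaws.exe line in the sample is constructed (using the page's Java install path) to show why the name pattern alone is not enough.

```python
import ntpath
import re

# One HijackThis "O4" autostart line, e.g.
#   O4 - HKLM\..\RunOnce: [javaxi.exe] C:\WINDOWS\system32\javaxi.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# Executable path inside the command, with or without quotes and trailing arguments.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)

# Naming scheme seen throughout the log above: a system-sounding prefix,
# two random lowercase letters, an optional "32", and ".exe".
PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip", "java",
            "mfc", "ms", "net", "nt", "sdk", "sys", "win")
RANDOM_NAME_RE = re.compile(
    r"^(?:" + "|".join(PREFIXES) + r")[a-z]{2}(?:32)?\.exe$", re.IGNORECASE
)
# The dropped files in the log sit directly in these two directories,
# never in a product folder under Program Files.
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_o4(line):
    """Return (hive, key, name, exe_path) for an O4 line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    path = exe.group("path") if exe else m.group("cmd").strip()
    return m.group("hive"), m.group("key"), m.group("name"), path


def assess(hive, key, name, path):
    """Collect the indicators for one autostart entry and decide whether to flag it.

    The name pattern alone is not enough (javaws.exe, the real Java Web Start,
    matches it), so an entry is flagged only when the random-looking name is
    combined with a file dropped directly in C:\\WINDOWS or System32. RunOnce
    is recorded as supporting evidence: legitimate software rarely persists there.
    """
    reasons = []
    base = ntpath.basename(path)
    folder = ntpath.dirname(path).lower()
    if RANDOM_NAME_RE.match(base):
        reasons.append("random-looking name")
    if folder in DROP_DIRS:
        reasons.append("dropped directly in the Windows directory")
    if key.lower() == "runonce":
        reasons.append("RunOnce key used for persistence")
    flagged = "random-looking name" in reasons and folder in DROP_DIRS
    return {"hive": hive, "key": key, "name": name, "path": path,
            "reasons": reasons, "flagged": flagged}


def triage(log_text):
    """Parse every O4 line in a HijackThis log and assess each one, in order."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed:
            results.append(assess(*parsed))
    return results


# Six lines copied from the log above plus one constructed javaws.exe line
# (hypothetical; it reuses the page's Java install path) to show the false positive.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [atlnh.exe] C:\WINDOWS\system32\atlnh.exe
O4 - HKLM\..\RunOnce: [javaxi.exe] C:\WINDOWS\system32\javaxi.exe
O4 - HKLM\..\RunOnce: [d3wi32.exe] C:\WINDOWS\system32\d3wi32.exe
O4 - HKLM\..\Run: [mskl.exe] C:\WINDOWS\mskl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [javaws.exe] C:\Program Files\Java\j2re1.4.2_03\bin\javaws.exe
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        mark = "FLAG" if r["flagged"] else "ok  "
        print(f'{mark} {r["key"]:8} {r["name"]:12} {r["path"]}  {"; ".join(r["reasons"])}')
```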

#15
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
This infection is out of control. We must take drastic measures if we want to salvage something, if possible. The following will appear a bit strange to you but you have to trust me, there is a reason behind all of this.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

NO ONE BUT YOU IS TO USE THIS COMPUTER UNTIL THE INFECTION IS TOTALLY ERADICATED

1. You are to download and install Firefox immediately from HERE. Once it is installed, you are not to use Internet Explorer until I give you the OK.

2. Since you can't use TrendMicro, I want you to download Kaspersky antivirus from HERE. Install it and upgrade its definitions to the most recent available. (Do not use it yet)

3. Run HijackThis, click SCAN and place a checkmark beside the following items:

O4 - HKLM\..\Run: [atlnh.exe] C:\WINDOWS\system32\atlnh.exe
O4 - HKLM\..\Run: [sysmn.exe] C:\WINDOWS\system32\sysmn.exe
O4 - HKLM\..\Run: [mskl.exe] C:\WINDOWS\mskl.exe
O4 - HKLM\..\RunOnce: [javaxi.exe] C:\WINDOWS\system32\javaxi.exe
O4 - HKLM\..\RunOnce: [apick.exe] C:\WINDOWS\apick.exe
O4 - HKLM\..\RunOnce: [ntar32.exe] C:\WINDOWS\ntar32.exe
O4 - HKLM\..\RunOnce: [atlgl.exe] C:\WINDOWS\atlgl.exe
O4 - HKLM\..\RunOnce: [syszo.exe] C:\WINDOWS\system32\syszo.exe
O4 - HKLM\..\RunOnce: [atlop32.exe] C:\WINDOWS\atlop32.exe
O4 - HKLM\..\RunOnce: [mfcza32.exe] C:\WINDOWS\system32\mfcza32.exe
O4 - HKLM\..\RunOnce: [sysew32.exe] C:\WINDOWS\system32\sysew32.exe
O4 - HKLM\..\RunOnce: [apizi.exe] C:\WINDOWS\system32\apizi.exe
O4 - HKLM\..\RunOnce: [atlcu32.exe] C:\WINDOWS\system32\atlcu32.exe
O4 - HKLM\..\RunOnce: [netqu32.exe] C:\WINDOWS\system32\netqu32.exe
O4 - HKLM\..\RunOnce: [mfcay.exe] C:\WINDOWS\mfcay.exe
O4 - HKLM\..\RunOnce: [iebk.exe] C:\WINDOWS\system32\iebk.exe
O4 - HKLM\..\RunOnce: [ieim32.exe] C:\WINDOWS\ieim32.exe
O4 - HKLM\..\RunOnce: [mfcqh32.exe] C:\WINDOWS\mfcqh32.exe
O4 - HKLM\..\RunOnce: [apiyx.exe] C:\WINDOWS\apiyx.exe
O4 - HKLM\..\RunOnce: [mfczx.exe] C:\WINDOWS\system32\mfczx.exe
O4 - HKLM\..\RunOnce: [sdkom32.exe] C:\WINDOWS\sdkom32.exe
O4 - HKLM\..\RunOnce: [msmu32.exe] C:\WINDOWS\msmu32.exe
O4 - HKLM\..\RunOnce: [crif.exe] C:\WINDOWS\crif.exe
O4 - HKLM\..\RunOnce: [apigv32.exe] C:\WINDOWS\apigv32.exe
O4 - HKLM\..\RunOnce: [appft.exe] C:\WINDOWS\system32\appft.exe
O4 - HKLM\..\RunOnce: [addft.exe] C:\WINDOWS\addft.exe
O4 - HKLM\..\RunOnce: [apiys.exe] C:\WINDOWS\system32\apiys.exe
O4 - HKLM\..\RunOnce: [apiga.exe] C:\WINDOWS\system32\apiga.exe
O4 - HKLM\..\RunOnce: [sdkra32.exe] C:\WINDOWS\system32\sdkra32.exe
O4 - HKLM\..\RunOnce: [d3hi.exe] C:\WINDOWS\system32\d3hi.exe
O4 - HKLM\..\RunOnce: [addlm32.exe] C:\WINDOWS\system32\addlm32.exe
O4 - HKLM\..\RunOnce: [sdktc32.exe] C:\WINDOWS\system32\sdktc32.exe
O4 - HKLM\..\RunOnce: [addct32.exe] C:\WINDOWS\addct32.exe
O4 - HKLM\..\RunOnce: [javavm32.exe] C:\WINDOWS\javavm32.exe
O4 - HKLM\..\RunOnce: [addqx32.exe] C:\WINDOWS\system32\addqx32.exe
O4 - HKLM\..\RunOnce: [crek.exe] C:\WINDOWS\crek.exe
O4 - HKLM\..\RunOnce: [wintz32.exe] C:\WINDOWS\wintz32.exe
O4 - HKLM\..\RunOnce: [mfcrh.exe] C:\WINDOWS\mfcrh.exe
O4 - HKLM\..\RunOnce: [cran32.exe] C:\WINDOWS\system32\cran32.exe
O4 - HKLM\..\RunOnce: [d3ad.exe] C:\WINDOWS\system32\d3ad.exe
O4 - HKLM\..\RunOnce: [sdkeh32.exe] C:\WINDOWS\system32\sdkeh32.exe
O4 - HKLM\..\RunOnce: [mfcuw.exe] C:\WINDOWS\mfcuw.exe
O4 - HKLM\..\RunOnce: [crsb32.exe] C:\WINDOWS\crsb32.exe
O4 - HKLM\..\RunOnce: [d3rj.exe] C:\WINDOWS\d3rj.exe
O4 - HKLM\..\RunOnce: [javaak.exe] C:\WINDOWS\system32\javaak.exe
O4 - HKLM\..\RunOnce: [winqz.exe] C:\WINDOWS\winqz.exe
O4 - HKLM\..\RunOnce: [winem.exe] C:\WINDOWS\system32\winem.exe
O4 - HKLM\..\RunOnce: [addka32.exe] C:\WINDOWS\system32\addka32.exe
O4 - HKLM\..\RunOnce: [winyx32.exe] C:\WINDOWS\system32\winyx32.exe
O4 - HKLM\..\RunOnce: [crdb32.exe] C:\WINDOWS\system32\crdb32.exe
O4 - HKLM\..\RunOnce: [atlls32.exe] C:\WINDOWS\atlls32.exe
O4 - HKLM\..\RunOnce: [javavy.exe] C:\WINDOWS\javavy.exe
O4 - HKLM\..\RunOnce: [atliu.exe] C:\WINDOWS\system32\atliu.exe
O4 - HKLM\..\RunOnce: [ipey32.exe] C:\WINDOWS\ipey32.exe
O4 - HKLM\..\RunOnce: [apioz.exe] C:\WINDOWS\system32\apioz.exe
O4 - HKLM\..\RunOnce: [sysnp32.exe] C:\WINDOWS\system32\sysnp32.exe
O4 - HKLM\..\RunOnce: [netqa32.exe] C:\WINDOWS\system32\netqa32.exe
O4 - HKLM\..\RunOnce: [sdkuf.exe] C:\WINDOWS\sdkuf.exe
O4 - HKLM\..\RunOnce: [ipdf32.exe] C:\WINDOWS\system32\ipdf32.exe
O4 - HKLM\..\RunOnce: [ipkc32.exe] C:\WINDOWS\ipkc32.exe
O4 - HKLM\..\RunOnce: [addpy32.exe] C:\WINDOWS\addpy32.exe
O4 - HKLM\..\RunOnce: [ipss32.exe] C:\WINDOWS\ipss32.exe
O4 - HKLM\..\RunOnce: [atlqq32.exe] C:\WINDOWS\system32\atlqq32.exe
O4 - HKLM\..\RunOnce: [sdktb32.exe] C:\WINDOWS\system32\sdktb32.exe
O4 - HKLM\..\RunOnce: [d3yg.exe] C:\WINDOWS\d3yg.exe
O4 - HKLM\..\RunOnce: [ntgb32.exe] C:\WINDOWS\ntgb32.exe
O4 - HKLM\..\RunOnce: [msbn.exe] C:\WINDOWS\msbn.exe
O4 - HKLM\..\RunOnce: [mspk32.exe] C:\WINDOWS\mspk32.exe
O4 - HKLM\..\RunOnce: [msdh32.exe] C:\WINDOWS\system32\msdh32.exe
O4 - HKLM\..\RunOnce: [iedp32.exe] C:\WINDOWS\system32\iedp32.exe
O4 - HKLM\..\RunOnce: [sysfg32.exe] C:\WINDOWS\sysfg32.exe
O4 - HKLM\..\RunOnce: [addll32.exe] C:\WINDOWS\addll32.exe
O4 - HKLM\..\RunOnce: [winzi.exe] C:\WINDOWS\winzi.exe
O4 - HKLM\..\RunOnce: [javasb.exe] C:\WINDOWS\system32\javasb.exe
O4 - HKLM\..\RunOnce: [javahw32.exe] C:\WINDOWS\javahw32.exe
O4 - HKLM\..\RunOnce: [mfcms32.exe] C:\WINDOWS\system32\mfcms32.exe
O4 - HKLM\..\RunOnce: [crpe.exe] C:\WINDOWS\crpe.exe
O4 - HKLM\..\RunOnce: [iplq32.exe] C:\WINDOWS\system32\iplq32.exe
O4 - HKLM\..\RunOnce: [atljx.exe] C:\WINDOWS\atljx.exe
O4 - HKLM\..\RunOnce: [iein32.exe] C:\WINDOWS\iein32.exe
O4 - HKLM\..\RunOnce: [javazc32.exe] C:\WINDOWS\system32\javazc32.exe
O4 - HKLM\..\RunOnce: [sdkhs.exe] C:\WINDOWS\sdkhs.exe
O4 - HKLM\..\RunOnce: [d3mx32.exe] C:\WINDOWS\system32\d3mx32.exe
O4 - HKLM\..\RunOnce: [msfi.exe] C:\WINDOWS\msfi.exe
O4 - HKLM\..\RunOnce: [winzj32.exe] C:\WINDOWS\winzj32.exe
O4 - HKLM\..\RunOnce: [javasc32.exe] C:\WINDOWS\javasc32.exe
O4 - HKLM\..\RunOnce: [atlss.exe] C:\WINDOWS\atlss.exe
O4 - HKLM\..\RunOnce: [appat32.exe] C:\WINDOWS\system32\appat32.exe
O4 - HKLM\..\RunOnce: [iezw32.exe] C:\WINDOWS\iezw32.exe
O4 - HKLM\..\RunOnce: [apppd.exe] C:\WINDOWS\apppd.exe
O4 - HKLM\..\RunOnce: [nettz32.exe] C:\WINDOWS\system32\nettz32.exe
O4 - HKLM\..\RunOnce: [atldi.exe] C:\WINDOWS\atldi.exe
O4 - HKLM\..\RunOnce: [mfcxt32.exe] C:\WINDOWS\mfcxt32.exe
O4 - HKLM\..\RunOnce: [iecy32.exe] C:\WINDOWS\iecy32.exe
O4 - HKLM\..\RunOnce: [apizl32.exe] C:\WINDOWS\system32\apizl32.exe
O4 - HKLM\..\RunOnce: [netzt32.exe] C:\WINDOWS\system32\netzt32.exe
O4 - HKLM\..\RunOnce: [sdkdx.exe] C:\WINDOWS\sdkdx.exe
O4 - HKLM\..\RunOnce: [appfq32.exe] C:\WINDOWS\appfq32.exe
O4 - HKLM\..\RunOnce: [javaoh32.exe] C:\WINDOWS\javaoh32.exe
O4 - HKLM\..\RunOnce: [addxn.exe] C:\WINDOWS\addxn.exe
O4 - HKLM\..\RunOnce: [netmk32.exe] C:\WINDOWS\system32\netmk32.exe
O4 - HKLM\..\RunOnce: [crqw.exe] C:\WINDOWS\system32\crqw.exe
O4 - HKLM\..\RunOnce: [d3wt32.exe] C:\WINDOWS\system32\d3wt32.exe
O4 - HKLM\..\RunOnce: [d3ki32.exe] C:\WINDOWS\d3ki32.exe
O4 - HKLM\..\RunOnce: [ieyc32.exe] C:\WINDOWS\ieyc32.exe
O4 - HKLM\..\RunOnce: [msmz32.exe] C:\WINDOWS\system32\msmz32.exe
O4 - HKLM\..\RunOnce: [winam32.exe] C:\WINDOWS\system32\winam32.exe
O4 - HKLM\..\RunOnce: [winuf.exe] C:\WINDOWS\system32\winuf.exe
O4 - HKLM\..\RunOnce: [sdkhc.exe] C:\WINDOWS\sdkhc.exe
O4 - HKLM\..\RunOnce: [ierc.exe] C:\WINDOWS\system32\ierc.exe
O4 - HKLM\..\RunOnce: [ieaq.exe] C:\WINDOWS\system32\ieaq.exe
O4 - HKLM\..\RunOnce: [atlqg32.exe] C:\WINDOWS\system32\atlqg32.exe
O4 - HKLM\..\RunOnce: [apibr.exe] C:\WINDOWS\system32\apibr.exe
O4 - HKLM\..\RunOnce: [sysig32.exe] C:\WINDOWS\system32\sysig32.exe
O4 - HKLM\..\RunOnce: [ieda32.exe] C:\WINDOWS\system32\ieda32.exe
O4 - HKLM\..\RunOnce: [atlhm.exe] C:\WINDOWS\atlhm.exe
O4 - HKLM\..\RunOnce: [sdkwb32.exe] C:\WINDOWS\system32\sdkwb32.exe
O4 - HKLM\..\RunOnce: [d3ur.exe] C:\WINDOWS\system32\d3ur.exe
O4 - HKLM\..\RunOnce: [winqn32.exe] C:\WINDOWS\system32\winqn32.exe
O4 - HKLM\..\RunOnce: [ieav.exe] C:\WINDOWS\system32\ieav.exe
O4 - HKLM\..\RunOnce: [ienk32.exe] C:\WINDOWS\system32\ienk32.exe
O4 - HKLM\..\RunOnce: [ieuh32.exe] C:\WINDOWS\ieuh32.exe
O4 - HKLM\..\RunOnce: [ntzl32.exe] C:\WINDOWS\system32\ntzl32.exe
O4 - HKLM\..\RunOnce: [apphb.exe] C:\WINDOWS\system32\apphb.exe
O4 - HKLM\..\RunOnce: [winhb32.exe] C:\WINDOWS\winhb32.exe
O4 - HKLM\..\RunOnce: [msox32.exe] C:\WINDOWS\system32\msox32.exe
O4 - HKLM\..\RunOnce: [apiii32.exe] C:\WINDOWS\apiii32.exe
O4 - HKLM\..\RunOnce: [appsj.exe] C:\WINDOWS\system32\appsj.exe
O4 - HKLM\..\RunOnce: [appmc32.exe] C:\WINDOWS\system32\appmc32.exe
O4 - HKLM\..\RunOnce: [atlmk32.exe] C:\WINDOWS\system32\atlmk32.exe
O4 - HKLM\..\RunOnce: [netqo.exe] C:\WINDOWS\netqo.exe
O4 - HKLM\..\RunOnce: [sysli32.exe] C:\WINDOWS\sysli32.exe
O4 - HKLM\..\RunOnce: [apiou32.exe] C:\WINDOWS\apiou32.exe
O4 - HKLM\..\RunOnce: [ntsy.exe] C:\WINDOWS\system32\ntsy.exe
O4 - HKLM\..\RunOnce: [netbg32.exe] C:\WINDOWS\netbg32.exe
O4 - HKLM\..\RunOnce: [ippl32.exe] C:\WINDOWS\system32\ippl32.exe
O4 - HKLM\..\RunOnce: [crxp32.exe] C:\WINDOWS\system32\crxp32.exe
O4 - HKLM\..\RunOnce: [ipvm.exe] C:\WINDOWS\ipvm.exe
O4 - HKLM\..\RunOnce: [netvm.exe] C:\WINDOWS\system32\netvm.exe
O4 - HKLM\..\RunOnce: [sysjr32.exe] C:\WINDOWS\sysjr32.exe
O4 - HKLM\..\RunOnce: [msev.exe] C:\WINDOWS\system32\msev.exe
O4 - HKLM\..\RunOnce: [ntdk32.exe] C:\WINDOWS\ntdk32.exe
O4 - HKLM\..\RunOnce: [mfcta32.exe] C:\WINDOWS\system32\mfcta32.exe
O4 - HKLM\..\RunOnce: [mfcbi.exe] C:\WINDOWS\system32\mfcbi.exe
O4 - HKLM\..\RunOnce: [atlci.exe] C:\WINDOWS\atlci.exe
O4 - HKLM\..\RunOnce: [javalq.exe] C:\WINDOWS\javalq.exe
O4 - HKLM\..\RunOnce: [addiw.exe] C:\WINDOWS\system32\addiw.exe
O4 - HKLM\..\RunOnce: [crhd32.exe] C:\WINDOWS\system32\crhd32.exe
O4 - HKLM\..\RunOnce: [ipmn.exe] C:\WINDOWS\system32\ipmn.exe
O4 - HKLM\..\RunOnce: [apptt.exe] C:\WINDOWS\apptt.exe
O4 - HKLM\..\RunOnce: [appnf32.exe] C:\WINDOWS\appnf32.exe
O4 - HKLM\..\RunOnce: [atlnn32.exe] C:\WINDOWS\atlnn32.exe
O4 - HKLM\..\RunOnce: [apiaz32.exe] C:\WINDOWS\apiaz32.exe
O4 - HKLM\..\RunOnce: [apivl.exe] C:\WINDOWS\system32\apivl.exe
O4 - HKLM\..\RunOnce: [addyx32.exe] C:\WINDOWS\system32\addyx32.exe
O4 - HKLM\..\RunOnce: [d3dt32.exe] C:\WINDOWS\system32\d3dt32.exe
O4 - HKLM\..\RunOnce: [appyf.exe] C:\WINDOWS\appyf.exe
O4 - HKLM\..\RunOnce: [syscr.exe] C:\WINDOWS\syscr.exe
O4 - HKLM\..\RunOnce: [mfcrg32.exe] C:\WINDOWS\system32\mfcrg32.exe
O4 - HKLM\..\RunOnce: [sysrt32.exe] C:\WINDOWS\system32\sysrt32.exe
O4 - HKLM\..\RunOnce: [winzb32.exe] C:\WINDOWS\winzb32.exe
O4 - HKLM\..\RunOnce: [nths.exe] C:\WINDOWS\nths.exe
O4 - HKLM\..\RunOnce: [mfcdc32.exe] C:\WINDOWS\mfcdc32.exe
O4 - HKLM\..\RunOnce: [nethh.exe] C:\WINDOWS\nethh.exe
O4 - HKLM\..\RunOnce: [apixe32.exe] C:\WINDOWS\apixe32.exe
O4 - HKLM\..\RunOnce: [sysba.exe] C:\WINDOWS\sysba.exe
O4 - HKLM\..\RunOnce: [d3av32.exe] C:\WINDOWS\system32\d3av32.exe
O4 - HKLM\..\RunOnce: [netfa32.exe] C:\WINDOWS\system32\netfa32.exe
O4 - HKLM\..\RunOnce: [msil32.exe] C:\WINDOWS\system32\msil32.exe
O4 - HKLM\..\RunOnce: [ienq32.exe] C:\WINDOWS\system32\ienq32.exe
O4 - HKLM\..\RunOnce: [iecn.exe] C:\WINDOWS\iecn.exe
O4 - HKLM\..\RunOnce: [iehj.exe] C:\WINDOWS\iehj.exe
O4 - HKLM\..\RunOnce: [ntvg.exe] C:\WINDOWS\ntvg.exe
O4 - HKLM\..\RunOnce: [mfcnx.exe] C:\WINDOWS\mfcnx.exe
O4 - HKLM\..\RunOnce: [sdkjb32.exe] C:\WINDOWS\sdkjb32.exe
O4 - HKLM\..\RunOnce: [nettc.exe] C:\WINDOWS\nettc.exe
O4 - HKLM\..\RunOnce: [netvn32.exe] C:\WINDOWS\system32\netvn32.exe
O4 - HKLM\..\RunOnce: [addsr32.exe] C:\WINDOWS\addsr32.exe
O4 - HKLM\..\RunOnce: [crtq.exe] C:\WINDOWS\system32\crtq.exe
O4 - HKLM\..\RunOnce: [appcz.exe] C:\WINDOWS\system32\appcz.exe
O4 - HKLM\..\RunOnce: [ipmz.exe] C:\WINDOWS\ipmz.exe
O4 - HKLM\..\RunOnce: [mfcid.exe] C:\WINDOWS\system32\mfcid.exe
O4 - HKLM\..\RunOnce: [d3wi32.exe] C:\WINDOWS\system32\d3wi32.exe
O4 - HKLM\..\RunOnce: [sysup.exe] C:\WINDOWS\system32\sysup.exe
O4 - HKLM\..\RunOnce: [atlqt.exe] C:\WINDOWS\atlqt.exe
O4 - HKLM\..\RunOnce: [ipjm32.exe] C:\WINDOWS\system32\ipjm32.exe
O4 - HKLM\..\RunOnce: [sysdy32.exe] C:\WINDOWS\sysdy32.exe
O4 - HKLM\..\RunOnce: [d3mg.exe] C:\WINDOWS\system32\d3mg.exe
O4 - HKLM\..\RunOnce: [mssv32.exe] C:\WINDOWS\mssv32.exe
O4 - HKLM\..\RunOnce: [d3hs32.exe] C:\WINDOWS\system32\d3hs32.exe
O4 - HKLM\..\RunOnce: [msgi32.exe] C:\WINDOWS\system32\msgi32.exe
O4 - HKLM\..\RunOnce: [winlm.exe] C:\WINDOWS\winlm.exe
O4 - HKLM\..\RunOnce: [iejj32.exe] C:\WINDOWS\iejj32.exe
O4 - HKLM\..\RunOnce: [winip.exe] C:\WINDOWS\system32\winip.exe
O4 - HKLM\..\RunOnce: [iexe.exe] C:\WINDOWS\system32\iexe.exe
O4 - HKLM\..\RunOnce: [sdkix32.exe] C:\WINDOWS\sdkix32.exe
O4 - HKLM\..\RunOnce: [javati.exe] C:\WINDOWS\javati.exe
O4 - HKLM\..\RunOnce: [iexm.exe] C:\WINDOWS\system32\iexm.exe
O4 - HKLM\..\RunOnce: [appin32.exe] C:\WINDOWS\appin32.exe
O4 - HKLM\..\RunOnce: [winfk32.exe] C:\WINDOWS\winfk32.exe
O4 - HKLM\..\RunOnce: [msdh.exe] C:\WINDOWS\system32\msdh.exe
O4 - HKLM\..\RunOnce: [crei.exe] C:\WINDOWS\crei.exe
O4 - HKLM\..\RunOnce: [addtx32.exe] C:\WINDOWS\system32\addtx32.exe
O4 - HKLM\..\RunOnce: [atlnq.exe] C:\WINDOWS\atlnq.exe
O4 - HKLM\..\RunOnce: [mfcjd32.exe] C:\WINDOWS\system32\mfcjd32.exe
O4 - HKLM\..\RunOnce: [winzs32.exe] C:\WINDOWS\winzs32.exe
O4 - HKLM\..\RunOnce: [winqp.exe] C:\WINDOWS\winqp.exe
O4 - HKLM\..\RunOnce: [sdkvl.exe] C:\WINDOWS\system32\sdkvl.exe
O4 - HKLM\..\RunOnce: [addqx.exe] C:\WINDOWS\addqx.exe
O4 - HKLM\..\RunOnce: [iefm.exe] C:\WINDOWS\iefm.exe
O4 - HKLM\..\RunOnce: [sdkqf32.exe] C:\WINDOWS\system32\sdkqf32.exe
O4 - HKLM\..\RunOnce: [atlxv32.exe] C:\WINDOWS\system32\atlxv32.exe
O4 - HKLM\..\RunOnce: [ntva32.exe] C:\WINDOWS\system32\ntva32.exe
O4 - HKLM\..\RunOnce: [appaw32.exe] C:\WINDOWS\system32\appaw32.exe
O4 - HKLM\..\RunOnce: [sdkvi32.exe] C:\WINDOWS\system32\sdkvi32.exe
O4 - HKLM\..\RunOnce: [javajn32.exe] C:\WINDOWS\system32\javajn32.exe
O4 - HKLM\..\RunOnce: [addys.exe] C:\WINDOWS\addys.exe
O4 - HKLM\..\RunOnce: [crff32.exe] C:\WINDOWS\crff32.exe
O4 - HKLM\..\RunOnce: [appar32.exe] C:\WINDOWS\system32\appar32.exe
O4 - HKLM\..\RunOnce: [mfcfv.exe] C:\WINDOWS\mfcfv.exe
O4 - HKLM\..\RunOnce: [addxm.exe] C:\WINDOWS\system32\addxm.exe
O4 - HKLM\..\RunOnce: [msqf32.exe] C:\WINDOWS\system32\msqf32.exe
O4 - HKLM\..\RunOnce: [iebq.exe] C:\WINDOWS\iebq.exe
O4 - HKLM\..\RunOnce: [appfu.exe] C:\WINDOWS\appfu.exe
O4 - HKLM\..\RunOnce: [crob32.exe] C:\WINDOWS\crob32.exe
O4 - HKLM\..\RunOnce: [msng.exe] C:\WINDOWS\system32\msng.exe
O4 - HKLM\..\RunOnce: [javadv.exe] C:\WINDOWS\system32\javadv.exe
O4 - HKLM\..\RunOnce: [netvo32.exe] C:\WINDOWS\netvo32.exe
O4 - HKLM\..\RunOnce: [crkd.exe] C:\WINDOWS\system32\crkd.exe
O4 - HKLM\..\RunOnce: [sysve32.exe] C:\WINDOWS\sysve32.exe
O4 - HKLM\..\RunOnce: [ippq32.exe] C:\WINDOWS\system32\ippq32.exe
O4 - HKLM\..\RunOnce: [mfczq.exe] C:\WINDOWS\system32\mfczq.exe
O4 - HKLM\..\RunOnce: [apien32.exe] C:\WINDOWS\system32\apien32.exe
O4 - HKLM\..\RunOnce: [mfctk32.exe] C:\WINDOWS\mfctk32.exe
O4 - HKLM\..\RunOnce: [ntfw.exe] C:\WINDOWS\system32\ntfw.exe
O4 - HKLM\..\RunOnce: [netvt32.exe] C:\WINDOWS\system32\netvt32.exe
O4 - HKLM\..\RunOnce: [winap32.exe] C:\WINDOWS\system32\winap32.exe
O4 - HKLM\..\RunOnce: [ipdb32.exe] C:\WINDOWS\system32\ipdb32.exe
O4 - HKLM\..\RunOnce: [javahf.exe] C:\WINDOWS\javahf.exe
O4 - HKLM\..\RunOnce: [d3be.exe] C:\WINDOWS\system32\d3be.exe
O4 - HKLM\..\RunOnce: [sdkqu.exe] C:\WINDOWS\system32\sdkqu.exe
O4 - HKLM\..\RunOnce: [addfq32.exe] C:\WINDOWS\system32\addfq32.exe
O4 - HKLM\..\RunOnce: [crkv32.exe] C:\WINDOWS\system32\crkv32.exe
O4 - HKLM\..\RunOnce: [appfh.exe] C:\WINDOWS\system32\appfh.exe
O4 - HKLM\..\RunOnce: [javaha.exe] C:\WINDOWS\system32\javaha.exe
O4 - HKLM\..\RunOnce: [addwf32.exe] C:\WINDOWS\addwf32.exe
O4 - HKLM\..\RunOnce: [winfn.exe] C:\WINDOWS\winfn.exe
O4 - HKLM\..\RunOnce: [javaks32.exe] C:\WINDOWS\javaks32.exe
O4 - HKLM\..\RunOnce: [ipnw.exe] C:\WINDOWS\ipnw.exe
O4 - HKLM\..\RunOnce: [iecb.exe] C:\WINDOWS\system32\iecb.exe
O4 - HKLM\..\RunOnce: [d3gc.exe] C:\WINDOWS\d3gc.exe
O4 - HKLM\..\RunOnce: [ieze32.exe] C:\WINDOWS\ieze32.exe
O4 - HKLM\..\RunOnce: [ieoa32.exe] C:\WINDOWS\system32\ieoa32.exe
O4 - HKLM\..\RunOnce: [nttx32.exe] C:\WINDOWS\nttx32.exe
O4 - HKLM\..\RunOnce: [javamo32.exe] C:\WINDOWS\system32\javamo32.exe
O4 - HKLM\..\RunOnce: [winpa32.exe] C:\WINDOWS\winpa32.exe
O4 - HKLM\..\RunOnce: [appdf32.exe] C:\WINDOWS\appdf32.exe
O4 - HKLM\..\RunOnce: [addjb.exe] C:\WINDOWS\system32\addjb.exe
O4 - HKLM\..\RunOnce: [crdv.exe] C:\WINDOWS\system32\crdv.exe
O4 - HKLM\..\RunOnce: [winmn.exe] C:\WINDOWS\winmn.exe
O4 - HKLM\..\RunOnce: [atlsp32.exe] C:\WINDOWS\system32\atlsp32.exe
O4 - HKLM\..\RunOnce: [sdkvj32.exe] C:\WINDOWS\sdkvj32.exe
O4 - HKLM\..\RunOnce: [d3zf.exe] C:\WINDOWS\d3zf.exe
O4 - HKLM\..\RunOnce: [javapc.exe] C:\WINDOWS\javapc.exe
O4 - HKLM\..\RunOnce: [crcz.exe] C:\WINDOWS\crcz.exe
O4 - HKLM\..\RunOnce: [mfcie.exe] C:\WINDOWS\system32\mfcie.exe
O4 - HKLM\..\RunOnce: [d3cp.exe] C:\WINDOWS\d3cp.exe
O4 - HKLM\..\RunOnce: [sdksw.exe] C:\WINDOWS\sdksw.exe
O4 - HKLM\..\RunOnce: [netvi.exe] C:\WINDOWS\system32\netvi.exe
O4 - HKLM\..\RunOnce: [javarm.exe] C:\WINDOWS\javarm.exe
O4 - HKLM\..\RunOnce: [addam.exe] C:\WINDOWS\system32\addam.exe
O4 - HKLM\..\RunOnce: [atlor.exe] C:\WINDOWS\system32\atlor.exe
O4 - HKLM\..\RunOnce: [atlto32.exe] C:\WINDOWS\atlto32.exe
O4 - HKLM\..\RunOnce: [atlil32.exe] C:\WINDOWS\system32\atlil32.exe
O4 - HKLM\..\RunOnce: [msnh32.exe] C:\WINDOWS\system32\msnh32.exe
O4 - HKLM\..\RunOnce: [mfcit32.exe] C:\WINDOWS\system32\mfcit32.exe
O4 - HKLM\..\RunOnce: [netmx.exe] C:\WINDOWS\netmx.exe
O4 - HKLM\..\RunOnce: [d3ed.exe] C:\WINDOWS\system32\d3ed.exe
O4 - HKLM\..\RunOnce: [netki.exe] C:\WINDOWS\netki.exe
O4 - HKLM\..\RunOnce: [ipym.exe] C:\WINDOWS\ipym.exe
O4 - HKLM\..\RunOnce: [ipsg32.exe] C:\WINDOWS\system32\ipsg32.exe
O4 - HKLM\..\RunOnce: [appxc32.exe] C:\WINDOWS\appxc32.exe
O4 - HKLM\..\RunOnce: [cres32.exe] C:\WINDOWS\cres32.exe
O4 - HKLM\..\RunOnce: [appbf.exe] C:\WINDOWS\system32\appbf.exe
O4 - HKLM\..\RunOnce: [crhc32.exe] C:\WINDOWS\crhc32.exe
O4 - HKLM\..\RunOnce: [msav32.exe] C:\WINDOWS\system32\msav32.exe
O4 - HKLM\..\RunOnce: [ipfr32.exe] C:\WINDOWS\system32\ipfr32.exe
O4 - HKLM\..\RunOnce: [iead.exe] C:\WINDOWS\system32\iead.exe
O4 - HKLM\..\RunOnce: [javaep.exe] C:\WINDOWS\javaep.exe
O4 - HKLM\..\RunOnce: [atlkm.exe] C:\WINDOWS\system32\atlkm.exe
O4 - HKLM\..\RunOnce: [sysiz.exe] C:\WINDOWS\sysiz.exe
O4 - HKLM\..\RunOnce: [mfcmd.exe] C:\WINDOWS\system32\mfcmd.exe
O4 - HKLM\..\RunOnce: [crnl.exe] C:\WINDOWS\system32\crnl.exe
O4 - HKLM\..\RunOnce: [d3vb32.exe] C:\WINDOWS\d3vb32.exe
O4 - HKLM\..\RunOnce: [winhw.exe] C:\WINDOWS\system32\winhw.exe
O4 - HKLM\..\RunOnce: [iext32.exe] C:\WINDOWS\system32\iext32.exe
O4 - HKLM\..\RunOnce: [appjf.exe] C:\WINDOWS\appjf.exe
O4 - HKLM\..\RunOnce: [addkf32.exe] C:\WINDOWS\system32\addkf32.exe
O4 - HKLM\..\RunOnce: [addez.exe] C:\WINDOWS\addez.exe
O4 - HKLM\..\RunOnce: [javasv.exe] C:\WINDOWS\javasv.exe
O4 - HKLM\..\RunOnce: [apphy32.exe] C:\WINDOWS\apphy32.exe
O4 - HKLM\..\RunOnce: [ntck32.exe] C:\WINDOWS\system32\ntck32.exe
O4 - HKLM\..\RunOnce: [croo.exe] C:\WINDOWS\croo.exe
O4 - HKLM\..\RunOnce: [javapo32.exe] C:\WINDOWS\system32\javapo32.exe
O4 - HKLM\..\RunOnce: [sdkel.exe] C:\WINDOWS\sdkel.exe
O4 - HKLM\..\RunOnce: [javaji.exe] C:\WINDOWS\system32\javaji.exe
O4 - HKLM\..\RunOnce: [crrq.exe] C:\WINDOWS\system32\crrq.exe
O4 - HKLM\..\RunOnce: [nthf.exe] C:\WINDOWS\system32\nthf.exe
O4 - HKLM\..\RunOnce: [sdkgn.exe] C:\WINDOWS\system32\sdkgn.exe
O4 - HKLM\..\RunOnce: [winpv.exe] C:\WINDOWS\winpv.exe
O4 - HKLM\..\RunOnce: [mfclz32.exe] C:\WINDOWS\system32\mfclz32.exe
O4 - HKLM\..\RunOnce: [appiw32.exe] C:\WINDOWS\system32\appiw32.exe
O4 - HKLM\..\RunOnce: [addpt32.exe] C:\WINDOWS\addpt32.exe
O4 - HKLM\..\RunOnce: [d3uq32.exe] C:\WINDOWS\d3uq32.exe
O4 - HKLM\..\RunOnce: [javarl.exe] C:\WINDOWS\javarl.exe
O4 - HKLM\..\RunOnce: [mfcqs32.exe] C:\WINDOWS\mfcqs32.exe
O4 - HKLM\..\RunOnce: [crxh.exe] C:\WINDOWS\system32\crxh.exe
O4 - HKLM\..\RunOnce: [mswp32.exe] C:\WINDOWS\system32\mswp32.exe
O4 - HKLM\..\RunOnce: [winev32.exe] C:\WINDOWS\system32\winev32.exe
O4 - HKLM\..\RunOnce: [mfcwe32.exe] C:\WINDOWS\mfcwe32.exe
O4 - HKLM\..\RunOnce: [atlfu.exe] C:\WINDOWS\system32\atlfu.exe
O4 - HKLM\..\RunOnce: [apimk32.exe] C:\WINDOWS\apimk32.exe
O4 - HKLM\..\RunOnce: [addca32.exe] C:\WINDOWS\system32\addca32.exe
O4 - HKLM\..\RunOnce: [appki.exe] C:\WINDOWS\system32\appki.exe
O4 - HKLM\..\RunOnce: [javalo.exe] C:\WINDOWS\javalo.exe
O4 - HKLM\..\RunOnce: [apikd32.exe] C:\WINDOWS\apikd32.exe
O4 - HKLM\..\RunOnce: [addit.exe] C:\WINDOWS\system32\addit.exe
O4 - HKLM\..\RunOnce: [ipgg.exe] C:\WINDOWS\system32\ipgg.exe
O4 - HKLM\..\RunOnce: [msvv32.exe] C:\WINDOWS\msvv32.exe
O4 - HKLM\..\RunOnce: [wintd32.exe] C:\WINDOWS\wintd32.exe
O4 - HKLM\..\RunOnce: [ieoo.exe] C:\WINDOWS\ieoo.exe
O4 - HKLM\..\RunOnce: [sdkne32.exe] C:\WINDOWS\sdkne32.exe
O4 - HKLM\..\RunOnce: [apilc.exe] C:\WINDOWS\system32\apilc.exe
O4 - HKLM\..\RunOnce: [appsh.exe] C:\WINDOWS\appsh.exe
O4 - HKLM\..\RunOnce: [d3rx32.exe] C:\WINDOWS\d3rx32.exe
O4 - HKLM\..\RunOnce: [nthm32.exe] C:\WINDOWS\system32\nthm32.exe
O4 - HKLM\..\RunOnce: [atlad.exe] C:\WINDOWS\atlad.exe
O4 - HKLM\..\RunOnce: [syslm32.exe] C:\WINDOWS\syslm32.exe
O4 - HKLM\..\RunOnce: [winsu.exe] C:\WINDOWS\winsu.exe



When all items have been selected, click Fix checked and EXIT the program.


4. REBOOT into SAFE MODE

5. Using Windows Explorer, locate and DELETE all the files from the above entries. (The purpose of this right now is to make the log more manageable)

6. REBOOT back into Normal Windows Mode

7. Run HJT, SCAN, produce a log and post it into this thread (using Firefox).


From this moment on, you are not to use Internet Explorer for any reason, Reboot, turn off your machine or disconnect from the web. Your surfing will have to be restricted to checking for my reply.

Good Luck,

Trevuren
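The O4 list above is long enough that working through it by hand invites mistakes, so here is an added example (not HijackThis code, and not the helper's own tooling) that parses O4 lines in the format HijackThis writes, separates the machine-generated names from ordinary autostart entries, and drafts the registry and file removals that steps 3 to 5 perform. The naming heuristic is an assumption derived from the entries listed in the post: a short prefix (sys, ip, mfc, api, java, d3, and so on), two random letters, an optional "32", and an .exe sitting directly in C:\WINDOWS or C:\WINDOWS\system32. The sample log lines are constructed for the example.

```python
"""Triage HijackThis O4 lines and draft the cleanup the post describes.

Added example, not HijackThis code and not the helper's tooling. The naming
heuristic below is an assumption derived from the entries listed in the post
(prefix + two random letters + optional "32" + .exe, bare in WINDOWS or
system32); it is a triage aid, not a vendor signature. Verify every hit.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# HijackThis abbreviates HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
# to "HKLM\..\RunOnce"; expand it again when drafting reg.exe commands.
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"

# Only the two hives that appear in the posted log are handled here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Assumption: prefixes observed in the post's O4 list. Longer prefixes come
# first so "net" is tried before "nt".
RANDOM_NAME_RE = re.compile(
    r"^(java|mfc|api|app|net|win|sdk|add|atl|sys|ip|nt|d3|cr|ie|ms)"
    r"[a-z]{2}(32)?\.exe$",
    re.IGNORECASE,
)
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed sample: three entries in the shape of the post's list, plus two
# ordinary autostart entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [sysve32.exe] C:\WINDOWS\sysve32.exe
O4 - HKLM\..\RunOnce: [ippq32.exe] C:\WINDOWS\system32\ippq32.exe
O4 - HKLM\..\RunOnce: [javahf.exe] C:\WINDOWS\javahf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one O4 line into hive, key, value name and command; None if not O4."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def command_path(cmd: str) -> str:
    """Return the executable path from an autostart command, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    m = re.search(r"\.exe(?=\s|$)", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd


def looks_like_random_dropper(path: str) -> bool:
    """Heuristic: generated-looking name sitting bare in WINDOWS or system32.

    Location alone is not enough (ctfmon.exe lives in system32 too), and the
    name pattern alone could hit a short legitimate name, so both must match.
    """
    directory = ntpath.dirname(path).lower()
    name = ntpath.basename(path)
    return directory in DROP_DIRS and bool(RANDOM_NAME_RE.match(name))


def triage(log_text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (flagged, unflagged) O4 entries, each with a resolved 'path'."""
    flagged: List[Dict[str, str]] = []
    unflagged: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        entry["path"] = command_path(entry["cmd"])
        (flagged if looks_like_random_dropper(entry["path"]) else unflagged).append(entry)
    return flagged, unflagged


def cleanup_commands(flagged: List[Dict[str, str]]) -> List[str]:
    """Draft what 'Fix checked' (registry values) and the Safe Mode file
    deletion amount to, as reg.exe and del commands to review before running."""
    cmds = []
    for e in flagged:
        key = f'{e["hive"]}\\{CURRENT_VERSION}\\{e["key"]}'
        cmds.append(f'reg delete "{key}" /v "{e["name"]}" /f')
    for e in flagged:
        cmds.append(f'del /f /a "{e["path"]}"')
    return cmds


if __name__ == "__main__":
    hits, rest = triage(SAMPLE_LOG)
    print(f"{len(hits)} flagged, {len(rest)} left alone")
    for c in cleanup_commands(hits):
        print(c)
```

Feed it a full HijackThis log and it prints the drafted commands; they are meant to be read against the O4 list first, then run in Safe Mode on the infected machine, where the files are not held open by a running copy. Anything the heuristic flags that is not on the helper's list should be checked by hand rather than deleted on the strength of a name pattern.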