Need help unwanted popups and random dlls [CLOSED]



#1
JakeandBake

Hi and thank you for your time. I have tried various programs and such to get rid of this, but it's just not cutting it.

Logfile of HijackThis v1.99.1
Scan saved at 11:43:58 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\sdkbb32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\AOL\1121116134\ee\AOLServiceHost.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\AOL\1121116134\ee\AOLHostManager.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Common Files\AOL\1121116134\ee\AOLServiceHost.exe
C:\PROGRA~1\COMMON~1\Nullsoft\ActiveX\2.4\AOLMediaPlaybackControl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jake\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {9AC37E11-63C7-D3E6-8EAE-1319DCCFBDC1} - C:\WINDOWS\ntti32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sdkbb32.exe] C:\WINDOWS\system32\sdkbb32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [mfcjf.exe] C:\WINDOWS\mfcjf.exe
O4 - HKLM\..\RunOnce: [ieux.exe] C:\WINDOWS\system32\ieux.exe
O4 - HKLM\..\RunOnce: [syspn32.exe] C:\WINDOWS\system32\syspn32.exe
O4 - HKLM\..\RunOnce: [netla32.exe] C:\WINDOWS\system32\netla32.exe
O4 - HKLM\..\RunOnce: [sdkdx.exe] C:\WINDOWS\sdkdx.exe
O4 - HKLM\..\RunOnce: [crlb.exe] C:\WINDOWS\system32\crlb.exe
O4 - HKLM\..\RunOnce: [syshf32.exe] C:\WINDOWS\syshf32.exe
O4 - HKLM\..\RunOnce: [netkr32.exe] C:\WINDOWS\system32\netkr32.exe
O4 - HKLM\..\RunOnce: [d3cn.exe] C:\WINDOWS\system32\d3cn.exe
O4 - HKLM\..\RunOnce: [apizl.exe] C:\WINDOWS\apizl.exe
O4 - HKLM\..\RunOnce: [atltr.exe] C:\WINDOWS\system32\atltr.exe
O4 - HKLM\..\RunOnce: [msvi32.exe] C:\WINDOWS\msvi32.exe
O4 - HKLM\..\RunOnce: [crjs.exe] C:\WINDOWS\system32\crjs.exe
O4 - HKLM\..\RunOnce: [sdkby.exe] C:\WINDOWS\system32\sdkby.exe
O4 - HKLM\..\RunOnce: [javamj32.exe] C:\WINDOWS\system32\javamj32.exe
O4 - HKLM\..\RunOnce: [atldi.exe] C:\WINDOWS\atldi.exe
O4 - HKLM\..\RunOnce: [appkk.exe] C:\WINDOWS\system32\appkk.exe
O4 - HKLM\..\RunOnce: [ipuj.exe] C:\WINDOWS\ipuj.exe
O4 - HKLM\..\RunOnce: [crmj.exe] C:\WINDOWS\crmj.exe
O4 - HKLM\..\RunOnce: [msmp32.exe] C:\WINDOWS\system32\msmp32.exe
O4 - HKLM\..\RunOnce: [javabe32.exe] C:\WINDOWS\system32\javabe32.exe
O4 - HKLM\..\RunOnce: [apimx.exe] C:\WINDOWS\apimx.exe
O4 - HKLM\..\RunOnce: [ntld.exe] C:\WINDOWS\system32\ntld.exe
O4 - HKLM\..\RunOnce: [appmo32.exe] C:\WINDOWS\system32\appmo32.exe
O4 - HKLM\..\RunOnce: [apphf32.exe] C:\WINDOWS\system32\apphf32.exe
O4 - HKLM\..\RunOnce: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [msji.exe] C:\WINDOWS\msji.exe
O4 - HKLM\..\RunOnce: [craj32.exe] C:\WINDOWS\system32\craj32.exe
O4 - HKLM\..\RunOnce: [atlyx.exe] C:\WINDOWS\atlyx.exe
O4 - HKLM\..\RunOnce: [javabt.exe] C:\WINDOWS\javabt.exe
O4 - HKLM\..\RunOnce: [ntwf32.exe] C:\WINDOWS\system32\ntwf32.exe
O4 - HKLM\..\RunOnce: [apics32.exe] C:\WINDOWS\system32\apics32.exe
O4 - HKLM\..\RunOnce: [sysfn32.exe] C:\WINDOWS\system32\sysfn32.exe
O4 - HKLM\..\RunOnce: [sdklh.exe] C:\WINDOWS\sdklh.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121112441459
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\sdklh.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#2
kool808

Hello and welcome to Geeks to Go! I'm kool808 and I will be helping you today.

I am working on your log. As soon as I have made a good fix for this, I will post a reply. Thank you for your patience.

#3
kool808

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - do NOT run them yet!!

1.) Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Do NOT run it yet.

2.) Please download and install AD-Aware.
Please follow these download and setup instructions, otherwise, check for updates: Ad-Aware SE Setup
Do NOT run the scan yet!

3.) Download and unzip HSfix to your desktop. HERE (It will extract a file called cwsserviceremove.reg)

4.) Please Download the stand-alone version of CoolWebShredder

5.) Click HERE to download Pocket Killbox by Option^Explicit. Extract it from the zip file to your desktop. Do NOT run it yet.

Be sure to View Hidden and System Files.

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click HERE to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

11F#`I


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.

2. Reboot in SAFE MODE. (How to boot in Safe Mode...)

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

C:\WINDOWS\system32\sdkbb32.exe

If you find the files, click on them, and then click End Process => Exit the Task Manager.


4. We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {9AC37E11-63C7-D3E6-8EAE-1319DCCFBDC1} - C:\WINDOWS\ntti32.dll

O4 - HKLM\..\RunOnce: [mfcjf.exe] C:\WINDOWS\mfcjf.exe
O4 - HKLM\..\RunOnce: [ieux.exe] C:\WINDOWS\system32\ieux.exe
O4 - HKLM\..\RunOnce: [syspn32.exe] C:\WINDOWS\system32\syspn32.exe
O4 - HKLM\..\RunOnce: [netla32.exe] C:\WINDOWS\system32\netla32.exe
O4 - HKLM\..\RunOnce: [sdkdx.exe] C:\WINDOWS\sdkdx.exe
O4 - HKLM\..\RunOnce: [crlb.exe] C:\WINDOWS\system32\crlb.exe
O4 - HKLM\..\RunOnce: [syshf32.exe] C:\WINDOWS\syshf32.exe
O4 - HKLM\..\RunOnce: [netkr32.exe] C:\WINDOWS\system32\netkr32.exe
O4 - HKLM\..\RunOnce: [d3cn.exe] C:\WINDOWS\system32\d3cn.exe
O4 - HKLM\..\RunOnce: [apizl.exe] C:\WINDOWS\apizl.exe
O4 - HKLM\..\RunOnce: [atltr.exe] C:\WINDOWS\system32\atltr.exe
O4 - HKLM\..\RunOnce: [msvi32.exe] C:\WINDOWS\msvi32.exe
O4 - HKLM\..\RunOnce: [crjs.exe] C:\WINDOWS\system32\crjs.exe
O4 - HKLM\..\RunOnce: [sdkby.exe] C:\WINDOWS\system32\sdkby.exe
O4 - HKLM\..\RunOnce: [javamj32.exe] C:\WINDOWS\system32\javamj32.exe
O4 - HKLM\..\RunOnce: [atldi.exe] C:\WINDOWS\atldi.exe
O4 - HKLM\..\RunOnce: [appkk.exe] C:\WINDOWS\system32\appkk.exe
O4 - HKLM\..\RunOnce: [ipuj.exe] C:\WINDOWS\ipuj.exe
O4 - HKLM\..\RunOnce: [crmj.exe] C:\WINDOWS\crmj.exe
O4 - HKLM\..\RunOnce: [msmp32.exe] C:\WINDOWS\system32\msmp32.exe
O4 - HKLM\..\RunOnce: [javabe32.exe] C:\WINDOWS\system32\javabe32.exe
O4 - HKLM\..\RunOnce: [apimx.exe] C:\WINDOWS\apimx.exe
O4 - HKLM\..\RunOnce: [ntld.exe] C:\WINDOWS\system32\ntld.exe
O4 - HKLM\..\RunOnce: [appmo32.exe] C:\WINDOWS\system32\appmo32.exe
O4 - HKLM\..\RunOnce: [apphf32.exe] C:\WINDOWS\system32\apphf32.exe
O4 - HKLM\..\RunOnce: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [msji.exe] C:\WINDOWS\msji.exe
O4 - HKLM\..\RunOnce: [craj32.exe] C:\WINDOWS\system32\craj32.exe
O4 - HKLM\..\RunOnce: [atlyx.exe] C:\WINDOWS\atlyx.exe
O4 - HKLM\..\RunOnce: [javabt.exe] C:\WINDOWS\javabt.exe
O4 - HKLM\..\RunOnce: [ntwf32.exe] C:\WINDOWS\system32\ntwf32.exe
O4 - HKLM\..\RunOnce: [apics32.exe] C:\WINDOWS\system32\apics32.exe
O4 - HKLM\..\RunOnce: [sysfn32.exe] C:\WINDOWS\system32\sysfn32.exe
O4 - HKLM\..\RunOnce: [sdklh.exe] C:\WINDOWS\sdklh.exe

O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\sdklh.exe


Make sure to double check the items you have selected, then click Fix Checked.


5. Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • C:\WINDOWS\system32\mtvwh.dll
  • C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
  • C:\WINDOWS\ntti32.dll
  • C:\WINDOWS\mfcjf.exe
  • C:\WINDOWS\system32\ieux.exe
  • C:\WINDOWS\system32\syspn32.exe
  • C:\WINDOWS\system32\netla32.exe
  • C:\WINDOWS\sdkdx.exe
  • C:\WINDOWS\system32\crlb.exe
  • C:\WINDOWS\syshf32.exe
  • C:\WINDOWS\system32\netkr32.exe
  • C:\WINDOWS\system32\d3cn.exe
  • C:\WINDOWS\apizl.exe
  • C:\WINDOWS\system32\atltr.exe
  • C:\WINDOWS\msvi32.exe
  • C:\WINDOWS\system32\crjs.exe
  • C:\WINDOWS\system32\sdkby.exe
  • C:\WINDOWS\system32\javamj32.exe
  • C:\WINDOWS\atldi.exe
  • C:\WINDOWS\system32\appkk.exe
  • C:\WINDOWS\ipuj.exe
  • C:\WINDOWS\crmj.exe
  • C:\WINDOWS\system32\msmp32.exe
  • C:\WINDOWS\system32\javabe32.exe
  • C:\WINDOWS\apimx.exe
  • C:\WINDOWS\system32\ntld.exe
  • C:\WINDOWS\system32\appmo32.exe
  • C:\WINDOWS\system32\apphf32.exe
  • C:\WINDOWS\ipzc.exe
  • C:\WINDOWS\msji.exe
  • C:\WINDOWS\system32\craj32.exe
  • C:\WINDOWS\atlyx.exe
  • C:\WINDOWS\javabt.exe
  • C:\WINDOWS\system32\ntwf32.exe
  • C:\WINDOWS\system32\apics32.exe
  • C:\WINDOWS\system32\sysfn32.exe
  • C:\WINDOWS\sdklh.exe
  • C:\WINDOWS\sdklh.exe
Finally, Empty Recycle Bin

6. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster http://www.funkytoad.com/download/hoster.zip
DO NOT run the program yet.

Unzip Host to your desktop.

Open up the Host program folder, then double-click Hoster.exe.
  • Make sure that the instruction found in the upper right corner is labeled "Your Host file is editable. Click button to right to make your Hosts file Read-only" and is in green. Otherwise, if the label is RED, click the button right beside it to change the label and color back to GREEN.
  • Click back-up Host files
  • then click Restore original host files
  • close program
13. Download and run this online virus scan:
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean"
===================================================
To make sure everything has been deleted, select all files found in this quote then copy all of them. Paste them in Notepad then save as killbox.txt.

C:\WINDOWS\system32\mtvwh.dll
C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
C:\WINDOWS\ntti32.dll
C:\WINDOWS\mfcjf.exe
C:\WINDOWS\system32\ieux.exe
C:\WINDOWS\system32\syspn32.exe
C:\WINDOWS\system32\netla32.exe
C:\WINDOWS\sdkdx.exe
C:\WINDOWS\system32\crlb.exe
C:\WINDOWS\syshf32.exe
C:\WINDOWS\system32\netkr32.exe
C:\WINDOWS\system32\d3cn.exe
C:\WINDOWS\apizl.exe
C:\WINDOWS\system32\atltr.exe
C:\WINDOWS\msvi32.exe
C:\WINDOWS\system32\crjs.exe
C:\WINDOWS\system32\sdkby.exe
C:\WINDOWS\system32\javamj32.exe
C:\WINDOWS\atldi.exe
C:\WINDOWS\system32\appkk.exe
C:\WINDOWS\ipuj.exe
C:\WINDOWS\crmj.exe
C:\WINDOWS\system32\msmp32.exe
C:\WINDOWS\system32\javabe32.exe
C:\WINDOWS\apimx.exe
C:\WINDOWS\system32\ntld.exe
C:\WINDOWS\system32\appmo32.exe
C:\WINDOWS\system32\apphf32.exe
C:\WINDOWS\ipzc.exe
C:\WINDOWS\msji.exe
C:\WINDOWS\system32\craj32.exe
C:\WINDOWS\atlyx.exe
C:\WINDOWS\javabt.exe
C:\WINDOWS\system32\ntwf32.exe
C:\WINDOWS\system32\apics32.exe
C:\WINDOWS\system32\sysfn32.exe
C:\WINDOWS\sdklh.exe
C:\WINDOWS\sdklh.exe



Run Killbox.exe.

* Select "Delete on Reboot".

* Open the notepad you saved earlier. Go to Edit > Select All to select all file paths in the notepad, then press CTRL + C which will copy all of them to the clipboard.

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

After the computer has restarted, continue with the rest of the instructions:
=======================================
To make sure it is perfectly clean let us have the final check.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Please tell me how your system is working now.
Good Luck!

Edited by kool808, 17 July 2005 - 06:42 AM.
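
The fix list in post #3 was put together by reading the log by hand. As an added example (not part of the thread and not HijackThis's own logic), the Python below runs three assumed triage heuristics over a subset of lines copied from the log in post #1: a `res://` search page served from a local DLL, a RunOnce value named after its own executable, and a service whose owner is reported as unknown. It then cross-references image paths that show up in more than one section.

```python
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mtvwh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [mfcjf.exe] C:\WINDOWS\mfcjf.exe
O4 - HKLM\..\RunOnce: [sdklh.exe] C:\WINDOWS\sdklh.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\sdklh.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY = re.compile(r"^([RO]\d+) - (.+)$")                    # section code, rest of line
IMAGE = re.compile(r"[A-Za-z]:\\[^/:*?\"<>|]*?\.(?:exe|dll)", re.IGNORECASE)
RUNONCE = re.compile(r"\\RunOnce: \[([^\]]+)\]")             # captures the value name


def triage(log_text):
    """Map each image path to the reasons it deserves a closer look.

    The rules are this example's own heuristics and only rank entries
    for a human reviewer; they do not decide what is malicious.
    """
    findings = defaultdict(list)
    seen_in = defaultdict(set)      # image path -> section codes that reference it
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue                # header, process list or blank line
        code, body = m.groups()
        img = IMAGE.search(body)
        if not img:
            continue                # entry carries no full path to an .exe/.dll
        path = img.group(0).lower()
        seen_in[path].add(code)
        if code in ("R0", "R1") and "res://" in body:
            findings[path].append("IE search page served from a local DLL resource")
        run_once = RUNONCE.search(body)
        if code == "O4" and run_once and path.endswith("\\" + run_once.group(1).lower()):
            findings[path].append("RunOnce value named after its own executable")
        if code == "O23" and "- Unknown owner -" in body:
            findings[path].append("service whose owner HijackThis reports as unknown")
    for path, codes in seen_in.items():
        if len(codes) > 1:
            findings[path].append("referenced from several sections: " + ", ".join(sorted(codes)))
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On these lines the only image that trips every rule is `C:\WINDOWS\sdklh.exe`, which is registered both as a RunOnce value and as the binary behind the `11F#`I` service that the fix disables first.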


#4
kool808

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.