
AVGold, about:blank infection [CLOSED]


This topic is locked

#1
Ordano (New Member, 4 posts)
Yesterday I got hit with an AVGold infection. I tried to remove it myself and failed miserably. I removed AVGold (Add/Remove Programs) and deleted the directory left behind. I also managed to fix the black background placed over my Desktop. I can't seem to shake the browser hijack, though. I already have Service Pack 2 installed for Windows XP... Here is my log; can anyone help?


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\sysdr32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\omglk.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\omglk.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\omglk.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\omglk.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\omglk.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\omglk.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\omglk.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2C874D56-A88C-3E88-B23F-99BEE8C67943} - C:\WINDOWS\ipji.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sysdr32.exe] C:\WINDOWS\system32\sysdr32.exe
O4 - HKLM\..\RunOnce: [ipji.exe] C:\WINDOWS\ipji.exe
O4 - HKLM\..\RunOnce: [addxk32.exe] C:\WINDOWS\addxk32.exe
O4 - HKLM\..\RunOnce: [d3bh32.exe] C:\WINDOWS\d3bh32.exe
O4 - HKLM\..\RunOnce: [nethj.exe] C:\WINDOWS\system32\nethj.exe
O4 - HKLM\..\RunOnce: [appws.exe] C:\WINDOWS\appws.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121317290237
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


#2
Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi Ordano, and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in, go to Geeks to Go and do so. Then proceed to item a.

If you have already logged in, go directly to item a.

a. Click on My Controls at the top right-hand corner of the window.
b. In the left-hand column, click "View Topics".
c. If you click on the title of your post, you will be taken there.

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
Where it says "unsubscribe", click the pull-down menu and select "immediate email notification".

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

NOTE: You forgot to post the whole top half of your log last time. We need both parts to complete our analysis.


Regards,

Trevuren


#3
Ordano (Topic Starter, New Member, 4 posts)
Thanks for the help, I did everything you said. Here is the log in its entirety:

Logfile of HijackThis v1.99.1
Scan saved at 7:44:44 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\sysdr32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2C874D56-A88C-3E88-B23F-99BEE8C67943} - C:\WINDOWS\ipji.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sysdr32.exe] C:\WINDOWS\system32\sysdr32.exe
O4 - HKLM\..\RunOnce: [ipji.exe] C:\WINDOWS\ipji.exe
O4 - HKLM\..\RunOnce: [addxk32.exe] C:\WINDOWS\addxk32.exe
O4 - HKLM\..\RunOnce: [d3bh32.exe] C:\WINDOWS\d3bh32.exe
O4 - HKLM\..\RunOnce: [nethj.exe] C:\WINDOWS\system32\nethj.exe
O4 - HKLM\..\RunOnce: [appws.exe] C:\WINDOWS\appws.exe
O4 - HKLM\..\RunOnce: [sdkvt.exe] C:\WINDOWS\system32\sdkvt.exe
O4 - HKLM\..\RunOnce: [addbw32.exe] C:\WINDOWS\system32\addbw32.exe
O4 - HKLM\..\RunOnce: [atlom32.exe] C:\WINDOWS\atlom32.exe
O4 - HKLM\..\RunOnce: [mstp32.exe] C:\WINDOWS\system32\mstp32.exe
O4 - HKLM\..\RunOnce: [msho32.exe] C:\WINDOWS\msho32.exe
O4 - HKLM\..\RunOnce: [ipmi.exe] C:\WINDOWS\ipmi.exe
O4 - HKLM\..\RunOnce: [addmq32.exe] C:\WINDOWS\addmq32.exe
O4 - HKLM\..\RunOnce: [ntse.exe] C:\WINDOWS\system32\ntse.exe
O4 - HKLM\..\RunOnce: [javarm.exe] C:\WINDOWS\system32\javarm.exe
O4 - HKLM\..\RunOnce: [iekn.exe] C:\WINDOWS\system32\iekn.exe
O4 - HKLM\..\RunOnce: [ipbn32.exe] C:\WINDOWS\system32\ipbn32.exe
O4 - HKLM\..\RunOnce: [iepc32.exe] C:\WINDOWS\system32\iepc32.exe
O4 - HKLM\..\RunOnce: [ippk.exe] C:\WINDOWS\ippk.exe
O4 - HKLM\..\RunOnce: [atltw.exe] C:\WINDOWS\atltw.exe
O4 - HKLM\..\RunOnce: [sdkil32.exe] C:\WINDOWS\system32\sdkil32.exe
O4 - HKLM\..\RunOnce: [mszs32.exe] C:\WINDOWS\system32\mszs32.exe
O4 - HKLM\..\RunOnce: [crcw.exe] C:\WINDOWS\system32\crcw.exe
O4 - HKLM\..\RunOnce: [apibm32.exe] C:\WINDOWS\system32\apibm32.exe
O4 - HKLM\..\RunOnce: [addrb32.exe] C:\WINDOWS\addrb32.exe
O4 - HKLM\..\RunOnce: [apprj.exe] C:\WINDOWS\apprj.exe
O4 - HKLM\..\RunOnce: [addar.exe] C:\WINDOWS\system32\addar.exe
O4 - HKLM\..\RunOnce: [netpg32.exe] C:\WINDOWS\netpg32.exe
O4 - HKLM\..\RunOnce: [javano32.exe] C:\WINDOWS\javano32.exe
O4 - HKLM\..\RunOnce: [ntis.exe] C:\WINDOWS\system32\ntis.exe
O4 - HKLM\..\RunOnce: [apphh32.exe] C:\WINDOWS\apphh32.exe
O4 - HKLM\..\RunOnce: [ieyx.exe] C:\WINDOWS\system32\ieyx.exe
O4 - HKLM\..\RunOnce: [sdkxm32.exe] C:\WINDOWS\system32\sdkxm32.exe
O4 - HKLM\..\RunOnce: [apivc32.exe] C:\WINDOWS\apivc32.exe
O4 - HKLM\..\RunOnce: [apivk32.exe] C:\WINDOWS\apivk32.exe
O4 - HKLM\..\RunOnce: [javaek32.exe] C:\WINDOWS\system32\javaek32.exe
O4 - HKLM\..\RunOnce: [atlek.exe] C:\WINDOWS\atlek.exe
O4 - HKLM\..\RunOnce: [sysix.exe] C:\WINDOWS\system32\sysix.exe
O4 - HKLM\..\RunOnce: [apixm32.exe] C:\WINDOWS\apixm32.exe
O4 - HKLM\..\RunOnce: [sysrf32.exe] C:\WINDOWS\sysrf32.exe
O4 - HKLM\..\RunOnce: [winrv32.exe] C:\WINDOWS\winrv32.exe
O4 - HKLM\..\RunOnce: [apian32.exe] C:\WINDOWS\apian32.exe
O4 - HKLM\..\RunOnce: [msav32.exe] C:\WINDOWS\system32\msav32.exe
O4 - HKLM\..\RunOnce: [atldh32.exe] C:\WINDOWS\system32\atldh32.exe
O4 - HKLM\..\RunOnce: [netil.exe] C:\WINDOWS\netil.exe
O4 - HKLM\..\RunOnce: [apirm32.exe] C:\WINDOWS\system32\apirm32.exe
O4 - HKLM\..\RunOnce: [mfcxj.exe] C:\WINDOWS\mfcxj.exe
O4 - HKLM\..\RunOnce: [apilf.exe] C:\WINDOWS\apilf.exe
O4 - HKLM\..\RunOnce: [ieqc.exe] C:\WINDOWS\system32\ieqc.exe
O4 - HKLM\..\RunOnce: [netln.exe] C:\WINDOWS\netln.exe
O4 - HKLM\..\RunOnce: [atlac.exe] C:\WINDOWS\atlac.exe
O4 - HKLM\..\RunOnce: [ielv32.exe] C:\WINDOWS\system32\ielv32.exe
O4 - HKLM\..\RunOnce: [wineg.exe] C:\WINDOWS\wineg.exe
O4 - HKLM\..\RunOnce: [mfcak.exe] C:\WINDOWS\mfcak.exe
O4 - HKLM\..\RunOnce: [ntsl32.exe] C:\WINDOWS\ntsl32.exe
O4 - HKLM\..\RunOnce: [crjt.exe] C:\WINDOWS\crjt.exe
O4 - HKLM\..\RunOnce: [sysnx32.exe] C:\WINDOWS\sysnx32.exe
O4 - HKLM\..\RunOnce: [mswx.exe] C:\WINDOWS\mswx.exe
O4 - HKLM\..\RunOnce: [mscu32.exe] C:\WINDOWS\mscu32.exe
O4 - HKLM\..\RunOnce: [msqr32.exe] C:\WINDOWS\system32\msqr32.exe
O4 - HKLM\..\RunOnce: [ipvn32.exe] C:\WINDOWS\ipvn32.exe
O4 - HKLM\..\RunOnce: [ieqz32.exe] C:\WINDOWS\system32\ieqz32.exe
O4 - HKLM\..\RunOnce: [addvd.exe] C:\WINDOWS\addvd.exe
O4 - HKLM\..\RunOnce: [sysed32.exe] C:\WINDOWS\system32\sysed32.exe
O4 - HKLM\..\RunOnce: [syssa32.exe] C:\WINDOWS\syssa32.exe
O4 - HKLM\..\RunOnce: [sdkxw32.exe] C:\WINDOWS\system32\sdkxw32.exe
O4 - HKLM\..\RunOnce: [syssi32.exe] C:\WINDOWS\syssi32.exe
O4 - HKLM\..\RunOnce: [javarw32.exe] C:\WINDOWS\javarw32.exe
O4 - HKLM\..\RunOnce: [mfclp32.exe] C:\WINDOWS\system32\mfclp32.exe
O4 - HKLM\..\RunOnce: [apitf32.exe] C:\WINDOWS\system32\apitf32.exe
O4 - HKLM\..\RunOnce: [javaux32.exe] C:\WINDOWS\javaux32.exe
O4 - HKLM\..\RunOnce: [appcf.exe] C:\WINDOWS\system32\appcf.exe
O4 - HKLM\..\RunOnce: [sysyr.exe] C:\WINDOWS\sysyr.exe
O4 - HKLM\..\RunOnce: [mfcvh32.exe] C:\WINDOWS\system32\mfcvh32.exe
O4 - HKLM\..\RunOnce: [ntmo32.exe] C:\WINDOWS\system32\ntmo32.exe
O4 - HKLM\..\RunOnce: [neths.exe] C:\WINDOWS\neths.exe
O4 - HKLM\..\RunOnce: [wingh32.exe] C:\WINDOWS\wingh32.exe
O4 - HKLM\..\RunOnce: [d3ex32.exe] C:\WINDOWS\system32\d3ex32.exe
O4 - HKLM\..\RunOnce: [msef.exe] C:\WINDOWS\system32\msef.exe
O4 - HKLM\..\RunOnce: [d3nn.exe] C:\WINDOWS\d3nn.exe
O4 - HKLM\..\RunOnce: [appcc32.exe] C:\WINDOWS\system32\appcc32.exe
O4 - HKLM\..\RunOnce: [apisk32.exe] C:\WINDOWS\system32\apisk32.exe
O4 - HKLM\..\RunOnce: [atlnn.exe] C:\WINDOWS\system32\atlnn.exe
O4 - HKLM\..\RunOnce: [iemd32.exe] C:\WINDOWS\system32\iemd32.exe
O4 - HKLM\..\RunOnce: [sdklt.exe] C:\WINDOWS\sdklt.exe
O4 - HKLM\..\RunOnce: [mfcji32.exe] C:\WINDOWS\mfcji32.exe
O4 - HKLM\..\RunOnce: [winay32.exe] C:\WINDOWS\system32\winay32.exe
O4 - HKLM\..\RunOnce: [addig32.exe] C:\WINDOWS\system32\addig32.exe
O4 - HKLM\..\RunOnce: [netrg32.exe] C:\WINDOWS\netrg32.exe
O4 - HKLM\..\RunOnce: [ierg.exe] C:\WINDOWS\ierg.exe
O4 - HKLM\..\RunOnce: [crvs.exe] C:\WINDOWS\crvs.exe
O4 - HKLM\..\RunOnce: [winki32.exe] C:\WINDOWS\system32\winki32.exe
O4 - HKLM\..\RunOnce: [mfcbp32.exe] C:\WINDOWS\system32\mfcbp32.exe
O4 - HKLM\..\RunOnce: [appwb.exe] C:\WINDOWS\system32\appwb.exe
O4 - HKLM\..\RunOnce: [d3vi32.exe] C:\WINDOWS\system32\d3vi32.exe
O4 - HKLM\..\RunOnce: [ntty32.exe] C:\WINDOWS\ntty32.exe
O4 - HKLM\..\RunOnce: [sdkto.exe] C:\WINDOWS\sdkto.exe
O4 - HKLM\..\RunOnce: [ntco.exe] C:\WINDOWS\system32\ntco.exe
O4 - HKLM\..\RunOnce: [ierd.exe] C:\WINDOWS\ierd.exe
O4 - HKLM\..\RunOnce: [crgs32.exe] C:\WINDOWS\crgs32.exe
O4 - HKLM\..\RunOnce: [d3ae.exe] C:\WINDOWS\system32\d3ae.exe
O4 - HKLM\..\RunOnce: [winwi32.exe] C:\WINDOWS\system32\winwi32.exe
O4 - HKLM\..\RunOnce: [iefi.exe] C:\WINDOWS\system32\iefi.exe
O4 - HKLM\..\RunOnce: [apioq32.exe] C:\WINDOWS\system32\apioq32.exe
O4 - HKLM\..\RunOnce: [atlju32.exe] C:\WINDOWS\system32\atlju32.exe
O4 - HKLM\..\RunOnce: [iphs.exe] C:\WINDOWS\system32\iphs.exe
O4 - HKLM\..\RunOnce: [winno32.exe] C:\WINDOWS\winno32.exe
O4 - HKLM\..\RunOnce: [appgh32.exe] C:\WINDOWS\system32\appgh32.exe
O4 - HKLM\..\RunOnce: [d3le32.exe] C:\WINDOWS\system32\d3le32.exe
O4 - HKLM\..\RunOnce: [atlgp.exe] C:\WINDOWS\system32\atlgp.exe
O4 - HKLM\..\RunOnce: [syskb32.exe] C:\WINDOWS\syskb32.exe
O4 - HKLM\..\RunOnce: [crij.exe] C:\WINDOWS\system32\crij.exe
O4 - HKLM\..\RunOnce: [nethz32.exe] C:\WINDOWS\system32\nethz32.exe
O4 - HKLM\..\RunOnce: [appxo32.exe] C:\WINDOWS\appxo32.exe
O4 - HKLM\..\RunOnce: [appfw.exe] C:\WINDOWS\appfw.exe
O4 - HKLM\..\RunOnce: [addge.exe] C:\WINDOWS\system32\addge.exe
O4 - HKLM\..\RunOnce: [ipvt32.exe] C:\WINDOWS\ipvt32.exe
O4 - HKLM\..\RunOnce: [javatb32.exe] C:\WINDOWS\javatb32.exe
O4 - HKLM\..\RunOnce: [ntpf.exe] C:\WINDOWS\ntpf.exe
O4 - HKLM\..\RunOnce: [atlou32.exe] C:\WINDOWS\atlou32.exe
O4 - HKLM\..\RunOnce: [sysek.exe] C:\WINDOWS\system32\sysek.exe
O4 - HKLM\..\RunOnce: [sdkdz32.exe] C:\WINDOWS\system32\sdkdz32.exe
O4 - HKLM\..\RunOnce: [apibp32.exe] C:\WINDOWS\apibp32.exe
O4 - HKLM\..\RunOnce: [netbx32.exe] C:\WINDOWS\netbx32.exe
O4 - HKLM\..\RunOnce: [crkx32.exe] C:\WINDOWS\system32\crkx32.exe
O4 - HKLM\..\RunOnce: [atlkx.exe] C:\WINDOWS\atlkx.exe
O4 - HKLM\..\RunOnce: [appia.exe] C:\WINDOWS\appia.exe
O4 - HKLM\..\RunOnce: [crha32.exe] C:\WINDOWS\crha32.exe
O4 - HKLM\..\RunOnce: [appop32.exe] C:\WINDOWS\appop32.exe
O4 - HKLM\..\RunOnce: [crox32.exe] C:\WINDOWS\system32\crox32.exe
O4 - HKLM\..\RunOnce: [addrj32.exe] C:\WINDOWS\addrj32.exe
O4 - HKLM\..\RunOnce: [mfcvn.exe] C:\WINDOWS\system32\mfcvn.exe
O4 - HKLM\..\RunOnce: [atlen32.exe] C:\WINDOWS\atlen32.exe
O4 - HKLM\..\RunOnce: [applk.exe] C:\WINDOWS\system32\applk.exe
O4 - HKLM\..\RunOnce: [atlyh.exe] C:\WINDOWS\atlyh.exe
O4 - HKLM\..\RunOnce: [d3ed.exe] C:\WINDOWS\system32\d3ed.exe
O4 - HKLM\..\RunOnce: [mfcyp.exe] C:\WINDOWS\mfcyp.exe
O4 - HKLM\..\RunOnce: [addoe.exe] C:\WINDOWS\addoe.exe
O4 - HKLM\..\RunOnce: [d3yx32.exe] C:\WINDOWS\d3yx32.exe
O4 - HKLM\..\RunOnce: [mssi.exe] C:\WINDOWS\system32\mssi.exe
O4 - HKLM\..\RunOnce: [appnm.exe] C:\WINDOWS\appnm.exe
O4 - HKLM\..\RunOnce: [apign32.exe] C:\WINDOWS\system32\apign32.exe
O4 - HKLM\..\RunOnce: [sdkwu.exe] C:\WINDOWS\system32\sdkwu.exe
O4 - HKLM\..\RunOnce: [msay32.exe] C:\WINDOWS\msay32.exe
O4 - HKLM\..\RunOnce: [javakz.exe] C:\WINDOWS\system32\javakz.exe
O4 - HKLM\..\RunOnce: [crpv32.exe] C:\WINDOWS\crpv32.exe
O4 - HKLM\..\RunOnce: [javaes32.exe] C:\WINDOWS\system32\javaes32.exe
O4 - HKLM\..\RunOnce: [apijp32.exe] C:\WINDOWS\system32\apijp32.exe
O4 - HKLM\..\RunOnce: [crea32.exe] C:\WINDOWS\system32\crea32.exe
O4 - HKLM\..\RunOnce: [ieif.exe] C:\WINDOWS\ieif.exe
O4 - HKLM\..\RunOnce: [msrf32.exe] C:\WINDOWS\system32\msrf32.exe
O4 - HKLM\..\RunOnce: [d3gc32.exe] C:\WINDOWS\d3gc32.exe
O4 - HKLM\..\RunOnce: [iply32.exe] C:\WINDOWS\iply32.exe
O4 - HKLM\..\RunOnce: [msgk32.exe] C:\WINDOWS\msgk32.exe
O4 - HKLM\..\RunOnce: [winko.exe] C:\WINDOWS\system32\winko.exe
O4 - HKLM\..\RunOnce: [systo32.exe] C:\WINDOWS\systo32.exe
O4 - HKLM\..\RunOnce: [ieil.exe] C:\WINDOWS\system32\ieil.exe
O4 - HKLM\..\RunOnce: [sysni.exe] C:\WINDOWS\system32\sysni.exe
O4 - HKLM\..\RunOnce: [ntte.exe] C:\WINDOWS\ntte.exe
O4 - HKLM\..\RunOnce: [sysnq.exe] C:\WINDOWS\system32\sysnq.exe
O4 - HKLM\..\RunOnce: [msdf.exe] C:\WINDOWS\system32\msdf.exe
O4 - HKLM\..\RunOnce: [ntny32.exe] C:\WINDOWS\ntny32.exe
O4 - HKLM\..\RunOnce: [sdkgj.exe] C:\WINDOWS\system32\sdkgj.exe
O4 - HKLM\..\RunOnce: [addvo32.exe] C:\WINDOWS\system32\addvo32.exe
O4 - HKLM\..\RunOnce: [apilv.exe] C:\WINDOWS\system32\apilv.exe
O4 - HKLM\..\RunOnce: [sdkpz32.exe] C:\WINDOWS\system32\sdkpz32.exe
O4 - HKLM\..\RunOnce: [netza.exe] C:\WINDOWS\system32\netza.exe
O4 - HKLM\..\RunOnce: [ipew32.exe] C:\WINDOWS\system32\ipew32.exe
O4 - HKLM\..\RunOnce: [nettt32.exe] C:\WINDOWS\nettt32.exe
O4 - HKLM\..\RunOnce: [addyq32.exe] C:\WINDOWS\system32\addyq32.exe
O4 - HKLM\..\RunOnce: [iptb32.exe] C:\WINDOWS\iptb32.exe
O4 - HKLM\..\RunOnce: [iewl32.exe] C:\WINDOWS\iewl32.exe
O4 - HKLM\..\RunOnce: [ieeb32.exe] C:\WINDOWS\system32\ieeb32.exe
O4 - HKLM\..\RunOnce: [atlgt32.exe] C:\WINDOWS\atlgt32.exe
O4 - HKLM\..\RunOnce: [d3ob.exe] C:\WINDOWS\system32\d3ob.exe
O4 - HKLM\..\RunOnce: [ntjf.exe] C:\WINDOWS\ntjf.exe
O4 - HKLM\..\RunOnce: [iehd32.exe] C:\WINDOWS\system32\iehd32.exe
O4 - HKLM\..\RunOnce: [appxk32.exe] C:\WINDOWS\appxk32.exe
O4 - HKLM\..\RunOnce: [winso.exe] C:\WINDOWS\winso.exe
O4 - HKLM\..\RunOnce: [javard32.exe] C:\WINDOWS\javard32.exe
O4 - HKLM\..\RunOnce: [netpt32.exe] C:\WINDOWS\system32\netpt32.exe
O4 - HKLM\..\RunOnce: [ippb.exe] C:\WINDOWS\system32\ippb.exe
O4 - HKLM\..\RunOnce: [netyb.exe] C:\WINDOWS\netyb.exe
O4 - HKLM\..\RunOnce: [crny32.exe] C:\WINDOWS\system32\crny32.exe
O4 - HKLM\..\RunOnce: [syseg32.exe] C:\WINDOWS\system32\syseg32.exe
O4 - HKLM\..\RunOnce: [mszk.exe] C:\WINDOWS\system32\mszk.exe
O4 - HKLM\..\RunOnce: [ipyz32.exe] C:\WINDOWS\system32\ipyz32.exe
O4 - HKLM\..\RunOnce: [atlwp.exe] C:\WINDOWS\atlwp.exe
O4 - HKLM\..\RunOnce: [ieve32.exe] C:\WINDOWS\ieve32.exe
O4 - HKLM\..\RunOnce: [javalu32.exe] C:\WINDOWS\system32\javalu32.exe
O4 - HKLM\..\RunOnce: [javatc32.exe] C:\WINDOWS\system32\javatc32.exe
O4 - HKLM\..\RunOnce: [sysdc32.exe] C:\WINDOWS\sysdc32.exe
O4 - HKLM\..\RunOnce: [ntcc.exe] C:\WINDOWS\ntcc.exe
O4 - HKLM\..\RunOnce: [mfcgo.exe] C:\WINDOWS\mfcgo.exe
O4 - HKLM\..\RunOnce: [javawe32.exe] C:\WINDOWS\system32\javawe32.exe
O4 - HKLM\..\RunOnce: [ieml32.exe] C:\WINDOWS\system32\ieml32.exe
O4 - HKLM\..\RunOnce: [d3hx.exe] C:\WINDOWS\d3hx.exe
O4 - HKLM\..\RunOnce: [netge32.exe] C:\WINDOWS\system32\netge32.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121317290237
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

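As an added example (not from this thread, from HijackThis, or from any tool named here), a small Python triage script that reads HJT log lines like the two posted above, flags the entries that mark this about:blank hijack, and reports how many HKLM RunOnce entries appeared between the first log and the second. The detection rules, severity labels and sample excerpts are assumptions built from the logs in this thread, not vendor signatures.

```python
"""Triage helper for HijackThis (HJT) logs like the two posted above.
Added example, not from the thread or from HijackThis. Every rule below is an
assumption drawn from how the about:blank hijack appears in those logs."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed excerpts of the first and second log in the thread (cut down).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\omglk.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {2C874D56-A88C-3E88-B23F-99BEE8C67943} - C:\WINDOWS\ipji.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sysdr32.exe] C:\WINDOWS\system32\sysdr32.exe
O4 - HKLM\..\RunOnce: [ipji.exe] C:\WINDOWS\ipji.exe
O4 - HKLM\..\RunOnce: [addxk32.exe] C:\WINDOWS\addxk32.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {2C874D56-A88C-3E88-B23F-99BEE8C67943} - C:\WINDOWS\ipji.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sysdr32.exe] C:\WINDOWS\system32\sysdr32.exe
O4 - HKLM\..\RunOnce: [ipji.exe] C:\WINDOWS\ipji.exe
O4 - HKLM\..\RunOnce: [addxk32.exe] C:\WINDOWS\addxk32.exe
O4 - HKLM\..\RunOnce: [sdkvt.exe] C:\WINDOWS\system32\sdkvt.exe
O4 - HKLM\..\RunOnce: [addbw32.exe] C:\WINDOWS\system32\addbw32.exe
O4 - HKLM\..\RunOnce: [atlom32.exe] C:\WINDOWS\atlom32.exe
"""


class Entry(NamedTuple):
    section: str  # "R1", "O2", "O4", ...
    key: str      # registry key, "BHO", or "" when the line is kept whole
    name: str     # [bracketed] value name for O4, BHO name for O2
    target: str   # URL, DLL or EXE the entry points at
    raw: str      # the original log line


LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK[A-Z]+\\\.\.\\Run(?:Once)?): \[([^\]]+)\] (.*)$")
O2_RE = re.compile(r"^BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
RES_DLL_RE = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)
WINROOT_DLL_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
# Naming scheme of the dropped executables in the logs above (assumption):
# a familiar-looking prefix, two random letters, optional "32".
RANDOM_EXE_RE = re.compile(
    r"^(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.exe$",
    re.IGNORECASE)


def parse_hjt(text: str) -> List[Entry]:
    """Turn the R/O lines of an HJT log into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, "Running processes:" block, blank lines
        section, rest = m.groups()
        m4 = O4_RE.match(rest) if section == "O4" else None
        m2 = O2_RE.match(rest) if section == "O2" else None
        if m4:
            entries.append(Entry(section, m4.group(1), m4.group(2), m4.group(3), line))
        elif m2:
            entries.append(Entry(section, "BHO", m2.group(1), m2.group(2), line))
        elif section[0] == "R" and " = " in rest:
            key, value = rest.split(" = ", 1)
            entries.append(Entry(section, key, "", value, line))
        else:
            entries.append(Entry(section, "", "", rest, line))
    return entries


def flag(entry: Entry) -> Optional[str]:
    """Reason string if the entry matches an about:blank indicator, else None."""
    if entry.section in ("R0", "R1"):
        m = RES_DLL_RE.match(entry.target)
        if m:
            return f"HIGH: IE setting redirected into local DLL resource {m.group(1)}"
        if entry.target.lower() == "about:blank" and "Default_Page_URL" in entry.key:
            return "REVIEW: start page is about:blank (harmless alone, part of this hijack)"
    elif entry.section == "O2" and WINROOT_DLL_RE.match(entry.target):
        return "HIGH: BHO loaded from a DLL sitting directly in the Windows folder"
    elif entry.section == "O4" and entry.key:
        m = re.search(r'([^\\"]+\.exe)', entry.target, re.IGNORECASE)  # strip quotes/args
        exe = m.group(1).lower() if m else ""
        if RANDOM_EXE_RE.match(entry.name) and RANDOM_EXE_RE.match(exe):
            return f"HIGH: random-named dropper in {entry.key}"
        if exe == "iexplore.exe":
            return "REVIEW: Internet Explorer started at logon from the Run key"
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """(reason, raw line) for every entry worth showing to whoever fixes the box."""
    return [(r, e.raw) for e in parse_hjt(text) if (r := flag(e))]


def runonce_delta(before: str, after: str) -> Tuple[int, int, List[str]]:
    """Count HKLM RunOnce entries in two logs and list the ones that appeared."""
    def names(text):
        return {e.name for e in parse_hjt(text)
                if e.section == "O4" and e.key.endswith("\\RunOnce")}
    b, a = names(before), names(after)
    return len(b), len(a), sorted(a - b)
```

Running triage() on each excerpt also shows the res:// DLL changing name between the two logs (omglk.dll, then jhmsy.dll) while the BHO and the random-named Run entries stay, which is why fixing only the R1 lines does not clear the hijack.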
#4
Trevuren (Old Dog, Retired Staff, 18,699 posts)
This is going to be very difficult. It is a bad About:Blank infection which has been partially removed, which makes it harder to completely eradicate. Upon receiving this fix, you are not to disconnect from the internet until told to do so in the fix, and not to reboot or turn off your machine. Every time you do, you re-infect yourself more; look at the increase in the "Run Once" items from the first log to the second log. We will try the easy way first and keep our fingers crossed. I would be surprised if this got it the first time. Usually, we have to erode it slowly.
===================================================
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please download and install these programs - DON'T RUN THEM YET!!
  • Please download and unzip About:Buster to a folder on your Desktop. Inside the folder is a readme file that has instructions on the use of the program.
    • AboutBuster MUST be updated before you use it.
    • Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.
  • Please download and install AD-Aware.
    Check Here on how to set up and use it - please make sure you update it first.

  • Download HSfix from HERE and unzip it to your desktop.


  • Download CW-Shredder at the link below:
    http://cwshredder.ne...CWSshtreder.exe

  • Open Windows Explorer & Go to Tools > Folder Options.
    • Click on the View tab and make sure that "Show hidden files and folders" is checked.
    • Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types".
    • Now click "Apply to all folders"
    • Click "Apply" then "OK"
  • For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that.
    Do this so you can see hidden files and folders - click HERE to download XPhidden.zip by David Higham. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.
+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:


1. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

C:\WINDOWS\system32\sysdr32.exe

If you find the files, highlight them, and then click End Process => Exit the Task Manager.


3. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhmsy.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2C874D56-A88C-3E88-B23F-99BEE8C67943} - C:\WINDOWS\ipji.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sysdr32.exe] C:\WINDOWS\system32\sysdr32.exe
O4 - HKLM\..\RunOnce: [ipji.exe] C:\WINDOWS\ipji.exe
O4 - HKLM\..\RunOnce: [addxk32.exe] C:\WINDOWS\addxk32.exe
O4 - HKLM\..\RunOnce: [d3bh32.exe] C:\WINDOWS\d3bh32.exe
O4 - HKLM\..\RunOnce: [nethj.exe] C:\WINDOWS\system32\nethj.exe
O4 - HKLM\..\RunOnce: [appws.exe] C:\WINDOWS\appws.exe
O4 - HKLM\..\RunOnce: [sdkvt.exe] C:\WINDOWS\system32\sdkvt.exe
O4 - HKLM\..\RunOnce: [addbw32.exe] C:\WINDOWS\system32\addbw32.exe
O4 - HKLM\..\RunOnce: [atlom32.exe] C:\WINDOWS\atlom32.exe
O4 - HKLM\..\RunOnce: [mstp32.exe] C:\WINDOWS\system32\mstp32.exe
O4 - HKLM\..\RunOnce: [msho32.exe] C:\WINDOWS\msho32.exe
O4 - HKLM\..\RunOnce: [ipmi.exe] C:\WINDOWS\ipmi.exe
O4 - HKLM\..\RunOnce: [addmq32.exe] C:\WINDOWS\addmq32.exe
O4 - HKLM\..\RunOnce: [ntse.exe] C:\WINDOWS\system32\ntse.exe
O4 - HKLM\..\RunOnce: [javarm.exe] C:\WINDOWS\system32\javarm.exe
O4 - HKLM\..\RunOnce: [iekn.exe] C:\WINDOWS\system32\iekn.exe
O4 - HKLM\..\RunOnce: [ipbn32.exe] C:\WINDOWS\system32\ipbn32.exe
O4 - HKLM\..\RunOnce: [iepc32.exe] C:\WINDOWS\system32\iepc32.exe
O4 - HKLM\..\RunOnce: [ippk.exe] C:\WINDOWS\ippk.exe
O4 - HKLM\..\RunOnce: [atltw.exe] C:\WINDOWS\atltw.exe
O4 - HKLM\..\RunOnce: [sdkil32.exe] C:\WINDOWS\system32\sdkil32.exe
O4 - HKLM\..\RunOnce: [mszs32.exe] C:\WINDOWS\system32\mszs32.exe
O4 - HKLM\..\RunOnce: [crcw.exe] C:\WINDOWS\system32\crcw.exe
O4 - HKLM\..\RunOnce: [apibm32.exe] C:\WINDOWS\system32\apibm32.exe
O4 - HKLM\..\RunOnce: [addrb32.exe] C:\WINDOWS\addrb32.exe
O4 - HKLM\..\RunOnce: [apprj.exe] C:\WINDOWS\apprj.exe
O4 - HKLM\..\RunOnce: [addar.exe] C:\WINDOWS\system32\addar.exe
O4 - HKLM\..\RunOnce: [netpg32.exe] C:\WINDOWS\netpg32.exe
O4 - HKLM\..\RunOnce: [javano32.exe] C:\WINDOWS\javano32.exe
O4 - HKLM\..\RunOnce: [ntis.exe] C:\WINDOWS\system32\ntis.exe
O4 - HKLM\..\RunOnce: [apphh32.exe] C:\WINDOWS\apphh32.exe
O4 - HKLM\..\RunOnce: [ieyx.exe] C:\WINDOWS\system32\ieyx.exe
O4 - HKLM\..\RunOnce: [sdkxm32.exe] C:\WINDOWS\system32\sdkxm32.exe
O4 - HKLM\..\RunOnce: [apivc32.exe] C:\WINDOWS\apivc32.exe
O4 - HKLM\..\RunOnce: [apivk32.exe] C:\WINDOWS\apivk32.exe
O4 - HKLM\..\RunOnce: [javaek32.exe] C:\WINDOWS\system32\javaek32.exe
O4 - HKLM\..\RunOnce: [atlek.exe] C:\WINDOWS\atlek.exe
O4 - HKLM\..\RunOnce: [sysix.exe] C:\WINDOWS\system32\sysix.exe
O4 - HKLM\..\RunOnce: [apixm32.exe] C:\WINDOWS\apixm32.exe
O4 - HKLM\..\RunOnce: [sysrf32.exe] C:\WINDOWS\sysrf32.exe
O4 - HKLM\..\RunOnce: [winrv32.exe] C:\WINDOWS\winrv32.exe
O4 - HKLM\..\RunOnce: [apian32.exe] C:\WINDOWS\apian32.exe
O4 - HKLM\..\RunOnce: [msav32.exe] C:\WINDOWS\system32\msav32.exe
O4 - HKLM\..\RunOnce: [atldh32.exe] C:\WINDOWS\system32\atldh32.exe
O4 - HKLM\..\RunOnce: [netil.exe] C:\WINDOWS\netil.exe
O4 - HKLM\..\RunOnce: [apirm32.exe] C:\WINDOWS\system32\apirm32.exe
O4 - HKLM\..\RunOnce: [mfcxj.exe] C:\WINDOWS\mfcxj.exe
O4 - HKLM\..\RunOnce: [apilf.exe] C:\WINDOWS\apilf.exe
O4 - HKLM\..\RunOnce: [ieqc.exe] C:\WINDOWS\system32\ieqc.exe
O4 - HKLM\..\RunOnce: [netln.exe] C:\WINDOWS\netln.exe
O4 - HKLM\..\RunOnce: [atlac.exe] C:\WINDOWS\atlac.exe
O4 - HKLM\..\RunOnce: [ielv32.exe] C:\WINDOWS\system32\ielv32.exe
O4 - HKLM\..\RunOnce: [wineg.exe] C:\WINDOWS\wineg.exe
O4 - HKLM\..\RunOnce: [mfcak.exe] C:\WINDOWS\mfcak.exe
O4 - HKLM\..\RunOnce: [ntsl32.exe] C:\WINDOWS\ntsl32.exe
O4 - HKLM\..\RunOnce: [crjt.exe] C:\WINDOWS\crjt.exe
O4 - HKLM\..\RunOnce: [sysnx32.exe] C:\WINDOWS\sysnx32.exe
O4 - HKLM\..\RunOnce: [mswx.exe] C:\WINDOWS\mswx.exe
O4 - HKLM\..\RunOnce: [mscu32.exe] C:\WINDOWS\mscu32.exe
O4 - HKLM\..\RunOnce: [msqr32.exe] C:\WINDOWS\system32\msqr32.exe
O4 - HKLM\..\RunOnce: [ipvn32.exe] C:\WINDOWS\ipvn32.exe
O4 - HKLM\..\RunOnce: [ieqz32.exe] C:\WINDOWS\system32\ieqz32.exe
O4 - HKLM\..\RunOnce: [addvd.exe] C:\WINDOWS\addvd.exe
O4 - HKLM\..\RunOnce: [sysed32.exe] C:\WINDOWS\system32\sysed32.exe
O4 - HKLM\..\RunOnce: [syssa32.exe] C:\WINDOWS\syssa32.exe
O4 - HKLM\..\RunOnce: [sdkxw32.exe] C:\WINDOWS\system32\sdkxw32.exe
O4 - HKLM\..\RunOnce: [syssi32.exe] C:\WINDOWS\syssi32.exe
O4 - HKLM\..\RunOnce: [javarw32.exe] C:\WINDOWS\javarw32.exe
O4 - HKLM\..\RunOnce: [mfclp32.exe] C:\WINDOWS\system32\mfclp32.exe
O4 - HKLM\..\RunOnce: [apitf32.exe] C:\WINDOWS\system32\apitf32.exe
O4 - HKLM\..\RunOnce: [javaux32.exe] C:\WINDOWS\javaux32.exe
O4 - HKLM\..\RunOnce: [appcf.exe] C:\WINDOWS\system32\appcf.exe
O4 - HKLM\..\RunOnce: [sysyr.exe] C:\WINDOWS\sysyr.exe
O4 - HKLM\..\RunOnce: [mfcvh32.exe] C:\WINDOWS\system32\mfcvh32.exe
O4 - HKLM\..\RunOnce: [ntmo32.exe] C:\WINDOWS\system32\ntmo32.exe
O4 - HKLM\..\RunOnce: [neths.exe] C:\WINDOWS\neths.exe
O4 - HKLM\..\RunOnce: [wingh32.exe] C:\WINDOWS\wingh32.exe
O4 - HKLM\..\RunOnce: [d3ex32.exe] C:\WINDOWS\system32\d3ex32.exe
O4 - HKLM\..\RunOnce: [msef.exe] C:\WINDOWS\system32\msef.exe
O4 - HKLM\..\RunOnce: [d3nn.exe] C:\WINDOWS\d3nn.exe
O4 - HKLM\..\RunOnce: [appcc32.exe] C:\WINDOWS\system32\appcc32.exe
O4 - HKLM\..\RunOnce: [apisk32.exe] C:\WINDOWS\system32\apisk32.exe
O4 - HKLM\..\RunOnce: [atlnn.exe] C:\WINDOWS\system32\atlnn.exe
O4 - HKLM\..\RunOnce: [iemd32.exe] C:\WINDOWS\system32\iemd32.exe
O4 - HKLM\..\RunOnce: [sdklt.exe] C:\WINDOWS\sdklt.exe
O4 - HKLM\..\RunOnce: [mfcji32.exe] C:\WINDOWS\mfcji32.exe
O4 - HKLM\..\RunOnce: [winay32.exe] C:\WINDOWS\system32\winay32.exe
O4 - HKLM\..\RunOnce: [addig32.exe] C:\WINDOWS\system32\addig32.exe
O4 - HKLM\..\RunOnce: [netrg32.exe] C:\WINDOWS\netrg32.exe
O4 - HKLM\..\RunOnce: [ierg.exe] C:\WINDOWS\ierg.exe
O4 - HKLM\..\RunOnce: [crvs.exe] C:\WINDOWS\crvs.exe
O4 - HKLM\..\RunOnce: [winki32.exe] C:\WINDOWS\system32\winki32.exe
O4 - HKLM\..\RunOnce: [mfcbp32.exe] C:\WINDOWS\system32\mfcbp32.exe
O4 - HKLM\..\RunOnce: [appwb.exe] C:\WINDOWS\system32\appwb.exe
O4 - HKLM\..\RunOnce: [d3vi32.exe] C:\WINDOWS\system32\d3vi32.exe
O4 - HKLM\..\RunOnce: [ntty32.exe] C:\WINDOWS\ntty32.exe
O4 - HKLM\..\RunOnce: [sdkto.exe] C:\WINDOWS\sdkto.exe
O4 - HKLM\..\RunOnce: [ntco.exe] C:\WINDOWS\system32\ntco.exe
O4 - HKLM\..\RunOnce: [ierd.exe] C:\WINDOWS\ierd.exe
O4 - HKLM\..\RunOnce: [crgs32.exe] C:\WINDOWS\crgs32.exe
O4 - HKLM\..\RunOnce: [d3ae.exe] C:\WINDOWS\system32\d3ae.exe
O4 - HKLM\..\RunOnce: [winwi32.exe] C:\WINDOWS\system32\winwi32.exe
O4 - HKLM\..\RunOnce: [iefi.exe] C:\WINDOWS\system32\iefi.exe
O4 - HKLM\..\RunOnce: [apioq32.exe] C:\WINDOWS\system32\apioq32.exe
O4 - HKLM\..\RunOnce: [atlju32.exe] C:\WINDOWS\system32\atlju32.exe
O4 - HKLM\..\RunOnce: [iphs.exe] C:\WINDOWS\system32\iphs.exe
O4 - HKLM\..\RunOnce: [winno32.exe] C:\WINDOWS\winno32.exe
O4 - HKLM\..\RunOnce: [appgh32.exe] C:\WINDOWS\system32\appgh32.exe
O4 - HKLM\..\RunOnce: [d3le32.exe] C:\WINDOWS\system32\d3le32.exe
O4 - HKLM\..\RunOnce: [atlgp.exe] C:\WINDOWS\system32\atlgp.exe
O4 - HKLM\..\RunOnce: [syskb32.exe] C:\WINDOWS\syskb32.exe
O4 - HKLM\..\RunOnce: [crij.exe] C:\WINDOWS\system32\crij.exe
O4 - HKLM\..\RunOnce: [nethz32.exe] C:\WINDOWS\system32\nethz32.exe
O4 - HKLM\..\RunOnce: [appxo32.exe] C:\WINDOWS\appxo32.exe
O4 - HKLM\..\RunOnce: [appfw.exe] C:\WINDOWS\appfw.exe
O4 - HKLM\..\RunOnce: [addge.exe] C:\WINDOWS\system32\addge.exe
O4 - HKLM\..\RunOnce: [ipvt32.exe] C:\WINDOWS\ipvt32.exe
O4 - HKLM\..\RunOnce: [javatb32.exe] C:\WINDOWS\javatb32.exe
O4 - HKLM\..\RunOnce: [ntpf.exe] C:\WINDOWS\ntpf.exe
O4 - HKLM\..\RunOnce: [atlou32.exe] C:\WINDOWS\atlou32.exe
O4 - HKLM\..\RunOnce: [sysek.exe] C:\WINDOWS\system32\sysek.exe
O4 - HKLM\..\RunOnce: [sdkdz32.exe] C:\WINDOWS\system32\sdkdz32.exe
O4 - HKLM\..\RunOnce: [apibp32.exe] C:\WINDOWS\apibp32.exe
O4 - HKLM\..\RunOnce: [netbx32.exe] C:\WINDOWS\netbx32.exe
O4 - HKLM\..\RunOnce: [crkx32.exe] C:\WINDOWS\system32\crkx32.exe
O4 - HKLM\..\RunOnce: [atlkx.exe] C:\WINDOWS\atlkx.exe
O4 - HKLM\..\RunOnce: [appia.exe] C:\WINDOWS\appia.exe
O4 - HKLM\..\RunOnce: [crha32.exe] C:\WINDOWS\crha32.exe
O4 - HKLM\..\RunOnce: [appop32.exe] C:\WINDOWS\appop32.exe
O4 - HKLM\..\RunOnce: [crox32.exe] C:\WINDOWS\system32\crox32.exe
O4 - HKLM\..\RunOnce: [addrj32.exe] C:\WINDOWS\addrj32.exe
O4 - HKLM\..\RunOnce: [mfcvn.exe] C:\WINDOWS\system32\mfcvn.exe
O4 - HKLM\..\RunOnce: [atlen32.exe] C:\WINDOWS\atlen32.exe
O4 - HKLM\..\RunOnce: [applk.exe] C:\WINDOWS\system32\applk.exe
O4 - HKLM\..\RunOnce: [atlyh.exe] C:\WINDOWS\atlyh.exe
O4 - HKLM\..\RunOnce: [d3ed.exe] C:\WINDOWS\system32\d3ed.exe
O4 - HKLM\..\RunOnce: [mfcyp.exe] C:\WINDOWS\mfcyp.exe
O4 - HKLM\..\RunOnce: [addoe.exe] C:\WINDOWS\addoe.exe
O4 - HKLM\..\RunOnce: [d3yx32.exe] C:\WINDOWS\d3yx32.exe
O4 - HKLM\..\RunOnce: [mssi.exe] C:\WINDOWS\system32\mssi.exe
O4 - HKLM\..\RunOnce: [appnm.exe] C:\WINDOWS\appnm.exe
O4 - HKLM\..\RunOnce: [apign32.exe] C:\WINDOWS\system32\apign32.exe
O4 - HKLM\..\RunOnce: [sdkwu.exe] C:\WINDOWS\system32\sdkwu.exe
O4 - HKLM\..\RunOnce: [msay32.exe] C:\WINDOWS\msay32.exe
O4 - HKLM\..\RunOnce: [javakz.exe] C:\WINDOWS\system32\javakz.exe
O4 - HKLM\..\RunOnce: [crpv32.exe] C:\WINDOWS\crpv32.exe
O4 - HKLM\..\RunOnce: [javaes32.exe] C:\WINDOWS\system32\javaes32.exe
O4 - HKLM\..\RunOnce: [apijp32.exe] C:\WINDOWS\system32\apijp32.exe
O4 - HKLM\..\RunOnce: [crea32.exe] C:\WINDOWS\system32\crea32.exe
O4 - HKLM\..\RunOnce: [ieif.exe] C:\WINDOWS\ieif.exe
O4 - HKLM\..\RunOnce: [msrf32.exe] C:\WINDOWS\system32\msrf32.exe
O4 - HKLM\..\RunOnce: [d3gc32.exe] C:\WINDOWS\d3gc32.exe
O4 - HKLM\..\RunOnce: [iply32.exe] C:\WINDOWS\iply32.exe
O4 - HKLM\..\RunOnce: [msgk32.exe] C:\WINDOWS\msgk32.exe
O4 - HKLM\..\RunOnce: [winko.exe] C:\WINDOWS\system32\winko.exe
O4 - HKLM\..\RunOnce: [systo32.exe] C:\WINDOWS\systo32.exe
O4 - HKLM\..\RunOnce: [ieil.exe] C:\WINDOWS\system32\ieil.exe
O4 - HKLM\..\RunOnce: [sysni.exe] C:\WINDOWS\system32\sysni.exe
O4 - HKLM\..\RunOnce: [ntte.exe] C:\WINDOWS\ntte.exe
O4 - HKLM\..\RunOnce: [sysnq.exe] C:\WINDOWS\system32\sysnq.exe
O4 - HKLM\..\RunOnce: [msdf.exe] C:\WINDOWS\system32\msdf.exe
O4 - HKLM\..\RunOnce: [ntny32.exe] C:\WINDOWS\ntny32.exe
O4 - HKLM\..\RunOnce: [sdkgj.exe] C:\WINDOWS\system32\sdkgj.exe
O4 - HKLM\..\RunOnce: [addvo32.exe] C:\WINDOWS\system32\addvo32.exe
O4 - HKLM\..\RunOnce: [apilv.exe] C:\WINDOWS\system32\apilv.exe
O4 - HKLM\..\RunOnce: [sdkpz32.exe] C:\WINDOWS\system32\sdkpz32.exe
O4 - HKLM\..\RunOnce: [netza.exe] C:\WINDOWS\system32\netza.exe
O4 - HKLM\..\RunOnce: [ipew32.exe] C:\WINDOWS\system32\ipew32.exe
O4 - HKLM\..\RunOnce: [nettt32.exe] C:\WINDOWS\nettt32.exe
O4 - HKLM\..\RunOnce: [addyq32.exe] C:\WINDOWS\system32\addyq32.exe
O4 - HKLM\..\RunOnce: [iptb32.exe] C:\WINDOWS\iptb32.exe
O4 - HKLM\..\RunOnce: [iewl32.exe] C:\WINDOWS\iewl32.exe
O4 - HKLM\..\RunOnce: [ieeb32.exe] C:\WINDOWS\system32\ieeb32.exe
O4 - HKLM\..\RunOnce: [atlgt32.exe] C:\WINDOWS\atlgt32.exe
O4 - HKLM\..\RunOnce: [d3ob.exe] C:\WINDOWS\system32\d3ob.exe
O4 - HKLM\..\RunOnce: [ntjf.exe] C:\WINDOWS\ntjf.exe
O4 - HKLM\..\RunOnce: [iehd32.exe] C:\WINDOWS\system32\iehd32.exe
O4 - HKLM\..\RunOnce: [appxk32.exe] C:\WINDOWS\appxk32.exe
O4 - HKLM\..\RunOnce: [winso.exe] C:\WINDOWS\winso.exe
O4 - HKLM\..\RunOnce: [javard32.exe] C:\WINDOWS\javard32.exe
O4 - HKLM\..\RunOnce: [netpt32.exe] C:\WINDOWS\system32\netpt32.exe
O4 - HKLM\..\RunOnce: [ippb.exe] C:\WINDOWS\system32\ippb.exe
O4 - HKLM\..\RunOnce: [netyb.exe] C:\WINDOWS\netyb.exe
O4 - HKLM\..\RunOnce: [crny32.exe] C:\WINDOWS\system32\crny32.exe
O4 - HKLM\..\RunOnce: [syseg32.exe] C:\WINDOWS\system32\syseg32.exe
O4 - HKLM\..\RunOnce: [mszk.exe] C:\WINDOWS\system32\mszk.exe
O4 - HKLM\..\RunOnce: [ipyz32.exe] C:\WINDOWS\system32\ipyz32.exe
O4 - HKLM\..\RunOnce: [atlwp.exe] C:\WINDOWS\atlwp.exe
O4 - HKLM\..\RunOnce: [ieve32.exe] C:\WINDOWS\ieve32.exe
O4 - HKLM\..\RunOnce: [javalu32.exe] C:\WINDOWS\system32\javalu32.exe
O4 - HKLM\..\RunOnce: [javatc32.exe] C:\WINDOWS\system32\javatc32.exe
O4 - HKLM\..\RunOnce: [sysdc32.exe] C:\WINDOWS\sysdc32.exe
O4 - HKLM\..\RunOnce: [ntcc.exe] C:\WINDOWS\ntcc.exe
O4 - HKLM\..\RunOnce: [mfcgo.exe] C:\WINDOWS\mfcgo.exe
O4 - HKLM\..\RunOnce: [javawe32.exe] C:\WINDOWS\system32\javawe32.exe
O4 - HKLM\..\RunOnce: [ieml32.exe] C:\WINDOWS\system32\ieml32.exe
O4 - HKLM\..\RunOnce: [d3hx.exe] C:\WINDOWS\d3hx.exe
O4 - HKLM\..\RunOnce: [netge32.exe] C:\WINDOWS\system32\netge32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab



4. Delete the following files if present:

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

C:\WINDOWS\system32\sysdr32.exe
C:\WINDOWS\jhmsy.dll
C:\WINDOWS\ipji.dll
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ipji.exe
C:\WINDOWS\addxk32.exe
C:\WINDOWS\d3bh32.exe
C:\WINDOWS\system32\nethj.exe
C:\WINDOWS\appws.exe
C:\WINDOWS\system32\sdkvt.exe
C:\WINDOWS\system32\addbw32.exe
C:\WINDOWS\atlom32.exe
C:\WINDOWS\system32\mstp32.exe
C:\WINDOWS\msho32.exe
C:\WINDOWS\ipmi.exe
C:\WINDOWS\addmq32.exe
C:\WINDOWS\system32\ntse.exe
C:\WINDOWS\system32\javarm.exe
C:\WINDOWS\system32\iekn.exe
C:\WINDOWS\system32\ipbn32.exe
C:\WINDOWS\system32\iepc32.exe
C:\WINDOWS\ippk.exe
C:\WINDOWS\atltw.exe
C:\WINDOWS\system32\sdkil32.exe
C:\WINDOWS\system32\mszs32.exe
C:\WINDOWS\system32\crcw.exe
C:\WINDOWS\system32\apibm32.exe
C:\WINDOWS\addrb32.exe
C:\WINDOWS\apprj.exe
C:\WINDOWS\system32\addar.exe
C:\WINDOWS\netpg32.exe
C:\WINDOWS\javano32.exe
C:\WINDOWS\system32\ntis.exe
C:\WINDOWS\apphh32.exe
C:\WINDOWS\system32\ieyx.exe
C:\WINDOWS\system32\sdkxm32.exe
C:\WINDOWS\apivc32.exe
C:\WINDOWS\apivk32.exe
C:\WINDOWS\system32\javaek32.exe
C:\WINDOWS\atlek.exe
C:\WINDOWS\system32\sysix.exe
C:\WINDOWS\apixm32.exe
C:\WINDOWS\sysrf32.exe
C:\WINDOWS\winrv32.exe
C:\WINDOWS\apian32.exe
C:\WINDOWS\system32\msav32.exe
C:\WINDOWS\system32\atldh32.exe
C:\WINDOWS\netil.exe
C:\WINDOWS\system32\apirm32.exe
C:\WINDOWS\mfcxj.exe
C:\WINDOWS\apilf.exe
C:\WINDOWS\system32\ieqc.exe
C:\WINDOWS\netln.exe
C:\WINDOWS\atlac.exe
C:\WINDOWS\system32\ielv32.exe
C:\WINDOWS\wineg.exe
C:\WINDOWS\mfcak.exe
C:\WINDOWS\ntsl32.exe
C:\WINDOWS\crjt.exe
C:\WINDOWS\sysnx32.exe
C:\WINDOWS\mswx.exe
C:\WINDOWS\mscu32.exe
C:\WINDOWS\system32\msqr32.exe
C:\WINDOWS\ipvn32.exe
C:\WINDOWS\system32\ieqz32.exe
C:\WINDOWS\addvd.exe
C:\WINDOWS\system32\sysed32.exe
C:\WINDOWS\syssa32.exe
C:\WINDOWS\system32\sdkxw32.exe
C:\WINDOWS\syssi32.exe
C:\WINDOWS\javarw32.exe
C:\WINDOWS\system32\mfclp32.exe
C:\WINDOWS\system32\apitf32.exe
C:\WINDOWS\javaux32.exe
C:\WINDOWS\system32\appcf.exe
C:\WINDOWS\sysyr.exe
C:\WINDOWS\system32\mfcvh32.exe
C:\WINDOWS\system32\ntmo32.exe
C:\WINDOWS\neths.exe
C:\WINDOWS\wingh32.exe
C:\WINDOWS\system32\d3ex32.exe
C:\WINDOWS\system32\msef.exe
C:\WINDOWS\d3nn.exe
C:\WINDOWS\system32\appcc32.exe
C:\WINDOWS\system32\apisk32.exe
C:\WINDOWS\system32\atlnn.exe
C:\WINDOWS\system32\iemd32.exe
C:\WINDOWS\sdklt.exe
C:\WINDOWS\mfcji32.exe
C:\WINDOWS\system32\winay32.exe
C:\WINDOWS\system32\addig32.exe
C:\WINDOWS\netrg32.exe
C:\WINDOWS\ierg.exe
C:\WINDOWS\crvs.exe
C:\WINDOWS\system32\winki32.exe
C:\WINDOWS\system32\mfcbp32.exe
C:\WINDOWS\system32\appwb.exe
C:\WINDOWS\system32\d3vi32.exe
C:\WINDOWS\ntty32.exe
C:\WINDOWS\sdkto.exe
C:\WINDOWS\system32\ntco.exe
C:\WINDOWS\ierd.exe
C:\WINDOWS\crgs32.exe
C:\WINDOWS\system32\d3ae.exe
C:\WINDOWS\system32\winwi32.exe
C:\WINDOWS\system32\iefi.exe
C:\WINDOWS\system32\apioq32.exe
C:\WINDOWS\system32\atlju32.exe
C:\WINDOWS\system32\iphs.exe
C:\WINDOWS\winno32.exe
C:\WINDOWS\system32\appgh32.exe
C:\WINDOWS\system32\d3le32.exe
C:\WINDOWS\system32\atlgp.exe
C:\WINDOWS\syskb32.exe
C:\WINDOWS\system32\crij.exe
C:\WINDOWS\system32\nethz32.exe
C:\WINDOWS\appxo32.exe
C:\WINDOWS\appfw.exe
C:\WINDOWS\system32\addge.exe
C:\WINDOWS\ipvt32.exe
C:\WINDOWS\javatb32.exe
C:\WINDOWS\ntpf.exe
C:\WINDOWS\atlou32.exe
C:\WINDOWS\system32\sysek.exe
C:\WINDOWS\system32\sdkdz32.exe
C:\WINDOWS\apibp32.exe
C:\WINDOWS\netbx32.exe
C:\WINDOWS\system32\crkx32.exe
C:\WINDOWS\atlkx.exe
C:\WINDOWS\appia.exe
C:\WINDOWS\crha32.exe
C:\WINDOWS\appop32.exe
C:\WINDOWS\system32\crox32.exe
C:\WINDOWS\addrj32.exe
C:\WINDOWS\system32\mfcvn.exe
C:\WINDOWS\atlen32.exe
C:\WINDOWS\system32\applk.exe
C:\WINDOWS\atlyh.exe
C:\WINDOWS\system32\d3ed.exe
C:\WINDOWS\mfcyp.exe
C:\WINDOWS\addoe.exe
C:\WINDOWS\d3yx32.exe
C:\WINDOWS\system32\mssi.exe
C:\WINDOWS\appnm.exe
C:\WINDOWS\system32\apign32.exe
C:\WINDOWS\system32\sdkwu.exe
C:\WINDOWS\msay32.exe
C:\WINDOWS\system32\javakz.exe
C:\WINDOWS\crpv32.exe
C:\WINDOWS\system32\javaes32.exe
C:\WINDOWS\system32\apijp32.exe
C:\WINDOWS\system32\crea32.exe
C:\WINDOWS\ieif.exe
C:\WINDOWS\system32\msrf32.exe
C:\WINDOWS\d3gc32.exe
C:\WINDOWS\iply32.exe
C:\WINDOWS\msgk32.exe
C:\WINDOWS\system32\winko.exe
C:\WINDOWS\systo32.exe
C:\WINDOWS\system32\ieil.exe
C:\WINDOWS\system32\sysni.exe
C:\WINDOWS\ntte.exe
C:\WINDOWS\system32\sysnq.exe
C:\WINDOWS\system32\msdf.exe
C:\WINDOWS\ntny32.exe
C:\WINDOWS\system32\sdkgj.exe
C:\WINDOWS\system32\addvo32.exe
C:\WINDOWS\system32\apilv.exe
C:\WINDOWS\system32\sdkpz32.exe
C:\WINDOWS\system32\netza.exe
C:\WINDOWS\system32\ipew32.exe
C:\WINDOWS\nettt32.exe
C:\WINDOWS\system32\addyq32.exe
C:\WINDOWS\iptb32.exe
C:\WINDOWS\iewl32.exe
C:\WINDOWS\system32\ieeb32.exe
C:\WINDOWS\atlgt32.exe
C:\WINDOWS\system32\d3ob.exe
C:\WINDOWS\ntjf.exe
C:\WINDOWS\system32\iehd32.exe
C:\WINDOWS\appxk32.exe
C:\WINDOWS\winso.exe
C:\WINDOWS\javard32.exe
C:\WINDOWS\system32\netpt32.exe
C:\WINDOWS\system32\ippb.exe
C:\WINDOWS\netyb.exe
C:\WINDOWS\system32\crny32.exe
C:\WINDOWS\system32\syseg32.exe
C:\WINDOWS\system32\mszk.exe
C:\WINDOWS\system32\ipyz32.exe
C:\WINDOWS\atlwp.exe
C:\WINDOWS\ieve32.exe
C:\WINDOWS\system32\javalu32.exe
C:\WINDOWS\system32\javatc32.exe
C:\WINDOWS\sysdc32.exe
C:\WINDOWS\ntcc.exe
C:\WINDOWS\mfcgo.exe
C:\WINDOWS\system32\javawe32.exe
C:\WINDOWS\system32\ieml32.exe
C:\WINDOWS\d3hx.exe
C:\WINDOWS\system32\netge32.exe


(and any other files with the same name that end in .dll, .exe or .dat; you may find them right next to each other, for example appsw.exe, appsw.dll, appsw.dat)

5. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

6. Scan with AdAware and let it remove any bad files found.

7. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin


8. Double click on the HSfix and when asked to merge say yes.

9. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

10. Reboot into normal mode.

11. Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit the program.

12. Download and run this online virus scan (the site is often slow to appear):
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean".

If it says that you need to download an ActiveX element from their site, please do so. It is safe.

13. Reboot and post a fresh Hijack This log for review.

Regards,

Trevuren


#5
Ordano

    New Member

  • Topic Starter
  • Member
  • 4 posts
Alright Trevuren, I followed your instructions until I got to the part where I needed to delete files. I began deleting the ones on your list and noticed a pattern with the file names that needed to be deleted. Each .exe file had a prefix of some sort: java, sys, net... etc. Then the name would be followed with two random letters and occasionally '32' would be added to the end... Each file was also around 11kb and didn't have a Company name or description. I had 200-300 of these files (many of them next to each other, which is how I noticed the pattern) and I deleted as many of them as I could, being careful not to delete anything important.

I think it worked! :tazz:

I have two problems though... my IE browser doesn't seem to work anymore. I am currently using Firefox. Second problem: I wasn't able to use the online virus scanner with Firefox. I'm having a problem installing the components for it. So I used AntiVir XP (updated) instead. It didn't find anything.

Here is my AboutBuster Log:

AboutBuster 5.0 reference file 30
Scan started on [7/14/2005] at [10:54:00 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\ALSndMgr.ini:htpqjm
Removed Stream! C:\WINDOWS\AuHCcup1.ini:dduyvq
Removed Stream! C:\WINDOWS\BPMNT.dll:vefdxs
Removed Stream! C:\WINDOWS\control.ini:xgngi
Removed Stream! C:\WINDOWS\Directx.log:oghghm
Removed Stream! C:\WINDOWS\DtcInstall.log:ghzljo
Removed Stream! C:\WINDOWS\explorer.scf:rhsqdy
Removed Stream! C:\WINDOWS\jautoexp.dat:abxtdr
Removed Stream! C:\WINDOWS\KB821557.log:fjvlgx
Removed Stream! C:\WINDOWS\KB824105.log:xkoraa
Removed Stream! C:\WINDOWS\KB826939.log:sywuq
Removed Stream! C:\WINDOWS\ocgen.log:nziugg
Removed Stream! C:\WINDOWS\ocgen.log:wrnllf
Removed Stream! C:\WINDOWS\oeuninst.exe:prgqni
Removed Stream! C:\WINDOWS\OEWABLog.txt:rsqqht
Removed Stream! C:\WINDOWS\Owner.acl:hsqwhs
Removed Stream! C:\WINDOWS\pebki.dat:kysiar
Removed Stream! C:\WINDOWS\Q308676.log:dzlncc
Removed Stream! C:\WINDOWS\Q309691.log:wkskts
Removed Stream! C:\WINDOWS\Q312370.log:hcqer
Removed Stream! C:\WINDOWS\Q315000.log:xvpzul
Removed Stream! C:\WINDOWS\Q323172.log:pwhexo
Removed Stream! C:\WINDOWS\Q811493.log:qwlkys
Removed Stream! C:\WINDOWS\Q817606.log:ixdpad
Removed Stream! C:\WINDOWS\REGLOCS.OLD:oxdij
Removed Stream! C:\WINDOWS\Rhododendron.bmp:abchtl
Removed Stream! C:\WINDOWS\ryyay.txt:zedclo
Removed Stream! C:\WINDOWS\Santa Fe Stucco.bmp:kbvnno
Removed Stream! C:\WINDOWS\sessmgr.setup.log:sfvhnq
Removed Stream! C:\WINDOWS\setupact.log:bzdof
Removed Stream! C:\WINDOWS\setuperr.log:sjhtt
Removed Stream! C:\WINDOWS\tsc.ptn:nkccj
Removed Stream! C:\WINDOWS\VPTNFILE.911:eijmvf
Removed Stream! C:\WINDOWS\War3Unin.dat:ymguf
Removed Stream! C:\WINDOWS\War3Unin.pif:ojbzpq
Removed Stream! C:\WINDOWS\win.ini:hbmfra
Removed Stream! C:\WINDOWS\_default.pif:acskbm
Removed Stream! C:\WINDOWS\_default.pif:aqvdb
------------------------------------------------
Removed File! : C:\Windows\agecf.dat
Removed File! : C:\Windows\nqvzs.dat
Removed File! : C:\Windows\omglk.dll
Removed File! : C:\Windows\System32\kewdu.dll
Removed File! : C:\Windows\System32\pixia.dll
Removed File! : C:\Windows\System32\proqe.dll
Removed File! : C:\Windows\System32\qhaxu.dll
Removed File! : C:\Windows\System32\rqckk.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:55:34 PM


=================================================

Here is my new Hijack this Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:07:13 AM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121317290237
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

=====================================================

How does it look?

Edited by Ordano, 14 July 2005 - 11:09 PM.

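The naming pattern Ordano describes above (a familiar prefix, two random letters, an optional "32", dropped straight into the Windows or system32 directory) is something a helper can check mechanically against a HijackThis log instead of by eye. The script below is an added example written for this thread, not a tool from HijackThis, AboutBuster or the posts; the prefix list and the constructed sample lines are taken from the logs posted above, and the O16 URL in the sample is a placeholder.

```python
r"""Triage a HijackThis log for the random-name dropper pattern seen in this
thread: a familiar prefix (java, sys, net, ...), two random letters, an optional
"32" and .exe, dropped straight into C:\WINDOWS or C:\WINDOWS\system32.
Added example written for this thread; not part of HijackThis or AboutBuster."""
import ntpath
import re
from collections import Counter

# Prefixes collected from the file names Trevuren listed for deletion.
PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip", "java",
            "mfc", "ms", "net", "nt", "sdk", "sys", "win")

# <prefix><two letters>[32].exe, the naming scheme Ordano noticed.
NAME_RE = re.compile(
    r"^(?P<prefix>" + "|".join(PREFIXES) + r")[a-z]{2}(?:32)?\.exe$",
    re.IGNORECASE)

# Registry form "O4 - HKLM\..\RunOnce: [ipmi.exe] C:\WINDOWS\ipmi.exe" and the
# shortcut form "O4 - Global Startup: name.lnk = C:\path\name.exe".
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[(?P<value>[^\]]*)\] )?(?P<cmd>.+)$")

# Where this dropper put its files; legitimate autoruns rarely sit here under
# names like these.
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed sample: lines taken from the logs in this thread, with the O16
# URL replaced by a placeholder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [ipmi.exe] C:\WINDOWS\ipmi.exe
O4 - HKLM\..\RunOnce: [ntse.exe] C:\WINDOWS\system32\ntse.exe
O4 - HKLM\..\RunOnce: [javarm.exe] C:\WINDOWS\system32\javarm.exe
O4 - HKLM\..\RunOnce: [winrv32.exe] C:\WINDOWS\winrv32.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://placeholder.invalid/RdxIE601.cab
"""


def extract_exe_path(cmd):
    """Pull the executable path out of an O4 command: quoted, bare, or the
    'shortcut.lnk = path' form.  Arguments after the path are dropped."""
    cmd = cmd.strip().split(" = ", 1)[-1]
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def looks_like_dropper(path):
    """True when the name fits <prefix><xx>[32].exe and the file sits in a
    drop directory.  A heuristic: confirm with the ~11 KB size and missing
    company/description Ordano saw before deleting anything."""
    directory, name = ntpath.split(path)
    return bool(NAME_RE.match(name)) and directory.lower() in DROP_DIRS


def triage(log_text):
    """Return (flagged, prefix_counts): flagged is a list of (key, path) for
    every O4 autorun whose target fits the pattern."""
    flagged, prefix_counts = [], Counter()
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = extract_exe_path(m.group("cmd"))
        if looks_like_dropper(path):
            flagged.append((m.group("key"), path))
            prefix = NAME_RE.match(ntpath.basename(path)).group("prefix")
            prefix_counts[prefix.lower()] += 1
    return flagged, prefix_counts


def report(log_text):
    """Human-readable triage summary as one string."""
    flagged, prefix_counts = triage(log_text)
    lines = [f"{len(flagged)} autorun entries fit the dropper name pattern"]
    lines += [f"  {key}: {path}" for key, path in flagged]
    if prefix_counts:
        lines.append("prefixes seen: " + ", ".join(
            f"{p}={n}" for p, n in sorted(prefix_counts.items())))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a full log, the flagged list gives the helper a delete list to review and the prefix counts show how many families of names the dropper used.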

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
You're clean except for this one item:

1. Run HijackThis, click SCAN and place a checkmark beside the following item:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

2. Now, with all windows closed, click on Fix checked, and EXIT the program.

3. REBOOT your system.

==============================================

Do you have your XP CD ?

Trevuren

#7
Ordano

    New Member

  • Topic Starter
  • Member
  • 4 posts
No, I don't :tazz: I could live without IE, but is there any place I could download it from?

#8
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Try installing IE SP1 from HERE.


Trevuren

#9
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.