"Only The Best" WHAT IS THIS? [RESOLVED]



#1
BigAl1976
Member, 10 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:18:13 PM, on 7/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mfcuh32.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
C:\Documents and Settings\Alex\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {007F3E5D-5957-E86E-8681-82EE2B1C5E7F} - C:\WINDOWS\system32\addtq32.dll
O2 - BHO: Class - {18E79D78-37FF-46FB-174F-D52C8A9B4AA4} - C:\WINDOWS\addof.dll
O2 - BHO: Class - {B785CE58-BFCA-F505-DF78-61EE7CB4B1C9} - C:\WINDOWS\system32\atlvw32.dll
O2 - BHO: Class - {B8E64B1D-97B9-D9CD-4452-E3D27877AC97} - C:\WINDOWS\system32\d3wj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mfctc32.exe] C:\WINDOWS\system32\mfctc32.exe
O4 - HKLM\..\Run: [ieda32.exe] C:\WINDOWS\ieda32.exe
O4 - HKLM\..\Run: [mfcuh32.exe] C:\WINDOWS\system32\mfcuh32.exe
O4 - HKLM\..\RunOnce: [appgn32.exe] C:\WINDOWS\appgn32.exe
O4 - HKLM\..\RunOnce: [winvx.exe] C:\WINDOWS\system32\winvx.exe
O4 - HKLM\..\RunOnce: [netso32.exe] C:\WINDOWS\system32\netso32.exe
O4 - HKLM\..\RunOnce: [atlnr.exe] C:\WINDOWS\system32\atlnr.exe
O4 - HKLM\..\RunOnce: [msse.exe] C:\WINDOWS\msse.exe
O4 - HKLM\..\RunOnce: [mfcld32.exe] C:\WINDOWS\mfcld32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{03765121-F259-482F-85EA-D18E4BC28F77}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{03765121-F259-482F-85EA-D18E4BC28F77}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I have gone through the steps listed in the "do this first before posting". I even tried to use some of the other posts to see if I can correct what is wrong with mine... but... I don't want to do more harm than good. I know some but not enough :tazz: (shows you how much things change in five years... I was a computer tech... I thought...)

HELP would be GREAT!
thanks
Alex G. Olson


AboutBuster 5.0 reference file 28
Scan started on [7/25/2005] at [8:16:18 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\explorer.scf:ryuvzx
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:kymata
Removed Stream! C:\WINDOWS\KB887472.log:qwhse
Removed Stream! C:\WINDOWS\KB888113.log:xwonjy
Removed Stream! C:\WINDOWS\KB890175.log:qxgsej
Removed Stream! C:\WINDOWS\KB896422.log:tyjlaw
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:iryfa
Removed Stream! C:\WINDOWS\system.ini:bwyjq
------------------------------------------------
Removed File! : C:\Windows\qtltw.dll
Removed File! : C:\Windows\ydgrj.dll
------------------------------------------------
Scan was ABORTED at 8:17:00 PM


AboutBuster 5.0 reference file 31
Scan started on [7/26/2005] at [7:14:24 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\clock.avi:ovyxaa
------------------------------------------------
Removed File! : C:\Windows\mnify.dat
Removed File! : C:\Windows\System32\cvqpc.dll
Removed File! : C:\Windows\System32\iioxg.dat
Removed File! : C:\Windows\System32\ybevi.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:15:14 PM

I also ran Webroot Spy Sweeper for MSN and it found CWS_NS3 and CoolWebSearch (CWS). This is the log...

07:16 PM: |··· Start of Session, Tuesday, July 26, 2005 ···|
07:16 PM: Spy Sweeper for MSN 3.5.0 (Build 202) started
07:16 PM: Sweep initiated using definitions version 441
07:16 PM: Sweeping memory for threats.
07:17 PM: Memory sweep has completed. Elapsed time 00:00:24
07:17 PM: Registry sweep initiated.
07:17 PM: Found: 60 CWS_NS3 registry traces.
07:17 PM: Registry sweep completed. Elapsed time 00:00:38
07:17 PM: Full sweep on all local drives initiated.
07:17 PM: Now sweeping drive C:
07:18 PM: Found Adware: CoolWebSearch (CWS), version 1, c:\documents and settings\localservice\favorites\only sex website.url
07:18 PM: Found Adware: CoolWebSearch (CWS), version 1, c:\documents and settings\localservice\favorites\search the web.url
07:18 PM: Found Adware: CoolWebSearch (CWS), version 1, c:\documents and settings\localservice\favorites\seven days of free [bleep].url
07:18 PM: Found Cookie: Tickle Cookie, version 1, c:\documents and settings\alex\cookies\alex@tickle[2].txt
07:18 PM: Found Cookie: 2o7.net Cookie, version 1, c:\documents and settings\alex\cookies\alex@2o7[2].txt
07:32 PM: Found: 5 file traces.
07:32 PM: Full Sweep has completed. Elapsed time 00:16:08
32,670 files swept
65 item traces located
07:33 PM: Removal process initiated
07:33 PM: Quarantining: 2o7.net Cookie
07:33 PM: Cookie: c:\documents and settings\alex\cookies\alex@2o7[2].txt
07:33 PM: Quarantining: CoolWebSearch (CWS)
07:33 PM: File: c:\documents and settings\localservice\favorites\only sex website.url
07:33 PM: File: c:\documents and settings\localservice\favorites\search the web.url
07:33 PM: File: c:\documents and settings\localservice\favorites\seven days of free [bleep].url
07:33 PM: Quarantining: CWS_NS3
07:33 PM: Quarantining: Tickle Cookie
07:33 PM: Cookie: c:\documents and settings\alex\cookies\alex@tickle[2].txt
07:33 PM: Cleaning Traces
07:33 PM: Removing file: c:\documents and settings\localservice\favorites\seven days of free [bleep].url
07:33 PM: Removing file: c:\documents and settings\localservice\favorites\search the web.url
07:33 PM: Removing file: c:\documents and settings\localservice\favorites\only sex website.url

09:25 PM: |··· Start of Session, Tuesday, July 26, 2005 ···|
09:25 PM: Spy Sweeper for MSN 3.5.0 (Build 202) started
09:26 PM: Processing Startup Alerts
09:26 PM: Removed Startup entry: mfcuh32.exe
09:26 PM: Removed Startup entry: atlnr.exe
09:26 PM: Removed Startup entry: msse.exe
09:26 PM: Removed Startup entry: mfcld32.exe
09:26 PM: Removed Startup entry: winoe32.exe
09:26 PM: Removed Startup entry: sdkgu.exe
09:26 PM: Processing Startup Alerts
09:26 PM: Removed Startup entry: atlnr.exe
09:26 PM: Removed Startup entry: msse.exe
09:26 PM: Removed Startup entry: mfcld32.exe
09:26 PM: Removed Startup entry: winoe32.exe
09:26 PM: Removed Startup entry: sdkgu.exe
09:26 PM: Processing Startup Alerts
09:26 PM: Removed Startup entry: atlnr.exe
09:26 PM: Removed Startup entry: msse.exe
09:26 PM: Removed Startup entry: mfcld32.exe
09:26 PM: Removed Startup entry: winoe32.exe
09:26 PM: Removed Startup entry: sdkgu.exe
09:27 PM: Processing Startup Alerts
09:27 PM: Removed Startup entry: atlnr.exe
09:27 PM: Removed Startup entry: msse.exe
09:27 PM: Removed Startup entry: mfcld32.exe
09:27 PM: Removed Startup entry: winoe32.exe
09:27 PM: Removed Startup entry: sdkgu.exe
09:27 PM: Removed Startup entry: mfcuh32.exe
09:27 PM: Removed Startup entry: mspj32.exe
09:28 PM: Updating spyware definitions
09:40 PM: Your spyware definitions have been updated.

Edited by BigAl1976, 27 July 2005 - 08:23 AM.


#2
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Hi Alex and welcome to GTG.

Please do not give us any other logs (besides HijackThis) unless we ask for them.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download cwsserviceremove http://www.greyknigh...rviceremove.zip and unzip it to your desktop. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {007F3E5D-5957-E86E-8681-82EE2B1C5E7F} - C:\WINDOWS\system32\addtq32.dll
O2 - BHO: Class - {18E79D78-37FF-46FB-174F-D52C8A9B4AA4} - C:\WINDOWS\addof.dll
O2 - BHO: Class - {B785CE58-BFCA-F505-DF78-61EE7CB4B1C9} - C:\WINDOWS\system32\atlvw32.dll
O2 - BHO: Class - {B8E64B1D-97B9-D9CD-4452-E3D27877AC97} - C:\WINDOWS\system32\d3wj.dll
O4 - HKLM\..\Run: [mfctc32.exe] C:\WINDOWS\system32\mfctc32.exe
O4 - HKLM\..\Run: [ieda32.exe] C:\WINDOWS\ieda32.exe
O4 - HKLM\..\Run: [mfcuh32.exe] C:\WINDOWS\system32\mfcuh32.exe
O4 - HKLM\..\RunOnce: [appgn32.exe] C:\WINDOWS\appgn32.exe
O4 - HKLM\..\RunOnce: [winvx.exe] C:\WINDOWS\system32\winvx.exe
O4 - HKLM\..\RunOnce: [netso32.exe] C:\WINDOWS\system32\netso32.exe
O4 - HKLM\..\RunOnce: [atlnr.exe] C:\WINDOWS\system32\atlnr.exe
O4 - HKLM\..\RunOnce: [msse.exe] C:\WINDOWS\msse.exe
O4 - HKLM\..\RunOnce: [mfcld32.exe] C:\WINDOWS\mfcld32.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)


Run AboutBuster and click the Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Delete the following files/folders (delete the folder if no filename is specified) from the directory shown (if none is shown, just do a search for them), if they exist:

C:\WINDOWS\system32\addtq32.dll
C:\WINDOWS\addof.dll
C:\WINDOWS\system32\atlvw32.dll
C:\WINDOWS\system32\d3wj.dll
C:\WINDOWS\ieda32.exe
C:\WINDOWS\system32\mfctc32.exe
C:\WINDOWS\system32\mfcuh32.exe
C:\WINDOWS\appgn32.exe
C:\WINDOWS\system32\atlnr.exe
C:\WINDOWS\mfcld32.exe
C:\WINDOWS\msse.exe
C:\WINDOWS\system32\netso32.exe
C:\WINDOWS\system32\winvx.exe


Run cwsserviceremove.reg now and say yes to add it to the registry.

Restart and run a new HijackThis scan. Save the log file and post it here.
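As an added example (not code from this thread, from HijackThis or from greyknight17), here is a small Python triage script that parses HijackThis 1.99-style entry lines and flags the kinds of entries singled out in the fix list above: a proxy forced through a loopback port, a missing URLSearchHook, BHOs with a generic or missing name, autorun values named after bare executables in a system folder, RunOnce entries pointing into system folders, and a service with a garbled name or missing binary. The sample lines are copied from the first log in this thread; the heuristics are my own reading aid and assume the log's usual `SECTION - body` layout.

```python
import re

# Constructed sample: a subset of the HijackThis 1.99.1 entry lines posted in this
# thread, mixing the entries the helper asked to fix with legitimate Symantec/HP/Spybot ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {007F3E5D-5957-E86E-8681-82EE2B1C5E7F} - C:\WINDOWS\system32\addtq32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mfctc32.exe] C:\WINDOWS\system32\mfctc32.exe
O4 - HKLM\..\RunOnce: [appgn32.exe] C:\WINDOWS\appgn32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Every entry line is "<section> - <body>"; process-list and header lines do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# O4 body: HIVE\..\Run|RunOnce: [value name] command line
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# First drive-letter path ending in .exe or .dll, stopping before any closing quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")


def parse_hjt(text):
    """Return (section, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def first_path(body):
    """First binary path referenced by an entry body, or None when there is none."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def in_system_dir(path):
    """True when the file sits directly in the Windows folder or in system32."""
    folder = path.lower().rsplit("\\", 1)[0]
    return folder in SYSTEM_DIRS


def reasons_for(section, body):
    """Defensive heuristics mirroring the entries the helper singled out in this thread."""
    reasons = []
    low = body.lower()
    if section == "R1" and "proxyserver" in low and "127.0.0.1" in low:
        reasons.append("browser proxy forced through a loopback port")
    if section == "R3" and "missing" in low:
        reasons.append("default URLSearchHook has been removed")
    if section == "O2":
        name = body[len("BHO: "):].split(" - ")[0]
        if name in ("Class", "(no name)"):
            reasons.append("BHO with a generic or missing name")
    if section == "O4":
        m = O4_RE.match(body)
        path = first_path(m.group(4)) if m else None
        if m and path and in_system_dir(path):
            if m.group(3).lower() == path.lower().rsplit("\\", 1)[1]:
                reasons.append("autorun value named after a bare executable in a system folder")
            if m.group(2) == "RunOnce":
                reasons.append("RunOnce entry in a system folder (normally consumed after one boot)")
    if section == "O23" and ("(file missing)" in low or not body.isascii()):
        reasons.append("service with a garbled name or a missing binary")
    return reasons


def triage(text):
    """Return [(section, body, reasons)] for each entry that trips at least one heuristic."""
    hits = []
    for section, body in parse_hjt(text):
        reasons = reasons_for(section, body)
        if reasons:
            hits.append((section, body, reasons))
    return hits


def flagged_paths(text):
    """De-duplicated set of binaries the flagged entries point at (a review list, not a verdict)."""
    return {first_path(body) for _, body, _ in triage(text) if first_path(body)}


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {'; '.join(reasons)}")
    print("\nBinaries referenced by flagged entries:")
    for p in sorted(flagged_paths(SAMPLE_LOG)):
        print("   ", p)
```

On the sample the script flags exactly the six entries from the fix list and leaves the Norton, PS2 and TeaTimer entries alone; the three binaries it lists match the helper's delete list for those entries.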

#3
BigAl1976
Topic Starter, Member, 10 posts
Download cwsserviceremove

http://www.greyknigh...rviceremove.zip

KRC Page Not Found

I hit the report button on the page.
Would you like me to do the other things?
Alex

#4
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Sorry about that. Try again now. It should be up :tazz:

#5
BigAl1976
Topic Starter, Member, 10 posts
Thank You link works fine now.
Will follow inst. and post new after I get home from work.
Thanks Again.
Alex

Ok, did what you said to do.
Did the HijackThis fix; it found most of them. Tried to fix the
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)
but it would not work.

Just to let you know, I have Spybot running a registry reporter that lets me know when the registry is going to change... and it went nuts on bootup in regular mode with the names we tried to get rid of in the fix, e.g. mfctc32.exe, ieda32.exe..... I tried to find them in Explorer but they were not there?????

the logs...

Logfile of HijackThis v1.99.1
Scan saved at 8:49:45 PM, on 7/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Alex\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {007F3E5D-5957-E86E-8681-82EE2B1C5E7F} - (no file)
O2 - BHO: (no name) - {18E79D78-37FF-46FB-174F-D52C8A9B4AA4} - (no file)
O2 - BHO: Class - {80E8CD34-35DC-961E-EADE-11A17381D170} - C:\WINDOWS\system32\atlbc.dll
O2 - BHO: (no name) - {B785CE58-BFCA-F505-DF78-61EE7CB4B1C9} - (no file)
O2 - BHO: (no name) - {B8E64B1D-97B9-D9CD-4452-E3D27877AC97} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mfctc32.exe] C:\WINDOWS\system32\mfctc32.exe
O4 - HKLM\..\Run: [ieda32.exe] C:\WINDOWS\ieda32.exe
O4 - HKLM\..\Run: [mfcuh32.exe] C:\WINDOWS\system32\mfcuh32.exe
O4 - HKLM\..\RunOnce: [appgn32.exe] C:\WINDOWS\appgn32.exe
O4 - HKLM\..\RunOnce: [winvx.exe] C:\WINDOWS\system32\winvx.exe
O4 - HKLM\..\RunOnce: [netso32.exe] C:\WINDOWS\system32\netso32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

and


AboutBuster 5.0 reference file 31
Scan started on [7/28/2005] at [8:37:17 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\control.ini:ikgrb
Removed Stream! C:\WINDOWS\River Sumida.bmp:eukol
Removed Stream! C:\WINDOWS\_default.pif:tzyfg
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:38:20 PM



All Yours...
Thanks
Alex

Edited by BigAl1976, 28 July 2005 - 08:05 PM.


#6 BigAl1976 (Topic Starter)
sorry

#7 greyknight17 (Malware Expert, Visiting Consultant)
No problem. We'll try this again. Please make sure that Spybot's TeaTimer program is turned OFF right before you do any of the fixes here (double check to see if it's on in safe mode):

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {007F3E5D-5957-E86E-8681-82EE2B1C5E7F} - (no file)
O2 - BHO: (no name) - {18E79D78-37FF-46FB-174F-D52C8A9B4AA4} - (no file)
O2 - BHO: Class - {80E8CD34-35DC-961E-EADE-11A17381D170} - C:\WINDOWS\system32\atlbc.dll
O2 - BHO: (no name) - {B785CE58-BFCA-F505-DF78-61EE7CB4B1C9} - (no file)
O2 - BHO: (no name) - {B8E64B1D-97B9-D9CD-4452-E3D27877AC97} - (no file)
O4 - HKLM\..\Run: [mfctc32.exe] C:\WINDOWS\system32\mfctc32.exe
O4 - HKLM\..\Run: [ieda32.exe] C:\WINDOWS\ieda32.exe
O4 - HKLM\..\Run: [mfcuh32.exe] C:\WINDOWS\system32\mfcuh32.exe
O4 - HKLM\..\RunOnce: [appgn32.exe] C:\WINDOWS\appgn32.exe
O4 - HKLM\..\RunOnce: [winvx.exe] C:\WINDOWS\system32\winvx.exe
O4 - HKLM\..\RunOnce: [netso32.exe] C:\WINDOWS\system32\netso32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)


Run CWShredder and fix what it finds. Run AboutBuster again and save the log to post later.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\atlbc.dll
C:\WINDOWS\system32\mfctc32.exe
C:\WINDOWS\ieda32.exe
C:\WINDOWS\system32\mfcuh32.exe
C:\WINDOWS\appgn32.exe
C:\WINDOWS\system32\winvx.exe
C:\WINDOWS\system32\netso32.exe
C:\WINDOWS\appgn32.exe


Run cwsserviceremove.reg and add to registry.

Restart and run a new HijackThis scan. Save the log file and post it here along with the AboutBuster log.

#8 BigAl1976 (Topic Starter)
Ok... First off I would like to say sorry, there were some things in Spybot that I had disabled or not to (start up). Taken care of now. :tazz:

And the Logs...

Logfile of HijackThis v1.99.1
Scan saved at 10:44:47 PM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wineu32.exe
C:\WINDOWS\adduq.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Alex\Desktop\HiJackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0427CF01-0410-2654-E229-75B55A233C97} - C:\WINDOWS\apirs.dll
O2 - BHO: Class - {13EABCAA-47E6-BF98-36D9-49B7ADFEE6CE} - C:\WINDOWS\system32\ipvz32.dll
O2 - BHO: Class - {1A8E8BF9-BC1C-41DD-5D9A-CEB7C14ABF94} - C:\WINDOWS\system32\msie.dll
O2 - BHO: Class - {A228710E-2CE8-F8F6-81BD-7CC3A16C63D0} - C:\WINDOWS\system32\netjl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {DC8B0938-5FED-2CB4-7F25-40FB2AA50A25} - C:\WINDOWS\nethu32.dll
O2 - BHO: Class - {F6BCAEA7-7910-C92B-BD7B-CADE109FB093} - C:\WINDOWS\system32\wingv32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [apicd.exe] C:\WINDOWS\apicd.exe
O4 - HKLM\..\Run: [atlfr32.exe] C:\WINDOWS\system32\atlfr32.exe
O4 - HKLM\..\Run: [d3po.exe] C:\WINDOWS\d3po.exe
O4 - HKLM\..\Run: [sdkle32.exe] C:\WINDOWS\sdkle32.exe
O4 - HKLM\..\Run: [wineu32.exe] C:\WINDOWS\wineu32.exe
O4 - HKLM\..\RunOnce: [addat32.exe] C:\WINDOWS\system32\addat32.exe
O4 - HKLM\..\RunOnce: [addet.exe] C:\WINDOWS\addet.exe
O4 - HKLM\..\RunOnce: [adduq.exe] C:\WINDOWS\adduq.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

and the other...

AboutBuster 5.0 reference file 28
Scan started on [7/25/2005] at [8:16:18 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\explorer.scf:ryuvzx
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:kymata
Removed Stream! C:\WINDOWS\KB887472.log:qwhse
Removed Stream! C:\WINDOWS\KB888113.log:xwonjy
Removed Stream! C:\WINDOWS\KB890175.log:qxgsej
Removed Stream! C:\WINDOWS\KB896422.log:tyjlaw
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:iryfa
Removed Stream! C:\WINDOWS\system.ini:bwyjq
------------------------------------------------
Removed File! : C:\Windows\qtltw.dll
Removed File! : C:\Windows\ydgrj.dll
------------------------------------------------
Scan was ABORTED at 8:17:00 PM


AboutBuster 5.0 reference file 31
Scan started on [7/26/2005] at [7:14:24 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\clock.avi:ovyxaa
------------------------------------------------
Removed File! : C:\Windows\mnify.dat
Removed File! : C:\Windows\System32\cvqpc.dll
Removed File! : C:\Windows\System32\iioxg.dat
Removed File! : C:\Windows\System32\ybevi.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:15:14 PM


AboutBuster 5.0 reference file 31
Scan started on [7/28/2005] at [8:37:17 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\control.ini:ikgrb
Removed Stream! C:\WINDOWS\River Sumida.bmp:eukol
Removed Stream! C:\WINDOWS\_default.pif:tzyfg
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:38:20 PM


AboutBuster 5.0 reference file 31
Scan started on [7/29/2005] at [9:17:51 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:fduip
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:18:52 PM


Thanks,
Alex

#9 greyknight17 (Malware Expert, Visiting Consultant)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0427CF01-0410-2654-E229-75B55A233C97} - C:\WINDOWS\apirs.dll
O2 - BHO: Class - {13EABCAA-47E6-BF98-36D9-49B7ADFEE6CE} - C:\WINDOWS\system32\ipvz32.dll
O2 - BHO: Class - {1A8E8BF9-BC1C-41DD-5D9A-CEB7C14ABF94} - C:\WINDOWS\system32\msie.dll
O2 - BHO: Class - {A228710E-2CE8-F8F6-81BD-7CC3A16C63D0} - C:\WINDOWS\system32\netjl.dll
O2 - BHO: Class - {DC8B0938-5FED-2CB4-7F25-40FB2AA50A25} - C:\WINDOWS\nethu32.dll
O2 - BHO: Class - {F6BCAEA7-7910-C92B-BD7B-CADE109FB093} - C:\WINDOWS\system32\wingv32.dll
O4 - HKLM\..\Run: [apicd.exe] C:\WINDOWS\apicd.exe
O4 - HKLM\..\Run: [atlfr32.exe] C:\WINDOWS\system32\atlfr32.exe
O4 - HKLM\..\Run: [d3po.exe] C:\WINDOWS\d3po.exe
O4 - HKLM\..\Run: [sdkle32.exe] C:\WINDOWS\sdkle32.exe
O4 - HKLM\..\Run: [wineu32.exe] C:\WINDOWS\wineu32.exe
O4 - HKLM\..\RunOnce: [addat32.exe] C:\WINDOWS\system32\addat32.exe
O4 - HKLM\..\RunOnce: [addet.exe] C:\WINDOWS\addet.exe
O4 - HKLM\..\RunOnce: [adduq.exe] C:\WINDOWS\adduq.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)


Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINDOWS\apirs.dll
C:\WINDOWS\system32\ipvz32.dll
C:\WINDOWS\system32\msie.dll
C:\WINDOWS\system32\netjl.dll
C:\WINDOWS\nethu32.dll
C:\WINDOWS\system32\wingv32.dll
C:\WINDOWS\apicd.exe
C:\WINDOWS\system32\atlfr32.exe
C:\WINDOWS\d3po.exe
C:\WINDOWS\sdkle32.exe
C:\WINDOWS\wineu32.exe
C:\WINDOWS\system32\addat32.exe
C:\WINDOWS\addet.exe
C:\WINDOWS\adduq.exe
C:\WINDOWS\appgn32.exe


Run AboutBuster and then run CWShredder.

Run cwsserviceremove.reg again.

Restart and run a new HijackThis scan. Save the log file and post it here. Post AboutBuster log also.
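The entries the helper picks out by eye above follow a few recognisable patterns: blanked start pages, BHOs with no name or the generic name "Class" loading from the Windows directory, autostarts whose Run value is named after the file itself, and a service with a garbled name, unknown owner and missing binary. As an added example (not code from the thread, from HijackThis or from any tool named here), this Python script parses those R0/R1, O2, O4 and O23 lines and lists the reasons each one deserves a look; the heuristics are this example's own assumptions, and the sample lines are copied from the posted log.

```python
import re

# Added example, not from the thread or from HijackThis itself. The heuristics
# are assumptions drawn from the entries the helper flagged above; they triage
# a log for human review and do not deliver a verdict.
PAGE_RE = re.compile(r"^R[01] - .*,(?P<setting>[^=]+) =\s*(?P<value>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def in_windows_dir(path):
    """True when the path sits under C:\\WINDOWS (system32 included)."""
    return path.strip().strip('"').lower().startswith("c:\\windows\\")


def basename(cmd):
    """Executable name from a Run value, ignoring quotes and trailing switches."""
    exe = cmd.strip()
    if exe.startswith('"'):
        exe = exe[1:].split('"', 1)[0]
    else:
        exe = exe.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def classify(line):
    """Return the list of reasons a single HijackThis line deserves a look."""
    reasons = []
    m = PAGE_RE.match(line)
    if m and m.group("value").strip().lower() in ("", "about:blank"):
        reasons.append("start/default page blanked (hijacker residue)")
    m = BHO_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path").strip()
        if path == "(no file)":
            reasons.append("BHO registered but its DLL is gone (orphaned)")
        elif name in ("(no name)", "Class") and in_windows_dir(path):
            reasons.append("generic-named BHO loading from the Windows directory")
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        # The variant in this thread names each Run value after its own file.
        if in_windows_dir(cmd) and m.group("name").lower() == basename(cmd):
            reasons.append("autostart named after its own file in the Windows directory")
    m = SVC_RE.match(line)
    if m:
        if m.group("owner") == "Unknown owner":
            reasons.append("service with unknown owner")
        if "(file missing)" in m.group("path"):
            reasons.append("service whose binary is missing")
        if any(not 32 <= ord(c) < 127 for c in m.group("display")):
            reasons.append("non-printable or non-ASCII characters in service name")
    return reasons


def triage(log_text):
    """Pair each flagged line with its reasons, preserving log order."""
    findings = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: lines copied from the log posted in this thread, mixing
# the entries the helper flagged with legitimate Symantec/HP entries for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {007F3E5D-5957-E86E-8681-82EE2B1C5E7F} - (no file)
O2 - BHO: Class - {80E8CD34-35DC-961E-EADE-11A17381D170} - C:\WINDOWS\system32\atlbc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mfctc32.exe] C:\WINDOWS\system32\mfctc32.exe
O4 - HKLM\..\RunOnce: [appgn32.exe] C:\WINDOWS\appgn32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Seven of the eleven sample lines are flagged; the PS2, ccApp, NAV Helper and Symantec service lines pass, because the legitimate Run values are not named after their file and the legitimate service has a known owner and a present binary.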

#10 BigAl1976 (Topic Starter)
You want me to run Killbox in safe mode?
#11 BigAl1976 (Topic Starter)
Ok...things look different...I think...
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)
except that will not go away.

Logfile of HijackThis v1.99.1
Scan saved at 11:53:47 PM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Alex\Desktop\HiJackThis\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


AboutBuster 5.0 reference file 31
Scan started on [7/29/2005] at [11:42:20 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:xxtcg
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:43:24 PM


AboutBuster 5.0 reference file 31
Scan started on [7/29/2005] at [11:49:24 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:49:49 PM


Thanks,
Alex

#12 greyknight17 (Malware Expert, Visiting Consultant)
Hi Alex, looks better now. KillBox? Actually, that step didn't require you to be in Safe Mode. No harm either way :tazz:

OK, let's try to wrap this up now...

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgn32.exe" /s (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\appgn32.exe

Run cwsserviceremove.reg again.

Restart and run a new HijackThis scan. Save the log file and post it here.

#13 BigAl1976 (Topic Starter)
Ok...

Logfile of HijackThis v1.99.1
Scan saved at 9:06:30 AM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Alex\Desktop\HiJackThis\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

and...

AboutBuster 5.0 reference file 28
Scan started on [7/25/2005] at [8:16:18 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\explorer.scf:ryuvzx
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:kymata
Removed Stream! C:\WINDOWS\KB887472.log:qwhse
Removed Stream! C:\WINDOWS\KB888113.log:xwonjy
Removed Stream! C:\WINDOWS\KB890175.log:qxgsej
Removed Stream! C:\WINDOWS\KB896422.log:tyjlaw
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:iryfa
Removed Stream! C:\WINDOWS\system.ini:bwyjq
------------------------------------------------
Removed File! : C:\Windows\qtltw.dll
Removed File! : C:\Windows\ydgrj.dll
------------------------------------------------
Scan was ABORTED at 8:17:00 PM


AboutBuster 5.0 reference file 31
Scan started on [7/26/2005] at [7:14:24 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\clock.avi:ovyxaa
------------------------------------------------
Removed File! : C:\Windows\mnify.dat
Removed File! : C:\Windows\System32\cvqpc.dll
Removed File! : C:\Windows\System32\iioxg.dat
Removed File! : C:\Windows\System32\ybevi.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:15:14 PM


AboutBuster 5.0 reference file 31
Scan started on [7/28/2005] at [8:37:17 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\control.ini:ikgrb
Removed Stream! C:\WINDOWS\River Sumida.bmp:eukol
Removed Stream! C:\WINDOWS\_default.pif:tzyfg
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:38:20 PM


AboutBuster 5.0 reference file 31
Scan started on [7/29/2005] at [9:17:51 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:fduip
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:18:52 PM


AboutBuster 5.0 reference file 31
Scan started on [7/29/2005] at [11:42:20 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:xxtcg
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:43:24 PM


AboutBuster 5.0 reference file 31
Scan started on [7/29/2005] at [11:49:24 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:49:49 PM


AboutBuster 5.0 reference file 31
Scan started on [7/31/2005] at [9:07:16 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:07:51 AM


well... :tazz:

#14 greyknight17 (Malware Expert, Visiting Consultant)
Perfect. We got it all :tazz:

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#15 BigAl1976 (Topic Starter)
Thank You. ;) :tazz: