Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My HiJackThis Log [RESOLVED]


  • This topic is locked This topic is locked

#1
smokeythebuffalo

smokeythebuffalo

    New Member

  • Member
  • Pip
  • 4 posts
AVG keeps telling me I have Trojan horse Startpage.19.AO and that it is healed, but next time I open or close an IE page it has the same problem. I have run Ad-Aware SE, Microsoft AntiSpyware, AVG Anti Virus, and Trojan Hunter. Also, I've searched the registry and found nothing to delete.

Any help will be much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 5:09:07 PM, on 8/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\addfu32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\atlvk.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vkzhx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vkzhx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vkzhx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vkzhx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vkzhx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vkzhx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vkzhx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {8A6CC37B-7883-F9CA-C742-9785D83F18C7} - C:\WINDOWS\system32\javanx.dll
O2 - BHO: Class - {E7208CC8-AE73-3F51-D49A-64CDBD6A4258} - C:\WINDOWS\system32\d3mv32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [addts32.exe] C:\WINDOWS\addts32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [addfu32.exe] C:\WINDOWS\addfu32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Sid Registration.lnk = G:\ATR1.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\d3nh.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by smokeythebuffalo, 08 August 2005 - 04:23 PM.

  • 0

Advertisements


#2
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP, or Service Pack 4 if you are running Win2k. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here
Apply the update, reboot, and post a fresh Hijack This log.

++++++++++++++++++++++++++++++++++++++++++++
Another link for SP1a download:
http://www.softpedia.com/get/System/OS-Enh...Pack-SP1a.shtml
  • 0

#3
smokeythebuffalo

smokeythebuffalo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Sorry about that. When i did the check on the Windows update site it went ahead and loaded SP2.

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:50 PM, on 8/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\addfu32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {E7208CC8-AE73-3F51-D49A-64CDBD6A4258} - C:\WINDOWS\system32\d3mv32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [addts32.exe] C:\WINDOWS\addts32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [addfu32.exe] C:\WINDOWS\addfu32.exe
O4 - HKLM\..\RunOnce: [atlvk.exe] C:\WINDOWS\atlvk.exe
O4 - HKLM\..\RunOnce: [d3jh.exe] C:\WINDOWS\system32\d3jh.exe
O4 - HKLM\..\RunOnce: [ipob32.exe] C:\WINDOWS\ipob32.exe
O4 - HKLM\..\RunOnce: [d3nk.exe] C:\WINDOWS\d3nk.exe
O4 - HKLM\..\RunOnce: [d3lj.exe] C:\WINDOWS\system32\d3lj.exe
O4 - HKLM\..\RunOnce: [winjq32.exe] C:\WINDOWS\system32\winjq32.exe
O4 - HKLM\..\RunOnce: [crol32.exe] C:\WINDOWS\system32\crol32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Sid Registration.lnk = G:\ATR1.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123546759734
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\d3nh.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by smokeythebuffalo, 08 August 2005 - 06:35 PM.

  • 0

#4
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - do NOT run them yet!!

1.) Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Do NOT run it yet.

2.) Please download and install AD-Aware.
Please follow these download and setup instructions, otherwise, check for updates: Ad-Aware SE Setup
Do NOT run the scan yet!

3.) Download and unzip HSfix to your desktop. HERE (It will extract a file called cwsserviceremove.reg)

4.) Please Download the stand-alone version of CoolWebShredder

5.) Click HERE to download Pocket Killbox by Option^Explicit. Extract it from the zip file to your desktop. Do NOT run it yet.

Be sure to View Hidden and System Files.

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click HERE to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

++++++++ STEP 1 ++++++++
Important Step
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Network Security Service


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you dont find this service listed go ahead with the next steps.

++++++++ STEP 2 ++++++++
Reboot in SAFE MODE. (How to boot in Safe Mode...)

++++++++ STEP 3 ++++++++
Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:


C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe

C:\WINDOWS\addfu32.exe


If you find the files, click on them, and then click End Process => Exit the Task Manager.

++++++++ STEP 4 ++++++++
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist
    • Wild Tangent
  • Click Uninstall
  • Confirm with OK
++++++++ STEP 5 ++++++++
We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ijgcj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {E7208CC8-AE73-3F51-D49A-64CDBD6A4258} - C:\WINDOWS\system32\d3mv32.dll

O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [addts32.exe] C:\WINDOWS\addts32.exe
O4 - HKLM\..\Run: [addfu32.exe] C:\WINDOWS\addfu32.exe
O4 - HKLM\..\RunOnce: [atlvk.exe] C:\WINDOWS\atlvk.exe
O4 - HKLM\..\RunOnce: [d3jh.exe] C:\WINDOWS\system32\d3jh.exe
O4 - HKLM\..\RunOnce: [ipob32.exe] C:\WINDOWS\ipob32.exe
O4 - HKLM\..\RunOnce: [d3nk.exe] C:\WINDOWS\d3nk.exe
O4 - HKLM\..\RunOnce: [d3lj.exe] C:\WINDOWS\system32\d3lj.exe
O4 - HKLM\..\RunOnce: [winjq32.exe] C:\WINDOWS\system32\winjq32.exe
O4 - HKLM\..\RunOnce: [crol32.exe] C:\WINDOWS\system32\crol32.exe

O4 - Startup: Sid Registration.lnk = G:\ATR1.exe
If you are very familiar with with this file/application, do NOT include with the fix. Otherwise, if not then you should fix this.


O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\d3nh.exe (file missing)


Make sure to double check the items you have selected, then click Fix Checked.


++++++++ STEP 6 ++++++++
Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • C:\Program Files\WildTangent\ <-- whole folder
  • C:\WINDOWS\system32\ijgcj.dll
  • C:\WINDOWS\system32\d3mv32.dll
  • C:\WINDOWS\addts32.exe
  • C:\WINDOWS\addfu32.exe
  • C:\WINDOWS\atlvk.exe
  • C:\WINDOWS\system32\d3jh.exe
  • C:\WINDOWS\ipob32.exe
  • C:\WINDOWS\d3nk.exe
  • C:\WINDOWS\system32\d3lj.exe
  • C:\WINDOWS\system32\winjq32.exe
  • C:\WINDOWS\system32\crol32.exe
  • C:\WINDOWS\system32\d3nh.exe
  • G:\ATR1.exe
Finally, Empty Recycle Bin

++++++++ STEP 7 ++++++++
Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

++++++++ STEP 8 ++++++++
Scan with AdAware and let it remove any bad files found.

++++++++ STEP 9 ++++++++
Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


++++++++ STEP 10 ++++++++
Double click on the cwsserviceremove and when asked to merge say yes.

++++++++ STEP 11 ++++++++
Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

++++++++ STEP 12 ++++++++
Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

11F#`I

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

++++++++ STEP 13 ++++++++
Once in NORMAL MODE,
Download the Hoster http://www.funkytoad.com/download/hoster.zip
DO NOT run the program yet.

Unzip Host to your desktop

Open up the Host program folder then double-clicking Hoster.exe.
  • Make sure that the instruction found on the upper-right corner is labeled as the one shown below. Otherwise, if the label is RED click the button just right beside it to change the label and color back.

    "Your Host file is editable. Click button to right to make your Hosts file Read-only"

  • Click back-up Host files
  • then click Restore orginal host files
  • close the program.
++++++++ STEP 14 ++++++++
Download and run this online virus scan: http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean"
===================================================
To make sure everything has been deleted, select all files found in this quote then copy all of them. Paste them in Notepad then save as killbox.txt.

C:\WINDOWS\system32\ijgcj.dll
C:\WINDOWS\system32\d3mv32.dll
C:\WINDOWS\addts32.exe
C:\WINDOWS\addfu32.exe
C:\WINDOWS\atlvk.exe
C:\WINDOWS\system32\d3jh.exe
C:\WINDOWS\ipob32.exe
C:\WINDOWS\d3nk.exe
C:\WINDOWS\system32\d3lj.exe
C:\WINDOWS\system32\winjq32.exe
C:\WINDOWS\system32\crol32.exe
C:\WINDOWS\system32\d3nh.exe



Run Killbox.exe.

* Select "Delete on Reboot".

* Open the notepad you saved earlier. Go to Edit > Select All to select all file paths in the notepad, then press CTRL + C which will copy all of them to the clipboard.

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

After computer has restarted continue with the rest of the instructions:
=======================================
To make sure it is perfectly clean let us have the final check.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Please do NOT forget to post all requested logs.
  • Please tell me how your system is working now.
GOOD LUCK! :tazz:
  • 0

#5
smokeythebuffalo

smokeythebuffalo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
AVG no longer brings up the virus detected message when I open up IE.




AboutBuster 5.0 reference file 31
Scan started on [8/9/2005] at [3:21:27 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:wtmftm
Removed Stream! C:\WINDOWS\comsetup.log:huqyhz
Removed Stream! C:\WINDOWS\gwhjw.txt:fkwnxo
Removed Stream! C:\WINDOWS\iefav(2).ini:wxxzto
Removed Stream! C:\WINDOWS\iefav(3).ini:wxxzto
Removed Stream! C:\WINDOWS\iefav.ini:wxxzto
Removed Stream! C:\WINDOWS\iis6.log:qdzylj
Removed Stream! C:\WINDOWS\iPlayer(2).INI:hyakpi
Removed Stream! C:\WINDOWS\iPlayer(3).INI:hyakpi
Removed Stream! C:\WINDOWS\iPlayer.INI:hyakpi
Removed Stream! C:\WINDOWS\ocgen.log:irbmw
Removed Stream! C:\WINDOWS\PowerReg.dat:nodnjc
Removed Stream! C:\WINDOWS\setuplog.txt:qvaisf
Removed Stream! C:\WINDOWS\system.ini:bxdapz
Removed Stream! C:\WINDOWS\wininit.ini:cvzdnq
Removed Stream! C:\WINDOWS\_default(2).pif:hwtccy
Removed Stream! C:\WINDOWS\_default.pif:hwtccy
------------------------------------------------
Removed File! : C:\Windows\aafgz.dat
Removed File! : C:\Windows\bycyq.dat
Removed File! : C:\Windows\ijfvt.dat
Removed File! : C:\Windows\jugwi.dat
Removed File! : C:\Windows\kxivk.dll
Removed File! : C:\Windows\vkzhx.dll
Removed File! : C:\Windows\System32\gzlqv.dat
Removed File! : C:\Windows\System32\ilcxi.dll
Removed File! : C:\Windows\System32\iqkay.dat
Removed File! : C:\Windows\System32\vewmq.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:22:17 PM


_____________________________________________________________________________-


Logfile of HijackThis v1.99.1
Scan saved at 5:26:27 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by smokeythebuffalo, 09 August 2005 - 04:32 PM.

  • 0

#6
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
:yes: :) :tazz: :( :woot: :tazz: :huh: :( :wub: :hug: :woot:


Congratulations! ;) your system is CLEAN!

WinXP Reset & All-Clean1

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus (these are also free for personal use):It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visitmonthly. And to keep your system clean run these free malware scannersweekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?
  • 0

#7
smokeythebuffalo

smokeythebuffalo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks man the service you guys provide worthy of a proverb. :tazz:
  • 0

#8
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP