Annoying computer (HJT log)
Join Date: May 2006
Posts: 52
Reputation:
Solved Threads: 4
Logfile of HijackThis v1.99.1
Scan saved at 9:56:26 PM, on 7/30/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton AntiVirus\SAVScan.exe
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\DAEMON Tools\daemon.exe
G:\Program Files\Common Files\AOL\1145160770\ee\AOLSoftware.exe
G:\WINDOWS\System32\rundll32.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\WINDOWS\System32\devldr32.exe
G:\Program Files\TClock\TClock.exe
g:\program files\common files\aol\1145160770\ee\aim6.exe
G:\Documents and Settings\Hoodz\Desktop\HijackThis.exe
G:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe, G:\WINDOWS\System32\rhcbx.exe
F2 - REG:system.ini: UserInit=G:\WINDOWS\system32\userinit.exe,ddjfihw.exe
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {0B8F5A08-95CC-F37B-999C-95FC5FFEB7E5} - G:\WINDOWS\System32\vbwtouvi.dll (file missing)
O2 - BHO: (no name) - {10F62E6E-BB8C-D802-A146-EA2B22CED19D} - G:\WINDOWS\System32\ioufilb.dll (file missing)
O2 - BHO: (no name) - {198A0D66-E78E-D804-A146-EA2B2296D1CF} - G:\WINDOWS\System32\gogckfrj.dll (file missing)
O2 - BHO: (no name) - {31206883-8F49-C288-4ABD-A5BFAB8E82C2} - G:\WINDOWS\System32\rkuwyv.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - G:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {3EAC253C-B9A9-8A30-A146-EA2B22CE8B9E} - G:\WINDOWS\System32\isezc.dll (file missing)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - G:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {4E261F83-FA3D-C2BC-4ABD-A5BFAB8E82C2} - G:\WINDOWS\System32\rkuwyv.dll (file missing)
O2 - BHO: (no name) - {5023C73A-5BA0-3A39-F4EA-00D5FD73B99E} - G:\WINDOWS\System32\ojkrom.dll (file missing)
O2 - BHO: (no name) - {557A956D-56A3-3439-F4EA-00D5FD73BB99} - G:\WINDOWS\System32\cyrwf.dll (file missing)
O2 - BHO: (no name) - {562C9338-53F2-366E-F4EA-00D5FD73BF98} - G:\WINDOWS\System32\qie.dll (file missing)
O2 - BHO: (no name) - {567DC638-5BA6-3138-F4EA-00D5FD73BC9D} - G:\WINDOWS\System32\etysdg.dll (file missing)
O2 - BHO: (no name) - {587E9769-56A2-3035-F4EA-00D5FD73B0CA} - G:\WINDOWS\System32\bnalau.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {67FE7966-E9FF-D830-A146-EA2B2296D1CF} - G:\WINDOWS\System32\gogckfrj.dll (file missing)
O2 - BHO: (no name) - {68AC7E3D-BDA9-D865-A146-EA2B22CED2CE} - G:\WINDOWS\System32\ulxbph.dll (file missing)
O2 - BHO: (no name) - {6EF7286D-B5FD-D836-A146-EA2B22CED19D} - G:\WINDOWS\System32\ioufilb.dll (file missing)
O2 - BHO: (no name) - {6EF7286E-B9AE-DE30-A146-EA2B22CE809A} - G:\WINDOWS\System32\ezwlk.dll (file missing)
O2 - BHO: (no name) - {74895E0B-95B9-F34F-999C-95FC5FFEB7E5} - G:\WINDOWS\System32\vbwtouvi.dll (file missing)
O2 - BHO: (no name) - {8C7B4E05-F4E2-9A3A-CD4E-FABADB614E96} - G:\WINDOWS\System32\apfaq.dll (file missing)
O2 - BHO: (no name) - {95BC3E31-F8AC-9E34-F83F-FDEA6EEA2290} - G:\WINDOWS\System32\vualu.dll (file missing)
O2 - BHO: (no name) - {9910B117-7CAD-1426-DFF8-2417B1845C95} - G:\WINDOWS\System32\vtla.dll
O2 - BHO: (no name) - {9CEF6966-ACA8-9F6F-F83F-FDEA6EEA28C5} - G:\WINDOWS\System32\wkfzj.dll (file missing)
O2 - BHO: (no name) - {A4093C52-D796-C954-CD4E-FABADB3918C4} - G:\WINDOWS\System32\qxduuj.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E667B614-72D9-1412-DFF8-2417B1845C95} - G:\WINDOWS\System32\vtla.dll
O2 - BHO: (no name) - {F30D3805-8191-9A0E-CD4E-FABADB614E96} - G:\WINDOWS\System32\apfaq.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "G:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IpWins] G:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] G:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] G:\Program Files\Common Files\AOL\1145160770\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] G:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 G:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TClock.exe] G:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Aim6] "G:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/162287c6...p/RdxIE601.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - AppInit_DLLs: smss.dll G:\WINDOWS\System32\smss.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\Sm9zaCBEaXhzb24\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - G:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - G:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - G:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
__________________________________________________________
This is my bud's computer...he has the computer knowledge of a common orangutan...I went through it and fixed a bunch of shit (it's messed up now, but you should have seen it before). I ran CCleaner, and Killboxed a few things that were being mean...but the computer is still running a bit slow. If someone can read through this, I'd appreciate it.
This is just a signature. No need to pay attention unless your computer is having spyware/malware issues, or showing poor performance.
Get Hijackthis
Run the program, and post the log file here.
WARNING - If you don't have a good understanding of this program - do not attempt to use it to fix things - just get the log, and post it, someone with experience should be able to help you and tell you what to tick and what to leave alone.
What type of audio card does your buddy have? Check out this site - http://www.auditmypc.com/process/devldr32.asp. I don't have time to review the rest of your logs; I will try to get back to you ASAP.
AJZ
I think he is using an onboard sound card, next time I'm over there, I'll check out his device manager and see if it is Creative...
That's a fairly infected/infested system, and here's one of the biggest reasons: the following info in your HJT log's header shows that you are running a totally "virgin" version of Windows XP. That is, no Service Packs, Security/Bug Fixes, etc. have been installed:
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running such an outdated, unpatched version of Windows, your system will almost certainly get reinfected in no time. You should use the Windows Update feature to bring your system up to a fully-patched version of Service Pack 1 (note that upgrading to Service Pack 2 on an infected system is not recommended!). Once you've done that, the info in your log's header should read as follows:
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
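An added example, not part of the original posts or of HijackThis itself: a small Python triage that reads the two header lines the reply above points to and reports when no service-pack marker is present. It goes a little beyond the header and also flags F2 Shell/UserInit values that carry extra programs and entries marked "(file missing)"; the sample log is constructed from lines posted in this thread, and all function names are hypothetical.

```python
import re

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
F2 - REG:system.ini: Shell=Explorer.exe, G:\WINDOWS\System32\rhcbx.exe
F2 - REG:system.ini: UserInit=G:\WINDOWS\system32\userinit.exe,ddjfihw.exe
O2 - BHO: (no name) - {0B8F5A08-95CC-F37B-999C-95FC5FFEB7E5} - G:\WINDOWS\System32\vbwtouvi.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\Sm9zaCBEaXhzb24\command.exe (file missing)
"""

# The header the reply says a patched SP1 system should show.
PATCHED_HEADER = """Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
"""

HEADER_RE = re.compile(r"^(Platform|MSIE):\s*(.+?)\s*\(([^)]*)\)\s*$", re.M)
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)

# Assumption: on a clean Windows XP install these values name only
# explorer.exe (Shell) and userinit.exe (UserInit).
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def parse_header(log):
    """Map 'Platform'/'MSIE' to (name, build, service_pack or None)."""
    out = {}
    for field, name, build in HEADER_RE.findall(log):
        sp = re.search(r"\bSP(\d+)\b", name)
        out[field] = (name, build, int(sp.group(1)) if sp else None)
    return out


def header_findings(log):
    """One finding per header line that carries no SPn marker."""
    hdr = parse_header(log)
    return [
        f"{field} line shows no service pack: {hdr[field][0]} ({hdr[field][1]})"
        for field in ("Platform", "MSIE")
        if field in hdr and hdr[field][2] is None
    ]


def f2_extras(line):
    """Programs listed in a Shell/UserInit value besides the expected one.

    Only the file name is compared, so an impostor named explorer.exe in
    another directory would not be caught by this check.
    """
    m = F2_RE.match(line.strip())
    if not m:
        return []
    key, value = m.group(1).lower(), m.group(2)
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.rsplit("\\", 1)[-1].lower() != EXPECTED[key]]


def triage(log):
    """Return (reason, line) pairs for entries that deserve a closer look."""
    flagged = []
    for line in log.splitlines():
        extras = f2_extras(line)
        if extras:
            flagged.append(("extra program in Shell/UserInit: " + ", ".join(extras), line))
        elif re.match(r"^O\d+ - ", line) and line.rstrip().endswith("(file missing)"):
            flagged.append(("registered file is missing", line))
    return flagged


if __name__ == "__main__":
    for finding in header_findings(SAMPLE_LOG):
        print("HEADER:", finding)
    for reason, line in triage(SAMPLE_LOG):
        print(f"FLAG ({reason}): {line}")
```

A flag here is only a prompt for review; which entries to fix is still the judgement call the helpers in this thread make by hand.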
I have tried to convince him to patch his computer up with the updates, he says he can't for whatever reason. I know he has a legit version of Windows...I installed it for him. (Unless his pops gave me a bogus version) Now that I finally convinced him to, his computer is too messed up to patch now, I've been trying to clean it to prepare it for updates, but whatever is there is being anal.
As for the soundcard - It is Creative, I can't find any removal instructions for it, and I'm getting mixed reviews for the file on my searches, some say it's bad, some say it's a legit file used by Creative. None say how to get rid of it other than (Buy this malware program)
*mutters*
Originally Posted by TiJay
I have tried to convince him to patch his computer up with the updates, he says he can't for whatever reason.
Originally Posted by TiJay
As for the soundcard - It is creative, I can't find any removal instructions for it, and I'm getting mixed reviews for the file on my searches, some say its bad, some say it's a legit file used by Creative.
OK, here we go... the system has several infections, so please be patient.
You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.
* Use Norton's Live Update feature to install the most current Norton antivirus updates.
* Download the following utilities and save them to your desktop or another convenient folder:
ATF-Cleaner
ewido Anti-spyware (30-day trial version)
WinsockXPFix
PurityScan/Oin Uninstaller
* Open your Add/Remove Programs control panel and uninstall any and all software related to the following:
PurityScan
Oin
Outerinfo
MyWay/MySearch/MyBar
NewdotNet
* Run the PurityScan/Oin Uninstaller. A graphical walk-through of the uninstall procedure can be found here.
* Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named Command Service or cmdService and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK.
- Close the Services utility.
* Install and Configure ewido:
- Close all other Applications and then run the ewido installer
- Select language, click OK
- Click I Agree
- Click next
- Click Install
- Click Finish
- Wait; Ewido will open its main screen automatically.
- Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at the top of the screen.
- It is very important to get the updates
- When updating has finished, close Ewido.
* Close all open programs/windows, (especially web browsers). Run another HijackThis scan, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button:
F2 - REG:system.ini: Shell=Explorer.exe, G:\WINDOWS\System32\rhcbx.exe
F2 - REG:system.ini: UserInit=G:\WINDOWS\system32\userinit.exe,ddjfihw.exe
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {0B8F5A08-95CC-F37B-999C-95FC5FFEB7E5} - G:\WINDOWS\System32\vbwtouvi.dll (file missing)
O2 - BHO: (no name) - {10F62E6E-BB8C-D802-A146-EA2B22CED19D} - G:\WINDOWS\System32\ioufilb.dll (file missing)
O2 - BHO: (no name) - {198A0D66-E78E-D804-A146-EA2B2296D1CF} - G:\WINDOWS\System32\gogckfrj.dll (file missing)
O2 - BHO: (no name) - {31206883-8F49-C288-4ABD-A5BFAB8E82C2} - G:\WINDOWS\System32\rkuwyv.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - G:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {3EAC253C-B9A9-8A30-A146-EA2B22CE8B9E} - G:\WINDOWS\System32\isezc.dll (file missing)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - G:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {4E261F83-FA3D-C2BC-4ABD-A5BFAB8E82C2} - G:\WINDOWS\System32\rkuwyv.dll (file missing)
O2 - BHO: (no name) - {5023C73A-5BA0-3A39-F4EA-00D5FD73B99E} - G:\WINDOWS\System32\ojkrom.dll (file missing)
O2 - BHO: (no name) - {557A956D-56A3-3439-F4EA-00D5FD73BB99} - G:\WINDOWS\System32\cyrwf.dll (file missing)
O2 - BHO: (no name) - {562C9338-53F2-366E-F4EA-00D5FD73BF98} - G:\WINDOWS\System32\qie.dll (file missing)
O2 - BHO: (no name) - {567DC638-5BA6-3138-F4EA-00D5FD73BC9D} - G:\WINDOWS\System32\etysdg.dll (file missing)
O2 - BHO: (no name) - {587E9769-56A2-3035-F4EA-00D5FD73B0CA} - G:\WINDOWS\System32\bnalau.dll (file missing)
O2 - BHO: (no name) - {67FE7966-E9FF-D830-A146-EA2B2296D1CF} - G:\WINDOWS\System32\gogckfrj.dll (file missing)
O2 - BHO: (no name) - {68AC7E3D-BDA9-D865-A146-EA2B22CED2CE} - G:\WINDOWS\System32\ulxbph.dll (file missing)
O2 - BHO: (no name) - {6EF7286D-B5FD-D836-A146-EA2B22CED19D} - G:\WINDOWS\System32\ioufilb.dll (file missing)
O2 - BHO: (no name) - {6EF7286E-B9AE-DE30-A146-EA2B22CE809A} - G:\WINDOWS\System32\ezwlk.dll (file missing)
O2 - BHO: (no name) - {74895E0B-95B9-F34F-999C-95FC5FFEB7E5} - G:\WINDOWS\System32\vbwtouvi.dll (file missing)
O2 - BHO: (no name) - {8C7B4E05-F4E2-9A3A-CD4E-FABADB614E96} - G:\WINDOWS\System32\apfaq.dll (file missing)
O2 - BHO: (no name) - {95BC3E31-F8AC-9E34-F83F-FDEA6EEA2290} - G:\WINDOWS\System32\vualu.dll (file missing)
O2 - BHO: (no name) - {9910B117-7CAD-1426-DFF8-2417B1845C95} - G:\WINDOWS\System32\vtla.dll
O2 - BHO: (no name) - {9CEF6966-ACA8-9F6F-F83F-FDEA6EEA28C5} - G:\WINDOWS\System32\wkfzj.dll (file missing)
O2 - BHO: (no name) - {A4093C52-D796-C954-CD4E-FABADB3918C4} - G:\WINDOWS\System32\qxduuj.dll (file missing)
O2 - BHO: (no name) - {E667B614-72D9-1412-DFF8-2417B1845C95} - G:\WINDOWS\System32\vtla.dll
O2 - BHO: (no name) - {F30D3805-8191-9A0E-CD4E-FABADB614E96} - G:\WINDOWS\System32\apfaq.dll (file missing)
O4 - HKLM\..\Run: [IpWins] G:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 G:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O20 - AppInit_DLLs: smss.dll G:\WINDOWS\System32\smss.dll
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\Sm9zaCBEaXhzb24\command.exe (file missing)
* In HijackThis' main window, click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens, enter the following in the deletion box and press OK: cmdService
Close HijackThis after that.
* Run WinsockXPFix; instructions can be found here:
http://www.iup.edu/house/resnet/winfix.shtm
* Reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Log in to the Administrator account.
* Run ATF-Cleaner
- Double-click ATF-Cleaner.exe to open the program.
- Under Main choose: Select All
- Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
* Run a full system scan with Norton; have it fix all malicious items it finds.
* Open Ewido
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- You will be prompted to clean the first infection.
- Select "Perform action on all infections", then proceed.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop or a location where you can find it easily.
- Close Ewido.
* Locate and delete the following files (if they still exist):
G:\WINDOWS\System32\rhcbx.exe
G:\WINDOWS\System32\ddjfihw.exe
G:\WINDOWS\System32\vbwtouvi.dll
G:\WINDOWS\System32\ioufilb.dll
G:\WINDOWS\System32\gogckfrj.dll
G:\WINDOWS\System32\rkuwyv.dll
G:\WINDOWS\System32\isezc.dll
G:\WINDOWS\System32\ojkrom.dll
G:\WINDOWS\System32\cyrwf.dll
G:\WINDOWS\System32\qie.dll
G:\WINDOWS\System32\etysdg.dll
G:\WINDOWS\System32\bnalau.dll
G:\WINDOWS\System32\ulxbph.dll
G:\WINDOWS\System32\ezwlk.dll
G:\WINDOWS\System32\apfaq.dll
G:\WINDOWS\System32\vualu.dll
G:\WINDOWS\System32\vtla.dll
G:\WINDOWS\System32\wkfzj.dll
G:\WINDOWS\System32\qxduuj.dll
G:\WINDOWS\System32\smss.dll
* Delete the following folders entirely:
G:\WINDOWS\Sm9zaCBEaXhzb24
G:\Program Files\E2G
G:\Program Files\NewDotNet
G:\Program Files\ipwins
* Empty your Recycle Bin and reboot normally.
* Run HijackThis again and post the new log. Also post the log that ewido generated.
Last edited by DMR; Aug 7th, 2006 at 3:02 am.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
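An added example, not part of the post above and not HijackThis code: a small Python parser for the O2/O4/O20/O23 line formats in this log. It separates entries that HijackThis marked "(file missing)" from entries whose file was still on disk at scan time, which is the distinction behind the "if they still exist" wording in the file-deletion step. The sample lines are copied from the log in this thread; the function and field names are this example's own.

```python
import re

# Lines copied from the HijackThis log in this thread (not constructed).
SAMPLE = r"""
O2 - BHO: (no name) - {95BC3E31-F8AC-9E34-F83F-FDEA6EEA2290} - G:\WINDOWS\System32\vualu.dll (file missing)
O2 - BHO: (no name) - {9910B117-7CAD-1426-DFF8-2417B1845C95} - G:\WINDOWS\System32\vtla.dll
O2 - BHO: (no name) - {E667B614-72D9-1412-DFF8-2417B1845C95} - G:\WINDOWS\System32\vtla.dll
O4 - HKLM\..\Run: [IpWins] G:\Program Files\ipwins\ipwins.exe
O20 - AppInit_DLLs: smss.dll G:\WINDOWS\System32\smss.dll
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\Sm9zaCBEaXhzb24\command.exe (file missing)
""".strip().splitlines()

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
TARGET = re.compile(r"[A-Za-z]:\\.*$")  # drive-rooted path; keeps any trailing arguments
MISSING = " (file missing)"


def parse_line(line):
    """Return section code, CLSID, target path and missing flag for one log line."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    body = m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)]
    clsid = CLSID.search(body)
    target = TARGET.search(body)
    return {"section": m.group("section"),
            "clsid": clsid.group(0) if clsid else None,
            "target": target.group(0) if target else None,
            "missing": missing}


def triage(lines):
    """Group targets into files seen on disk vs. references to missing files."""
    present, orphaned = {}, {}
    for entry in filter(None, map(parse_line, lines)):
        if entry["target"] is None:
            continue  # e.g. O10 lines carry no path
        bucket = orphaned if entry["missing"] else present
        # Windows paths are case-insensitive, so normalise the key.
        bucket.setdefault(entry["target"].lower(), []).append(entry["section"])
    return present, orphaned


if __name__ == "__main__":
    present, orphaned = triage(SAMPLE)
    for label, bucket in (("on disk", present), ("file missing", orphaned)):
        for path, sections in sorted(bucket.items()):
            print(f"{label:13} {','.join(sections):6} {path}")
```
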