954,178 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
7 Years Ago
0

about:blank hijacker...please help

I've been infected with the dreaded "about:blank" hijacker. It started about two weeks ago and I've tried about 4 or 5 different programs to get rid of this and nothing's worked. Within the past couple days my Internet speed is getting slower and slower. Here are the Hijackthis results:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:51 PM, on 5/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~1\asKernel.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\ietf32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nzunt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nzunt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vtzzf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vtzzf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtzzf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nzunt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vtzzf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.net/home"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\uatt62pk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\uatt62pk.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {63F52CE5-7ABE-5FF6-7DC7-80E58BFEF6F6} - C:\WINDOWS\system32\crdc32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {BB2E6852-7961-1E70-E3C8-8433F21B7649} - C:\WINDOWS\crni32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {CC5DFEE2-722A-5C44-8CC5-7BAD2AA546F5} - C:\WINDOWS\system32\apijw32.dll
O2 - BHO: Class - {F573A15E-4E08-2CE8-1F75-3F0D794E2E42} - C:\WINDOWS\system32\sdkpb32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [javajp.exe] C:\WINDOWS\system32\javajp.exe
O4 - HKLM\..\Run: [javacq32.exe] C:\WINDOWS\system32\javacq32.exe
O4 - HKLM\..\Run: [nettf.exe] C:\WINDOWS\nettf.exe
O4 - HKLM\..\Run: [ietf32.exe] C:\WINDOWS\ietf32.exe
O4 - HKLM\..\RunOnce: [sdkzw.exe] C:\WINDOWS\system32\sdkzw.exe
O4 - HKLM\..\RunOnce: [ntma.exe] C:\WINDOWS\ntma.exe
O4 - HKLM\..\RunOnce: [iefu32.exe] C:\WINDOWS\system32\iefu32.exe
O4 - HKLM\..\RunOnce: [ieui32.exe] C:\WINDOWS\system32\ieui32.exe
O4 - HKLM\..\RunOnce: [apilj32.exe] C:\WINDOWS\system32\apilj32.exe
O4 - HKLM\..\RunOnce: [mfcpj32.exe] C:\WINDOWS\mfcpj32.exe
O4 - HKLM\..\RunOnce: [addzh32.exe] C:\WINDOWS\system32\addzh32.exe
O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\system32\apirg32.exe
O4 - HKLM\..\RunOnce: [javals.exe] C:\WINDOWS\javals.exe
O4 - HKLM\..\RunOnce: [atlgh32.exe] C:\WINDOWS\system32\atlgh32.exe
O4 - HKLM\..\RunOnce: [mfcop32.exe] C:\WINDOWS\mfcop32.exe
O4 - HKLM\..\RunOnce: [netaf32.exe] C:\WINDOWS\system32\netaf32.exe
O4 - HKLM\..\RunOnce: [sdkoq.exe] C:\WINDOWS\sdkoq.exe
O4 - HKLM\..\RunOnce: [ntxa32.exe] C:\WINDOWS\ntxa32.exe
O4 - HKLM\..\RunOnce: [sdkqf.exe] C:\WINDOWS\sdkqf.exe
O4 - HKLM\..\RunOnce: [ipun32.exe] C:\WINDOWS\ipun32.exe
O4 - HKLM\..\RunOnce: [d3ql.exe] C:\WINDOWS\system32\d3ql.exe
O4 - HKLM\..\RunOnce: [sdkux32.exe] C:\WINDOWS\system32\sdkux32.exe
O4 - HKLM\..\RunOnce: [apiry.exe] C:\WINDOWS\system32\apiry.exe
O4 - HKLM\..\RunOnce: [ipqe.exe] C:\WINDOWS\ipqe.exe
O4 - HKLM\..\RunOnce: [mfcgt.exe] C:\WINDOWS\mfcgt.exe
O4 - HKLM\..\RunOnce: [iexn32.exe] C:\WINDOWS\system32\iexn32.exe
O4 - HKLM\..\RunOnce: [atljw32.exe] C:\WINDOWS\system32\atljw32.exe
O4 - HKLM\..\RunOnce: [ieoz.exe] C:\WINDOWS\system32\ieoz.exe
O4 - HKLM\..\RunOnce: [netob.exe] C:\WINDOWS\netob.exe
O4 - HKLM\..\RunOnce: [syscd.exe] C:\WINDOWS\system32\syscd.exe
O4 - HKLM\..\RunOnce: [javamq.exe] C:\WINDOWS\javamq.exe
O4 - HKLM\..\RunOnce: [apirs32.exe] C:\WINDOWS\apirs32.exe
O4 - HKLM\..\RunOnce: [syswp32.exe] C:\WINDOWS\system32\syswp32.exe
O4 - HKLM\..\RunOnce: [ntde.exe] C:\WINDOWS\system32\ntde.exe
O4 - HKLM\..\RunOnce: [apitt.exe] C:\WINDOWS\system32\apitt.exe
O4 - HKLM\..\RunOnce: [appxf.exe] C:\WINDOWS\appxf.exe
O4 - HKLM\..\RunOnce: [netbc.exe] C:\WINDOWS\system32\netbc.exe
O4 - HKLM\..\RunOnce: [sysae.exe] C:\WINDOWS\system32\sysae.exe
O4 - HKLM\..\RunOnce: [wintn.exe] C:\WINDOWS\system32\wintn.exe
O4 - HKLM\..\RunOnce: [javalc32.exe] C:\WINDOWS\javalc32.exe
O4 - HKLM\..\RunOnce: [msbk.exe] C:\WINDOWS\msbk.exe
O4 - HKLM\..\RunOnce: [appfo32.exe] C:\WINDOWS\system32\appfo32.exe
O4 - HKLM\..\RunOnce: [syspo.exe] C:\WINDOWS\syspo.exe
O4 - HKLM\..\RunOnce: [javaif.exe] C:\WINDOWS\system32\javaif.exe
O4 - HKLM\..\RunOnce: [iper.exe] C:\WINDOWS\system32\iper.exe
O4 - HKLM\..\RunOnce: [d3bg32.exe] C:\WINDOWS\d3bg32.exe
O4 - HKLM\..\RunOnce: [winro32.exe] C:\WINDOWS\winro32.exe
O4 - HKLM\..\RunOnce: [ienz.exe] C:\WINDOWS\ienz.exe
O4 - HKLM\..\RunOnce: [winvd.exe] C:\WINDOWS\system32\winvd.exe
O4 - HKLM\..\RunOnce: [netzt.exe] C:\WINDOWS\netzt.exe
O4 - HKLM\..\RunOnce: [mfckx32.exe] C:\WINDOWS\system32\mfckx32.exe
O4 - HKLM\..\RunOnce: [apili.exe] C:\WINDOWS\apili.exe
O4 - HKLM\..\RunOnce: [apikn.exe] C:\WINDOWS\system32\apikn.exe
O4 - HKLM\..\RunOnce: [mfcsn.exe] C:\WINDOWS\mfcsn.exe
O4 - HKLM\..\RunOnce: [javaic32.exe] C:\WINDOWS\system32\javaic32.exe
O4 - HKLM\..\RunOnce: [msyj32.exe] C:\WINDOWS\system32\msyj32.exe
O4 - HKLM\..\RunOnce: [crtv.exe] C:\WINDOWS\system32\crtv.exe
O4 - HKLM\..\RunOnce: [netsl32.exe] C:\WINDOWS\system32\netsl32.exe
O4 - HKLM\..\RunOnce: [addqs32.exe] C:\WINDOWS\addqs32.exe
O4 - HKLM\..\RunOnce: [appqi.exe] C:\WINDOWS\appqi.exe
O4 - HKLM\..\RunOnce: [addzj.exe] C:\WINDOWS\system32\addzj.exe
O4 - HKLM\..\RunOnce: [javaff32.exe] C:\WINDOWS\javaff32.exe
O4 - HKLM\..\RunOnce: [ntir.exe] C:\WINDOWS\system32\ntir.exe
O4 - HKLM\..\RunOnce: [atlhh32.exe] C:\WINDOWS\system32\atlhh32.exe
O4 - HKLM\..\RunOnce: [sysxo.exe] C:\WINDOWS\sysxo.exe
O4 - HKLM\..\RunOnce: [sdkwe32.exe] C:\WINDOWS\system32\sdkwe32.exe
O4 - HKLM\..\RunOnce: [apiut32.exe] C:\WINDOWS\apiut32.exe
O4 - HKLM\..\RunOnce: [sdkqo.exe] C:\WINDOWS\sdkqo.exe
O4 - HKLM\..\RunOnce: [netub32.exe] C:\WINDOWS\netub32.exe
O4 - HKLM\..\RunOnce: [atljq32.exe] C:\WINDOWS\atljq32.exe
O4 - HKLM\..\RunOnce: [apijw32.exe] C:\WINDOWS\system32\apijw32.exe
O4 - HKLM\..\RunOnce: [apixt.exe] C:\WINDOWS\system32\apixt.exe
O4 - HKLM\..\RunOnce: [netdp.exe] C:\WINDOWS\system32\netdp.exe
O4 - HKLM\..\RunOnce: [ntqs.exe] C:\WINDOWS\ntqs.exe
O4 - HKLM\..\RunOnce: [apime.exe] C:\WINDOWS\system32\apime.exe
O4 - HKLM\..\RunOnce: [crjt32.exe] C:\WINDOWS\system32\crjt32.exe
O4 - HKLM\..\RunOnce: [ieaa.exe] C:\WINDOWS\system32\ieaa.exe
O4 - HKLM\..\RunOnce: [appee32.exe] C:\WINDOWS\system32\appee32.exe
O4 - HKLM\..\RunOnce: [winnf.exe] C:\WINDOWS\system32\winnf.exe
O4 - HKLM\..\RunOnce: [addtb32.exe] C:\WINDOWS\system32\addtb32.exe
O4 - HKLM\..\RunOnce: [winhy32.exe] C:\WINDOWS\winhy32.exe
O4 - HKLM\..\RunOnce: [javamv32.exe] C:\WINDOWS\system32\javamv32.exe
O4 - HKLM\..\RunOnce: [addhg32.exe] C:\WINDOWS\addhg32.exe
O4 - HKLM\..\RunOnce: [javaux.exe] C:\WINDOWS\system32\javaux.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkzw.exe
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: asKernel - Unknown owner - C:\PROGRA~1\ALURIA~1\asKernel.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

================================================

Any help to get rid of this spyware would be greatly appreciated. Thanks

adinezza
Newbie Poster
2 posts since May 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

adinezza,

Hi and welcome to the Daniweb forums :).

-

Download CWShredder 2.14 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

-

Download, unzip to your desktop About:Buster and run it, then:

1. Click "Update".
2. Click "Check For Update"

(If no new version is available, skip to step #4.)

3. Click "Download Update", and wait for it to be installed.
4. Click "Start".

(Wait for the initial ADS scan to complete.)

5. Click "Yes", to shutdown any IE session currently open.

(Wait for the about:blank scan to complete.)

6. Click "Ok", to scan once more.
7. Click "Yes", to shutdown any IE sessions currently open.
8. Click "Yes", to begin the second pass.

9. Click "Save log", and post this log back along with your new log.
10. Click "Exit".
11. Click "Exit".
12. "Reboot"..


===============

Go to www.trendmicro.com , and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\ietf32.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nzunt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nzunt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vtzzf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vtzzf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtzzf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nzunt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vtzzf.dll/sp.html#37049

R3 - Default URLSearchHook is missing

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\uatt62pk.slt\prefs.js)

O2 - BHO: Class - {63F52CE5-7ABE-5FF6-7DC7-80E58BFEF6F6} - C:\WINDOWS\system32\crdc32.dll
O2 - BHO: Class - {BB2E6852-7961-1E70-E3C8-8433F21B7649} - C:\WINDOWS\crni32.dll
O2 - BHO: Class - {CC5DFEE2-722A-5C44-8CC5-7BAD2AA546F5} - C:\WINDOWS\system32\apijw32.dll
O2 - BHO: Class - {F573A15E-4E08-2CE8-1F75-3F0D794E2E42} - C:\WINDOWS\system32\sdkpb32.dll

O4 - HKLM\..\Run: [javajp.exe] C:\WINDOWS\system32\javajp.exe
O4 - HKLM\..\Run: [javacq32.exe] C:\WINDOWS\system32\javacq32.exe
O4 - HKLM\..\Run: [nettf.exe] C:\WINDOWS\nettf.exe
O4 - HKLM\..\Run: [ietf32.exe] C:\WINDOWS\ietf32.exe
O4 - HKLM\..\RunOnce: [sdkzw.exe] C:\WINDOWS\system32\sdkzw.exe
O4 - HKLM\..\RunOnce: [ntma.exe] C:\WINDOWS\ntma.exe
O4 - HKLM\..\RunOnce: [iefu32.exe] C:\WINDOWS\system32\iefu32.exe
O4 - HKLM\..\RunOnce: [ieui32.exe] C:\WINDOWS\system32\ieui32.exe
O4 - HKLM\..\RunOnce: [apilj32.exe] C:\WINDOWS\system32\apilj32.exe
O4 - HKLM\..\RunOnce: [mfcpj32.exe] C:\WINDOWS\mfcpj32.exe
O4 - HKLM\..\RunOnce: [addzh32.exe] C:\WINDOWS\system32\addzh32.exe
O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\system32\apirg32.exe
O4 - HKLM\..\RunOnce: [javals.exe] C:\WINDOWS\javals.exe
O4 - HKLM\..\RunOnce: [atlgh32.exe] C:\WINDOWS\system32\atlgh32.exe
O4 - HKLM\..\RunOnce: [mfcop32.exe] C:\WINDOWS\mfcop32.exe
O4 - HKLM\..\RunOnce: [netaf32.exe] C:\WINDOWS\system32\netaf32.exe
O4 - HKLM\..\RunOnce: [sdkoq.exe] C:\WINDOWS\sdkoq.exe
O4 - HKLM\..\RunOnce: [ntxa32.exe] C:\WINDOWS\ntxa32.exe
O4 - HKLM\..\RunOnce: [sdkqf.exe] C:\WINDOWS\sdkqf.exe
O4 - HKLM\..\RunOnce: [ipun32.exe] C:\WINDOWS\ipun32.exe
O4 - HKLM\..\RunOnce: [d3ql.exe] C:\WINDOWS\system32\d3ql.exe
O4 - HKLM\..\RunOnce: [sdkux32.exe] C:\WINDOWS\system32\sdkux32.exe
O4 - HKLM\..\RunOnce: [apiry.exe] C:\WINDOWS\system32\apiry.exe
O4 - HKLM\..\RunOnce: [ipqe.exe] C:\WINDOWS\ipqe.exe
O4 - HKLM\..\RunOnce: [mfcgt.exe] C:\WINDOWS\mfcgt.exe
O4 - HKLM\..\RunOnce: [iexn32.exe] C:\WINDOWS\system32\iexn32.exe
O4 - HKLM\..\RunOnce: [atljw32.exe] C:\WINDOWS\system32\atljw32.exe
O4 - HKLM\..\RunOnce: [ieoz.exe] C:\WINDOWS\system32\ieoz.exe
O4 - HKLM\..\RunOnce: [netob.exe] C:\WINDOWS\netob.exe
O4 - HKLM\..\RunOnce: [syscd.exe] C:\WINDOWS\system32\syscd.exe
O4 - HKLM\..\RunOnce: [javamq.exe] C:\WINDOWS\javamq.exe
O4 - HKLM\..\RunOnce: [apirs32.exe] C:\WINDOWS\apirs32.exe
O4 - HKLM\..\RunOnce: [syswp32.exe] C:\WINDOWS\system32\syswp32.exe
O4 - HKLM\..\RunOnce: [ntde.exe] C:\WINDOWS\system32\ntde.exe
O4 - HKLM\..\RunOnce: [apitt.exe] C:\WINDOWS\system32\apitt.exe
O4 - HKLM\..\RunOnce: [appxf.exe] C:\WINDOWS\appxf.exe
O4 - HKLM\..\RunOnce: [netbc.exe] C:\WINDOWS\system32\netbc.exe
O4 - HKLM\..\RunOnce: [sysae.exe] C:\WINDOWS\system32\sysae.exe
O4 - HKLM\..\RunOnce: [wintn.exe] C:\WINDOWS\system32\wintn.exe
O4 - HKLM\..\RunOnce: [javalc32.exe] C:\WINDOWS\javalc32.exe
O4 - HKLM\..\RunOnce: [msbk.exe] C:\WINDOWS\msbk.exe
O4 - HKLM\..\RunOnce: [appfo32.exe] C:\WINDOWS\system32\appfo32.exe
O4 - HKLM\..\RunOnce: [syspo.exe] C:\WINDOWS\syspo.exe
O4 - HKLM\..\RunOnce: [javaif.exe] C:\WINDOWS\system32\javaif.exe
O4 - HKLM\..\RunOnce: [iper.exe] C:\WINDOWS\system32\iper.exe
O4 - HKLM\..\RunOnce: [d3bg32.exe] C:\WINDOWS\d3bg32.exe
O4 - HKLM\..\RunOnce: [winro32.exe] C:\WINDOWS\winro32.exe
O4 - HKLM\..\RunOnce: [ienz.exe] C:\WINDOWS\ienz.exe
O4 - HKLM\..\RunOnce: [winvd.exe] C:\WINDOWS\system32\winvd.exe
O4 - HKLM\..\RunOnce: [netzt.exe] C:\WINDOWS\netzt.exe
O4 - HKLM\..\RunOnce: [mfckx32.exe] C:\WINDOWS\system32\mfckx32.exe
O4 - HKLM\..\RunOnce: [apili.exe] C:\WINDOWS\apili.exe
O4 - HKLM\..\RunOnce: [apikn.exe] C:\WINDOWS\system32\apikn.exe
O4 - HKLM\..\RunOnce: [mfcsn.exe] C:\WINDOWS\mfcsn.exe
O4 - HKLM\..\RunOnce: [javaic32.exe] C:\WINDOWS\system32\javaic32.exe
O4 - HKLM\..\RunOnce: [msyj32.exe] C:\WINDOWS\system32\msyj32.exe
O4 - HKLM\..\RunOnce: [crtv.exe] C:\WINDOWS\system32\crtv.exe
O4 - HKLM\..\RunOnce: [netsl32.exe] C:\WINDOWS\system32\netsl32.exe
O4 - HKLM\..\RunOnce: [addqs32.exe] C:\WINDOWS\addqs32.exe
O4 - HKLM\..\RunOnce: [appqi.exe] C:\WINDOWS\appqi.exe
O4 - HKLM\..\RunOnce: [addzj.exe] C:\WINDOWS\system32\addzj.exe
O4 - HKLM\..\RunOnce: [javaff32.exe] C:\WINDOWS\javaff32.exe
O4 - HKLM\..\RunOnce: [ntir.exe] C:\WINDOWS\system32\ntir.exe
O4 - HKLM\..\RunOnce: [atlhh32.exe] C:\WINDOWS\system32\atlhh32.exe
O4 - HKLM\..\RunOnce: [sysxo.exe] C:\WINDOWS\sysxo.exe
O4 - HKLM\..\RunOnce: [sdkwe32.exe] C:\WINDOWS\system32\sdkwe32.exe
O4 - HKLM\..\RunOnce: [apiut32.exe] C:\WINDOWS\apiut32.exe
O4 - HKLM\..\RunOnce: [sdkqo.exe] C:\WINDOWS\sdkqo.exe
O4 - HKLM\..\RunOnce: [netub32.exe] C:\WINDOWS\netub32.exe
O4 - HKLM\..\RunOnce: [atljq32.exe] C:\WINDOWS\atljq32.exe
O4 - HKLM\..\RunOnce: [apijw32.exe] C:\WINDOWS\system32\apijw32.exe
O4 - HKLM\..\RunOnce: [apixt.exe] C:\WINDOWS\system32\apixt.exe
O4 - HKLM\..\RunOnce: [netdp.exe] C:\WINDOWS\system32\netdp.exe
O4 - HKLM\..\RunOnce: [ntqs.exe] C:\WINDOWS\ntqs.exe
O4 - HKLM\..\RunOnce: [apime.exe] C:\WINDOWS\system32\apime.exe
O4 - HKLM\..\RunOnce: [crjt32.exe] C:\WINDOWS\system32\crjt32.exe
O4 - HKLM\..\RunOnce: [ieaa.exe] C:\WINDOWS\system32\ieaa.exe
O4 - HKLM\..\RunOnce: [appee32.exe] C:\WINDOWS\system32\appee32.exe
O4 - HKLM\..\RunOnce: [winnf.exe] C:\WINDOWS\system32\winnf.exe
O4 - HKLM\..\RunOnce: [addtb32.exe] C:\WINDOWS\system32\addtb32.exe
O4 - HKLM\..\RunOnce: [winhy32.exe] C:\WINDOWS\winhy32.exe
O4 - HKLM\..\RunOnce: [javamv32.exe] C:\WINDOWS\system32\javamv32.exe
O4 - HKLM\..\RunOnce: [addhg32.exe] C:\WINDOWS\addhg32.exe
O4 - HKLM\..\RunOnce: [javaux.exe] C:\WINDOWS\system32\javaux.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkzw.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============


When your done, rescan your system and make sure the following isn't present:

N3 - Netscape ... 5CSBWeb_01.src (or) 5CSBWeb_02.src

If it is, then fix that entry again; sometimes it'll take more than one pass. The actual entry is ok, and won't be deleted, it's the java wrapper marked in red that needs to be removed.

===============

Locate and delete the following item(s), if present. Make sure your able to " view system and hidden files/ folders: "

folders...

C:\Program Files\PartyPoker

files...

C:\WINDOWS\ietf32.exe
C:\WINDOWS\nzunt.dll
C:\WINDOWS\vtzzf.dll
C:\WINDOWS\system32\crdc32.dll
C:\WINDOWS\crni32.dll
C:\WINDOWS\system32\apijw32.dll
C:\WINDOWS\system32\sdkpb32.dll
C:\WINDOWS\system32\javajp.exe
C:\WINDOWS\system32\javacq32.exe
C:\WINDOWS\nettf.exe
C:\WINDOWS\system32\sdkzw.exe
C:\WINDOWS\ntma.exe
C:\WINDOWS\system32\iefu32.exe
C:\WINDOWS\system32\ieui32.exe
C:\WINDOWS\system32\apilj32.exe
C:\WINDOWS\mfcpj32.exe
C:\WINDOWS\system32\addzh32.exe
C:\WINDOWS\system32\apirg32.exe
C:\WINDOWS\javals.exe
C:\WINDOWS\system32\atlgh32.exe
C:\WINDOWS\mfcop32.exe
C:\WINDOWS\system32\netaf32.exe
C:\WINDOWS\sdkoq.exe
C:\WINDOWS\ntxa32.exe
C:\WINDOWS\sdkqf.exe
C:\WINDOWS\ipun32.exe
C:\WINDOWS\system32\d3ql.exe
C:\WINDOWS\system32\sdkux32.exe
C:\WINDOWS\system32\apiry.exe
C:\WINDOWS\ipqe.exe
C:\WINDOWS\mfcgt.exe
C:\WINDOWS\system32\iexn32.exe
C:\WINDOWS\system32\atljw32.exe
C:\WINDOWS\system32\ieoz.exe
C:\WINDOWS\netob.exe
C:\WINDOWS\system32\syscd.exe
C:\WINDOWS\javamq.exe
C:\WINDOWS\apirs32.exe
C:\WINDOWS\system32\syswp32.exe
C:\WINDOWS\system32\ntde.exe
C:\WINDOWS\system32\apitt.exe
C:\WINDOWS\appxf.exe
C:\WINDOWS\system32\netbc.exe
C:\WINDOWS\system32\sysae.exe
C:\WINDOWS\system32\wintn.exe
C:\WINDOWS\javalc32.exe
C:\WINDOWS\msbk.exe
C:\WINDOWS\system32\appfo32.exe
C:\WINDOWS\syspo.exe
C:\WINDOWS\system32\javaif.exe
C:\WINDOWS\system32\iper.exe
C:\WINDOWS\d3bg32.exe
C:\WINDOWS\winro32.exe
C:\WINDOWS\ienz.exe
C:\WINDOWS\system32\winvd.exe
C:\WINDOWS\netzt.exe
C:\WINDOWS\system32\mfckx32.exe
C:\WINDOWS\apili.exe
C:\WINDOWS\system32\apikn.exe
C:\WINDOWS\mfcsn.exe
C:\WINDOWS\system32\javaic32.exe
C:\WINDOWS\system32\msyj32.exe
C:\WINDOWS\system32\crtv.exe
C:\WINDOWS\system32\netsl32.exe
C:\WINDOWS\addqs32.exe
C:\WINDOWS\appqi.exe
C:\WINDOWS\system32\addzj.exe
C:\WINDOWS\javaff32.exe
C:\WINDOWS\system32\ntir.exe
C:\WINDOWS\system32\atlhh32.exe
C:\WINDOWS\sysxo.exe
C:\WINDOWS\system32\sdkwe32.exe
C:\WINDOWS\apiut32.exe
C:\WINDOWS\sdkqo.exe
C:\WINDOWS\netub32.exe
C:\WINDOWS\atljq32.exe
C:\WINDOWS\system32\apijw32.exe
C:\WINDOWS\system32\apixt.exe
C:\WINDOWS\system32\netdp.exe
C:\WINDOWS\ntqs.exe
C:\WINDOWS\system32\apime.exe
C:\WINDOWS\system32\crjt32.exe
C:\WINDOWS\system32\ieaa.exe
C:\WINDOWS\system32\appee32.exe
C:\WINDOWS\system32\winnf.exe
C:\WINDOWS\system32\addtb32.exe
C:\WINDOWS\winhy32.exe
C:\WINDOWS\system32\javamv32.exe
C:\WINDOWS\addhg32.exe
C:\WINDOWS\system32\javaux.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in " Safe Mode ".

-

Reboot.

===============

After rebooting your PC, rescan with hijackthis and post a new log.
Let me know how things are now.

-

You may want to uninstall Aluria from your PC as they have teamed up with a well known Adware company, WhenU. Read the following if you wish; http://www.dslreports.com/forum/remark,11723816~mode=flat

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

crunchie,
Thanks for your help. I followed your advice, but it appears that some of the spyware is on my system. I ran the CWShredder program, and Hijackthis, but I couldn't get the trendmirco.com online scan to work. Everytime I tried it from IE, IE crashed, and when I tried installing the activeX components on Netscape, it said it couldn't find where to install the plugin in the Netscape folder. I tried telling it to look in every subfolder in the Netscape folder, but no luck.

Here are the results from CWShredder:

Scanned at: 8:08:27 PM on: 5/24/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 5 Random Key Entries
Removed! : C:\WINDOWS\cwyiz.dat
Removed! : C:\WINDOWS\fgxtz.dat
Removed! : C:\WINDOWS\gisfv.dat
Removed! : C:\WINDOWS\hries.dat
Removed! : C:\WINDOWS\htkaf.dat
Removed! : C:\WINDOWS\ipqwc.dat
Removed! : C:\WINDOWS\ivmew.dat
Removed! : C:\WINDOWS\jipcc.dat
Removed! : C:\WINDOWS\jxkse.dat
Removed! : C:\WINDOWS\nzile.dat
Removed! : C:\WINDOWS\rzgeg.dat
Removed! : C:\WINDOWS\sopxd.dat
Removed! : C:\WINDOWS\swveq.dat
Removed! : C:\WINDOWS\uaieb.dat
Removed! : C:\WINDOWS\wtxtq.dat
Removed! : C:\WINDOWS\wzulp.dat
Removed! : C:\WINDOWS\system32\ktnus.dat
Removed! : C:\WINDOWS\system32\nvbwq.dat
Removed! : C:\WINDOWS\system32\orihz.dat
Removed! : C:\WINDOWS\system32\pfsrh.dat
Removed! : C:\WINDOWS\system32\pnhlz.dat
Removed! : C:\WINDOWS\system32\rszbk.dat
Removed! : C:\WINDOWS\system32\uowhp.dat
Removed! : C:\WINDOWS\system32\yhxko.dat
Removed! : C:\WINDOWS\system32\yqupg.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed! : C:\WINDOWS\vrtyk.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


=======================================


And here are the results from Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 11:11:52 PM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~1\asKernel.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\winyl32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Owner\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.net/home"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\uatt62pk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\uatt62pk.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {12899B2B-DA72-DAA3-33E7-18D55F24E119} - C:\WINDOWS\apirh32.dll
O2 - BHO: Class - {2FEAB903-6EB6-13A2-FC5F-0B60204CAD29} - C:\WINDOWS\winyl32.dll
O2 - BHO: Class - {58E19DDB-FF55-C80E-005C-675F6F8331B0} - C:\WINDOWS\system32\apiti.dll
O2 - BHO: Class - {79C93508-E653-3149-0C20-C0B4BFC88F32} - C:\WINDOWS\javadf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F97B935C-4820-CB6C-D4EF-A3AF4B649DB3} - C:\WINDOWS\ipld.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [addeq32.exe] C:\WINDOWS\addeq32.exe
O4 - HKLM\..\Run: [ieoz32.exe] C:\WINDOWS\ieoz32.exe
O4 - HKLM\..\Run: [atlfw.exe] C:\WINDOWS\system32\atlfw.exe
O4 - HKLM\..\Run: [winyl32.exe] C:\WINDOWS\winyl32.exe
O4 - HKLM\..\RunOnce: [iewm32.exe] C:\WINDOWS\iewm32.exe
O4 - HKLM\..\RunOnce: [javaew.exe] C:\WINDOWS\system32\javaew.exe
O4 - HKLM\..\RunOnce: [iehf.exe] C:\WINDOWS\iehf.exe
O4 - HKLM\..\RunOnce: [ievc32.exe] C:\WINDOWS\ievc32.exe
O4 - HKLM\..\RunOnce: [apiqo.exe] C:\WINDOWS\apiqo.exe
O4 - HKLM\..\RunOnce: [apikd.exe] C:\WINDOWS\system32\apikd.exe
O4 - HKLM\..\RunOnce: [javapz32.exe] C:\WINDOWS\javapz32.exe
O4 - HKLM\..\RunOnce: [iedp32.exe] C:\WINDOWS\system32\iedp32.exe
O4 - HKLM\..\RunOnce: [nettx32.exe] C:\WINDOWS\nettx32.exe
O4 - HKLM\..\RunOnce: [apiug.exe] C:\WINDOWS\apiug.exe
O4 - HKLM\..\RunOnce: [ntfh32.exe] C:\WINDOWS\ntfh32.exe
O4 - HKLM\..\RunOnce: [apist32.exe] C:\WINDOWS\system32\apist32.exe
O4 - HKLM\..\RunOnce: [addth32.exe] C:\WINDOWS\addth32.exe
O4 - HKLM\..\RunOnce: [apiab32.exe] C:\WINDOWS\apiab32.exe
O4 - HKLM\..\RunOnce: [addoj.exe] C:\WINDOWS\system32\addoj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkzw.exe (file missing)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: asKernel - Unknown owner - C:\PROGRA~1\ALURIA~1\asKernel.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

===========================

I really appreciate you're help even if I can get rid of this stuff.


Thanks

adinezza
Newbie Poster
2 posts since May 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Reboot into safe mode following the instructions here and do the following:

Run both CWShredder and About:Buster again.

Still in safe mode run HiJackThis, click "Scan", then check(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ogtlf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ogtlf.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [addeq32.exe] C:\WINDOWS\addeq32.exe
O4 - HKLM\..\Run: [ieoz32.exe] C:\WINDOWS\ieoz32.exe
O4 - HKLM\..\Run: [atlfw.exe] C:\WINDOWS\system32\atlfw.exe
O4 - HKLM\..\Run: [winyl32.exe] C:\WINDOWS\winyl32.exe
O4 - HKLM\..\RunOnce: [iewm32.exe] C:\WINDOWS\iewm32.exe
O4 - HKLM\..\RunOnce: [javaew.exe] C:\WINDOWS\system32\javaew.exe
O4 - HKLM\..\RunOnce: [iehf.exe] C:\WINDOWS\iehf.exe
O4 - HKLM\..\RunOnce: [ievc32.exe] C:\WINDOWS\ievc32.exe
O4 - HKLM\..\RunOnce: [apiqo.exe] C:\WINDOWS\apiqo.exe
O4 - HKLM\..\RunOnce: [apikd.exe] C:\WINDOWS\system32\apikd.exe
O4 - HKLM\..\RunOnce: [javapz32.exe] C:\WINDOWS\javapz32.exe
O4 - HKLM\..\RunOnce: [iedp32.exe] C:\WINDOWS\system32\iedp32.exe
O4 - HKLM\..\RunOnce: [nettx32.exe] C:\WINDOWS\nettx32.exe
O4 - HKLM\..\RunOnce: [apiug.exe] C:\WINDOWS\apiug.exe
O4 - HKLM\..\RunOnce: [ntfh32.exe] C:\WINDOWS\ntfh32.exe
O4 - HKLM\..\RunOnce: [apist32.exe] C:\WINDOWS\system32\apist32.exe
O4 - HKLM\..\RunOnce: [addth32.exe] C:\WINDOWS\addth32.exe
O4 - HKLM\..\RunOnce: [apiab32.exe] C:\WINDOWS\apiab32.exe
O4 - HKLM\..\RunOnce: [addoj.exe] C:\WINDOWS\system32\addoj.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkzw.exe (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to " view system and hidden files/ folders: "

files...

C:\WINDOWS\winyl32.exe
C:\WINDOWS\ogtlf.dll
C:\WINDOWS\addeq32.exe
C:\WINDOWS\ieoz32.exe
C:\WINDOWS\system32\atlfw.exe
C:\WINDOWS\iewm32.exe
C:\WINDOWS\system32\javaew.exe
C:\WINDOWS\iehf.exe
C:\WINDOWS\ievc32.exe
C:\WINDOWS\apiqo.exe
C:\WINDOWS\system32\apikd.exe
C:\WINDOWS\javapz32.exe
C:\WINDOWS\system32\iedp32.exe
C:\WINDOWS\nettx32.exe
C:\WINDOWS\apiug.exe
C:\WINDOWS\ntfh32.exe
C:\WINDOWS\system32\apist32.exe
C:\WINDOWS\addth32.exe
C:\WINDOWS\apiab32.exe
C:\WINDOWS\system32\addoj.exe

-

Reboot.

===============

The scan here does not require an active X install, but uses java instead.
http://fr.trendmicro-europe.com/consumer/products/housecall_launch.php

-

After rebooting your PC, rescan with hijackthis and post a new log.
Let me know how things are now.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 

This article has been dead for over three months

Post: Markdown Syntax: Formatting Help
You
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed