0

I was trying get my AIM to work, because every time I try to open an IM box, the whole thing closes, and I went to the aim site, and it said that if i had these three programs, it might be causing it and to delete it...Well I can't delete them!!! and my AIM still doesn't work and i have tons of popups and other annoyances on here...how can i delete them??

(Related Thread -- http://www.daniweb.com/techtalkforums/thread23313.html)

4
Contributors
15
Replies
16
Views
12 Years
Discussion Span
Last Post by dlh6213
0

ok so i did this...please help it would mean so much!!

Logfile of HijackThis v1.99.1
Scan saved at 9:43:07 PM, on 5/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntbp32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\AIM\AIMWDI~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\nst10.tmp
C:\DOCUME~1\Sarah\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\nst11.tmp
C:\PROGRA~1\AIM\WxBug.EXE
C:\DOCUME~1\Sarah\LOCALS~1\Temp\GLB12.tmp
C:\DOCUME~1\Sarah\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\nst1B.tmp
C:\DOCUME~1\Sarah\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\nst1E.tmp
C:\DOCUME~1\Sarah\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\nst1F.tmp
C:\DOCUME~1\Sarah\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\Sarah\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ngrog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ngrog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ngrog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ngrog.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {79FED68F-557B-E50C-4282-87434007B6F9} - C:\WINDOWS\atlom32.dll
O2 - BHO: Class - {F99061EE-BCEC-AA3C-EDD1-FD4D490410FD} - C:\WINDOWS\system32\wincn.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=051704 serial=WP12WCX-0100896-SXR
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3gx32.exe] C:\WINDOWS\system32\d3gx32.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [nteb.exe] C:\WINDOWS\system32\nteb.exe
O4 - HKLM\..\Run: [ntbp32.exe] C:\WINDOWS\system32\ntbp32.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\RunOnce: [addfx.exe] C:\WINDOWS\system32\addfx.exe
O4 - HKLM\..\RunOnce: [addav32.exe] C:\WINDOWS\system32\addav32.exe
O4 - HKLM\..\RunOnce: [sdkno32.exe] C:\WINDOWS\sdkno32.exe
O4 - HKLM\..\RunOnce: [crkn32.exe] C:\WINDOWS\crkn32.exe
O4 - HKLM\..\RunOnce: [mstg.exe] C:\WINDOWS\mstg.exe
O4 - HKLM\..\RunOnce: [d3ib32.exe] C:\WINDOWS\system32\d3ib32.exe
O4 - HKLM\..\RunOnce: [javaai32.exe] C:\WINDOWS\system32\javaai32.exe
O4 - HKLM\..\RunOnce: [sdkdr.exe] C:\WINDOWS\sdkdr.exe
O4 - HKLM\..\RunOnce: [d3vc.exe] C:\WINDOWS\system32\d3vc.exe
O4 - HKLM\..\RunOnce: [netxz32.exe] C:\WINDOWS\system32\netxz32.exe
O4 - HKLM\..\RunOnce: [netlo32.exe] C:\WINDOWS\netlo32.exe
O4 - HKLM\..\RunOnce: [apihq.exe] C:\WINDOWS\system32\apihq.exe
O4 - HKLM\..\RunOnce: [netag32.exe] C:\WINDOWS\netag32.exe
O4 - HKLM\..\RunOnce: [syspe.exe] C:\WINDOWS\system32\syspe.exe
O4 - HKLM\..\RunOnce: [atlfq.exe] C:\WINDOWS\system32\atlfq.exe
O4 - HKLM\..\RunOnce: [msxb.exe] C:\WINDOWS\msxb.exe
O4 - HKLM\..\RunOnce: [sdklh32.exe] C:\WINDOWS\sdklh32.exe
O4 - HKLM\..\RunOnce: [msak.exe] C:\WINDOWS\msak.exe
O4 - HKLM\..\RunOnce: [netpj32.exe] C:\WINDOWS\system32\netpj32.exe
O4 - HKLM\..\RunOnce: [javanq.exe] C:\WINDOWS\system32\javanq.exe
O4 - HKLM\..\RunOnce: [ntpw.exe] C:\WINDOWS\ntpw.exe
O4 - HKLM\..\RunOnce: [javalx.exe] C:\WINDOWS\javalx.exe
O4 - HKLM\..\RunOnce: [iebg.exe] C:\WINDOWS\iebg.exe
O4 - HKLM\..\RunOnce: [winzi.exe] C:\WINDOWS\winzi.exe
O4 - HKLM\..\RunOnce: [sysbu.exe] C:\WINDOWS\sysbu.exe
O4 - HKLM\..\RunOnce: [winwj32.exe] C:\WINDOWS\system32\winwj32.exe
O4 - HKLM\..\RunOnce: [crfy32.exe] C:\WINDOWS\system32\crfy32.exe
O4 - HKLM\..\RunOnce: [ipdn.exe] C:\WINDOWS\ipdn.exe
O4 - HKLM\..\RunOnce: [ipuk32.exe] C:\WINDOWS\ipuk32.exe
O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
O4 - HKLM\..\RunOnce: [crtf.exe] C:\WINDOWS\crtf.exe
O4 - HKLM\..\RunOnce: [addry.exe] C:\WINDOWS\system32\addry.exe
O4 - HKLM\..\RunOnce: [ietl32.exe] C:\WINDOWS\system32\ietl32.exe
O4 - HKLM\..\RunOnce: [syspt.exe] C:\WINDOWS\system32\syspt.exe
O4 - HKLM\..\RunOnce: [ieab.exe] C:\WINDOWS\system32\ieab.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4484/mcfscan.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

0

Part of your problem may stem from the use of file-sharing programs (aka P2P), such as Warez.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.

Empty your Recycle Bin.

Before fixing anything with hijackthis, you still should put it into it's own folder. to do this, right-click on an empty area of your desktop, select New, Folder; give the new folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Then close any open browser windows, scan with hijackthis, and post a new log please.

0

deleted about 22 temp files and a bunch of cookies...here is the new product

Logfile of HijackThis v1.99.1
Scan saved at 3:01:36 PM, on 5/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\nteb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Sarah\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F99061EE-BCEC-AA3C-EDD1-FD4D490410FD} - C:\WINDOWS\system32\wincn.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=051704 serial=WP12WCX-0100896-SXR
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3gx32.exe] C:\WINDOWS\system32\d3gx32.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [nteb.exe] C:\WINDOWS\system32\nteb.exe
O4 - HKLM\..\Run: [ntbp32.exe] C:\WINDOWS\system32\ntbp32.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\RunOnce: [addfx.exe] C:\WINDOWS\system32\addfx.exe
O4 - HKLM\..\RunOnce: [msei.exe] C:\WINDOWS\msei.exe
O4 - HKLM\..\RunOnce: [mfcfi.exe] C:\WINDOWS\mfcfi.exe
O4 - HKLM\..\RunOnce: [msoc.exe] C:\WINDOWS\system32\msoc.exe
O4 - HKLM\..\RunOnce: [ipcn.exe] C:\WINDOWS\ipcn.exe
O4 - HKLM\..\RunOnce: [javafd.exe] C:\WINDOWS\system32\javafd.exe
O4 - HKLM\..\RunOnce: [netqy32.exe] C:\WINDOWS\netqy32.exe
O4 - HKLM\..\RunOnce: [nettl.exe] C:\WINDOWS\system32\nettl.exe
O4 - HKLM\..\RunOnce: [adddb32.exe] C:\WINDOWS\adddb32.exe
O4 - HKLM\..\RunOnce: [winmb32.exe] C:\WINDOWS\system32\winmb32.exe
O4 - HKLM\..\RunOnce: [ipao32.exe] C:\WINDOWS\system32\ipao32.exe
O4 - HKLM\..\RunOnce: [addjk.exe] C:\WINDOWS\addjk.exe
O4 - HKLM\..\RunOnce: [croe32.exe] C:\WINDOWS\croe32.exe
O4 - HKLM\..\RunOnce: [ipwv.exe] C:\WINDOWS\ipwv.exe
O4 - HKLM\..\RunOnce: [wintg32.exe] C:\WINDOWS\system32\wintg32.exe
O4 - HKLM\..\RunOnce: [crps32.exe] C:\WINDOWS\system32\crps32.exe
O4 - HKLM\..\RunOnce: [atlyi.exe] C:\WINDOWS\atlyi.exe
O4 - HKLM\..\RunOnce: [mfchu32.exe] C:\WINDOWS\mfchu32.exe
O4 - HKLM\..\RunOnce: [sdkzq32.exe] C:\WINDOWS\system32\sdkzq32.exe
O4 - HKLM\..\RunOnce: [netoz.exe] C:\WINDOWS\system32\netoz.exe
O4 - HKLM\..\RunOnce: [ienc32.exe] C:\WINDOWS\system32\ienc32.exe
O4 - HKLM\..\RunOnce: [sdkaw32.exe] C:\WINDOWS\sdkaw32.exe
O4 - HKLM\..\RunOnce: [iels32.exe] C:\WINDOWS\iels32.exe
O4 - HKLM\..\RunOnce: [iepf.exe] C:\WINDOWS\iepf.exe
O4 - HKLM\..\RunOnce: [msan.exe] C:\WINDOWS\msan.exe
O4 - HKLM\..\RunOnce: [atltj32.exe] C:\WINDOWS\atltj32.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4484/mcfscan.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

0

You missed a couple of steps :)

Before fixing anything with hijackthis, you still should put it into it's own folder. To do this, right-click on an empty area of your desktop, select New, Folder; give the new folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Then close any open browser windows, scan with hijackthis, and post a new log please.

0

Ok...I think i did it right this time!!! :o

Logfile of HijackThis v1.99.1
Scan saved at 1:29:49 PM, on 5/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\d3gx32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Sarah\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5BC3F7BC-69C1-08BC-EB9C-EC3C41D197CF} - C:\WINDOWS\appsw.dll
O2 - BHO: Class - {FD53AF3D-B5A4-3DEC-C009-E2E6791F3EE9} - C:\WINDOWS\system32\iezy32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=051704 serial=WP12WCX-0100896-SXR
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3gx32.exe] C:\WINDOWS\system32\d3gx32.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [nteb.exe] C:\WINDOWS\system32\nteb.exe
O4 - HKLM\..\Run: [ntbp32.exe] C:\WINDOWS\system32\ntbp32.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [d3un.exe] C:\WINDOWS\system32\d3un.exe
O4 - HKLM\..\RunOnce: [addfx.exe] C:\WINDOWS\system32\addfx.exe
O4 - HKLM\..\RunOnce: [aping.exe] C:\WINDOWS\system32\aping.exe
O4 - HKLM\..\RunOnce: [crfv.exe] C:\WINDOWS\crfv.exe
O4 - HKLM\..\RunOnce: [netsx32.exe] C:\WINDOWS\netsx32.exe
O4 - HKLM\..\RunOnce: [addmc.exe] C:\WINDOWS\addmc.exe
O4 - HKLM\..\RunOnce: [appgv32.exe] C:\WINDOWS\appgv32.exe
O4 - HKLM\..\RunOnce: [winkp32.exe] C:\WINDOWS\system32\winkp32.exe
O4 - HKLM\..\RunOnce: [atlou.exe] C:\WINDOWS\system32\atlou.exe
O4 - HKLM\..\RunOnce: [sysct32.exe] C:\WINDOWS\sysct32.exe
O4 - HKLM\..\RunOnce: [d3ex.exe] C:\WINDOWS\system32\d3ex.exe
O4 - HKLM\..\RunOnce: [ntdj.exe] C:\WINDOWS\system32\ntdj.exe
O4 - HKLM\..\RunOnce: [msmy.exe] C:\WINDOWS\msmy.exe
O4 - HKLM\..\RunOnce: [netaa.exe] C:\WINDOWS\system32\netaa.exe
O4 - HKLM\..\RunOnce: [sdkie.exe] C:\WINDOWS\sdkie.exe
O4 - HKLM\..\RunOnce: [ieta32.exe] C:\WINDOWS\system32\ieta32.exe
O4 - HKLM\..\RunOnce: [netzu32.exe] C:\WINDOWS\system32\netzu32.exe
O4 - HKLM\..\RunOnce: [sysnx.exe] C:\WINDOWS\sysnx.exe
O4 - HKLM\..\RunOnce: [atlcv32.exe] C:\WINDOWS\atlcv32.exe
O4 - HKLM\..\RunOnce: [apiax.exe] C:\WINDOWS\apiax.exe
O4 - HKLM\..\RunOnce: [apppo.exe] C:\WINDOWS\apppo.exe
O4 - HKLM\..\RunOnce: [apidm.exe] C:\WINDOWS\system32\apidm.exe
O4 - HKLM\..\RunOnce: [appsb32.exe] C:\WINDOWS\system32\appsb32.exe
O4 - HKLM\..\RunOnce: [iero32.exe] C:\WINDOWS\system32\iero32.exe
O4 - HKLM\..\RunOnce: [wincz.exe] C:\WINDOWS\system32\wincz.exe
O4 - HKLM\..\RunOnce: [sysmg.exe] C:\WINDOWS\sysmg.exe
O4 - HKLM\..\RunOnce: [iexl32.exe] C:\WINDOWS\iexl32.exe
O4 - HKLM\..\RunOnce: [atlqh.exe] C:\WINDOWS\atlqh.exe
O4 - HKLM\..\RunOnce: [mfcww32.exe] C:\WINDOWS\system32\mfcww32.exe
O4 - HKLM\..\RunOnce: [sdkos32.exe] C:\WINDOWS\sdkos32.exe
O4 - HKLM\..\RunOnce: [sdklv32.exe] C:\WINDOWS\sdklv32.exe
O4 - HKLM\..\RunOnce: [mfctd32.exe] C:\WINDOWS\mfctd32.exe
O4 - HKLM\..\RunOnce: [syshf.exe] C:\WINDOWS\syshf.exe
O4 - HKLM\..\RunOnce: [apijd32.exe] C:\WINDOWS\system32\apijd32.exe
O4 - HKLM\..\RunOnce: [appsw.exe] C:\WINDOWS\appsw.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4484/mcfscan.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

0

Blech! That log is still a right mess; you have numerous infections. :(

Let's see if we can some of it cleaned up with a few automated utilities before digging in with HJT and manual removal methods

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed). After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

About:Buster
HSRemove
ewido Security Suite
Microsoft Anti-Spyware beta
Ad Aware SE Personal
SpyBot Search & Destroy


3. Run HiajckThis again and post a fresh log.

0

Ok...It took a while to get all of this done...or at least I think it all is. I downloaded a lot of it, but had to run it all a LOT. The Ewido one would error in the middle and a diff. would freeze...I dunno, but I think it's a little better today, so I ran a HiJack log.

Logfile of HijackThis v1.99.1
Scan saved at 8:02:39 PM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ntht32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sarah\Desktop\Anti-Bad\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {46DF3BCE-821E-D3DD-3C76-56A4F7ADF988} - C:\WINDOWS\iexo.dll
O2 - BHO: Class - {8F6CE7E6-1006-35E7-C881-E904D5149F8D} - C:\WINDOWS\ntam.dll
O2 - BHO: Class - {E684A367-9097-B604-A183-5AAD9939B58C} - C:\WINDOWS\system32\sdktb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [appyh32.exe] C:\WINDOWS\system32\appyh32.exe
O4 - HKLM\..\Run: [ntht32.exe] C:\WINDOWS\ntht32.exe
O4 - HKLM\..\RunOnce: [ipnz.exe] C:\WINDOWS\ipnz.exe
O4 - HKLM\..\RunOnce: [ipma32.exe] C:\WINDOWS\ipma32.exe
O4 - HKLM\..\RunOnce: [msnj32.exe] C:\WINDOWS\msnj32.exe
O4 - HKLM\..\RunOnce: [crlc.exe] C:\WINDOWS\crlc.exe
O4 - HKLM\..\RunOnce: [wingd.exe] C:\WINDOWS\wingd.exe
O4 - HKLM\..\RunOnce: [sysfy32.exe] C:\WINDOWS\sysfy32.exe
O4 - HKLM\..\RunOnce: [ipzk32.exe] C:\WINDOWS\ipzk32.exe
O4 - HKLM\..\RunOnce: [addkd32.exe] C:\WINDOWS\addkd32.exe
O4 - HKLM\..\RunOnce: [mfcda.exe] C:\WINDOWS\mfcda.exe
O4 - HKLM\..\RunOnce: [netha32.exe] C:\WINDOWS\system32\netha32.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4484/mcfscan.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

0

The detection and removal programs I asked you to run don't seem to have done their jobs as well as they should have. Please do the following:

Print out the instructions below or save them into a text file using Windows Notepad; you will not have access to the Internet during most of this troubleshoot:

1. - Uninstall WeatherBug; it contains spyware components.

- Uninstall SpyFighter; it is a disreputable product which, among other things, returns "false positives" in it scans. Before installing any "anti-spyware" product, you should consult this list to verify the product's legitimacy; there are a lot of imposters and frauds out there.

- You should uninstall Warez P2P, although that choice is yours. Aside from the obvious legal issues, filesharing is one of the primary ways through which people become infected with spyware and adware.


2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up), and run all of the utilities I listed in #2 of last post again; have each utility fix everything it finds. Running the utilities in Safe Mode might enable them to do a more thorough cleaning.


3. While still in Safe Mode, run HijackThis and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {46DF3BCE-821E-D3DD-3C76-56A4F7ADF988} - C:\WINDOWS\iexo.dll
O2 - BHO: Class - {8F6CE7E6-1006-35E7-C881-E904D5149F8D} - C:\WINDOWS\ntam.dll
O2 - BHO: Class - {E684A367-9097-B604-A183-5AAD9939B58C} - C:\WINDOWS\system32\sdktb.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [appyh32.exe] C:\WINDOWS\system32\appyh32.exe
O4 - HKLM\..\Run: [ntht32.exe] C:\WINDOWS\ntht32.exe
O4 - HKLM\..\RunOnce: [ipnz.exe] C:\WINDOWS\ipnz.exe
O4 - HKLM\..\RunOnce: [ipma32.exe] C:\WINDOWS\ipma32.exe
O4 - HKLM\..\RunOnce: [msnj32.exe] C:\WINDOWS\msnj32.exe
O4 - HKLM\..\RunOnce: [crlc.exe] C:\WINDOWS\crlc.exe
O4 - HKLM\..\RunOnce: [wingd.exe] C:\WINDOWS\wingd.exe
O4 - HKLM\..\RunOnce: [sysfy32.exe] C:\WINDOWS\sysfy32.exe
O4 - HKLM\..\RunOnce: [ipzk32.exe] C:\WINDOWS\ipzk32.exe
O4 - HKLM\..\RunOnce: [addkd32.exe] C:\WINDOWS\addkd32.exe
O4 - HKLM\..\RunOnce: [mfcda.exe] C:\WINDOWS\mfcda.exe
O4 - HKLM\..\RunOnce: [netha32.exe] C:\WINDOWS\system32\netha32.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)


4. While still in Safe Mode:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Locate and delete the following folders entirely:
C:\Program Files\SpyFighter
C:\Program Files\Warez P2P
C:\PROGRAM Files\AWS

- Locate and delete the following files:
C:\WINDOWS\jwhog.dll
C:\WINDOWS\iexo.dll
C:\WINDOWS\ntam.dll
C:\WINDOWS\system32\sdktb.dll
C:\WINDOWS\system32\appyh32.exe
C:\WINDOWS\ntht32.exe
C:\WINDOWS\ipnz.exe
C:\WINDOWS\ipma32.exe
C:\WINDOWS\msnj32.exe
C:\WINDOWS\crlc.exe
C:\WINDOWS\wingd.exe
C:\WINDOWS\sysfy32.exe
C:\WINDOWS\ipzk32.exe
C:\WINDOWS\addkd32.exe
C:\WINDOWS\mfcda.exe
C:\WINDOWS\system32\netha32.exe

C:\WINDOWS\system32\javasz.exe

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.


5. Run HJT again and post a new log.

0

I'm feeling a little more confident about this one...i will be deleting warez soon also...By the way I just wanted to let you know how appreciated you are!!

Logfile of HijackThis v1.99.1
Scan saved at 12:46:01 AM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sarah\Desktop\Anti-Bad\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4484/mcfscan.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

0

I'm feeling a little more confident about this one...

And you definitely should- except for one loose end, that's a clean log. Good job! :)

We need to get rid of the following entry, but it might be a little tricky due to the "gibberish" characters in the service's name:

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)

I need to log off to take care of some "real life" work right now, but I'll post info on how to fix the above problem when I come back on line in a few hours.

0

Hey! Um...I don't wanna bother, but you just prolly forgot about me I think...We were going to take care of my...javasz..thing problem. Thank you! And sorry if I'm annoying..... :o

0

Sorry- "real life" has kept me away from the site.

Try this:

- Open the Services utility in your Administrative Tools control panel.

- Locate the service named " 11Fßä#·ºÄÖ`I" (if it exists) and double-click on it to check its status. If the service is not reported as both "Stopped" and "Disabled", stop the service and set its startup type to "Disabled". Close the Services utility after that.

- Run HJT again and retry the service deletion process.


If that does not work, try deleting the service manually through the Windows Registry Editor:

- Click on the "Run..." option under your Start menu, type the following command in the resulting "Open:" box, and hit Enter:

regedit

- At the top of the Registry Editor window, click on File, and then Export. In the Export range panel, click All, give the file a name, then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

- Navigate through the folder tree to the following locations and look for a sub-folder named " 11Fßä#·ºÄÖ`I". Delete the folders if found:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services

(Note that not all of the "ControlSet00X" folders listed above may exist on your particular system)

- Close the Registry Editor and reboot. Run HJT again and see if the O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)entry still exists.

0

Hi,

I have this same adware or malware whatever it is. I would like to know if Norton Anti-virus 2004, 2005 or Mcafee latest version can clean it.

Pls help.

Thanks
Anu

0

Hi,

I have this same adware or malware whatever it is. I would like to know if Norton Anti-virus 2004, 2005 or Mcafee latest version can clean it.

Pls help.

Thanks
Anu

Hi Anu, welcome to DaniWeb :D

Please start your own, new thread and describe your problem there.

Also, get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in your new thread.

Thanks :)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.