Help me! AIM stopped working when I upgraded it to the newest version, I have Home Search Assistant and Search Assistant on my program list, I cannot remove them. I also have PGtools which I can't remove either! Here's my list, I'm new to HijackThis!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\valve\steam\steam.exe
C:\WINDOWS\crcn32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.portal.radford.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://www.portal.radford.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {15FBB4C9-D741-BC89-6F52-54F771295D1D} - C:\WINDOWS\wincb.dll
O2 - BHO: Class - {18A2EFFD-B6E8-69B5-4ABB-1F1C8F860433} - C:\WINDOWS\system32\netyb32.dll
O2 - BHO: Class - {1A8F55DA-AA1A-83F6-E440-B24CCE595AB8} - C:\WINDOWS\system32\mfckm.dll
O2 - BHO: Class - {2B49DB2A-1F9C-091F-0AA3-97CDCC0920A1} - C:\WINDOWS\systl32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {5458BAA3-A40F-AB9F-E72F-77F8C6801EAA} - C:\WINDOWS\system32\ntnj.dll
O2 - BHO: Class - {6D1A41A2-E07C-983F-DE15-81818F69D81D} - C:\WINDOWS\system32\appcj32.dll
O2 - BHO: Class - {6EE4E0AD-CA47-9A72-7C18-9CF62AD4C96C} - C:\WINDOWS\system32\crle32.dll
O2 - BHO: Class - {908769E2-4A81-1229-AF77-095E926EDFCB} - C:\WINDOWS\iesj.dll
O2 - BHO: Class - {9AC98B09-E932-6B01-C983-A8AF24A16D40} - C:\WINDOWS\winzn.dll
O2 - BHO: Class - {A97F3FDF-D067-02D7-9B41-A262368C2E2C} - C:\WINDOWS\system32\sdkza.dll
O2 - BHO: Class - {C0B62884-9D9D-A9E4-7E45-B29002B6258A} - C:\WINDOWS\winzh32.dll
O2 - BHO: Class - {C396D0E0-9E0A-542C-DF8F-ADEA8A5525B8} - C:\WINDOWS\appir32.dll
O2 - BHO: Class - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\ntwb.dll
O2 - BHO: Class - {C738A371-0430-6A14-07D8-FF8D00747F0E} - C:\WINDOWS\system32\nethk.dll
O2 - BHO: Class - {CC67ADD3-8236-844B-5732-907E26BCF629} - C:\WINDOWS\system32\atlmh32.dll
O2 - BHO: Class - {CC72D832-A0D6-01EC-9307-FA4CF27C6BD1} - C:\WINDOWS\system32\sdkox.dll
O2 - BHO: Class - {D02FD285-78D4-2369-CA17-092C21D1BC0E} - C:\WINDOWS\system32\addgp32.dll
O2 - BHO: Class - {D5FF7721-FA81-5AF4-53A0-7DB2929112EE} - C:\WINDOWS\system32\appfq32.dll
O2 - BHO: Class - {DB1E628A-3979-AFA8-F263-792A5E351800} - C:\WINDOWS\sdklc.dll
O2 - BHO: Class - {DFCBB536-180F-FD1F-9ABF-369D9DE5D726} - C:\WINDOWS\iebo.dll
O2 - BHO: Class - {FFCD035F-429E-054F-1D01-F49E14490C2E} - C:\WINDOWS\sdkvr32.dll
O2 - BHO: Class - {FFCDF546-F480-31CB-7C6B-5F25BAA47B24} - C:\WINDOWS\system32\msof.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winmk.exe] C:\WINDOWS\system32\winmk.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12a42d98c84208a9d417/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crcn32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinRoute Pro 4.2 (WinRoute) - Unknown owner - C:\Program Files\WinRoute Pro\winroute.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)

Last Post by crunchie

tvockrodt,

Hi and welcome to the Daniweb forums :).

===============

The header for HiJackThis is very important: It helps to determine what steps might need to be taken to better secure your system, and provide more efficient cleanup procedures. For example, some files, which are standard on one platform, may indicate a virus or trojan on another. So, be sure to include this information with any future posts.

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Download CWShredder 2.14 from here. Run it and press *fix*, not scan, and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

-

Download About:Buster, unzip it to your desktop and run it, then:

1. Click "Update".
2. Click "Check For Update"

(If no new version is available, skip to step #4.)

3. Click "Download Update", and wait for it to be installed.
4. Click "Start".

(Wait for the initial ADS scan to complete.)

5. Click "Yes", to shutdown any IE session currently open.

(Wait for the about:blank scan to complete.)

6. Click "Ok", to scan once more.
7. Click "Yes", to shutdown any IE sessions currently open.
8. Click "Yes", to begin the second pass.

9. Click "Save log", and post this log back along with your new log.
10. Click "Exit".
11. Click "Exit".
12. "Reboot".


===============

Next, open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) owner ... (C:\WINDOWS\crcn32.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\crcn32.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {15FBB4C9-D741-BC89-6F52-54F771295D1D} - C:\WINDOWS\wincb.dll
O2 - BHO: Class - {18A2EFFD-B6E8-69B5-4ABB-1F1C8F860433} - C:\WINDOWS\system32\netyb32.dll
O2 - BHO: Class - {1A8F55DA-AA1A-83F6-E440-B24CCE595AB8} - C:\WINDOWS\system32\mfckm.dll
O2 - BHO: Class - {2B49DB2A-1F9C-091F-0AA3-97CDCC0920A1} - C:\WINDOWS\systl32.dll
O2 - BHO: Class - {5458BAA3-A40F-AB9F-E72F-77F8C6801EAA} - C:\WINDOWS\system32\ntnj.dll
O2 - BHO: Class - {6D1A41A2-E07C-983F-DE15-81818F69D81D} - C:\WINDOWS\system32\appcj32.dll
O2 - BHO: Class - {6EE4E0AD-CA47-9A72-7C18-9CF62AD4C96C} - C:\WINDOWS\system32\crle32.dll
O2 - BHO: Class - {908769E2-4A81-1229-AF77-095E926EDFCB} - C:\WINDOWS\iesj.dll
O2 - BHO: Class - {9AC98B09-E932-6B01-C983-A8AF24A16D40} - C:\WINDOWS\winzn.dll
O2 - BHO: Class - {A97F3FDF-D067-02D7-9B41-A262368C2E2C} - C:\WINDOWS\system32\sdkza.dll
O2 - BHO: Class - {C0B62884-9D9D-A9E4-7E45-B29002B6258A} - C:\WINDOWS\winzh32.dll
O2 - BHO: Class - {C396D0E0-9E0A-542C-DF8F-ADEA8A5525B8} - C:\WINDOWS\appir32.dll
O2 - BHO: Class - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\ntwb.dll
O2 - BHO: Class - {C738A371-0430-6A14-07D8-FF8D00747F0E} - C:\WINDOWS\system32\nethk.dll
O2 - BHO: Class - {CC67ADD3-8236-844B-5732-907E26BCF629} - C:\WINDOWS\system32\atlmh32.dll
O2 - BHO: Class - {CC72D832-A0D6-01EC-9307-FA4CF27C6BD1} - C:\WINDOWS\system32\sdkox.dll
O2 - BHO: Class - {D02FD285-78D4-2369-CA17-092C21D1BC0E} - C:\WINDOWS\system32\addgp32.dll
O2 - BHO: Class - {D5FF7721-FA81-5AF4-53A0-7DB2929112EE} - C:\WINDOWS\system32\appfq32.dll
O2 - BHO: Class - {DB1E628A-3979-AFA8-F263-792A5E351800} - C:\WINDOWS\sdklc.dll
O2 - BHO: Class - {DFCBB536-180F-FD1F-9ABF-369D9DE5D726} - C:\WINDOWS\iebo.dll
O2 - BHO: Class - {FFCD035F-429E-054F-1D01-F49E14490C2E} - C:\WINDOWS\sdkvr32.dll
O2 - BHO: Class - {FFCDF546-F480-31CB-7C6B-5F25BAA47B24} - C:\WINDOWS\system32\msof.dll

O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [winmk.exe] C:\WINDOWS\system32\winmk.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
...(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12a42d9...ip/RdxIE601.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/5...03C00/setup.exe

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crcn32.exe


Now, with all windows closed (including Internet Explorer) except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...

C:\WINDOWS\crcn32.exe
C:\WINDOWS\wlmkn.dll
C:\WINDOWS\wincb.dll
C:\WINDOWS\system32\netyb32.dll
C:\WINDOWS\system32\mfckm.dll
C:\WINDOWS\systl32.dll
C:\WINDOWS\system32\ntnj.dll
C:\WINDOWS\system32\appcj32.dll
C:\WINDOWS\system32\crle32.dll
C:\WINDOWS\iesj.dll
C:\WINDOWS\winzn.dll
C:\WINDOWS\system32\sdkza.dll
C:\WINDOWS\winzh32.dll
C:\WINDOWS\appir32.dll
C:\WINDOWS\ntwb.dll
C:\WINDOWS\system32\nethk.dll
C:\WINDOWS\system32\atlmh32.dll
C:\WINDOWS\system32\sdkox.dll
C:\WINDOWS\system32\addgp32.dll
C:\WINDOWS\system32\appfq32.dll
C:\WINDOWS\sdklc.dll
C:\WINDOWS\iebo.dll
C:\WINDOWS\sdkvr32.dll
C:\WINDOWS\system32\msof.dll
C:\WINDOWS\System32\pc32.exe
C:\WINDOWS\system32\winmk.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting, rescan with HiJackThis and post back a new log. Let me know how everything goes.
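
As an added example (not part of the original post, and not HijackThis's own logic): a small Python triage pass over a HijackThis log that groups entries by section code and surfaces the same kinds of entries singled out in the reply above. The three rules and the shortened sample log are assumptions made for illustration; hits are candidates for a person to review, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log in this thread (service name shortened).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wlmkn.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.portal.radford.edu/
O2 - BHO: Class - {15FBB4C9-D741-BC89-6F52-54F771295D1D} - C:\WINDOWS\wincb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Workstation NetLogon Service - Unknown owner - C:\WINDOWS\crcn32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# Assumption: a file sitting directly in C:\WINDOWS or C:\WINDOWS\system32.
WINDIR_RE = re.compile(r"^C:\\WINDOWS\\(system32\\)?[^\\]+\.(dll|exe)$", re.I)

def parse(log_text):
    """Return {section_code: [entry_text, ...]} for recognised log lines."""
    sections = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def review_candidates(sections):
    """Apply three illustrative rules; return (code, reason, entry) tuples."""
    hits = []
    for code in ("R0", "R1"):
        for entry in sections.get(code, []):
            value = entry.partition(" = ")[2].lower()
            if value.startswith("res://") and ".dll" in value:
                hits.append((code, "IE setting points at a local DLL resource", entry))
    for entry in sections.get("O2", []):
        path = entry.rsplit(" - ", 1)[-1]
        if WINDIR_RE.match(path):
            hits.append(("O2", "BHO DLL sits directly in the Windows directory", entry))
    for entry in sections.get("O23", []):
        parts = entry.rsplit(" - ", 2)
        if len(parts) == 3 and parts[1] == "Unknown owner" and "(file missing)" not in parts[2]:
            hits.append(("O23", "service binary present with unknown owner", entry))
    return hits

if __name__ == "__main__":
    for code, reason, entry in review_candidates(parse(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {entry}")
```
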
