
Hijack this log file


4 replies to this topic

#1 memdog
  • Member
  • New Member
  • 4 posts

Posted 05 July 2004 - 04:27 PM

C:\WINDOWS\kdx\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sdkji.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Robert\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {408A38D3-8F90-3682-07E0-801204F76847} - C:\WINDOWS\ieui32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sdkji.exe] C:\WINDOWS\system32\sdkji.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\RunOnce: [ntcx.exe] C:\WINDOWS\system32\ntcx.exe
O4 - HKLM\..\RunOnce: [winme32.exe] C:\WINDOWS\system32\winme32.exe
O4 - HKLM\..\RunOnce: [atlwz32.exe] C:\WINDOWS\system32\atlwz32.exe
O4 - HKLM\..\RunOnce: [d3fd32.exe] C:\WINDOWS\system32\d3fd32.exe
O4 - HKLM\..\RunOnce: [ipal32.exe] C:\WINDOWS\ipal32.exe
O4 - HKLM\..\RunOnce: [ielj.exe] C:\WINDOWS\system32\ielj.exe
O4 - HKLM\..\RunOnce: [sdklu.exe] C:\WINDOWS\system32\sdklu.exe
O4 - HKLM\..\RunOnce: [apinx32.exe] C:\WINDOWS\apinx32.exe
O4 - HKLM\..\RunOnce: [atlvr.exe] C:\WINDOWS\atlvr.exe
O4 - HKLM\..\RunOnce: [mstw.exe] C:\WINDOWS\mstw.exe
O4 - HKLM\..\RunOnce: [addin32.exe] C:\WINDOWS\addin32.exe
O4 - HKLM\..\RunOnce: [netka.exe] C:\WINDOWS\netka.exe
O4 - HKLM\..\RunOnce: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
O4 - HKLM\..\RunOnce: [msvg.exe] C:\WINDOWS\msvg.exe
O4 - HKLM\..\RunOnce: [sdksq32.exe] C:\WINDOWS\system32\sdksq32.exe
O4 - HKLM\..\RunOnce: [iech.exe] C:\WINDOWS\iech.exe
O4 - HKLM\..\RunOnce: [ntwm.exe] C:\WINDOWS\ntwm.exe
O4 - HKLM\..\RunOnce: [iped.exe] C:\WINDOWS\iped.exe
O4 - HKLM\..\RunOnce: [sdkvu32.exe] C:\WINDOWS\system32\sdkvu32.exe
O4 - HKLM\..\RunOnce: [addcw32.exe] C:\WINDOWS\system32\addcw32.exe
O4 - HKLM\..\RunOnce: [msvd.exe] C:\WINDOWS\system32\msvd.exe
O4 - HKLM\..\RunOnce: [sdkne32.exe] C:\WINDOWS\system32\sdkne32.exe
O4 - HKLM\..\RunOnce: [appzx32.exe] C:\WINDOWS\appzx32.exe
O4 - HKLM\..\RunOnce: [sdkpq.exe] C:\WINDOWS\system32\sdkpq.exe
O4 - HKLM\..\RunOnce: [winsi.exe] C:\WINDOWS\system32\winsi.exe
O4 - HKLM\..\RunOnce: [javavo.exe] C:\WINDOWS\javavo.exe
O4 - HKLM\..\RunOnce: [ipyl32.exe] C:\WINDOWS\ipyl32.exe
O4 - HKLM\..\RunOnce: [msbc32.exe] C:\WINDOWS\msbc32.exe
O4 - HKLM\..\RunOnce: [atllr32.exe] C:\WINDOWS\atllr32.exe
O4 - HKLM\..\RunOnce: [mfcsr.exe] C:\WINDOWS\system32\mfcsr.exe
O4 - HKLM\..\RunOnce: [ierc.exe] C:\WINDOWS\ierc.exe
O4 - HKLM\..\RunOnce: [mfcwd32.exe] C:\WINDOWS\system32\mfcwd32.exe
O4 - HKLM\..\RunOnce: [netoz.exe] C:\WINDOWS\system32\netoz.exe
O4 - HKLM\..\RunOnce: [winrf32.exe] C:\WINDOWS\winrf32.exe
O4 - HKLM\..\RunOnce: [appjd.exe] C:\WINDOWS\system32\appjd.exe
O4 - HKLM\..\RunOnce: [ntwo.exe] C:\WINDOWS\ntwo.exe
O4 - HKLM\..\RunOnce: [addka.exe] C:\WINDOWS\system32\addka.exe
O4 - HKLM\..\RunOnce: [winwi32.exe] C:\WINDOWS\system32\winwi32.exe
O4 - HKLM\..\RunOnce: [sdkjp32.exe] C:\WINDOWS\sdkjp32.exe
O4 - HKLM\..\RunOnce: [iejn.exe] C:\WINDOWS\iejn.exe
O4 - HKLM\..\RunOnce: [javanw.exe] C:\WINDOWS\javanw.exe
O4 - HKLM\..\RunOnce: [appwq.exe] C:\WINDOWS\appwq.exe
O4 - HKLM\..\RunOnce: [apprz.exe] C:\WINDOWS\system32\apprz.exe
O4 - HKLM\..\RunOnce: [javaxb.exe] C:\WINDOWS\system32\javaxb.exe
O4 - HKLM\..\RunOnce: [winip.exe] C:\WINDOWS\winip.exe
O4 - HKLM\..\RunOnce: [iest32.exe] C:\WINDOWS\iest32.exe
O4 - HKLM\..\RunOnce: [addcg.exe] C:\WINDOWS\addcg.exe
O4 - HKLM\..\RunOnce: [sdkpx32.exe] C:\WINDOWS\sdkpx32.exe
O4 - HKLM\..\RunOnce: [javaha32.exe] C:\WINDOWS\javaha32.exe
O4 - HKLM\..\RunOnce: [mfcjt32.exe] C:\WINDOWS\system32\mfcjt32.exe
O4 - HKLM\..\RunOnce: [d3ea32.exe] C:\WINDOWS\d3ea32.exe
O4 - HKLM\..\RunOnce: [javand.exe] C:\WINDOWS\javand.exe
O4 - HKLM\..\RunOnce: [addcs.exe] C:\WINDOWS\system32\addcs.exe
O4 - HKLM\..\RunOnce: [javamh32.exe] C:\WINDOWS\javamh32.exe
O4 - HKLM\..\RunOnce: [winxg32.exe] C:\WINDOWS\winxg32.exe
O4 - HKLM\..\RunOnce: [netxz.exe] C:\WINDOWS\netxz.exe
O4 - HKLM\..\RunOnce: [ntvr.exe] C:\WINDOWS\ntvr.exe
O4 - HKLM\..\RunOnce: [crgy.exe] C:\WINDOWS\system32\crgy.exe
O4 - HKLM\..\RunOnce: [sysdw32.exe] C:\WINDOWS\system32\sysdw32.exe
O4 - HKLM\..\RunOnce: [apifc.exe] C:\WINDOWS\apifc.exe
O4 - HKLM\..\RunOnce: [mfczs.exe] C:\WINDOWS\system32\mfczs.exe
O4 - HKLM\..\RunOnce: [d3zz32.exe] C:\WINDOWS\d3zz32.exe
O4 - HKLM\..\RunOnce: [mfcdh.exe] C:\WINDOWS\mfcdh.exe
O4 - HKLM\..\RunOnce: [appwh32.exe] C:\WINDOWS\appwh32.exe
O4 - HKLM\..\RunOnce: [msub.exe] C:\WINDOWS\msub.exe
O4 - HKLM\..\RunOnce: [winvb.exe] C:\WINDOWS\system32\winvb.exe
O4 - HKLM\..\RunOnce: [d3sc32.exe] C:\WINDOWS\system32\d3sc32.exe
O4 - HKLM\..\RunOnce: [sysbw32.exe] C:\WINDOWS\sysbw32.exe
O4 - HKLM\..\RunOnce: [iexi32.exe] C:\WINDOWS\system32\iexi32.exe
O4 - HKLM\..\RunOnce: [apirt32.exe] C:\WINDOWS\apirt32.exe
O4 - HKLM\..\RunOnce: [addag32.exe] C:\WINDOWS\system32\addag32.exe
O4 - HKLM\..\RunOnce: [crks.exe] C:\WINDOWS\system32\crks.exe
O4 - HKLM\..\RunOnce: [apimo32.exe] C:\WINDOWS\apimo32.exe
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O4 - Global Startup: VPN,(COLUMBIA UNIVERSITY & NYP) VPN CLIENT.lnk = C:\Program Files\Columbia University\CU & NYP VPN CLIENT\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail13a.shu.edu/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kon...current/kdx.cab

Can anyone help me figure out what's good and what's bad? I'm a novice at this. Thanks,
Memdog

#2 CalamityJane
  • SWI Junkie
  • Emeritus
  • 313 posts

Posted 10 July 2004 - 03:27 PM

Hi memdog,

Please include the top part of your log so we can see what operating system details you have - that's very important to be able to help you :)

It will look something like this:

Logfile of HijackThis v1.98.0
Scan saved at 4:08:36 PM, on 7/10/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Make sure you have version 1.98.0 (see bolded entry above). If you have a lower version you need to update it and scan once more and post a fresh log please.

How to update HijackThis
Open HijackThis.exe and press *config* {bottom right corner} and then press *Misc. Tools* at the top. Next press *check for online update* and you should see version 1.98.0 available. Download that. Scan again and post a new log.

P.S. If you have any problems getting the update, simply delete your old version of HijackThis and download the new version from this link.
http://www.spywarein.../HijackThis.exe

or here:
http://www.majorgeek...a8baee6434cfc13
Microsoft MVP Windows-Security 2003-2009

#3 memdog
  • Member
  • New Member
  • 4 posts

Posted 15 July 2004 - 03:56 AM

Downloaded newest version of Hijackthis. Here's the log. Any help/advice is greatly appreciated. Thanks.

Logfile of HijackThis v1.98.0
Scan saved at 5:49:17 AM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Columbia University\CU & NYP VPN CLIENT\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\apitq.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\winfw.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\sdkpl.exe
C:\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gimsp.dll/sp.html#44272
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gimsp.dll/index.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gimsp.dll/index.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gimsp.dll/sp.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gimsp.dll/sp.html#44272
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gimsp.dll/index.html#44272
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B649C227-6B2C-5344-E8BD-AD0707AF831C} - C:\WINDOWS\system32\ierr32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sdkji.exe] C:\WINDOWS\system32\sdkji.exe
O4 - HKLM\..\RunOnce: [msvd.exe] C:\WINDOWS\system32\msvd.exe
O4 - HKLM\..\RunOnce: [sdkne32.exe] C:\WINDOWS\system32\sdkne32.exe
O4 - HKLM\..\RunOnce: [appzx32.exe] C:\WINDOWS\appzx32.exe
O4 - HKLM\..\RunOnce: [sdkpq.exe] C:\WINDOWS\system32\sdkpq.exe
O4 - HKLM\..\RunOnce: [winsi.exe] C:\WINDOWS\system32\winsi.exe
O4 - HKLM\..\RunOnce: [javavo.exe] C:\WINDOWS\javavo.exe
O4 - HKLM\..\RunOnce: [ipyl32.exe] C:\WINDOWS\ipyl32.exe
O4 - HKLM\..\RunOnce: [msbc32.exe] C:\WINDOWS\msbc32.exe
O4 - HKLM\..\RunOnce: [atllr32.exe] C:\WINDOWS\atllr32.exe
O4 - HKLM\..\RunOnce: [mfcsr.exe] C:\WINDOWS\system32\mfcsr.exe
O4 - HKLM\..\RunOnce: [ierc.exe] C:\WINDOWS\ierc.exe
O4 - HKLM\..\RunOnce: [mfcwd32.exe] C:\WINDOWS\system32\mfcwd32.exe
O4 - HKLM\..\RunOnce: [netoz.exe] C:\WINDOWS\system32\netoz.exe
O4 - HKLM\..\RunOnce: [winrf32.exe] C:\WINDOWS\winrf32.exe
O4 - HKLM\..\RunOnce: [appjd.exe] C:\WINDOWS\system32\appjd.exe
O4 - HKLM\..\RunOnce: [ntwo.exe] C:\WINDOWS\ntwo.exe
O4 - HKLM\..\RunOnce: [addka.exe] C:\WINDOWS\system32\addka.exe
O4 - HKLM\..\RunOnce: [winwi32.exe] C:\WINDOWS\system32\winwi32.exe
O4 - HKLM\..\RunOnce: [sdkjp32.exe] C:\WINDOWS\sdkjp32.exe
O4 - HKLM\..\RunOnce: [iejn.exe] C:\WINDOWS\iejn.exe
O4 - HKLM\..\RunOnce: [javanw.exe] C:\WINDOWS\javanw.exe
O4 - HKLM\..\RunOnce: [appwq.exe] C:\WINDOWS\appwq.exe
O4 - HKLM\..\RunOnce: [apprz.exe] C:\WINDOWS\system32\apprz.exe
O4 - HKLM\..\RunOnce: [javaxb.exe] C:\WINDOWS\system32\javaxb.exe
O4 - HKLM\..\RunOnce: [winip.exe] C:\WINDOWS\winip.exe
O4 - HKLM\..\RunOnce: [iest32.exe] C:\WINDOWS\iest32.exe
O4 - HKLM\..\RunOnce: [addcg.exe] C:\WINDOWS\addcg.exe
O4 - HKLM\..\RunOnce: [sdkpx32.exe] C:\WINDOWS\sdkpx32.exe
O4 - HKLM\..\RunOnce: [javaha32.exe] C:\WINDOWS\javaha32.exe
O4 - HKLM\..\RunOnce: [mfcjt32.exe] C:\WINDOWS\system32\mfcjt32.exe
O4 - HKLM\..\RunOnce: [d3ea32.exe] C:\WINDOWS\d3ea32.exe
O4 - HKLM\..\RunOnce: [javand.exe] C:\WINDOWS\javand.exe
O4 - HKLM\..\RunOnce: [addcs.exe] C:\WINDOWS\system32\addcs.exe
O4 - HKLM\..\RunOnce: [javamh32.exe] C:\WINDOWS\javamh32.exe
O4 - HKLM\..\RunOnce: [winxg32.exe] C:\WINDOWS\winxg32.exe
O4 - HKLM\..\RunOnce: [netxz.exe] C:\WINDOWS\netxz.exe
O4 - HKLM\..\RunOnce: [ntvr.exe] C:\WINDOWS\ntvr.exe
O4 - HKLM\..\RunOnce: [crgy.exe] C:\WINDOWS\system32\crgy.exe
O4 - HKLM\..\RunOnce: [sysdw32.exe] C:\WINDOWS\system32\sysdw32.exe
O4 - HKLM\..\RunOnce: [apifc.exe] C:\WINDOWS\apifc.exe
O4 - HKLM\..\RunOnce: [mfczs.exe] C:\WINDOWS\system32\mfczs.exe
O4 - HKLM\..\RunOnce: [d3zz32.exe] C:\WINDOWS\d3zz32.exe
O4 - HKLM\..\RunOnce: [mfcdh.exe] C:\WINDOWS\mfcdh.exe
O4 - HKLM\..\RunOnce: [appwh32.exe] C:\WINDOWS\appwh32.exe
O4 - HKLM\..\RunOnce: [msub.exe] C:\WINDOWS\msub.exe
O4 - HKLM\..\RunOnce: [winvb.exe] C:\WINDOWS\system32\winvb.exe
O4 - HKLM\..\RunOnce: [d3sc32.exe] C:\WINDOWS\system32\d3sc32.exe
O4 - HKLM\..\RunOnce: [sysbw32.exe] C:\WINDOWS\sysbw32.exe
O4 - HKLM\..\RunOnce: [iexi32.exe] C:\WINDOWS\system32\iexi32.exe
O4 - HKLM\..\RunOnce: [apirt32.exe] C:\WINDOWS\apirt32.exe
O4 - HKLM\..\RunOnce: [addag32.exe] C:\WINDOWS\system32\addag32.exe
O4 - HKLM\..\RunOnce: [crks.exe] C:\WINDOWS\system32\crks.exe
O4 - HKLM\..\RunOnce: [apimo32.exe] C:\WINDOWS\apimo32.exe
O4 - HKLM\..\RunOnce: [apiwo32.exe] C:\WINDOWS\system32\apiwo32.exe
O4 - HKLM\..\RunOnce: [atlsz.exe] C:\WINDOWS\system32\atlsz.exe
O4 - HKLM\..\RunOnce: [atlvp.exe] C:\WINDOWS\system32\atlvp.exe
O4 - HKLM\..\RunOnce: [sysnh.exe] C:\WINDOWS\system32\sysnh.exe
O4 - HKLM\..\RunOnce: [mfcng32.exe] C:\WINDOWS\system32\mfcng32.exe
O4 - HKLM\..\RunOnce: [addat.exe] C:\WINDOWS\system32\addat.exe
O4 - HKLM\..\RunOnce: [d3aq32.exe] C:\WINDOWS\system32\d3aq32.exe
O4 - HKLM\..\RunOnce: [d3hd.exe] C:\WINDOWS\system32\d3hd.exe
O4 - HKLM\..\RunOnce: [mfcum.exe] C:\WINDOWS\mfcum.exe
O4 - HKLM\..\RunOnce: [sdkdj32.exe] C:\WINDOWS\system32\sdkdj32.exe
O4 - HKLM\..\RunOnce: [addso.exe] C:\WINDOWS\system32\addso.exe
O4 - HKLM\..\RunOnce: [crxf.exe] C:\WINDOWS\system32\crxf.exe
O4 - HKLM\..\RunOnce: [sysni.exe] C:\WINDOWS\sysni.exe
O4 - HKLM\..\RunOnce: [appfj32.exe] C:\WINDOWS\appfj32.exe
O4 - HKLM\..\RunOnce: [winkt32.exe] C:\WINDOWS\winkt32.exe
O4 - HKLM\..\RunOnce: [sysvo.exe] C:\WINDOWS\sysvo.exe
O4 - HKLM\..\RunOnce: [iexp.exe] C:\WINDOWS\system32\iexp.exe
O4 - HKLM\..\RunOnce: [msfm32.exe] C:\WINDOWS\system32\msfm32.exe
O4 - HKLM\..\RunOnce: [javawc32.exe] C:\WINDOWS\javawc32.exe
O4 - HKLM\..\RunOnce: [sdkcn.exe] C:\WINDOWS\system32\sdkcn.exe
O4 - HKLM\..\RunOnce: [javavr.exe] C:\WINDOWS\javavr.exe
O4 - HKLM\..\RunOnce: [apitq.exe] C:\WINDOWS\apitq.exe
O4 - HKLM\..\RunOnce: [msrw.exe] C:\WINDOWS\system32\msrw.exe
O4 - HKLM\..\RunOnce: [winfw.exe] C:\WINDOWS\system32\winfw.exe
O4 - HKLM\..\RunOnce: [sdktw32.exe] C:\WINDOWS\sdktw32.exe
O4 - HKLM\..\RunOnce: [apilx32.exe] C:\WINDOWS\system32\apilx32.exe
O4 - HKLM\..\RunOnce: [msxf.exe] C:\WINDOWS\system32\msxf.exe
O4 - HKLM\..\RunOnce: [winkf32.exe] C:\WINDOWS\winkf32.exe
O4 - HKLM\..\RunOnce: [atlxt32.exe] C:\WINDOWS\atlxt32.exe
O4 - HKLM\..\RunOnce: [crad.exe] C:\WINDOWS\crad.exe
O4 - HKLM\..\RunOnce: [apiat32.exe] C:\WINDOWS\apiat32.exe
O4 - HKLM\..\RunOnce: [ntlu.exe] C:\WINDOWS\system32\ntlu.exe
O4 - HKLM\..\RunOnce: [sdkrp.exe] C:\WINDOWS\sdkrp.exe
O4 - HKLM\..\RunOnce: [sdkzh32.exe] C:\WINDOWS\sdkzh32.exe
O4 - HKLM\..\RunOnce: [appyj32.exe] C:\WINDOWS\system32\appyj32.exe
O4 - HKLM\..\RunOnce: [ielj.exe] C:\WINDOWS\system32\ielj.exe
O4 - HKLM\..\RunOnce: [sdklu.exe] C:\WINDOWS\system32\sdklu.exe
O4 - HKLM\..\RunOnce: [apinx32.exe] C:\WINDOWS\apinx32.exe
O4 - HKLM\..\RunOnce: [atlvr.exe] C:\WINDOWS\atlvr.exe
O4 - HKLM\..\RunOnce: [mstw.exe] C:\WINDOWS\mstw.exe
O4 - HKLM\..\RunOnce: [addin32.exe] C:\WINDOWS\addin32.exe
O4 - HKLM\..\RunOnce: [netka.exe] C:\WINDOWS\netka.exe
O4 - HKLM\..\RunOnce: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
O4 - HKLM\..\RunOnce: [msvg.exe] C:\WINDOWS\msvg.exe
O4 - HKLM\..\RunOnce: [sdksq32.exe] C:\WINDOWS\system32\sdksq32.exe
O4 - HKLM\..\RunOnce: [iech.exe] C:\WINDOWS\iech.exe
O4 - HKLM\..\RunOnce: [ntwm.exe] C:\WINDOWS\ntwm.exe
O4 - HKLM\..\RunOnce: [iekj32.exe] C:\WINDOWS\iekj32.exe
O4 - HKLM\..\RunOnce: [javapg.exe] C:\WINDOWS\system32\javapg.exe
O4 - HKLM\..\RunOnce: [ipdr.exe] C:\WINDOWS\system32\ipdr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O4 - Global Startup: VPN,(COLUMBIA UNIVERSITY & NYP) VPN CLIENT.lnk = C:\Program Files\Columbia University\CU & NYP VPN CLIENT\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail13a.shu.edu/iNotes.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - https://ny168amicas...._1_3_silent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kon...current/kdx.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

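A helper reading a log like the one above does the triage by eye; the checks below are an added Python example (not part of the thread and not HijackThis code) that runs the same kind of triage over a constructed excerpt of that log. The name pattern and the two folders it keys on are heuristics inferred from this log, not a published signature.

```python
import re

# Constructed excerpt of the HijackThis v1.98 log posted above (a handful of
# lines, not the full log), embedded here as sample input.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\apitq.exe
C:\WINDOWS\sdkpl.exe
C:\Program Files\iTunes\iTunesHelper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gimsp.dll/sp.html#44272
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gimsp.dll/index.html#44272
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B649C227-6B2C-5344-E8BD-AD0707AF831C} - C:\WINDOWS\system32\ierr32.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sdkji.exe] C:\WINDOWS\system32\sdkji.exe
O4 - HKLM\..\RunOnce: [msvd.exe] C:\WINDOWS\system32\msvd.exe
O4 - HKLM\..\RunOnce: [appzx32.exe] C:\WINDOWS\appzx32.exe
O4 - HKLM\..\RunOnce: [javavo.exe] C:\WINDOWS\javavo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""

# Naming pattern shared by the suspicious entries in the log above: a prefix
# that mimics a Windows component, two random letters, an optional "32", then
# .exe or .dll.  Heuristic inferred from this log, not a published signature.
_PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip", "java",
             "mfc", "ms", "net", "nt", "sdk", "sys", "win")
RANDOM_NAME = re.compile(r"^(?:%s)[a-z]{2}(?:32)?\.(?:exe|dll)$" % "|".join(_PREFIXES))

# Folders the suspicious files in this log were dropped into.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)


def first_path(entry):
    """Return the first drive-letter path ending in .exe/.dll in a log entry, or None."""
    m = _PATH.search(entry)
    return m.group(0) if m else None


def is_random_system_file(path):
    """True when the file sits directly in a system folder and has the random name shape."""
    folder, _, name = path.lower().rpartition("\\")
    return folder in SYSTEM_DIRS and RANDOM_NAME.match(name) is not None


def triage(log_text):
    """Walk a HijackThis log and return (reason, entry) pairs a helper would look at."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        entry = raw.strip()
        if not entry:
            in_processes = False          # a blank line ends the process list
            continue
        if entry == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if is_random_system_file(entry):
                findings.append(("random-named process in a system folder", entry))
            continue
        code = entry.split(" ", 1)[0]     # R0, R1, O2, O4, O18 ...
        path = first_path(entry)
        if code in ("R0", "R1") and "= res://" in entry:
            findings.append(("IE start/search page pointed at a local DLL resource", entry))
        elif code == "R3" and "missing" in entry:
            findings.append(("default URLSearchHook removed", entry))
        elif code == "O2" and "(no name)" in entry and path and is_random_system_file(path):
            findings.append(("unnamed BHO loading a random-named DLL", entry))
        elif code == "O4" and path and is_random_system_file(path):
            findings.append(("autorun of a random-named file in a system folder", entry))
        elif code == "O18" and path and path.lower().rpartition("\\")[0] in SYSTEM_DIRS:
            findings.append(("custom protocol handler DLL in a system folder", entry))
    return findings


def files_by_folder(findings):
    """Group the flagged files by folder, the way the deletion list in the thread is laid out."""
    grouped = {}
    for _, entry in findings:
        path = first_path(entry)
        if path:
            folder, _, name = path.lower().rpartition("\\")
            grouped.setdefault(folder, set()).add(name)
    return {folder: sorted(names) for folder, names in grouped.items()}


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
    for folder, names in files_by_folder(triage(SAMPLE_LOG)).items():
        print(folder, names)
```

Legitimate entries in the excerpt (iTunesHelper, the Adobe BHO, msmsgs, winlogon) pass through untouched; a name matching the pattern but living under Program Files is also left alone.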
#4 CalamityJane
  • SWI Junkie
  • Emeritus
  • 313 posts

Posted 15 July 2004 - 09:01 AM

1. Download this tool called AboutBuster http://www.downloads...AboutBuster.zip

Unzip it to your desktop but don't run it yet.

2. You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You should now see Reference File # : 01R332 12.07.2004 or higher listed.

3. Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online. Keep IE closed!!

4. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

6. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam

7. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"
This is a very long list. Please proceed with care so that you do not miss any - use the printout of these instructions I asked you to make above.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gimsp.dll/sp.html#44272

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gimsp.dll/index.html#44272

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gimsp.dll/index.html#44272

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gimsp.dll/sp.html#44272

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gimsp.dll/sp.html#44272

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gimsp.dll/index.html#44272

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {B649C227-6B2C-5344-E8BD-AD0707AF831C} - C:\WINDOWS\system32\ierr32.dll

O4 - HKLM\..\Run: [sdkji.exe] C:\WINDOWS\system32\sdkji.exe

O4 - HKLM\..\RunOnce: [msvd.exe] C:\WINDOWS\system32\msvd.exe

O4 - HKLM\..\RunOnce: [sdkne32.exe] C:\WINDOWS\system32\sdkne32.exe

O4 - HKLM\..\RunOnce: [appzx32.exe] C:\WINDOWS\appzx32.exe

O4 - HKLM\..\RunOnce: [sdkpq.exe] C:\WINDOWS\system32\sdkpq.exe

O4 - HKLM\..\RunOnce: [winsi.exe] C:\WINDOWS\system32\winsi.exe

O4 - HKLM\..\RunOnce: [javavo.exe] C:\WINDOWS\javavo.exe

O4 - HKLM\..\RunOnce: [ipyl32.exe] C:\WINDOWS\ipyl32.exe

O4 - HKLM\..\RunOnce: [msbc32.exe] C:\WINDOWS\msbc32.exe

O4 - HKLM\..\RunOnce: [atllr32.exe] C:\WINDOWS\atllr32.exe

O4 - HKLM\..\RunOnce: [mfcsr.exe] C:\WINDOWS\system32\mfcsr.exe

O4 - HKLM\..\RunOnce: [ierc.exe] C:\WINDOWS\ierc.exe

O4 - HKLM\..\RunOnce: [mfcwd32.exe] C:\WINDOWS\system32\mfcwd32.exe

O4 - HKLM\..\RunOnce: [netoz.exe] C:\WINDOWS\system32\netoz.exe

O4 - HKLM\..\RunOnce: [winrf32.exe] C:\WINDOWS\winrf32.exe

O4 - HKLM\..\RunOnce: [appjd.exe] C:\WINDOWS\system32\appjd.exe

O4 - HKLM\..\RunOnce: [ntwo.exe] C:\WINDOWS\ntwo.exe

O4 - HKLM\..\RunOnce: [addka.exe] C:\WINDOWS\system32\addka.exe

O4 - HKLM\..\RunOnce: [winwi32.exe] C:\WINDOWS\system32\winwi32.exe

O4 - HKLM\..\RunOnce: [sdkjp32.exe] C:\WINDOWS\sdkjp32.exe

O4 - HKLM\..\RunOnce: [iejn.exe] C:\WINDOWS\iejn.exe

O4 - HKLM\..\RunOnce: [javanw.exe] C:\WINDOWS\javanw.exe

O4 - HKLM\..\RunOnce: [appwq.exe] C:\WINDOWS\appwq.exe

O4 - HKLM\..\RunOnce: [apprz.exe] C:\WINDOWS\system32\apprz.exe

O4 - HKLM\..\RunOnce: [javaxb.exe] C:\WINDOWS\system32\javaxb.exe

O4 - HKLM\..\RunOnce: [winip.exe] C:\WINDOWS\winip.exe

O4 - HKLM\..\RunOnce: [iest32.exe] C:\WINDOWS\iest32.exe

O4 - HKLM\..\RunOnce: [addcg.exe] C:\WINDOWS\addcg.exe

O4 - HKLM\..\RunOnce: [sdkpx32.exe] C:\WINDOWS\sdkpx32.exe

O4 - HKLM\..\RunOnce: [javaha32.exe] C:\WINDOWS\javaha32.exe

O4 - HKLM\..\RunOnce: [mfcjt32.exe] C:\WINDOWS\system32\mfcjt32.exe

O4 - HKLM\..\RunOnce: [d3ea32.exe] C:\WINDOWS\d3ea32.exe

O4 - HKLM\..\RunOnce: [javand.exe] C:\WINDOWS\javand.exe

O4 - HKLM\..\RunOnce: [addcs.exe] C:\WINDOWS\system32\addcs.exe

O4 - HKLM\..\RunOnce: [javamh32.exe] C:\WINDOWS\javamh32.exe

O4 - HKLM\..\RunOnce: [winxg32.exe] C:\WINDOWS\winxg32.exe

O4 - HKLM\..\RunOnce: [netxz.exe] C:\WINDOWS\netxz.exe

O4 - HKLM\..\RunOnce: [ntvr.exe] C:\WINDOWS\ntvr.exe

O4 - HKLM\..\RunOnce: [crgy.exe] C:\WINDOWS\system32\crgy.exe

O4 - HKLM\..\RunOnce: [sysdw32.exe] C:\WINDOWS\system32\sysdw32.exe

O4 - HKLM\..\RunOnce: [apifc.exe] C:\WINDOWS\apifc.exe

O4 - HKLM\..\RunOnce: [mfczs.exe] C:\WINDOWS\system32\mfczs.exe

O4 - HKLM\..\RunOnce: [d3zz32.exe] C:\WINDOWS\d3zz32.exe

O4 - HKLM\..\RunOnce: [mfcdh.exe] C:\WINDOWS\mfcdh.exe

O4 - HKLM\..\RunOnce: [appwh32.exe] C:\WINDOWS\appwh32.exe

O4 - HKLM\..\RunOnce: [msub.exe] C:\WINDOWS\msub.exe

O4 - HKLM\..\RunOnce: [winvb.exe] C:\WINDOWS\system32\winvb.exe

O4 - HKLM\..\RunOnce: [d3sc32.exe] C:\WINDOWS\system32\d3sc32.exe

O4 - HKLM\..\RunOnce: [sysbw32.exe] C:\WINDOWS\sysbw32.exe

O4 - HKLM\..\RunOnce: [iexi32.exe] C:\WINDOWS\system32\iexi32.exe

O4 - HKLM\..\RunOnce: [apirt32.exe] C:\WINDOWS\apirt32.exe

O4 - HKLM\..\RunOnce: [addag32.exe] C:\WINDOWS\system32\addag32.exe

O4 - HKLM\..\RunOnce: [crks.exe] C:\WINDOWS\system32\crks.exe

O4 - HKLM\..\RunOnce: [apimo32.exe] C:\WINDOWS\apimo32.exe

O4 - HKLM\..\RunOnce: [apiwo32.exe] C:\WINDOWS\system32\apiwo32.exe

O4 - HKLM\..\RunOnce: [atlsz.exe] C:\WINDOWS\system32\atlsz.exe

O4 - HKLM\..\RunOnce: [atlvp.exe] C:\WINDOWS\system32\atlvp.exe

O4 - HKLM\..\RunOnce: [sysnh.exe] C:\WINDOWS\system32\sysnh.exe

O4 - HKLM\..\RunOnce: [mfcng32.exe] C:\WINDOWS\system32\mfcng32.exe

O4 - HKLM\..\RunOnce: [addat.exe] C:\WINDOWS\system32\addat.exe

O4 - HKLM\..\RunOnce: [d3aq32.exe] C:\WINDOWS\system32\d3aq32.exe

O4 - HKLM\..\RunOnce: [d3hd.exe] C:\WINDOWS\system32\d3hd.exe

O4 - HKLM\..\RunOnce: [mfcum.exe] C:\WINDOWS\mfcum.exe

O4 - HKLM\..\RunOnce: [sdkdj32.exe] C:\WINDOWS\system32\sdkdj32.exe

O4 - HKLM\..\RunOnce: [addso.exe] C:\WINDOWS\system32\addso.exe

O4 - HKLM\..\RunOnce: [crxf.exe] C:\WINDOWS\system32\crxf.exe

O4 - HKLM\..\RunOnce: [sysni.exe] C:\WINDOWS\sysni.exe

O4 - HKLM\..\RunOnce: [appfj32.exe] C:\WINDOWS\appfj32.exe

O4 - HKLM\..\RunOnce: [winkt32.exe] C:\WINDOWS\winkt32.exe

O4 - HKLM\..\RunOnce: [sysvo.exe] C:\WINDOWS\sysvo.exe

O4 - HKLM\..\RunOnce: [iexp.exe] C:\WINDOWS\system32\iexp.exe

O4 - HKLM\..\RunOnce: [msfm32.exe] C:\WINDOWS\system32\msfm32.exe

O4 - HKLM\..\RunOnce: [javawc32.exe] C:\WINDOWS\javawc32.exe

O4 - HKLM\..\RunOnce: [sdkcn.exe] C:\WINDOWS\system32\sdkcn.exe

O4 - HKLM\..\RunOnce: [javavr.exe] C:\WINDOWS\javavr.exe

O4 - HKLM\..\RunOnce: [apitq.exe] C:\WINDOWS\apitq.exe

O4 - HKLM\..\RunOnce: [msrw.exe] C:\WINDOWS\system32\msrw.exe

O4 - HKLM\..\RunOnce: [winfw.exe] C:\WINDOWS\system32\winfw.exe

O4 - HKLM\..\RunOnce: [sdktw32.exe] C:\WINDOWS\sdktw32.exe

O4 - HKLM\..\RunOnce: [apilx32.exe] C:\WINDOWS\system32\apilx32.exe

O4 - HKLM\..\RunOnce: [msxf.exe] C:\WINDOWS\system32\msxf.exe

O4 - HKLM\..\RunOnce: [winkf32.exe] C:\WINDOWS\winkf32.exe

O4 - HKLM\..\RunOnce: [atlxt32.exe] C:\WINDOWS\atlxt32.exe

O4 - HKLM\..\RunOnce: [crad.exe] C:\WINDOWS\crad.exe

O4 - HKLM\..\RunOnce: [apiat32.exe] C:\WINDOWS\apiat32.exe

O4 - HKLM\..\RunOnce: [ntlu.exe] C:\WINDOWS\system32\ntlu.exe

O4 - HKLM\..\RunOnce: [sdkrp.exe] C:\WINDOWS\sdkrp.exe

O4 - HKLM\..\RunOnce: [sdkzh32.exe] C:\WINDOWS\sdkzh32.exe

O4 - HKLM\..\RunOnce: [appyj32.exe] C:\WINDOWS\system32\appyj32.exe

O4 - HKLM\..\RunOnce: [ielj.exe] C:\WINDOWS\system32\ielj.exe

O4 - HKLM\..\RunOnce: [sdklu.exe] C:\WINDOWS\system32\sdklu.exe

O4 - HKLM\..\RunOnce: [apinx32.exe] C:\WINDOWS\apinx32.exe

O4 - HKLM\..\RunOnce: [atlvr.exe] C:\WINDOWS\atlvr.exe

O4 - HKLM\..\RunOnce: [mstw.exe] C:\WINDOWS\mstw.exe

O4 - HKLM\..\RunOnce: [addin32.exe] C:\WINDOWS\addin32.exe

O4 - HKLM\..\RunOnce: [netka.exe] C:\WINDOWS\netka.exe

O4 - HKLM\..\RunOnce: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe

O4 - HKLM\..\RunOnce: [msvg.exe] C:\WINDOWS\msvg.exe

O4 - HKLM\..\RunOnce: [sdksq32.exe] C:\WINDOWS\system32\sdksq32.exe

O4 - HKLM\..\RunOnce: [iech.exe] C:\WINDOWS\iech.exe

O4 - HKLM\..\RunOnce: [ntwm.exe] C:\WINDOWS\ntwm.exe

O4 - HKLM\..\RunOnce: [iekj32.exe] C:\WINDOWS\iekj32.exe

O4 - HKLM\..\RunOnce: [javapg.exe] C:\WINDOWS\system32\javapg.exe

O4 - HKLM\..\RunOnce: [ipdr.exe] C:\WINDOWS\system32\ipdr.exe

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

After checkmarking all of the above, don't forget to press the *fix checked* button. Then close HijackThis. Proceed to the file deletions list below.

Delete the following files if present. I have sorted these by the folder you will find them in. Please delete only the files that match exactly each name listed (do not be tempted to delete any file you find with a similar name - these mimic some valid Windows files sometimes, so be sure you have the exact one before deleting).

Note: These files are in the Windows folder
C:\WINDOWS\addcg.exe
C:\WINDOWS\addin32.exe
C:\WINDOWS\apiat32.exe
C:\WINDOWS\apifc.exe
C:\WINDOWS\apimo32.exe
C:\WINDOWS\apinx32.exe
C:\WINDOWS\apirt32.exe
C:\WINDOWS\apitq.exe
C:\WINDOWS\appfj32.exe
C:\WINDOWS\appwh32.exe
C:\WINDOWS\appwq.exe
C:\WINDOWS\appzx32.exe
C:\WINDOWS\atllr32.exe
C:\WINDOWS\atlvr.exe
C:\WINDOWS\atlxt32.exe
C:\WINDOWS\crad.exe
C:\WINDOWS\d3ea32.exe
C:\WINDOWS\d3zz32.exe
C:\WINDOWS\iech.exe
C:\WINDOWS\iejn.exe
C:\WINDOWS\iekj32.exe
C:\WINDOWS\ierc.exe
C:\WINDOWS\iest32.exe
C:\WINDOWS\ipyl32.exe
C:\WINDOWS\javaha32.exe
C:\WINDOWS\javamh32.exe
C:\WINDOWS\javand.exe
C:\WINDOWS\javanw.exe
C:\WINDOWS\javavo.exe
C:\WINDOWS\javavr.exe
C:\WINDOWS\javawc32.exe
C:\WINDOWS\mfcdh.exe
C:\WINDOWS\mfcum.exe
C:\WINDOWS\msbc32.exe
C:\WINDOWS\msopt.dll
C:\WINDOWS\mstw.exe
C:\WINDOWS\msub.exe
C:\WINDOWS\msvg.exe
C:\WINDOWS\netka.exe
C:\WINDOWS\netxz.exe
C:\WINDOWS\ntvr.exe
C:\WINDOWS\ntwm.exe
C:\WINDOWS\ntwo.exe
C:\WINDOWS\sdkjp32.exe
C:\WINDOWS\sdkpl.exe
C:\WINDOWS\sdkpx32.exe
C:\WINDOWS\sdkrp.exe
C:\WINDOWS\sdktw32.exe
C:\WINDOWS\sdkzh32.exe
C:\WINDOWS\sysbw32.exe
C:\WINDOWS\sysni.exe
C:\WINDOWS\sysvo.exe
C:\WINDOWS\winip.exe
C:\WINDOWS\winkf32.exe
C:\WINDOWS\winkt32.exe
C:\WINDOWS\winrf32.exe
C:\WINDOWS\winxg32.exe

Note: These files are in the system32 folder
C:\WINDOWS\system32\addag32.exe
C:\WINDOWS\system32\addat.exe
C:\WINDOWS\system32\addcs.exe
C:\WINDOWS\system32\addka.exe
C:\WINDOWS\system32\addso.exe
C:\WINDOWS\system32\apilx32.exe
C:\WINDOWS\system32\apiwo32.exe
C:\WINDOWS\system32\appjd.exe
C:\WINDOWS\system32\apprz.exe
C:\WINDOWS\system32\appyj32.exe
C:\WINDOWS\system32\atlsz.exe
C:\WINDOWS\system32\atlvp.exe
C:\WINDOWS\system32\crgy.exe
C:\WINDOWS\system32\crks.exe
C:\WINDOWS\system32\crxf.exe
C:\WINDOWS\system32\d3aq32.exe
C:\WINDOWS\system32\d3hd.exe
C:\WINDOWS\system32\d3sc32.exe
C:\WINDOWS\system32\gimsp.dll
C:\WINDOWS\system32\ielj.exe
C:\WINDOWS\system32\ierr32.dll
C:\WINDOWS\system32\iexi32.exe
C:\WINDOWS\system32\iexp.exe
C:\WINDOWS\system32\ipdr.exe
C:\WINDOWS\system32\ipqb.exe
C:\WINDOWS\system32\javapg.exe
C:\WINDOWS\system32\javaxb.exe
C:\WINDOWS\system32\mfcjt32.exe
C:\WINDOWS\system32\mfcng32.exe
C:\WINDOWS\system32\mfcsr.exe
C:\WINDOWS\system32\mfcwd32.exe
C:\WINDOWS\system32\mfczs.exe
C:\WINDOWS\system32\msfm32.exe
C:\WINDOWS\system32\msrw.exe
C:\WINDOWS\system32\msvd.exe
C:\WINDOWS\system32\msxf.exe
C:\WINDOWS\system32\netoz.exe
C:\WINDOWS\system32\ntlu.exe
C:\WINDOWS\system32\sdkji.exe
C:\WINDOWS\system32\sdkcn.exe
C:\WINDOWS\system32\sdkdj32.exe
C:\WINDOWS\system32\sdklu.exe
C:\WINDOWS\system32\sdkne32.exe
C:\WINDOWS\system32\sdkpq.exe
C:\WINDOWS\system32\sdksq32.exe
C:\WINDOWS\system32\sysdw32.exe
C:\WINDOWS\system32\sysnh.exe
C:\WINDOWS\system32\winfw.exe
C:\WINDOWS\system32\winfw.exe
C:\WINDOWS\system32\winsi.exe
C:\WINDOWS\system32\winvb.exe
C:\WINDOWS\system32\winwi32.exe

8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or word pad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

11. Reboot to normal mode, scan again with Hijack This and post a new log here.

12. NOTE: Please check your hosts file. Download the Hoster from here: http://members.aol.c...dbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself
........................................................
13. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.

14. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Post a fresh HijackThis log and the AboutBuster report back here please.
Microsoft MVP Windows-Security 2003-2009
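The instructions above boil down to two checks a helper performs by eye: spot the autostart entries whose program is a randomly named .exe sitting directly in the Windows or system32 folder, and then delete only files whose full path matches the list exactly. The following Python script is an added example (not code from this thread, from HijackThis, or from AboutBuster) that automates both checks over log lines in the shape HijackThis printed them. The O4 line grammar, the list of name prefixes (add, api, app, atl, cr, d3, ie, ip, java, mfc, ms, net, nt, sdk, sys, win) and the "two random letters plus optional 32" shape are assumptions distilled from the file names posted in this thread, so the pattern is a triage heuristic, not a signature; legitimate system files such as netsh.exe also fit it, which is exactly why the post insists on exact matches before anything is deleted. The sample log and the short delete list are constructed from lines that appear in this thread.

```python
"""Triage helper for HijackThis-style O4 autostart lines (added example).

Assumptions (not from the thread): the O4 grammar below approximates
HijackThis v1.98 output, and RANDOM_NAME_RE is a heuristic built from the
file names posted in this thread. It flags entries for review only; the
exact-path check decides what may actually be deleted.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the thread's log: legitimate autostarts
# mixed with the randomly named Run/RunOnce entries. One non-O4 line is
# included to show that the parser ignores other sections.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [sdkji.exe] C:\WINDOWS\system32\sdkji.exe
O4 - HKLM\..\RunOnce: [atlxt32.exe] C:\WINDOWS\atlxt32.exe
O4 - HKLM\..\RunOnce: [ntlu.exe] C:\WINDOWS\system32\ntlu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O2 - BHO: (no name) - {408A38D3-8F90-3682-07E0-801204F76847} - C:\WINDOWS\ieui32.dll
"""

# Constructed subset of the thread's deletion list.
DELETE_LIST = [
    r"C:\WINDOWS\addin32.exe",
    r"C:\WINDOWS\system32\sdkji.exe",
]

# "O4 - HKLM\..\RunOnce: [label] command"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
    r"\[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)

# Heuristic shape of the droppers listed in this thread (assumption):
# system-ish prefix + two random lowercase letters + optional "32" + ".exe".
RANDOM_NAME_RE = re.compile(
    r"^(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.exe$"
)

# Folders the droppers were placed in directly (lower-cased, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


def executable_path(cmd: str) -> str:
    """Return the program path of an autostart command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 line into hive/key/label/cmd/path, or None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = executable_path(entry["cmd"])
    return entry


def looks_like_cws_dropper(path: str) -> bool:
    """Heuristic: randomly named .exe placed directly in the Windows or system32 folder."""
    directory, _, name = path.lower().rpartition("\\")
    return (directory + "\\") in SYSTEM_DIRS and RANDOM_NAME_RE.match(name) is not None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Attach a verdict ("review" or "ok") to every O4 entry in the log."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        entry["verdict"] = "review" if looks_like_cws_dropper(entry["path"]) else "ok"
        results.append(entry)
    return results


def is_exact_listed(path: str, listing: List[str]) -> bool:
    """True only when the full path equals a listed file.

    Windows paths are case-insensitive, so the comparison folds case, but a
    similar name (addin.exe vs addin32.exe) or the same name in another
    folder is rejected, as the post requires.
    """
    wanted = {p.lower() for p in listing}
    return path.lower() in wanted


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["verdict"]:7} {e["key"]:8} {e["path"]}')
```

Running the script prints the three randomly named entries as "review" and the iTunes, Creative, QuickTime and Symantec entries as "ok"; the deletion step then goes through is_exact_listed, so a near-miss such as addin.exe or a copy of addin32.exe in a different folder is never treated as a listed file.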

#5 memdog

Member (New Member, 4 posts)

Posted 19 July 2004 - 04:43 AM

Jane,

Thanks a lot! No more pop-ups/browser problems, and much faster processing time! I think there may be still a few bad files in my system, so any additional help would be appreciated.

I couldn't figure out how to save the AboutBuster log, but it was huge; pages and pages of files removed. Here's my new HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 2:36:13 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Columbia University\CU & NYP VPN CLIENT\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DIGStream\digstream.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O4 - Global Startup: VPN,(COLUMBIA UNIVERSITY & NYP) VPN CLIENT.lnk = C:\Program Files\Columbia University\CU & NYP VPN CLIENT\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail13a.shu.edu/iNotes.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - https://ny168amicas...._1_3_silent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kon...current/kdx.cab
