fbr

res://digzv.dll/ is my home page

4 posts in this topic

I did download the latest versions of ad-aware 6.0 and spybot S&D. Already for a couple of days I am trying to get rid of irritating spyware, in which I do not succeed. Currently, ad-aware just gave the message of a tracking-cookie cgi-bin[1].txt and spybot gave a tracking cookie doubleclick[1].txt. After removal and new start-up, these re-appear.

My home page is res://digzv.dll/index.html#37680 and I am continuously re-directed to http://search-to-find.com. Ads appear on my screen, based on the latest search terms I have used via google.

I ran HijackThis and deleted all entries with digzv. After reboot they re-appear.

 

I really would appreciate your help

 

FBR

====================

 

My current HijackThis logfile is as follows.

 

Logfile of HijackThis v1.97.7

Scan saved at 17:05:49, on 7-7-2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\winrx32.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\apidp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Frans\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\digzv.dll/sp.html#37680

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://digzv.dll/index.html#37680

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://digzv.dll/index.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\digzv.dll/sp.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://digzv.dll/index.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\digzv.dll/sp.html#37680

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>

O2 - BHO: (no name) - {04D6A205-BCF1-A72C-2E8D-6CC68DA15F18} - C:\WINDOWS\atlha32.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [atljb32.exe] C:\WINDOWS\system32\atljb32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [MessengerPlus3] "D:\Gijs\msn\MSNPLUS\MsgPlus.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [apidp.exe] C:\WINDOWS\system32\apidp.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [sysqo32.exe] C:\WINDOWS\sysqo32.exe

O4 - HKLM\..\RunOnce: [javafv32.exe] C:\WINDOWS\javafv32.exe

O4 - HKLM\..\RunOnce: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe

O4 - HKLM\..\RunOnce: [winfp.exe] C:\WINDOWS\winfp.exe

O4 - HKLM\..\RunOnce: [addsv32.exe] C:\WINDOWS\system32\addsv32.exe

O4 - HKLM\..\RunOnce: [mfcer.exe] C:\WINDOWS\mfcer.exe

O4 - HKLM\..\RunOnce: [iezg.exe] C:\WINDOWS\system32\iezg.exe

O4 - HKLM\..\RunOnce: [sysyh32.exe] C:\WINDOWS\system32\sysyh32.exe

O4 - HKLM\..\RunOnce: [sysyc.exe] C:\WINDOWS\sysyc.exe

O4 - HKLM\..\RunOnce: [mfceh32.exe] C:\WINDOWS\system32\mfceh32.exe

O4 - HKLM\..\RunOnce: [netmt32.exe] C:\WINDOWS\netmt32.exe

O4 - HKLM\..\RunOnce: [ipqg.exe] C:\WINDOWS\ipqg.exe

O4 - HKLM\..\RunOnce: [netia32.exe] C:\WINDOWS\system32\netia32.exe

O4 - HKLM\..\RunOnce: [ierx32.exe] C:\WINDOWS\ierx32.exe

O4 - HKLM\..\RunOnce: [ntgx.exe] C:\WINDOWS\ntgx.exe

O4 - HKLM\..\RunOnce: [aping32.exe] C:\WINDOWS\system32\aping32.exe

O4 - HKLM\..\RunOnce: [mfczl.exe] C:\WINDOWS\mfczl.exe

O4 - HKLM\..\RunOnce: [apihr.exe] C:\WINDOWS\system32\apihr.exe

O4 - HKLM\..\RunOnce: [netsa32.exe] C:\WINDOWS\system32\netsa32.exe

O4 - HKLM\..\RunOnce: [crhu32.exe] C:\WINDOWS\system32\crhu32.exe

O4 - HKLM\..\RunOnce: [msig32.exe] C:\WINDOWS\system32\msig32.exe

O4 - HKLM\..\RunOnce: [d3sa32.exe] C:\WINDOWS\d3sa32.exe

O4 - HKLM\..\RunOnce: [appml.exe] C:\WINDOWS\appml.exe

O4 - HKLM\..\RunOnce: [crgj32.exe] C:\WINDOWS\system32\crgj32.exe

O4 - HKLM\..\RunOnce: [ieqs32.exe] C:\WINDOWS\ieqs32.exe

O4 - HKLM\..\RunOnce: [crvp.exe] C:\WINDOWS\crvp.exe

O4 - HKLM\..\RunOnce: [ieuw.exe] C:\WINDOWS\ieuw.exe

O4 - HKLM\..\RunOnce: [netcv.exe] C:\WINDOWS\system32\netcv.exe

O4 - HKLM\..\RunOnce: [sysbu32.exe] C:\WINDOWS\system32\sysbu32.exe

O4 - HKLM\..\RunOnce: [atlsc.exe] C:\WINDOWS\system32\atlsc.exe

O4 - HKLM\..\RunOnce: [msbw.exe] C:\WINDOWS\msbw.exe

O4 - HKLM\..\RunOnce: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe

O4 - HKLM\..\RunOnce: [winpw.exe] C:\WINDOWS\system32\winpw.exe

O4 - HKLM\..\RunOnce: [mfcqg32.exe] C:\WINDOWS\mfcqg32.exe

O4 - HKLM\..\RunOnce: [ipyo32.exe] C:\WINDOWS\ipyo32.exe

O4 - HKLM\..\RunOnce: [javato.exe] C:\WINDOWS\system32\javato.exe

O4 - HKLM\..\RunOnce: [mfcqh32.exe] C:\WINDOWS\system32\mfcqh32.exe

O4 - HKLM\..\RunOnce: [sysef32.exe] C:\WINDOWS\system32\sysef32.exe

O4 - HKLM\..\RunOnce: [crrg32.exe] C:\WINDOWS\system32\crrg32.exe

O4 - HKLM\..\RunOnce: [sysnc32.exe] C:\WINDOWS\sysnc32.exe

O4 - HKLM\..\RunOnce: [sdkar.exe] C:\WINDOWS\system32\sdkar.exe

O4 - HKLM\..\RunOnce: [apppr32.exe] C:\WINDOWS\apppr32.exe

O4 - HKLM\..\RunOnce: [sysmr.exe] C:\WINDOWS\sysmr.exe

O4 - HKLM\..\RunOnce: [addxz32.exe] C:\WINDOWS\addxz32.exe

O4 - HKLM\..\RunOnce: [javakl32.exe] C:\WINDOWS\system32\javakl32.exe

O4 - HKLM\..\RunOnce: [apiqy.exe] C:\WINDOWS\apiqy.exe

O4 - HKLM\..\RunOnce: [addjp32.exe] C:\WINDOWS\system32\addjp32.exe

O4 - HKLM\..\RunOnce: [atllc.exe] C:\WINDOWS\system32\atllc.exe

O4 - HKLM\..\RunOnce: [ipwm.exe] C:\WINDOWS\ipwm.exe

O4 - HKLM\..\RunOnce: [atlnw.exe] C:\WINDOWS\atlnw.exe

O4 - HKLM\..\RunOnce: [appxa32.exe] C:\WINDOWS\system32\appxa32.exe

O4 - HKLM\..\RunOnce: [adddz.exe] C:\WINDOWS\system32\adddz.exe

O4 - HKLM\..\RunOnce: [d3rz.exe] C:\WINDOWS\d3rz.exe

O4 - HKLM\..\RunOnce: [crpl32.exe] C:\WINDOWS\crpl32.exe

O4 - HKLM\..\RunOnce: [msfz.exe] C:\WINDOWS\system32\msfz.exe

O4 - HKLM\..\RunOnce: [d3lv32.exe] C:\WINDOWS\d3lv32.exe

O4 - HKLM\..\RunOnce: [addon32.exe] C:\WINDOWS\system32\addon32.exe

O4 - HKLM\..\RunOnce: [msbt32.exe] C:\WINDOWS\system32\msbt32.exe

O4 - HKLM\..\RunOnce: [d3ze.exe] C:\WINDOWS\d3ze.exe

O4 - HKLM\..\RunOnce: [atlic.exe] C:\WINDOWS\atlic.exe

O4 - HKLM\..\RunOnce: [apiut.exe] C:\WINDOWS\apiut.exe

O4 - HKLM\..\RunOnce: [sdklg.exe] C:\WINDOWS\sdklg.exe

O4 - HKLM\..\RunOnce: [mfcqc.exe] C:\WINDOWS\system32\mfcqc.exe

O4 - HKLM\..\RunOnce: [mfcob.exe] C:\WINDOWS\mfcob.exe

O4 - HKLM\..\RunOnce: [netln32.exe] C:\WINDOWS\netln32.exe

O4 - HKLM\..\RunOnce: [sysws32.exe] C:\WINDOWS\sysws32.exe

O4 - HKLM\..\RunOnce: [apigi.exe] C:\WINDOWS\system32\apigi.exe

O4 - HKLM\..\RunOnce: [atlks.exe] C:\WINDOWS\system32\atlks.exe

O4 - HKLM\..\RunOnce: [ipya.exe] C:\WINDOWS\ipya.exe

O4 - HKLM\..\RunOnce: [mfcep.exe] C:\WINDOWS\mfcep.exe

O4 - HKLM\..\RunOnce: [syswe.exe] C:\WINDOWS\system32\syswe.exe

O4 - HKLM\..\RunOnce: [winec.exe] C:\WINDOWS\winec.exe

O4 - HKLM\..\RunOnce: [ieex32.exe] C:\WINDOWS\system32\ieex32.exe

O4 - HKLM\..\RunOnce: [ipvt.exe] C:\WINDOWS\system32\ipvt.exe

O4 - HKLM\..\RunOnce: [d3hb.exe] C:\WINDOWS\d3hb.exe

O4 - HKLM\..\RunOnce: [crpv32.exe] C:\WINDOWS\crpv32.exe

O4 - HKLM\..\RunOnce: [msxl.exe] C:\WINDOWS\msxl.exe

O4 - HKLM\..\RunOnce: [cryn32.exe] C:\WINDOWS\cryn32.exe

O4 - HKLM\..\RunOnce: [atltx.exe] C:\WINDOWS\atltx.exe

O4 - HKLM\..\RunOnce: [mfcil.exe] C:\WINDOWS\system32\mfcil.exe

O4 - HKLM\..\RunOnce: [syswn.exe] C:\WINDOWS\syswn.exe

O4 - HKLM\..\RunOnce: [appkt32.exe] C:\WINDOWS\appkt32.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.18.69.102/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8172.5102430556

O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28177.cab


Hi,

 

Before you begin, please print out the following instructions so that you can follow along as we go.

 

Download About:Buster from my signature and unzip it to its own folder.

 

Fixing the HIJACKTHIS log

Please look over the following entries I have listed, check them and Press the "Fix Checked" button with HijackThis.

When you are doing this, make sure you have NO Internet Explorer windows open, including this one.

  • O2 - BHO: (no name) - {04D6A205-BCF1-A72C-2E8D-6CC68DA15F18} - C:\WINDOWS\atlha32.dll
  • O4 - HKLM\..\Run: [atljb32.exe] C:\WINDOWS\system32\atljb32.exe
  • O4 - HKLM\..\Run: [apidp.exe] C:\WINDOWS\system32\apidp.exe
  • O4 - HKLM\..\RunOnce: [sysqo32.exe] C:\WINDOWS\sysqo32.exe
  • O4 - HKLM\..\RunOnce: [javafv32.exe] C:\WINDOWS\javafv32.exe
  • O4 - HKLM\..\RunOnce: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe
  • O4 - HKLM\..\RunOnce: [winfp.exe] C:\WINDOWS\winfp.exe
  • O4 - HKLM\..\RunOnce: [addsv32.exe] C:\WINDOWS\system32\addsv32.exe
  • O4 - HKLM\..\RunOnce: [mfcer.exe] C:\WINDOWS\mfcer.exe
  • O4 - HKLM\..\RunOnce: [iezg.exe] C:\WINDOWS\system32\iezg.exe
  • O4 - HKLM\..\RunOnce: [sysyh32.exe] C:\WINDOWS\system32\sysyh32.exe
  • O4 - HKLM\..\RunOnce: [sysyc.exe] C:\WINDOWS\sysyc.exe
  • O4 - HKLM\..\RunOnce: [mfceh32.exe] C:\WINDOWS\system32\mfceh32.exe
  • O4 - HKLM\..\RunOnce: [netmt32.exe] C:\WINDOWS\netmt32.exe
  • O4 - HKLM\..\RunOnce: [ipqg.exe] C:\WINDOWS\ipqg.exe
  • O4 - HKLM\..\RunOnce: [netia32.exe] C:\WINDOWS\system32\netia32.exe
  • O4 - HKLM\..\RunOnce: [ierx32.exe] C:\WINDOWS\ierx32.exe
  • O4 - HKLM\..\RunOnce: [ntgx.exe] C:\WINDOWS\ntgx.exe
  • O4 - HKLM\..\RunOnce: [aping32.exe] C:\WINDOWS\system32\aping32.exe
  • O4 - HKLM\..\RunOnce: [mfczl.exe] C:\WINDOWS\mfczl.exe
  • O4 - HKLM\..\RunOnce: [apihr.exe] C:\WINDOWS\system32\apihr.exe
  • O4 - HKLM\..\RunOnce: [netsa32.exe] C:\WINDOWS\system32\netsa32.exe
  • O4 - HKLM\..\RunOnce: [crhu32.exe] C:\WINDOWS\system32\crhu32.exe
  • O4 - HKLM\..\RunOnce: [msig32.exe] C:\WINDOWS\system32\msig32.exe
  • O4 - HKLM\..\RunOnce: [d3sa32.exe] C:\WINDOWS\d3sa32.exe
  • O4 - HKLM\..\RunOnce: [appml.exe] C:\WINDOWS\appml.exe
  • O4 - HKLM\..\RunOnce: [crgj32.exe] C:\WINDOWS\system32\crgj32.exe
  • O4 - HKLM\..\RunOnce: [ieqs32.exe] C:\WINDOWS\ieqs32.exe
  • O4 - HKLM\..\RunOnce: [crvp.exe] C:\WINDOWS\crvp.exe
  • O4 - HKLM\..\RunOnce: [ieuw.exe] C:\WINDOWS\ieuw.exe
  • O4 - HKLM\..\RunOnce: [netcv.exe] C:\WINDOWS\system32\netcv.exe
  • O4 - HKLM\..\RunOnce: [sysbu32.exe] C:\WINDOWS\system32\sysbu32.exe
  • O4 - HKLM\..\RunOnce: [atlsc.exe] C:\WINDOWS\system32\atlsc.exe
  • O4 - HKLM\..\RunOnce: [msbw.exe] C:\WINDOWS\msbw.exe
  • O4 - HKLM\..\RunOnce: [atlnw32.exe] C:\WINDOWS\system32\atlnw32.exe
  • O4 - HKLM\..\RunOnce: [winpw.exe] C:\WINDOWS\system32\winpw.exe
  • O4 - HKLM\..\RunOnce: [mfcqg32.exe] C:\WINDOWS\mfcqg32.exe
  • O4 - HKLM\..\RunOnce: [ipyo32.exe] C:\WINDOWS\ipyo32.exe
  • O4 - HKLM\..\RunOnce: [javato.exe] C:\WINDOWS\system32\javato.exe
  • O4 - HKLM\..\RunOnce: [mfcqh32.exe] C:\WINDOWS\system32\mfcqh32.exe
  • O4 - HKLM\..\RunOnce: [sysef32.exe] C:\WINDOWS\system32\sysef32.exe
  • O4 - HKLM\..\RunOnce: [crrg32.exe] C:\WINDOWS\system32\crrg32.exe
  • O4 - HKLM\..\RunOnce: [sysnc32.exe] C:\WINDOWS\sysnc32.exe
  • O4 - HKLM\..\RunOnce: [sdkar.exe] C:\WINDOWS\system32\sdkar.exe
  • O4 - HKLM\..\RunOnce: [apppr32.exe] C:\WINDOWS\apppr32.exe
  • O4 - HKLM\..\RunOnce: [sysmr.exe] C:\WINDOWS\sysmr.exe
  • O4 - HKLM\..\RunOnce: [addxz32.exe] C:\WINDOWS\addxz32.exe
  • O4 - HKLM\..\RunOnce: [javakl32.exe] C:\WINDOWS\system32\javakl32.exe
  • O4 - HKLM\..\RunOnce: [apiqy.exe] C:\WINDOWS\apiqy.exe
  • O4 - HKLM\..\RunOnce: [addjp32.exe] C:\WINDOWS\system32\addjp32.exe
  • O4 - HKLM\..\RunOnce: [atllc.exe] C:\WINDOWS\system32\atllc.exe
  • O4 - HKLM\..\RunOnce: [ipwm.exe] C:\WINDOWS\ipwm.exe
  • O4 - HKLM\..\RunOnce: [atlnw.exe] C:\WINDOWS\atlnw.exe
  • O4 - HKLM\..\RunOnce: [appxa32.exe] C:\WINDOWS\system32\appxa32.exe
  • O4 - HKLM\..\RunOnce: [adddz.exe] C:\WINDOWS\system32\adddz.exe
  • O4 - HKLM\..\RunOnce: [d3rz.exe] C:\WINDOWS\d3rz.exe
  • O4 - HKLM\..\RunOnce: [crpl32.exe] C:\WINDOWS\crpl32.exe
  • O4 - HKLM\..\RunOnce: [msfz.exe] C:\WINDOWS\system32\msfz.exe
  • O4 - HKLM\..\RunOnce: [d3lv32.exe] C:\WINDOWS\d3lv32.exe
  • O4 - HKLM\..\RunOnce: [addon32.exe] C:\WINDOWS\system32\addon32.exe
  • O4 - HKLM\..\RunOnce: [msbt32.exe] C:\WINDOWS\system32\msbt32.exe
  • O4 - HKLM\..\RunOnce: [d3ze.exe] C:\WINDOWS\d3ze.exe
  • O4 - HKLM\..\RunOnce: [atlic.exe] C:\WINDOWS\atlic.exe
  • O4 - HKLM\..\RunOnce: [apiut.exe] C:\WINDOWS\apiut.exe
  • O4 - HKLM\..\RunOnce: [sdklg.exe] C:\WINDOWS\sdklg.exe
  • O4 - HKLM\..\RunOnce: [mfcqc.exe] C:\WINDOWS\system32\mfcqc.exe
  • O4 - HKLM\..\RunOnce: [mfcob.exe] C:\WINDOWS\mfcob.exe
  • O4 - HKLM\..\RunOnce: [netln32.exe] C:\WINDOWS\netln32.exe
  • O4 - HKLM\..\RunOnce: [sysws32.exe] C:\WINDOWS\sysws32.exe
  • O4 - HKLM\..\RunOnce: [apigi.exe] C:\WINDOWS\system32\apigi.exe
  • O4 - HKLM\..\RunOnce: [atlks.exe] C:\WINDOWS\system32\atlks.exe
  • O4 - HKLM\..\RunOnce: [ipya.exe] C:\WINDOWS\ipya.exe
  • O4 - HKLM\..\RunOnce: [mfcep.exe] C:\WINDOWS\mfcep.exe
  • O4 - HKLM\..\RunOnce: [syswe.exe] C:\WINDOWS\system32\syswe.exe
  • O4 - HKLM\..\RunOnce: [winec.exe] C:\WINDOWS\winec.exe
  • O4 - HKLM\..\RunOnce: [ieex32.exe] C:\WINDOWS\system32\ieex32.exe
  • O4 - HKLM\..\RunOnce: [ipvt.exe] C:\WINDOWS\system32\ipvt.exe
  • O4 - HKLM\..\RunOnce: [d3hb.exe] C:\WINDOWS\d3hb.exe
  • O4 - HKLM\..\RunOnce: [crpv32.exe] C:\WINDOWS\crpv32.exe
  • O4 - HKLM\..\RunOnce: [msxl.exe] C:\WINDOWS\msxl.exe
  • O4 - HKLM\..\RunOnce: [cryn32.exe] C:\WINDOWS\cryn32.exe
  • O4 - HKLM\..\RunOnce: [atltx.exe] C:\WINDOWS\atltx.exe
  • O4 - HKLM\..\RunOnce: [mfcil.exe] C:\WINDOWS\system32\mfcil.exe
  • O4 - HKLM\..\RunOnce: [syswn.exe] C:\WINDOWS\syswn.exe
  • O4 - HKLM\..\RunOnce: [appkt32.exe] C:\WINDOWS\appkt32.exe

Clean your computer of useless cookies, temporary files

Navigate to the following folders and delete the contents inside but not the folders

  • Start | Run (type) "%temp%" (no quotes)
    Completely delete the entire contents of that "temp" folder.
  • Empty your "Recycle Bin"

Run About:Buster

  • Double click About:Buster.
  • Click OK and Start.
  • Let About:buster fix all the entries it finds.

Scanning for viruses and trojans

Due to the large number of infections that you have, please consider running a virus and trojan scan. Before you do, please turn off System Restore first.

Deleting spyware files and folders

You need to show hidden files and boot into safe mode before the deletion process.

Once in safe mode, follow the directory listed and delete the following .exe's.

  • C:\WINDOWS\system32\apidp.exe
  • C:\WINDOWS\sysqo32.exe
  • C:\WINDOWS\javafv32.exe
  • c:\WINDOWS\system32\ntuk32.exe
  • C:\WINDOWS\system32\addsv32.exe
  • C:\WINDOWS\mfcer.exe
  • C:\WINDOWS\system32\iezg.exe
  • C:\WINDOWS\system32\sysyh32.exe
  • C:\WINDOWS\sysyc.exe
  • C:\WINDOWS\system32\mfceh32.exe
  • C:\WINDOWS\netmt32.exe
  • C:\WINDOWS\ipqg.exe
  • C:\WINDOWS\ierx32.exe
  • C:\WINDOWS\ntgx.exe
  • C:\WINDOWS\system32\aping32.exe
  • C:\WINDOWS\mfczl.exe
  • C:\WINDOWS\system32\apihr.exe
  • C:\WINDOWS\system32\netsa32.exe
  • C:\WINDOWS\system32\crhu32.exe
  • C:\WINDOWS\system32\msig32.exe
  • C:\WINDOWS\d3sa32.exe
  • C:\WINDOWS\appml.exe
  • C:\WINDOWS\system32\crgj32.exe
  • C:\WINDOWS\ieqs32.exe
  • C:\WINDOWS\crvp.exe
  • C:\WINDOWS\ieuw.exe
  • C:\WINDOWS\system32\netcv.exe
  • C:\WINDOWS\system32\sysbu32.exe
  • C:\WINDOWS\system32\atlsc.exe
  • C:\WINDOWS\msbw.exe
  • C:\WINDOWS\system32\atlnw32.exe
  • C:\WINDOWS\system32\winpw.exe
  • C:\WINDOWS\mfcqg32.exe
  • C:\WINDOWS\ipyo32.exe
  • C:\WINDOWS\system32\javato.exe
  • C:\WINDOWS\system32\mfcqh32.exe
  • C:\WINDOWS\system32\sysef32.exe
  • C:\WINDOWS\system32\crrg32.exe
  • C:\WINDOWS\sysnc32.exe
  • C:\WINDOWS\system32\sdkar.exe
  • C:\WINDOWS\apppr32.exe
  • C:\WINDOWS\sysmr.exe
  • C:\WINDOWS\addxz32.exe
  • C:\WINDOWS\system32\javakl32.exe
  • C:\WINDOWS\apiqy.exe
  • C:\WINDOWS\system32\addjp32.exe
  • C:\WINDOWS\system32\atllc.exe
  • C:\WINDOWS\ipwm.exe
  • C:\WINDOWS\atlnw.exe
  • C:\WINDOWS\system32\appxa32.exe
  • C:\WINDOWS\system32\adddz.exe
  • C:\WINDOWS\d3rz.exe
  • C:\WINDOWS\crpl32.exe
  • C:\WINDOWS\system32\msfz.exe
  • C:\WINDOWS\d3lv32.exe
  • C:\WINDOWS\system32\addon32.exe
  • C:\WINDOWS\system32\msbt32.exe
  • C:\WINDOWS\d3ze.exe
  • C:\WINDOWS\atlic.exe
  • C:\WINDOWS\apiut.exe
  • C:\WINDOWS\sdklg.exe
  • C:\WINDOWS\system32\mfcqc.exe
  • C:\WINDOWS\mfcob.exe
  • C:\WINDOWS\netln32.exe
  • C:\WINDOWS\sysws32.exe
  • C:\WINDOWS\system32\apigi.exe
  • C:\WINDOWS\system32\atlks.exe
  • C:\WINDOWS\ipya.exe
  • C:\WINDOWS\mfcep.exe
  • C:\WINDOWS\system32\syswe.exe
  • C:\WINDOWS\winec.exe
  • C:\WINDOWS\system32\ieex32.exe
  • C:\WINDOWS\system32\ipvt.exe
  • C:\WINDOWS\d3hb.exe
  • C:\WINDOWS\crpv32.exe
  • C:\WINDOWS\msxl.exe
  • C:\WINDOWS\cryn32.exe
  • C:\WINDOWS\atltx.exe
  • C:\WINDOWS\system32\mfcil.exe
  • C:\WINDOWS\syswn.exe
  • C:\WINDOWS\appkt32.exe

Reboot and post a new HijackThis Log.

 

Learn how to prevent future infection

Spyware preventions

To reduce the likelihood of future infections, I strongly recommend installing the following antispyware tools.

  • SpywareBlaster<=SpywareBlaster will prevent spyware from being installed and consumes no system resources.
  • Spyware Guard<=SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad<=IE/Spyad is a free tool that places over 4000 websites and domains in the IE Restricted list which will seriously impair attempts to infect your system.
  • Script Defender<=Script Defender is a script blocker that can be used to protect against drive by downloads.

I would also recommend installing any one of the following firewalls.

  • Sygate<=Sygate Security Agent incorporates an application-centric firewall that stealths host systems, provides stateful firewalling, applies rule-based security policy, and controls application usage.
  • Agnitum Outpost<=Agnitum Outpost is a full-featured yet light-weight personal firewall product with application scanning and basic intrusion-detection features. It offers a good balance between ease of use and protection.
  • Zone Labs<=Zone Labs is a leading creator of endpoint security solutions and one of the most trusted brands in Internet security, protecting millions of PCs from risks posed by hackers and data theft. The award-winning endpoint security product line is deployed in global enterprises.
  • Kerio Personal Firewall<=Kerio Personal Firewall (KPF) helps users control how their computers exchange data with other computers on the Internet or local network. Necessity for all desktop computers connected to broadband Internet, using DSL, cable, ISDN, WiFi or satellite modems.

Edited by stockkbroker


Thanks for all the help. It is getting better, but I am not yet there. I followed all your advice, and finally ran HijackThis again. Still my home page is redirected to a wrong place. My PC is much faster now though, which means for me that a lot of rubbish has gone. So far so good, now the rest. Again, I would greatly appreciate your advice.

 

 

FBR

===========

 

My new log file is as follows:

 

Logfile of HijackThis v1.97.7

Scan saved at 21:14:24, on 7-7-2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\winrx32.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\addqg.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Documents and Settings\Frans\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nngqi.dll/index.html#37680

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nngqi.dll/index.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nngqi.dll/index.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5389907B-5AA0-FD40-FFCD-B654F6817EFA} - C:\WINDOWS\system32\mfcfg.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [MessengerPlus3] "D:\Gijs\msn\MSNPLUS\MsgPlus.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [apidp.exe] C:\WINDOWS\system32\apidp.exe

O4 - HKLM\..\Run: [addqg.exe] C:\WINDOWS\system32\addqg.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [msvq32.exe] C:\WINDOWS\system32\msvq32.exe

O4 - HKLM\..\RunOnce: [sysep.exe] C:\WINDOWS\sysep.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.18.69.102/activex/AxisCamControl.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8172.5102430556

O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28177.cab


Hi,

 

Your log is a lot cleaner.

 

I am afraid you have to redo some of the steps since some new files have been generated.

 

Print out the following instructions so that you can follow along as we go.

 

Make sure you follow my instructions exactly and close ALL explorer windows when fixing HijackThis and About:buster.

 

Fixing the HIJACKTHIS log

Please look over the following entries I have listed, check them and Press the "Fix Checked" button with HijackThis.

When you are doing this, make sure you have NO Internet Explorer windows open, including this one.

  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nngqi.dll/index.html#37680
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nngqi.dll/index.html#37680
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nngqi.dll/index.html#37680
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nngqi.dll/sp.html#37680
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
  • O2 - BHO: (no name) - {5389907B-5AA0-FD40-FFCD-B654F6817EFA} - C:\WINDOWS\system32\mfcfg.dll
  • O4 - HKLM\..\Run: [apidp.exe] C:\WINDOWS\system32\apidp.exe
  • O4 - HKLM\..\Run: [addqg.exe] C:\WINDOWS\system32\addqg.exe
  • O4 - HKLM\..\RunOnce: [msvq32.exe] C:\WINDOWS\system32\msvq32.exe
  • O4 - HKLM\..\RunOnce: [sysep.exe] C:\WINDOWS\sysep.exe

Clean your computer of useless cookies, temporary files

Navigate to the following folders and delete the contents inside but not the folders

  • Start | Run (type) "%temp%" (no quotes)
  • Completely delete the entire contents of that "temp" folder.
  • Empty your "Recycle Bin"

 

Run About:Buster

  • Double click About:Buster.
  • Click OK and Start.
  • Let About:buster fix all the entries it finds.

Deleting spyware files and folders

You need to show hidden files and boot into safe mode before the deletion process.

Once in safe mode, follow the directory listed and delete the following exe's.

  • C:\WINDOWS\winrx32.exe
  • C:\WINDOWS\system32\addqg.exe
  • C:\WINDOWS\system32\apidp.exe
  • C:\WINDOWS\system32\addqg.exe
  • C:\WINDOWS\system32\msvq32.exe
  • C:\WINDOWS\sysep.exe

Update and run Adaware again.

  • Ad-Aware<=Follow the link to learn how to update and use Ad aware.

Reboot and post a new HijackThis log.

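Added example, not part of the original posts and not code from HijackThis or About:Buster: a small triage script that compares two HijackThis logs to show which entries survived a fix and which came back under new names, as happened between the two logs in this thread. The three rules (IE pages served from a DLL via res://, BHO DLLs sitting directly in C:\WINDOWS or system32, and Run/RunOnce values named after their own executable in those folders) are assumptions drawn from the entries selected for fixing above; the function names are hypothetical and the sample lines are a constructed subset copied from the two logs.

```python
import re
from ntpath import basename, dirname  # Windows path rules, works on any OS

# Folders the randomly named files in this thread were dropped into.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

R_LINE = re.compile(r"^R[01] - [^,]+,(?P<name>[^=]+?) = (?P<data>.*)$")
RES_DLL = re.compile(r"^res://(?P<module>.+?\.dll)/", re.I)
BHO_LINE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_PATH = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)\b', re.I)

# Constructed sample: lines copied from the first log posted in this thread.
FIRST_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\digzv.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://digzv.dll/index.html#37680
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: (no name) - {04D6A205-BCF1-A72C-2E8D-6CC68DA15F18} - C:\WINDOWS\atlha32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [apidp.exe] C:\WINDOWS\system32\apidp.exe
O4 - HKLM\..\RunOnce: [sysqo32.exe] C:\WINDOWS\sysqo32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""

# Constructed sample: lines copied from the second log posted in this thread.
SECOND_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nngqi.dll/index.html#37680
O2 - BHO: (no name) - {5389907B-5AA0-FD40-FFCD-B654F6817EFA} - C:\WINDOWS\system32\mfcfg.dll
O4 - HKLM\..\Run: [apidp.exe] C:\WINDOWS\system32\apidp.exe
O4 - HKLM\..\Run: [addqg.exe] C:\WINDOWS\system32\addqg.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [msvq32.exe] C:\WINDOWS\system32\msvq32.exe
"""


def in_system_dir(path):
    """True when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    return dirname(path).lower() in SYSTEM_DIRS


def suspicious(log):
    """Return a set of (rule, file name) pairs for the lines that match a rule."""
    found = set()
    for line in (raw.strip() for raw in log.splitlines()):
        if (m := R_LINE.match(line)) and (r := RES_DLL.match(m["data"])):
            # An IE start/search page loaded out of a DLL resource.
            found.add(("res-page", basename(r["module"]).lower()))
        elif m := BHO_LINE.match(line):
            if in_system_dir(m["path"]):
                found.add(("bho", basename(m["path"]).lower()))
        elif m := RUN_LINE.match(line):
            exe = EXE_PATH.match(m["cmd"])
            path = (exe["q"] or exe["u"]) if exe else m["cmd"]
            # Value name identical to the file it launches, in a system folder.
            if m["name"].lower() == basename(path).lower() and in_system_dir(path):
                found.add(("autorun", basename(path).lower()))
    return found


def compare(before, after):
    """Split findings into those that survived, came back renamed, or are gone."""
    a, b = suspicious(before), suspicious(after)
    return {"persisted": a & b, "regenerated": b - a, "removed": a - b}


if __name__ == "__main__":
    for status, items in compare(FIRST_LOG, SECOND_LOG).items():
        for rule, name in sorted(items):
            print(f"{status:12} {rule:9} {name}")
```

Anything reported as persisted or regenerated after a fix means the component that rewrites the registry is still running, so the matching lines only tell you where to look next, not that the machine is clean once they are gone.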