susan

Hijack list

6 posts in this topic

This is my first HijackThis log. Please let me know if any of these should be deleted. Where do I go from here?

 

Logfile of HijackThis v1.97.7

Scan saved at 6:19:46 PM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\criv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Borland\Interbase\bin\ibguard.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\Borland\Interbase\bin\ibserver.exe

C:\WINDOWS\apiem.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xurkd.dll/sp.html#27063

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xurkd.dll/index.html#27063

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xurkd.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xurkd.dll/sp.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xurkd.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xurkd.dll/sp.html#27063

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {7AADF982-4598-7DD2-A20B-630DD168492F} - C:\WINDOWS\sysqb32.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [criv.exe] C:\WINDOWS\system32\criv.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKLM\..\RunOnce: [apiem.exe] C:\WINDOWS\apiem.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8098.7303240741

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab


Hello susan,

 

Please put HJT in a Permanent folder. You're running it from C:\Program Files\HijackThis.exe

If you make a new folder in Program Files, that would be ok, such as C:\Program Files\Hijackthis\HijackThis.exe

Or you can do this: Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

This will allow backups to be made and saved by HijackThis in case something goes wrong.

Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

______

 

Next, download About:Buster and unzip it to your desktop, but don't run it yet.

______

 

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

 

Install the program and launch it, but don't run it yet, just set it up this way:

 

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

 

Next, we need to configure Ad-aware for a full scan.

 

Click on the Gear icon (second from the left) to access the preferences/settings window

 

1. In the General window make sure the following are selected:

  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives

Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

 

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

  • Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

 

Save the log file when it asks and then click Finish.

 

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and click Next).

___________

 

Now, reboot to Safe Mode (tap F8 while restarting).

 

Then open Hijackthis, click Scan, then put a check next to the following entries:

 

O2 - BHO: (no name) - {7AADF982-4598-7DD2-A20B-630DD168492F} - C:\WINDOWS\sysqb32.dll

 

O4 - HKLM\..\Run: [criv.exe] C:\WINDOWS\system32\criv.exe

O4 - HKLM\..\RunOnce: [apiem.exe] C:\WINDOWS\apiem.exe

 

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab

 

Now, make sure you Close all open Windows (have only HJT open) and click "Fix Checked".

 

- - - - - - - -

 

Then, while still in safe mode, run About:Buster.

Start it. (Don't worry about the pop-up that says to fix all random objects; we just did that.)

Hit OK, Start, and OK to start the scan. It will generate a log. Post that log along with a new HijackThis log here.

 

- - - - - - - -

 

Now run Ad-aware, while still in safe mode.

 

_________

 

Then, reboot normally and take a free on-line scan at HouseCall

 

 

After you do the above, please post a new HJT log, and your About Buster log.


I followed the instructions you gave me, but am unable to figure out how to save the About:Buster log. I scanned it twice and it removed quite a bit, but left a lot of "error in removing" messages.

 

Here is my new Hijack log as of 7/31/04

 

susan

 

Logfile of HijackThis v1.97.7

Scan saved at 2:38:25 PM, on 7/31/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\WINDOWS\atlfn32.exe

C:\WINDOWS\system32\criv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhyim.dll/sp.html#27063

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vhyim.dll/index.html#27063

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vhyim.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhyim.dll/sp.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vhyim.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vhyim.dll/sp.html#27063

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4098B116-3E9F-6C68-3DD2-D1F9DE132411} - C:\WINDOWS\netkw.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [criv.exe] C:\WINDOWS\system32\criv.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKLM\..\RunOnce: [addjb.exe] C:\WINDOWS\system32\addjb.exe

O4 - HKLM\..\RunOnce: [addyg32.exe] C:\WINDOWS\addyg32.exe

O4 - HKLM\..\RunOnce: [addwe32.exe] C:\WINDOWS\system32\addwe32.exe

O4 - HKLM\..\RunOnce: [mfcnm.exe] C:\WINDOWS\system32\mfcnm.exe

O4 - HKLM\..\RunOnce: [winzx.exe] C:\WINDOWS\winzx.exe

O4 - HKLM\..\RunOnce: [mfcup32.exe] C:\WINDOWS\system32\mfcup32.exe

O4 - HKLM\..\RunOnce: [atlov32.exe] C:\WINDOWS\system32\atlov32.exe

O4 - HKLM\..\RunOnce: [atlbl32.exe] C:\WINDOWS\system32\atlbl32.exe

O4 - HKLM\..\RunOnce: [apizn32.exe] C:\WINDOWS\apizn32.exe

O4 - HKLM\..\RunOnce: [d3fg32.exe] C:\WINDOWS\d3fg32.exe

O4 - HKLM\..\RunOnce: [wintu.exe] C:\WINDOWS\wintu.exe

O4 - HKLM\..\RunOnce: [iezn32.exe] C:\WINDOWS\iezn32.exe

O4 - HKLM\..\RunOnce: [sdkeh.exe] C:\WINDOWS\sdkeh.exe

O4 - HKLM\..\RunOnce: [addja32.exe] C:\WINDOWS\system32\addja32.exe

O4 - HKLM\..\RunOnce: [ntzy.exe] C:\WINDOWS\ntzy.exe

O4 - HKLM\..\RunOnce: [winel32.exe] C:\WINDOWS\system32\winel32.exe

O4 - HKLM\..\RunOnce: [ipfs32.exe] C:\WINDOWS\ipfs32.exe

O4 - HKLM\..\RunOnce: [addbi32.exe] C:\WINDOWS\system32\addbi32.exe

O4 - HKLM\..\RunOnce: [msdl32.exe] C:\WINDOWS\msdl32.exe

O4 - HKLM\..\RunOnce: [d3nu.exe] C:\WINDOWS\d3nu.exe

O4 - HKLM\..\RunOnce: [mfced.exe] C:\WINDOWS\mfced.exe

O4 - HKLM\..\RunOnce: [apild32.exe] C:\WINDOWS\system32\apild32.exe

O4 - HKLM\..\RunOnce: [ntvy32.exe] C:\WINDOWS\system32\ntvy32.exe

O4 - HKLM\..\RunOnce: [appas32.exe] C:\WINDOWS\system32\appas32.exe

O4 - HKLM\..\RunOnce: [crrb.exe] C:\WINDOWS\system32\crrb.exe

O4 - HKLM\..\RunOnce: [appwm.exe] C:\WINDOWS\system32\appwm.exe

O4 - HKLM\..\RunOnce: [syszj.exe] C:\WINDOWS\system32\syszj.exe

O4 - HKLM\..\RunOnce: [sysrt32.exe] C:\WINDOWS\sysrt32.exe

O4 - HKLM\..\RunOnce: [winqu.exe] C:\WINDOWS\winqu.exe

O4 - HKLM\..\RunOnce: [cryd32.exe] C:\WINDOWS\cryd32.exe

O4 - HKLM\..\RunOnce: [syspi.exe] C:\WINDOWS\syspi.exe

O4 - HKLM\..\RunOnce: [addlj.exe] C:\WINDOWS\addlj.exe

O4 - HKLM\..\RunOnce: [atlbu.exe] C:\WINDOWS\system32\atlbu.exe

O4 - HKLM\..\RunOnce: [addjp32.exe] C:\WINDOWS\system32\addjp32.exe

O4 - HKLM\..\RunOnce: [ntwd.exe] C:\WINDOWS\ntwd.exe

O4 - HKLM\..\RunOnce: [ipxs.exe] C:\WINDOWS\system32\ipxs.exe

O4 - HKLM\..\RunOnce: [crjj.exe] C:\WINDOWS\crjj.exe

O4 - HKLM\..\RunOnce: [crdi.exe] C:\WINDOWS\crdi.exe

O4 - HKLM\..\RunOnce: [ntgs.exe] C:\WINDOWS\system32\ntgs.exe

O4 - HKLM\..\RunOnce: [apphb.exe] C:\WINDOWS\apphb.exe

O4 - HKLM\..\RunOnce: [iprz.exe] C:\WINDOWS\system32\iprz.exe

O4 - HKLM\..\RunOnce: [neter.exe] C:\WINDOWS\system32\neter.exe

O4 - HKLM\..\RunOnce: [javaqv32.exe] C:\WINDOWS\javaqv32.exe

O4 - HKLM\..\RunOnce: [atldz.exe] C:\WINDOWS\atldz.exe

O4 - HKLM\..\RunOnce: [syshv32.exe] C:\WINDOWS\syshv32.exe

O4 - HKLM\..\RunOnce: [mfcnb.exe] C:\WINDOWS\system32\mfcnb.exe

O4 - HKLM\..\RunOnce: [winna32.exe] C:\WINDOWS\system32\winna32.exe

O4 - HKLM\..\RunOnce: [d3qa32.exe] C:\WINDOWS\d3qa32.exe

O4 - HKLM\..\RunOnce: [atlmp32.exe] C:\WINDOWS\atlmp32.exe

O4 - HKLM\..\RunOnce: [netdn.exe] C:\WINDOWS\system32\netdn.exe

O4 - HKLM\..\RunOnce: [addid32.exe] C:\WINDOWS\addid32.exe

O4 - HKLM\..\RunOnce: [addyo.exe] C:\WINDOWS\system32\addyo.exe

O4 - HKLM\..\RunOnce: [craj.exe] C:\WINDOWS\craj.exe

O4 - HKLM\..\RunOnce: [mfcms32.exe] C:\WINDOWS\mfcms32.exe

O4 - HKLM\..\RunOnce: [ipbi.exe] C:\WINDOWS\system32\ipbi.exe

O4 - HKLM\..\RunOnce: [apiwm.exe] C:\WINDOWS\apiwm.exe

O4 - HKLM\..\RunOnce: [netab.exe] C:\WINDOWS\netab.exe

O4 - HKLM\..\RunOnce: [d3qw32.exe] C:\WINDOWS\system32\d3qw32.exe

O4 - HKLM\..\RunOnce: [crrw.exe] C:\WINDOWS\crrw.exe

O4 - HKLM\..\RunOnce: [apius.exe] C:\WINDOWS\system32\apius.exe

O4 - HKLM\..\RunOnce: [ieff.exe] C:\WINDOWS\ieff.exe

O4 - HKLM\..\RunOnce: [apixh32.exe] C:\WINDOWS\apixh32.exe

O4 - HKLM\..\RunOnce: [winhy32.exe] C:\WINDOWS\winhy32.exe

O4 - HKLM\..\RunOnce: [netid.exe] C:\WINDOWS\system32\netid.exe

O4 - HKLM\..\RunOnce: [d3nu32.exe] C:\WINDOWS\d3nu32.exe

O4 - HKLM\..\RunOnce: [atlfn32.exe] C:\WINDOWS\atlfn32.exe

O4 - HKLM\..\RunOnce: [javafe.exe] C:\WINDOWS\javafe.exe

O4 - HKLM\..\RunOnce: [javawe.exe] C:\WINDOWS\system32\javawe.exe

O4 - HKLM\..\RunOnce: [mfclc.exe] C:\WINDOWS\mfclc.exe

O4 - HKLM\..\RunOnce: [ntmf.exe] C:\WINDOWS\system32\ntmf.exe

O4 - HKLM\..\RunOnce: [ieee.exe] C:\WINDOWS\system32\ieee.exe

O4 - HKLM\..\RunOnce: [d3ap32.exe] C:\WINDOWS\d3ap32.exe

O4 - HKLM\..\RunOnce: [syshc.exe] C:\WINDOWS\system32\syshc.exe

O4 - HKLM\..\RunOnce: [iput32.exe] C:\WINDOWS\system32\iput32.exe

O4 - HKLM\..\RunOnce: [ntck.exe] C:\WINDOWS\ntck.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8098.7303240741

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab


Hi susan,

 

There has been an update to Hijackthis and About:Buster since the last time you were here.

Also your Ad-aware should be updated.

 

 

Download About:Buster v2.0 from here: http://www.downloads.subratam.org/AboutBuster.zip

but don't run it yet.

Unzip all files from the zip folder to a folder or your desktop.

Start it and click ok.

Then click "Update". A new screen should popup.

On that screen click "Check for Updates".

If there is an update found, click "Download Updates".

If it doesn't find an update, it will automatically tell you and exit.

We will run it later.

_ _ _ _ _ _

 

 

Make sure you can view hidden and system files: hidden files

 

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

 

It might help to print this part out. Don't open Internet Explorer during any portion of this process.

 

Reboot to Safe mode (tap F8 while restarting).

 

Step 1:

 

Click on Start, then Control Panel, then Administrative Tools, then Services. Look for a service called Network Security Service. Double click on that service, click Stop and then set the startup type to Disabled. Also write down the name and path of the file listed in the Path to executable field. This file must be deleted below.

 

Step 2:

 

Go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for these: (if they are there)

 

atlfn32.exe

criv.exe

 

Then close task manager.

 

Step 3:

 

Open Hijackthis, click Scan, then put a check next to the following entries:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhyim.dll/sp.html#27063

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vhyim.dll/index.html#27063

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vhyim.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhyim.dll/sp.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vhyim.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vhyim.dll/sp.html#27063

 

O2 - BHO: (no name) - {4098B116-3E9F-6C68-3DD2-D1F9DE132411} - C:\WINDOWS\netkw.dll

 

O4 - HKLM\..\Run: [criv.exe] C:\WINDOWS\system32\criv.exe

 

O4 - HKLM\..\RunOnce: [addjb.exe] C:\WINDOWS\system32\addjb.exe

O4 - HKLM\..\RunOnce: [addyg32.exe] C:\WINDOWS\addyg32.exe

O4 - HKLM\..\RunOnce: [addwe32.exe] C:\WINDOWS\system32\addwe32.exe

O4 - HKLM\..\RunOnce: [mfcnm.exe] C:\WINDOWS\system32\mfcnm.exe

O4 - HKLM\..\RunOnce: [winzx.exe] C:\WINDOWS\winzx.exe

O4 - HKLM\..\RunOnce: [mfcup32.exe] C:\WINDOWS\system32\mfcup32.exe

O4 - HKLM\..\RunOnce: [atlov32.exe] C:\WINDOWS\system32\atlov32.exe

O4 - HKLM\..\RunOnce: [atlbl32.exe] C:\WINDOWS\system32\atlbl32.exe

O4 - HKLM\..\RunOnce: [apizn32.exe] C:\WINDOWS\apizn32.exe

O4 - HKLM\..\RunOnce: [d3fg32.exe] C:\WINDOWS\d3fg32.exe

O4 - HKLM\..\RunOnce: [wintu.exe] C:\WINDOWS\wintu.exe

O4 - HKLM\..\RunOnce: [iezn32.exe] C:\WINDOWS\iezn32.exe

O4 - HKLM\..\RunOnce: [sdkeh.exe] C:\WINDOWS\sdkeh.exe

O4 - HKLM\..\RunOnce: [addja32.exe] C:\WINDOWS\system32\addja32.exe

O4 - HKLM\..\RunOnce: [ntzy.exe] C:\WINDOWS\ntzy.exe

O4 - HKLM\..\RunOnce: [winel32.exe] C:\WINDOWS\system32\winel32.exe

O4 - HKLM\..\RunOnce: [ipfs32.exe] C:\WINDOWS\ipfs32.exe

O4 - HKLM\..\RunOnce: [addbi32.exe] C:\WINDOWS\system32\addbi32.exe

O4 - HKLM\..\RunOnce: [msdl32.exe] C:\WINDOWS\msdl32.exe

O4 - HKLM\..\RunOnce: [d3nu.exe] C:\WINDOWS\d3nu.exe

O4 - HKLM\..\RunOnce: [mfced.exe] C:\WINDOWS\mfced.exe

O4 - HKLM\..\RunOnce: [apild32.exe] C:\WINDOWS\system32\apild32.exe

O4 - HKLM\..\RunOnce: [ntvy32.exe] C:\WINDOWS\system32\ntvy32.exe

O4 - HKLM\..\RunOnce: [appas32.exe] C:\WINDOWS\system32\appas32.exe

O4 - HKLM\..\RunOnce: [crrb.exe] C:\WINDOWS\system32\crrb.exe

O4 - HKLM\..\RunOnce: [appwm.exe] C:\WINDOWS\system32\appwm.exe

O4 - HKLM\..\RunOnce: [syszj.exe] C:\WINDOWS\system32\syszj.exe

O4 - HKLM\..\RunOnce: [sysrt32.exe] C:\WINDOWS\sysrt32.exe

O4 - HKLM\..\RunOnce: [winqu.exe] C:\WINDOWS\winqu.exe

O4 - HKLM\..\RunOnce: [cryd32.exe] C:\WINDOWS\cryd32.exe

O4 - HKLM\..\RunOnce: [syspi.exe] C:\WINDOWS\syspi.exe

O4 - HKLM\..\RunOnce: [addlj.exe] C:\WINDOWS\addlj.exe

O4 - HKLM\..\RunOnce: [atlbu.exe] C:\WINDOWS\system32\atlbu.exe

O4 - HKLM\..\RunOnce: [addjp32.exe] C:\WINDOWS\system32\addjp32.exe

O4 - HKLM\..\RunOnce: [ntwd.exe] C:\WINDOWS\ntwd.exe

O4 - HKLM\..\RunOnce: [ipxs.exe] C:\WINDOWS\system32\ipxs.exe

O4 - HKLM\..\RunOnce: [crjj.exe] C:\WINDOWS\crjj.exe

O4 - HKLM\..\RunOnce: [crdi.exe] C:\WINDOWS\crdi.exe

O4 - HKLM\..\RunOnce: [ntgs.exe] C:\WINDOWS\system32\ntgs.exe

O4 - HKLM\..\RunOnce: [apphb.exe] C:\WINDOWS\apphb.exe

O4 - HKLM\..\RunOnce: [iprz.exe] C:\WINDOWS\system32\iprz.exe

O4 - HKLM\..\RunOnce: [neter.exe] C:\WINDOWS\system32\neter.exe

O4 - HKLM\..\RunOnce: [javaqv32.exe] C:\WINDOWS\javaqv32.exe

O4 - HKLM\..\RunOnce: [atldz.exe] C:\WINDOWS\atldz.exe

O4 - HKLM\..\RunOnce: [syshv32.exe] C:\WINDOWS\syshv32.exe

O4 - HKLM\..\RunOnce: [mfcnb.exe] C:\WINDOWS\system32\mfcnb.exe

O4 - HKLM\..\RunOnce: [winna32.exe] C:\WINDOWS\system32\winna32.exe

O4 - HKLM\..\RunOnce: [d3qa32.exe] C:\WINDOWS\d3qa32.exe

O4 - HKLM\..\RunOnce: [atlmp32.exe] C:\WINDOWS\atlmp32.exe

O4 - HKLM\..\RunOnce: [netdn.exe] C:\WINDOWS\system32\netdn.exe

O4 - HKLM\..\RunOnce: [addid32.exe] C:\WINDOWS\addid32.exe

O4 - HKLM\..\RunOnce: [addyo.exe] C:\WINDOWS\system32\addyo.exe

O4 - HKLM\..\RunOnce: [craj.exe] C:\WINDOWS\craj.exe

O4 - HKLM\..\RunOnce: [mfcms32.exe] C:\WINDOWS\mfcms32.exe

O4 - HKLM\..\RunOnce: [ipbi.exe] C:\WINDOWS\system32\ipbi.exe

O4 - HKLM\..\RunOnce: [apiwm.exe] C:\WINDOWS\apiwm.exe

O4 - HKLM\..\RunOnce: [netab.exe] C:\WINDOWS\netab.exe

O4 - HKLM\..\RunOnce: [d3qw32.exe] C:\WINDOWS\system32\d3qw32.exe

O4 - HKLM\..\RunOnce: [crrw.exe] C:\WINDOWS\crrw.exe

O4 - HKLM\..\RunOnce: [apius.exe] C:\WINDOWS\system32\apius.exe

O4 - HKLM\..\RunOnce: [ieff.exe] C:\WINDOWS\ieff.exe

O4 - HKLM\..\RunOnce: [apixh32.exe] C:\WINDOWS\apixh32.exe

O4 - HKLM\..\RunOnce: [winhy32.exe] C:\WINDOWS\winhy32.exe

O4 - HKLM\..\RunOnce: [netid.exe] C:\WINDOWS\system32\netid.exe

O4 - HKLM\..\RunOnce: [d3nu32.exe] C:\WINDOWS\d3nu32.exe

O4 - HKLM\..\RunOnce: [atlfn32.exe] C:\WINDOWS\atlfn32.exe

O4 - HKLM\..\RunOnce: [javafe.exe] C:\WINDOWS\javafe.exe

O4 - HKLM\..\RunOnce: [javawe.exe] C:\WINDOWS\system32\javawe.exe

O4 - HKLM\..\RunOnce: [mfclc.exe] C:\WINDOWS\mfclc.exe

O4 - HKLM\..\RunOnce: [ntmf.exe] C:\WINDOWS\system32\ntmf.exe

O4 - HKLM\..\RunOnce: [ieee.exe] C:\WINDOWS\system32\ieee.exe

O4 - HKLM\..\RunOnce: [d3ap32.exe] C:\WINDOWS\d3ap32.exe

O4 - HKLM\..\RunOnce: [syshc.exe] C:\WINDOWS\system32\syshc.exe

O4 - HKLM\..\RunOnce: [iput32.exe] C:\WINDOWS\system32\iput32.exe

O4 - HKLM\..\RunOnce: [ntck.exe] C:\WINDOWS\ntck.exe

 

 

Now Close all open Windows (have only HJT open) and click "Fix Checked".

 

 

Step 4:

 

Then delete the following files:

 

The file from step 1,

 

These are in: C:\Windows\

 

addid32.exe

addlj.exe

addyg32.exe

apixh32.exe

apiwm.exe

apizn32.exe

apphb.exe

atldz.exe

atlfn32.exe

atlmp32.exe

craj.exe

crdi.exe

crjj.exe

crrw.exe

cryd32.exe

d3ap32.exe

d3fg32.exe

d3nu32.exe

d3nu.exe

d3qa32.exe

ieff.exe

iezn32.exe

ipfs32.exe

javafe.exe

javaqv32.exe

mfced.exe

mfclc.exe

mfcms32.exe

msdl32.exe

netab.exe

netkw.dll

ntck.exe

ntwd.exe

ntzy.exe

sdkeh.exe

syshv32.exe

sysrt32.exe

syspi.exe

vhyim.dll

winhy32.exe

winqu.exe

wintu.exe

winzx.exe

 

And these are in: C:\WINDOWS\system32\

 

addbi32.exe

addja32.exe

addjb.exe

addjp32.exe

addyo.exe

addwe32.exe

apild32.exe

apius.exe

appas32.exe

appwm.exe

atlbu.exe

atlbl32.exe

atlov32.exe

criv.exe

crrb.exe

d3qw32.exe

ieee.exe

ipbi.exe

iprz.exe

iput32.exe

ipxs.exe

javawe.exe

mfcnb.exe

mfcnm.exe

mfcup32.exe

netdn.exe

neter.exe

netid.exe

ntgs.exe

ntmf.exe

ntvy32.exe

syshc.exe

syszj.exe

winel32.exe

winna32.exe

 

 

Also delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

 

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

 

Step 5:

 

Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

and highlight Services in the left pane. In the right pane, look for any of these entries:

 

__NS_Service

__NS_Service_2

__NS_Service_3

 

If any are listed, right-click that entry in the right pane and choose Delete.

 

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

 

LEGACY___NS_Service

LEGACY___NS_Service_2

LEGACY___NS_Service_3

 

If you find it, right-click it in the right-pane and choose delete.

 

If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

 

Step 6:

 

 

Then browse to the C:\documents and settings\<Your Profile> (repeat for all users)\local settings\temp folder and delete all files and folders in it.

Then browse to the C:\Windows\Temp folder and delete all files in it.

This will delete all your cached internet content including cookies.

 

Then in Internet Explorer (when you get back to IE) click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

 

Step 7:

 

Double click AboutBuster.exe that you downloaded earlier.

Hit start and then Ok. The program should start scanning. Then hit exit and reboot.

Once rebooted run About:Buster once more to make sure everything is ok.

 

Step 8:

 

Restore files deleted by this malware.

 

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit the program.

 

If you have Spybot S&D installed you will also need to replace one file.

Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

 

If you are having any problems opening the Control Panel, go here, and download control.exe per the instructions at the site.

 

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX! If they have been changed, reset your ActiveX security settings in IE as recommended here: http://www.jfitz.com/tips/ie_security_config.html .

 

Step 9:

 

Then, take a free on-line scan at HouseCall

 

Step 10:

 

Then, clean out your System Restore

Doing this will remove all your restore points.

 

Click Start > Settings > Control Panel.

Double-click the System icon.

On the Performance tab click File System.

Click the Troubleshooting tab

Then check Disable System Restore

Click OK.

Click Yes, when you are prompted to restart Windows.

 

After you have restarted, turn System Restore back on:

Click Start > Settings > Control Panel.

Double-click System.

On the Performance tab click File System.

On the Troubleshooting tab, uncheck Disable System Restore.

Click OK. Click Yes, when you are prompted to restart Windows.

 

Then clean your Recycle bin.

 

Also update and run Ad-aware.

 

After you restart, please post a new HJT log.

There is a newer version of HJT out now.

Open HJT, click Config... then Misc Tools, then Check for Update online, and get v1.98

Or you can get it here: HijackThis.exe

 

 

(I'll be away for a few days, but you'll be in good hands)

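The checks Autodad applies by hand above (R0/R1 pages pointing at a res://...dll resource, the unnamed BHO sitting directly under C:\WINDOWS, the RunOnce loaders with random-looking names, and the O16 entries with no class name or a file:// source) written out as a small Python triage script. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the logs posted in this thread, the file-name pattern is a heuristic derived only from the names seen here, and it assumes Windows is installed in C:\WINDOWS.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread, plus
# three legitimate entries (Adobe BHO, Norton ccApp, Shockwave) kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhyim.dll/sp.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vhyim.dll/index.html#27063
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4098B116-3E9F-6C68-3DD2-D1F9DE132411} - C:\WINDOWS\netkw.dll
O4 - HKLM\..\Run: [criv.exe] C:\WINDOWS\system32\criv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [addyg32.exe] C:\WINDOWS\addyg32.exe
O4 - HKLM\..\RunOnce: [mfcnm.exe] C:\WINDOWS\system32\mfcnm.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
"""

# One HJT entry per line: section code, " - ", body.
ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# IE start/search page redirected into an .html resource inside a DLL.
RES_DLL = re.compile(r"= res://\S*\.dll/", re.IGNORECASE)
O2_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.+)$")
O4_RUN = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[[^\]]*\] (?P<cmd>.+)$")
O16_DPF = re.compile(r"^DPF: \{[^}]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>.+)$")
# Heuristic derived only from the loader names in this thread (criv, apiem, addyg32,
# mfcnm, ...): familiar prefix + two random letters + optional "32". Not a general rule.
RANDOM_NAME = re.compile(
    r"^(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.(exe|dll)$",
    re.IGNORECASE,
)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"/]*\.(?:exe|dll)', re.IGNORECASE)
# Assumes Windows is installed in C:\WINDOWS, as in the logs above.
WINDOWS_DIRS = (r"c:\windows", r"c:\windows\system32")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def in_windows_dir(path: str) -> bool:
    return ntpath.normcase(ntpath.dirname(path)) in WINDOWS_DIRS


def o4_executable(cmd: str) -> str:
    """Program path of a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(log: str) -> list:
    """Return the entries matching the CWS patterns above, each with a reason."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list, blank line
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and RES_DLL.search(body):
            findings.append(Finding(sec, line, "IE page setting points into a DLL resource (res://)"))
        elif sec == "O2":
            b = O2_BHO.match(body)
            if b and b.group("name") == "(no name)" and in_windows_dir(b.group("path")):
                findings.append(Finding(sec, line, "unnamed BHO loaded from the Windows directory"))
        elif sec == "O4":
            r = O4_RUN.match(body)
            if r:
                exe = o4_executable(r.group("cmd"))
                if in_windows_dir(exe) and RANDOM_NAME.match(ntpath.basename(exe)):
                    findings.append(Finding(sec, line, f"{r.group('key')} loader with a random-style name"))
        elif sec == "O16":
            d = O16_DPF.match(body)
            if d and (d.group("name") is None or d.group("url").lower().startswith("file://")):
                findings.append(Finding(sec, line, "ActiveX control with no class name or a local file:// source"))
    return findings


def files_to_review(findings) -> dict:
    """Group the binaries named in the findings by directory, as Step 4 of the thread does."""
    by_dir = defaultdict(set)
    for f in findings:
        for path in WIN_PATH.findall(f.line):
            by_dir[ntpath.normcase(ntpath.dirname(path))].add(ntpath.basename(path).lower())
    return {d: sorted(names) for d, names in sorted(by_dir.items())}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Feed it a full log (the file HijackThis saves) and it prints the same entries Autodad picked out, then files_to_review() gives the per-directory list to check by hand.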

I followed your instructions and my computer is working much quicker.

 

I could not find a Network Security Services file in the administrative programs. I found Network DDE and Network DDE DSDM.

 

On the old HJT log the HKCU entries were all \vhyim.dll...#27063. When I went to delete everything you had written, most were not found. The HKCU entries were all \nldju.dll...#27063.

 

I could not delete wintu.exe from Windows, or criv.exe from System32.

 

Everything else seemed to go okay.

 

Thanks.

 

susan


Hi susan

Autodad is away on vacation this week and he asked if I would help you out while he is gone.

 

You should post a fresh hijackthis log so we can check it over for you.
