• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
ale3164

res://ydyyw.dll/index.html

8 posts in this topic

Hi,

I've studied much on this site about this problem but no matter what I did it keeps coming back as soon as I open Internet Explorer. I wonder if anyone can help 'manually'.

I ran adaware with the latest definition, tried spybot, tried a couple of fixes I found on the boards and at one time managed to regain my www.google.com home page but it lasted only a couple of seconds before the first ad popped up and it all went wrong again :grrr:

 

Here's my Hijack log:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:53:11 PM, on 7/13/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\ADDLF32.EXE

C:\WINDOWS\CRGM.EXE

C:\WINDOWS\SYSTEM\SDKUD.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\MX\VI_GRM.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\CARPSERV.EXE

C:\WINDOWS\SYSTEM\STD.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\WINDOWS\SYSTEM\WINRL.EXE

C:\WINDOWS\CRGM.EXE

C:\WINDOWS\CRGM.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\CRGM.EXE

C:\WINDOWS\CRBX.EXE

C:\WINDOWS\NETZR32.EXE

C:\WINDOWS\ADDLF32.EXE

C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE

C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE

C:\WINDOWS\CRGM.EXE

C:\WINDOWS\SYSTEM\APPTB32.EXE

C:\WINDOWS\SYSTEM\APPTB32.EXE

C:\WINDOWS\SYSTEM\APITD.EXE

C:\WINDOWS\SYSTEM\APITD.EXE

C:\WINDOWS\CRGM.EXE

C:\WINDOWS\WUAUBOOT.EXE

C:\WINDOWS\RUNDLL32.EXE

E:\NEW DOWNLOADS\HIJACKTHIS1977.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ydyyw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydyyw.dll/sp.html#96676

F1 - win.ini: load=C:\MX\vi_grm.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {03079084-F75C-2B6F-084A-49B91F4795D1} - C:\WINDOWS\CRZG.DLL (file missing)

O2 - BHO: (no name) - {D884B5A0-3017-DC89-792D-96559276EAEB} - C:\WINDOWS\SYSTEM\SDKIC32.DLL (file missing)

O2 - BHO: (no name) - {7F1DF9FD-5957-0313-B9F9-EABDB4F680EE} - C:\WINDOWS\JAVACA32.DLL (file missing)

O2 - BHO: (no name) - {3E7CDDE8-9716-144C-9AAF-E90709400712} - C:\WINDOWS\SYSTEM\APPAR.DLL (file missing)

O2 - BHO: (no name) - {83962868-6A3A-9ABE-3EAD-6C841963E70A} - C:\WINDOWS\D3NW32.DLL (file missing)

O2 - BHO: (no name) - {A0EFD1BB-68C4-6795-EE28-3366CAE67C38} - C:\WINDOWS\SYSTEM\SYSQX32.DLL (file missing)

O2 - BHO: (no name) - {68238DDE-059B-0897-6A39-69CB853D5A0A} - C:\WINDOWS\SYSTEM\D3WZ32.DLL (file missing)

O2 - BHO: (no name) - {435F1D19-5009-3DC0-D4DA-82194D25D05C} - C:\WINDOWS\SYSTEM\ADDIQ32.DLL (file missing)

O2 - BHO: (no name) - {75895338-95C6-E212-8F56-E4EABE6726D1} - C:\WINDOWS\APPWC.DLL (file missing)

O2 - BHO: (no name) - {4566CC43-0B31-07E0-141A-12FC7D5FF802} - C:\WINDOWS\SYSDR32.DLL (file missing)

O2 - BHO: (no name) - {8D86E46F-B9DE-ADD7-1BA7-60042DD50BAA} - C:\WINDOWS\ADDUO32.DLL (file missing)

O2 - BHO: (no name) - {83A0177B-A41F-B1FA-F8EB-9BD00B7EAFEA} - C:\WINDOWS\ADDUO32.DLL (file missing)

O2 - BHO: (no name) - {1F23E677-6B02-0CE8-7B33-B10B254FB351} - C:\WINDOWS\ADDUO32.DLL (file missing)

O2 - BHO: (no name) - {26F48417-BA3B-EB85-58BC-D6D86BF802EF} - C:\WINDOWS\IEXM.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [ssd] C:\WINDOWS\SYSTEM\Std.exe

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [bootWarn] C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [WINRL.EXE] C:\WINDOWS\SYSTEM\WINRL.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\RunServices: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\RunServices: [sDKQV32.EXE] C:\WINDOWS\SYSTEM\SDKQV32.EXE

O4 - HKLM\..\RunServices: [D3QY.EXE] C:\WINDOWS\D3QY.EXE

O4 - HKLM\..\RunServices: [iENC32.EXE] C:\WINDOWS\IENC32.EXE

O4 - HKLM\..\RunServices: [D3VX.EXE] C:\WINDOWS\D3VX.EXE

O4 - HKLM\..\RunServices: [iEIB32.EXE] C:\WINDOWS\SYSTEM\IEIB32.EXE

O4 - HKLM\..\RunServices: [MFCSK32.EXE] C:\WINDOWS\SYSTEM\MFCSK32.EXE

O4 - HKLM\..\RunServices: [sDKCK32.EXE] C:\WINDOWS\SDKCK32.EXE

O4 - HKLM\..\RunServices: [MSIQ.EXE] C:\WINDOWS\SYSTEM\MSIQ.EXE

O4 - HKLM\..\RunServices: [MSWT.EXE] C:\WINDOWS\MSWT.EXE

O4 - HKLM\..\RunServices: [CRUQ.EXE] C:\WINDOWS\CRUQ.EXE

O4 - HKLM\..\RunServices: [MSCK32.EXE] C:\WINDOWS\MSCK32.EXE

O4 - HKLM\..\RunServices: [D3YL32.EXE] C:\WINDOWS\SYSTEM\D3YL32.EXE

O4 - HKLM\..\RunServices: [iPNP32.EXE] C:\WINDOWS\IPNP32.EXE

O4 - HKLM\..\RunServices: [APIXW32.EXE] C:\WINDOWS\APIXW32.EXE

O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE

O4 - HKLM\..\RunServices: [APIWY.EXE] C:\WINDOWS\SYSTEM\APIWY.EXE

O4 - HKLM\..\RunServices: [CRFT.EXE] C:\WINDOWS\SYSTEM\CRFT.EXE

O4 - HKLM\..\RunServices: [sYSHN.EXE] C:\WINDOWS\SYSTEM\SYSHN.EXE

O4 - HKLM\..\RunServices: [D3YZ.EXE] C:\WINDOWS\SYSTEM\D3YZ.EXE

O4 - HKLM\..\RunServices: [NETHQ32.EXE] C:\WINDOWS\NETHQ32.EXE

O4 - HKLM\..\RunServices: [JAVAQX32.EXE] C:\WINDOWS\SYSTEM\JAVAQX32.EXE

O4 - HKLM\..\RunServices: [ATLHT.EXE] C:\WINDOWS\ATLHT.EXE

O4 - HKLM\..\RunServices: [CRGM.EXE] C:\WINDOWS\CRGM.EXE

O4 - HKLM\..\RunServices: [ADDLF32.EXE] C:\WINDOWS\ADDLF32.EXE

O4 - HKLM\..\RunServices: [sDKUD.EXE] C:\WINDOWS\SYSTEM\SDKUD.EXE

O4 - HKLM\..\RunServices: [CRBX.EXE] C:\WINDOWS\CRBX.EXE

O4 - HKLM\..\RunServices: [NETZR32.EXE] C:\WINDOWS\NETZR32.EXE

O4 - HKLM\..\RunServices: [APPTB32.EXE] C:\WINDOWS\SYSTEM\APPTB32.EXE

O4 - HKLM\..\RunServices: [APITD.EXE] C:\WINDOWS\SYSTEM\APITD.EXE

O4 - HKCU\..\Run: [incrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8135.5500231481

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

If anyone can help sort this out ... please help me before the wipe. I formatted once already because of a different problem ... what a pain!!!

Share this post


Link to post
Share on other sites

Hello ale3164,

 

First, please download the latest version of HijackThis from here, and scan/post a fresh HijackThis logfile in this thread.

 

Next, please download About:Buster Version 1.27 and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

 

If this doesnt work, boot into safe mode and try. How to boot into safe mode?

Share this post


Link to post
Share on other sites

Ok, here's the new log:

 

Logfile of HijackThis v1.98.0

Scan saved at 11:43:51 PM, on 7/13/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\CRGM.EXE

C:\WINDOWS\ADDLF32.EXE

C:\WINDOWS\SYSTEM\SDKUD.EXE

C:\WINDOWS\CRBX.EXE

C:\WINDOWS\NETZR32.EXE

C:\WINDOWS\SYSTEM\APPTB32.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\APITD.EXE

C:\MX\VI_GRM.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\CARPSERV.EXE

C:\WINDOWS\SYSTEM\STD.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\WINDOWS\SYSTEM\WINRL.EXE

C:\WINDOWS\SYSTEM\APITD.EXE

C:\WINDOWS\SYSTEM\APITD.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE

C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\APITD.EXE

C:\WINDOWS\SYSTEM\MFCVY.EXE

C:\WINDOWS\SYSTEM\NTED.EXE

C:\WINDOWS\CRGM.EXE

C:\WINDOWS\SYSTEM\APITD.EXE

C:\WINDOWS\NTSK32.EXE

C:\WINDOWS\SYSTEM\APITD.EXE

C:\WINDOWS\D3UK.EXE

E:\NEW DOWNLOADS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ydyyw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydyyw.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676

R3 - Default URLSearchHook is missing

F1 - win.ini: load=C:\MX\vi_grm.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: Class - {03079084-F75C-2B6F-084A-49B91F4795D1} - C:\WINDOWS\CRZG.DLL (file missing)

O2 - BHO: Class - {D884B5A0-3017-DC89-792D-96559276EAEB} - C:\WINDOWS\SYSTEM\SDKIC32.DLL (file missing)

O2 - BHO: Class - {7F1DF9FD-5957-0313-B9F9-EABDB4F680EE} - C:\WINDOWS\JAVACA32.DLL (file missing)

O2 - BHO: Class - {3E7CDDE8-9716-144C-9AAF-E90709400712} - C:\WINDOWS\SYSTEM\APPAR.DLL (file missing)

O2 - BHO: Class - {83962868-6A3A-9ABE-3EAD-6C841963E70A} - C:\WINDOWS\D3NW32.DLL (file missing)

O2 - BHO: Class - {A0EFD1BB-68C4-6795-EE28-3366CAE67C38} - C:\WINDOWS\SYSTEM\SYSQX32.DLL (file missing)

O2 - BHO: Class - {68238DDE-059B-0897-6A39-69CB853D5A0A} - C:\WINDOWS\SYSTEM\D3WZ32.DLL (file missing)

O2 - BHO: Class - {435F1D19-5009-3DC0-D4DA-82194D25D05C} - C:\WINDOWS\SYSTEM\ADDIQ32.DLL (file missing)

O2 - BHO: Class - {75895338-95C6-E212-8F56-E4EABE6726D1} - C:\WINDOWS\APPWC.DLL (file missing)

O2 - BHO: Class - {4566CC43-0B31-07E0-141A-12FC7D5FF802} - C:\WINDOWS\SYSDR32.DLL (file missing)

O2 - BHO: Class - {8D86E46F-B9DE-ADD7-1BA7-60042DD50BAA} - C:\WINDOWS\ADDUO32.DLL (file missing)

O2 - BHO: Class - {83A0177B-A41F-B1FA-F8EB-9BD00B7EAFEA} - C:\WINDOWS\ADDUO32.DLL (file missing)

O2 - BHO: Class - {1F23E677-6B02-0CE8-7B33-B10B254FB351} - C:\WINDOWS\ADDUO32.DLL (file missing)

O2 - BHO: Class - {26F48417-BA3B-EB85-58BC-D6D86BF802EF} - C:\WINDOWS\IEXM.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [ssd] C:\WINDOWS\SYSTEM\Std.exe

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [bootWarn] C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [WINRL.EXE] C:\WINDOWS\SYSTEM\WINRL.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\RunServices: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\RunServices: [sDKQV32.EXE] C:\WINDOWS\SYSTEM\SDKQV32.EXE

O4 - HKLM\..\RunServices: [D3QY.EXE] C:\WINDOWS\D3QY.EXE

O4 - HKLM\..\RunServices: [iENC32.EXE] C:\WINDOWS\IENC32.EXE

O4 - HKLM\..\RunServices: [D3VX.EXE] C:\WINDOWS\D3VX.EXE

O4 - HKLM\..\RunServices: [iEIB32.EXE] C:\WINDOWS\SYSTEM\IEIB32.EXE

O4 - HKLM\..\RunServices: [MFCSK32.EXE] C:\WINDOWS\SYSTEM\MFCSK32.EXE

O4 - HKLM\..\RunServices: [sDKCK32.EXE] C:\WINDOWS\SDKCK32.EXE

O4 - HKLM\..\RunServices: [MSIQ.EXE] C:\WINDOWS\SYSTEM\MSIQ.EXE

O4 - HKLM\..\RunServices: [MSWT.EXE] C:\WINDOWS\MSWT.EXE

O4 - HKLM\..\RunServices: [CRUQ.EXE] C:\WINDOWS\CRUQ.EXE

O4 - HKLM\..\RunServices: [MSCK32.EXE] C:\WINDOWS\MSCK32.EXE

O4 - HKLM\..\RunServices: [D3YL32.EXE] C:\WINDOWS\SYSTEM\D3YL32.EXE

O4 - HKLM\..\RunServices: [iPNP32.EXE] C:\WINDOWS\IPNP32.EXE

O4 - HKLM\..\RunServices: [APIXW32.EXE] C:\WINDOWS\APIXW32.EXE

O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE

O4 - HKLM\..\RunServices: [APIWY.EXE] C:\WINDOWS\SYSTEM\APIWY.EXE

O4 - HKLM\..\RunServices: [CRFT.EXE] C:\WINDOWS\SYSTEM\CRFT.EXE

O4 - HKLM\..\RunServices: [sYSHN.EXE] C:\WINDOWS\SYSTEM\SYSHN.EXE

O4 - HKLM\..\RunServices: [D3YZ.EXE] C:\WINDOWS\SYSTEM\D3YZ.EXE

O4 - HKLM\..\RunServices: [NETHQ32.EXE] C:\WINDOWS\NETHQ32.EXE

O4 - HKLM\..\RunServices: [JAVAQX32.EXE] C:\WINDOWS\SYSTEM\JAVAQX32.EXE

O4 - HKLM\..\RunServices: [ATLHT.EXE] C:\WINDOWS\ATLHT.EXE

O4 - HKLM\..\RunServices: [CRGM.EXE] C:\WINDOWS\CRGM.EXE

O4 - HKLM\..\RunServices: [ADDLF32.EXE] C:\WINDOWS\ADDLF32.EXE

O4 - HKLM\..\RunServices: [sDKUD.EXE] C:\WINDOWS\SYSTEM\SDKUD.EXE

O4 - HKLM\..\RunServices: [CRBX.EXE] C:\WINDOWS\CRBX.EXE

O4 - HKLM\..\RunServices: [NETZR32.EXE] C:\WINDOWS\NETZR32.EXE

O4 - HKLM\..\RunServices: [APPTB32.EXE] C:\WINDOWS\SYSTEM\APPTB32.EXE

O4 - HKLM\..\RunServices: [APITD.EXE] C:\WINDOWS\SYSTEM\APITD.EXE

O4 - HKLM\..\RunServices: [MFCVY.EXE] C:\WINDOWS\SYSTEM\MFCVY.EXE

O4 - HKLM\..\RunServices: [NTED.EXE] C:\WINDOWS\SYSTEM\NTED.EXE

O4 - HKLM\..\RunServices: [NTSK32.EXE] C:\WINDOWS\NTSK32.EXE

O4 - HKLM\..\RunServices: [D3UK.EXE] C:\WINDOWS\D3UK.EXE

O4 - HKCU\..\Run: [incrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

 

-- Scan 1 --------

About:Buster Version 1.27

Removed! : C:\WINDOWS\erwgu.dat

Removed! : C:\WINDOWS\bmcrb.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

This is it - I hope you can help.

 

(CAn this be fixed by using Windows System Restore..guess not, it would have been to simple :)

Share this post


Link to post
Share on other sites

Hmm..Do this:

 

1.)

GoTo:

Start>run>Type:

msinfo32

*Expand: "Software Environment"

*Expand: "System hooks"

File may be listed As:

 

-Hook type: Window Procedure

-Hooked by: XXXXX.dll

-Application: RUNDLL32.EXE

-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll

-Application path: C:\WINDOWS\RUNDLL32.EXE

 

Where XXXXX..dll is the file name.

 

If So hilite And use edit>copy and post here

 

2.)

Download: "StartDreck", unzip!

*Don't be f00led by the site's 'unique' interface!!!

http://www.niksoft.at/download/startdreck.htm

DoubleClick: 'StartDreck.exe'

Hit: -config

hit: -Unmark all

Check these boxes only:

Registry->run keys

Registry-> Browser helper objects

System/drivers-> Running processes

hit >ok.

 

Use the "save" tab, to save, name and post the log!

Edited by splintercell990

Share this post


Link to post
Share on other sites

1.)

GoTo:

Start>run>Type:

msinfo32

*Expand: "Software Environment"

*Expand: "System hooks"

File may be listed As:

 

-Hook type: Window Procedure

-Hooked by: XXXXX.dll

-Application: RUNDLL32.EXE

-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll

-Application path: C:\WINDOWS\RUNDLL32.EXE

 

I COULD EXPAND 'SOFTWARE ENVIRONMENT' BUT THERE WAS NO 'SYSTEM HOOKS' ENTRY. :mellow:

 

________________

 

StartDreck (build 2.1.5 public BETA) - 2004-07-14 @ 00:37:12

Platform: Windows ME (Win 4.90.3000 )

 

»Registry

»Run Keys

»Current User

»Run

*IncrediMail=C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

*SpyKiller=C:\Program Files\SpyKiller\spykiller.exe /startup

»RunOnce

»Default User

»Run

*IncrediMail=C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

*SpyKiller=C:\Program Files\SpyKiller\spykiller.exe /startup

»RunOnce

»Local Machine

»Run

*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

*SystemTray=SysTray.Exe

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*CARPService=carpserv.exe

*Ssd=C:\WINDOWS\SYSTEM\Std.exe

*internat.exe=internat.exe

*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

*BootWarn=C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a

*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

*WinampAgent=C:\Program Files\Winamp\winampa.exe

*WINRL.EXE=C:\WINDOWS\SYSTEM\WINRL.EXE

*Installed=1

*NoChange=1

*Installed=1

*Installed=1

»RunOnce

»RunServices

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*SchedulingAgent=mstask.exe

**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe

*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

*CSINJECT.EXE=C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE

*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

*SymTray - Norton SystemWorks=C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

*SDKQV32.EXE=C:\WINDOWS\SYSTEM\SDKQV32.EXE

*D3QY.EXE=C:\WINDOWS\D3QY.EXE

*IENC32.EXE=C:\WINDOWS\IENC32.EXE

*D3VX.EXE=C:\WINDOWS\D3VX.EXE

*IEIB32.EXE=C:\WINDOWS\SYSTEM\IEIB32.EXE

*MFCSK32.EXE=C:\WINDOWS\SYSTEM\MFCSK32.EXE

*SDKCK32.EXE=C:\WINDOWS\SDKCK32.EXE

*MSIQ.EXE=C:\WINDOWS\SYSTEM\MSIQ.EXE

*MSWT.EXE=C:\WINDOWS\MSWT.EXE

*CRUQ.EXE=C:\WINDOWS\CRUQ.EXE

*MSCK32.EXE=C:\WINDOWS\MSCK32.EXE

*D3YL32.EXE=C:\WINDOWS\SYSTEM\D3YL32.EXE

*IPNP32.EXE=C:\WINDOWS\IPNP32.EXE

*APIXW32.EXE=C:\WINDOWS\APIXW32.EXE

*JAVAEF.EXE=C:\WINDOWS\SYSTEM\JAVAEF.EXE

*APIWY.EXE=C:\WINDOWS\SYSTEM\APIWY.EXE

*CRFT.EXE=C:\WINDOWS\SYSTEM\CRFT.EXE

*SYSHN.EXE=C:\WINDOWS\SYSTEM\SYSHN.EXE

*D3YZ.EXE=C:\WINDOWS\SYSTEM\D3YZ.EXE

*NETHQ32.EXE=C:\WINDOWS\NETHQ32.EXE

*JAVAQX32.EXE=C:\WINDOWS\SYSTEM\JAVAQX32.EXE

*ATLHT.EXE=C:\WINDOWS\ATLHT.EXE

*CRGM.EXE=C:\WINDOWS\CRGM.EXE

*ADDLF32.EXE=C:\WINDOWS\ADDLF32.EXE

*SDKUD.EXE=C:\WINDOWS\SYSTEM\SDKUD.EXE

*CRBX.EXE=C:\WINDOWS\CRBX.EXE

*NETZR32.EXE=C:\WINDOWS\NETZR32.EXE

*APPTB32.EXE=C:\WINDOWS\SYSTEM\APPTB32.EXE

*APITD.EXE=C:\WINDOWS\SYSTEM\APITD.EXE

*MFCVY.EXE=C:\WINDOWS\SYSTEM\MFCVY.EXE

*NTED.EXE=C:\WINDOWS\SYSTEM\NTED.EXE

*NTSK32.EXE=C:\WINDOWS\NTSK32.EXE

*D3UK.EXE=C:\WINDOWS\D3UK.EXE

*ADDXO32.EXE=C:\WINDOWS\ADDXO32.EXE

*NTQW.EXE=C:\WINDOWS\NTQW.EXE

*MSRY32.EXE=C:\WINDOWS\SYSTEM\MSRY32.EXE

*JAVAGR.EXE=C:\WINDOWS\SYSTEM\JAVAGR.EXE

»RunServicesOnce

»RunOnceEx

»RunServicesOnceEx

»Browser Helper Objects (LM)

*{53707962-6F74-2D53-2644-206D7942484F}

`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}

`InprocServer32=C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

*Class/{03079084-F75C-2B6F-084A-49B91F4795D1}

`InprocServer32=C:\WINDOWS\CRZG.DLL

*Class/{D884B5A0-3017-DC89-792D-96559276EAEB}

`InprocServer32=C:\WINDOWS\SYSTEM\SDKIC32.DLL

*Class/{7F1DF9FD-5957-0313-B9F9-EABDB4F680EE}

`InprocServer32=C:\WINDOWS\JAVACA32.DLL

*Class/{3E7CDDE8-9716-144C-9AAF-E90709400712}

`InprocServer32=C:\WINDOWS\SYSTEM\APPAR.DLL

*Class/{83962868-6A3A-9ABE-3EAD-6C841963E70A}

`InprocServer32=C:\WINDOWS\D3NW32.DLL

*Class/{A0EFD1BB-68C4-6795-EE28-3366CAE67C38}

`InprocServer32=C:\WINDOWS\SYSTEM\SYSQX32.DLL

*Class/{68238DDE-059B-0897-6A39-69CB853D5A0A}

`InprocServer32=C:\WINDOWS\SYSTEM\D3WZ32.DLL

*Class/{435F1D19-5009-3DC0-D4DA-82194D25D05C}

`InprocServer32=C:\WINDOWS\SYSTEM\ADDIQ32.DLL

*Class/{75895338-95C6-E212-8F56-E4EABE6726D1}

`InprocServer32=C:\WINDOWS\APPWC.DLL

*Class/{4566CC43-0B31-07E0-141A-12FC7D5FF802}

`InprocServer32=C:\WINDOWS\SYSDR32.DLL

*Class/{8D86E46F-B9DE-ADD7-1BA7-60042DD50BAA}

`InprocServer32=C:\WINDOWS\ADDUO32.DLL

*Class/{83A0177B-A41F-B1FA-F8EB-9BD00B7EAFEA}

`InprocServer32=C:\WINDOWS\ADDUO32.DLL

*Class/{1F23E677-6B02-0CE8-7B33-B10B254FB351}

`InprocServer32=C:\WINDOWS\ADDUO32.DLL

*Class/{26F48417-BA3B-EB85-58BC-D6D86BF802EF}

`InprocServer32=C:\WINDOWS\IEXM.DLL

»Files

»System/Drivers

»Running Processes

*FFCFA26D=C:\WINDOWS\SYSTEM\KERNEL32.DLL

*FFFFE4C5=C:\WINDOWS\SYSTEM\MSGSRV32.EXE

*FFFE0439=C:\WINDOWS\SYSTEM\mmtask.tsk

*FFFE0EF5=C:\WINDOWS\SYSTEM\MPREXE.EXE

*FFFE7F6D=C:\WINDOWS\SYSTEM\MSTASK.EXE

*FFFEE975=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

*FFFEDB95=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE

*FFFD3285=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

*FFFEB31D=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE

*FFFD7AED=C:\WINDOWS\EXPLORER.EXE

*FFFD8421=C:\WINDOWS\CRGM.EXE

*FFFDE131=C:\WINDOWS\ADDLF32.EXE

*FFFDC5B5=C:\WINDOWS\SYSTEM\SDKUD.EXE

*FFFC602D=C:\WINDOWS\CRBX.EXE

*FFFD8FE9=C:\WINDOWS\NETZR32.EXE

*FFFDDA55=C:\WINDOWS\SYSTEM\APPTB32.EXE

*FFFC21AD=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

*FFFCA121=C:\WINDOWS\SYSTEM\APITD.EXE

*FFFBE795=C:\MX\VI_GRM.EXE

*FFFA1DF9=C:\WINDOWS\SYSTEM\DDHELP.EXE

*FFFA66E1=C:\WINDOWS\SYSTEM\SYSTRAY.EXE

*FFFC434D=C:\WINDOWS\CARPSERV.EXE

*FFFB1445=C:\WINDOWS\SYSTEM\STD.EXE

*FFFA4FE9=C:\WINDOWS\SYSTEM\INTERNAT.EXE

*FFFA21DD=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

*FFFA0B55=C:\WINDOWS\SYSTEM\WMIEXE.EXE

*FFFB8095=C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

*FFF99131=C:\WINDOWS\SYSTEM\WINRL.EXE

*FFF9C83D=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF9858D=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF9B88D=C:\WINDOWS\SYSTEM\RNAAPP.EXE

*FFF7067D=C:\WINDOWS\SYSTEM\TAPISRV.EXE

*FFFB30D9=C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE

*FFF80AAD=C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE

*FFF46AA1=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF4C0F5=C:\WINDOWS\SYSTEM\MFCVY.EXE

*FFF33E99=C:\WINDOWS\SYSTEM\NTED.EXE

*FFF370C5=C:\WINDOWS\CRGM.EXE

*FFF394E5=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF3F811=C:\WINDOWS\NTSK32.EXE

*FFF23F35=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF26C6D=C:\WINDOWS\D3UK.EXE

*FFF29F51=C:\WINDOWS\SYSTEM\WINOA386.MOD

*FFF2F0AD=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF16479=C:\WINDOWS\NETZR32.EXE

*FFF1B135=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF1EB35=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF03F5D=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF073E9=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF09B59=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF05275=C:\WINDOWS\CRBX.EXE

*FFCF0AE9=C:\WINDOWS\NETZR32.EXE

*EF284BC9=C:\WINDOWS\ADDLF32.EXE

*EF27175D=C:\WINDOWS\NETZR32.EXE

*EF278601=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF04099=C:\WINDOWS\CRBX.EXE

*EF274701=C:\WINDOWS\SYSTEM\APITD.EXE

*EF275485=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF08419=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF190AD=C:\WINDOWS\ADDLF32.EXE

*EF28CDBD=C:\WINDOWS\ADDLF32.EXE

*EF279A9D=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF16035=C:\WINDOWS\SYSTEM\APITD.EXE

*EF262115=C:\WINDOWS\SYSTEM\MFCVY.EXE

*EF2643C1=C:\WINDOWS\SYSTEM\APITD.EXE

*EF26B699=C:\WINDOWS\SYSTEM\MFCVY.EXE

*EF26B0A9=C:\WINDOWS\ADDLF32.EXE

*EF268DA5=C:\WINDOWS\SYSTEM\APITD.EXE

*EF252279=C:\WINDOWS\CRBX.EXE

*EF27D895=C:\WINDOWS\CRBX.EXE

*EF25525D=C:\WINDOWS\NETZR32.EXE

*EF26CC2D=C:\WINDOWS\NTSK32.EXE

*FFF308C9=C:\WINDOWS\SYSTEM\APITD.EXE

*FFF1B3E1=C:\WINDOWS\ADDXO32.EXE

*EF27E619=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

*FFF6517D=C:\WINDOWS\SYSTEM\MFCVY.EXE

*FFF21B19=C:\WINDOWS\NTQW.EXE

*FFF38715=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HELPCTR.EXE

*EF249F25=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

*EF23346D=C:\WINDOWS\SYSTEM\SPOOL32.EXE

*EF223C89=C:\PROGRAM FILES\INCREDIMAIL\BIN\IMNOTFY.EXE

*EF23B061=C:\WINDOWS\SYSTEM\APITD.EXE

*FFFB4A59=C:\WINDOWS\SYSTEM\MSRY32.EXE

*EF22E98D=C:\WINDOWS\SYSTEM\APITD.EXE

*EF22F611=C:\WINDOWS\SYSTEM\JAVAGR.EXE

*EF22C02D=E:\NEW DOWNLOADS\STARTDRECK.EXE

»Application specific

 

Here is the log. Though - should I not delete some of the entries in HIJACK referring to the hijacked homepage?

Share this post


Link to post
Share on other sites

Okay, with all other browsers closed, please fix the following items in HijackThis:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ydyyw.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydyyw.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {03079084-F75C-2B6F-084A-49B91F4795D1} - C:\WINDOWS\CRZG.DLL (file missing)

O2 - BHO: Class - {D884B5A0-3017-DC89-792D-96559276EAEB} - C:\WINDOWS\SYSTEM\SDKIC32.DLL (file missing)

O2 - BHO: Class - {7F1DF9FD-5957-0313-B9F9-EABDB4F680EE} - C:\WINDOWS\JAVACA32.DLL (file missing)

O2 - BHO: Class - {3E7CDDE8-9716-144C-9AAF-E90709400712} - C:\WINDOWS\SYSTEM\APPAR.DLL (file missing)

O2 - BHO: Class - {83962868-6A3A-9ABE-3EAD-6C841963E70A} - C:\WINDOWS\D3NW32.DLL (file missing)

O2 - BHO: Class - {A0EFD1BB-68C4-6795-EE28-3366CAE67C38} - C:\WINDOWS\SYSTEM\SYSQX32.DLL (file missing)

O2 - BHO: Class - {68238DDE-059B-0897-6A39-69CB853D5A0A} - C:\WINDOWS\SYSTEM\D3WZ32.DLL (file missing)

O2 - BHO: Class - {435F1D19-5009-3DC0-D4DA-82194D25D05C} - C:\WINDOWS\SYSTEM\ADDIQ32.DLL (file missing)

O2 - BHO: Class - {75895338-95C6-E212-8F56-E4EABE6726D1} - C:\WINDOWS\APPWC.DLL (file missing)

O2 - BHO: Class - {4566CC43-0B31-07E0-141A-12FC7D5FF802} - C:\WINDOWS\SYSDR32.DLL (file missing)

O2 - BHO: Class - {8D86E46F-B9DE-ADD7-1BA7-60042DD50BAA} - C:\WINDOWS\ADDUO32.DLL (file missing)

O2 - BHO: Class - {83A0177B-A41F-B1FA-F8EB-9BD00B7EAFEA} - C:\WINDOWS\ADDUO32.DLL (file missing)

O2 - BHO: Class - {1F23E677-6B02-0CE8-7B33-B10B254FB351} - C:\WINDOWS\ADDUO32.DLL (file missing)

O2 - BHO: Class - {26F48417-BA3B-EB85-58BC-D6D86BF802EF} - C:\WINDOWS\IEXM.DLL

O4 - HKLM\..\RunServices: [sDKQV32.EXE] C:\WINDOWS\SYSTEM\SDKQV32.EXE

O4 - HKLM\..\RunServices: [D3QY.EXE] C:\WINDOWS\D3QY.EXE

O4 - HKLM\..\RunServices: [iENC32.EXE] C:\WINDOWS\IENC32.EXE

O4 - HKLM\..\RunServices: [D3VX.EXE] C:\WINDOWS\D3VX.EXE

O4 - HKLM\..\RunServices: [iEIB32.EXE] C:\WINDOWS\SYSTEM\IEIB32.EXE

O4 - HKLM\..\RunServices: [MFCSK32.EXE] C:\WINDOWS\SYSTEM\MFCSK32.EXE

O4 - HKLM\..\RunServices: [sDKCK32.EXE] C:\WINDOWS\SDKCK32.EXE

O4 - HKLM\..\RunServices: [MSIQ.EXE] C:\WINDOWS\SYSTEM\MSIQ.EXE

O4 - HKLM\..\RunServices: [MSWT.EXE] C:\WINDOWS\MSWT.EXE

O4 - HKLM\..\RunServices: [CRUQ.EXE] C:\WINDOWS\CRUQ.EXE

O4 - HKLM\..\RunServices: [MSCK32.EXE] C:\WINDOWS\MSCK32.EXE

O4 - HKLM\..\RunServices: [D3YL32.EXE] C:\WINDOWS\SYSTEM\D3YL32.EXE

O4 - HKLM\..\RunServices: [iPNP32.EXE] C:\WINDOWS\IPNP32.EXE

O4 - HKLM\..\RunServices: [APIXW32.EXE] C:\WINDOWS\APIXW32.EXE

O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE

O4 - HKLM\..\RunServices: [APIWY.EXE] C:\WINDOWS\SYSTEM\APIWY.EXE

O4 - HKLM\..\RunServices: [CRFT.EXE] C:\WINDOWS\SYSTEM\CRFT.EXE

O4 - HKLM\..\RunServices: [sYSHN.EXE] C:\WINDOWS\SYSTEM\SYSHN.EXE

O4 - HKLM\..\RunServices: [D3YZ.EXE] C:\WINDOWS\SYSTEM\D3YZ.EXE

O4 - HKLM\..\RunServices: [NETHQ32.EXE] C:\WINDOWS\NETHQ32.EXE

O4 - HKLM\..\RunServices: [JAVAQX32.EXE] C:\WINDOWS\SYSTEM\JAVAQX32.EXE

O4 - HKLM\..\RunServices: [ATLHT.EXE] C:\WINDOWS\ATLHT.EXE

O4 - HKLM\..\RunServices: [CRGM.EXE] C:\WINDOWS\CRGM.EXE

O4 - HKLM\..\RunServices: [ADDLF32.EXE] C:\WINDOWS\ADDLF32.EXE

O4 - HKLM\..\RunServices: [sDKUD.EXE] C:\WINDOWS\SYSTEM\SDKUD.EXE

O4 - HKLM\..\RunServices: [CRBX.EXE] C:\WINDOWS\CRBX.EXE

O4 - HKLM\..\RunServices: [NETZR32.EXE] C:\WINDOWS\NETZR32.EXE

O4 - HKLM\..\RunServices: [APPTB32.EXE] C:\WINDOWS\SYSTEM\APPTB32.EXE

O4 - HKLM\..\RunServices: [APITD.EXE] C:\WINDOWS\SYSTEM\APITD.EXE

O4 - HKLM\..\RunServices: [MFCVY.EXE] C:\WINDOWS\SYSTEM\MFCVY.EXE

O4 - HKLM\..\RunServices: [NTED.EXE] C:\WINDOWS\SYSTEM\NTED.EXE

O4 - HKLM\..\RunServices: [NTSK32.EXE] C:\WINDOWS\NTSK32.EXE

O4 - HKLM\..\RunServices: [D3UK.EXE] C:\WINDOWS\D3UK.EXE

 

Reboot to safe mode (press F8 after the BIOS loads), and delete all of the .exe's associated with the randomly named RunServices entries...

 

Reboot, and when in Windows again, download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

 

Install the program and launch it.

 

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

 

Next, we need to configure Ad-aware for a full scan.

 

icon11.gif Click on the Gear icon (second from the left) to access the preferences/settings window

 

1. In the General window make sure the following are selected:

  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives

icon11.gif Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

icon11.gif Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile

    [*]Under the Cleaning Engine:

    • Let Windows remove files in use at next reboot

icon11.gif Click on Proceed to save the settings.

 

icon11.gif Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

  • Use Custom Scanning Options

icon11.gif Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

icon11.gif Save the log file when it asks and then click Finish

icon11.gif When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

icon11.gifReboot your computer.

 

Next, download CWShredder:

http://www.spywareinfo.com/downloads/tools/CWShredder.exe

Double click and hit the fix button to fix all found problems, and Reboot.

 

Then Turn off System Restore. To do this, right-click My Computer and click Properties. Next, click the System Restore tab and check "Turn off System Restore". Finally, click Apply, and then click OK. Now, to finish resetting the system restore point, we need to turn ON System Restore once again. To do this, right-click My Computer and click Properties. Next, click the System Restore tab and UN-Check "Turn off System Restore". Finally, click Apply, and then click OK.

 

Next a full scan here and let it clean, making sure you reboot when it is done.

 

Post a fresh HijackThis logfile in this thread once you are done :)

 

Good Luck :)

Edited by splintercell990

Share this post


Link to post
Share on other sites

Splintercell, thanks for trying - after I followed your advice to the letter it seemed clean. However when I opened IE it came right back. I am discouraged that it can be removed short of a complete format. Whoever is the cause of this frustration deserves to be shot!

 

Can anything else be done?

 

Here's the new Hijack log:

 

Logfile of HijackThis v1.98.0

Scan saved at 9:20:20 PM, on 7/14/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE

C:\WINDOWS\NTQW.EXE

C:\WINDOWS\ADDXO32.EXE

C:\WINDOWS\SYSTEM\MSRY32.EXE

C:\WINDOWS\SYSTEM\APPCP32.EXE

C:\WINDOWS\NTEB32.EXE

C:\WINDOWS\SYSTEM\JAVAGR.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\MX\VI_GRM.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\CARPSERV.EXE

C:\WINDOWS\SYSTEM\STD.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\WINDOWS\SYSTEM\WINRL.EXE

C:\WINDOWS\NTQW.EXE

C:\WINDOWS\NTEB32.EXE

C:\WINDOWS\SYSTEM\JAVAGR.EXE

C:\WINDOWS\SYSTEM\MSRY32.EXE

C:\WINDOWS\SYSTEM\APPCP32.EXE

C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\NTQW.EXE

C:\WINDOWS\NTQW.EXE

C:\WINDOWS\MFCOO.EXE

C:\WINDOWS\NTEB32.EXE

C:\WINDOWS\IPCO.EXE

C:\WINDOWS\ADDXO32.EXE

C:\WINDOWS\NTQW.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\MFCOO.EXE

C:\WINDOWS\NTEB32.EXE

C:\MY DOCUMENTS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jblrg.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jblrg.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jblrg.dll/index.html#96676

R3 - Default URLSearchHook is missing

F1 - win.ini: load=C:\MX\vi_grm.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: Class - {6C5AE851-04CC-89B6-6790-7C463150E44F} - C:\WINDOWS\SYSTEM\APIZE.DLL (file missing)

O2 - BHO: Class - {9FF3EC2B-5A88-1F24-6D40-596F602C24F7} - C:\WINDOWS\SYSTEM\ADDLT32.DLL (file missing)

O2 - BHO: Class - {D909FA9D-7AE6-6B2A-B820-22D8EBB261F2} - C:\WINDOWS\ATLFD.DLL

O2 - BHO: Class - {EADA06E9-6006-2FFD-3A2E-309CEA0EE5DA} - C:\WINDOWS\IPZO.DLL (file missing)

O2 - BHO: Class - {5201E7DA-AC9B-AE35-32D6-EFC802B05B50} - C:\WINDOWS\SYSTEM\NETFU.DLL

O2 - BHO: Class - {DF83D71D-7E3C-905C-49E6-8B0B8142868F} - C:\WINDOWS\NTSG32.DLL (file missing)

O2 - BHO: Class - {B4FB0365-675A-5E62-B49B-D990566002AC} - C:\WINDOWS\ADDIY.DLL (file missing)

O2 - BHO: Class - {195BB02B-4008-2F27-063D-AEAD3798CA0C} - C:\WINDOWS\SYSTEM\APIYE.DLL (file missing)

O2 - BHO: Class - {01C38962-50E8-FF21-1263-007E149E5D9C} - C:\WINDOWS\SYSTEM\ATLWB.DLL (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [ssd] C:\WINDOWS\SYSTEM\Std.exe

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [bootWarn] C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [WINRL.EXE] C:\WINDOWS\SYSTEM\WINRL.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\RunServices: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\RunServices: [ADDXO32.EXE] C:\WINDOWS\ADDXO32.EXE

O4 - HKLM\..\RunServices: [NTQW.EXE] C:\WINDOWS\NTQW.EXE

O4 - HKLM\..\RunServices: [MSRY32.EXE] C:\WINDOWS\SYSTEM\MSRY32.EXE

O4 - HKLM\..\RunServices: [JAVAGR.EXE] C:\WINDOWS\SYSTEM\JAVAGR.EXE

O4 - HKLM\..\RunServices: [APPCP32.EXE] C:\WINDOWS\SYSTEM\APPCP32.EXE

O4 - HKLM\..\RunServices: [NTEB32.EXE] C:\WINDOWS\NTEB32.EXE

O4 - HKLM\..\RunServices: [MFCOO.EXE] C:\WINDOWS\MFCOO.EXE

O4 - HKLM\..\RunServices: [iPCO.EXE] C:\WINDOWS\IPCO.EXE

O4 - HKCU\..\Run: [incrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Share this post


Link to post
Share on other sites

Hello ale3164,

 

Lets try it the manual way then...

  1. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  2. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
  3. Scroll down and find the service called "Network Security Service".
  4. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
  5. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
     
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jblrg.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jblrg.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jblrg.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {6C5AE851-04CC-89B6-6790-7C463150E44F} - C:\WINDOWS\SYSTEM\APIZE.DLL (file missing)
    O2 - BHO: Class - {9FF3EC2B-5A88-1F24-6D40-596F602C24F7} - C:\WINDOWS\SYSTEM\ADDLT32.DLL (file missing)
    O2 - BHO: Class - {D909FA9D-7AE6-6B2A-B820-22D8EBB261F2} - C:\WINDOWS\ATLFD.DLL
    O2 - BHO: Class - {EADA06E9-6006-2FFD-3A2E-309CEA0EE5DA} - C:\WINDOWS\IPZO.DLL (file missing)
    O2 - BHO: Class - {5201E7DA-AC9B-AE35-32D6-EFC802B05B50} - C:\WINDOWS\SYSTEM\NETFU.DLL
    O2 - BHO: Class - {DF83D71D-7E3C-905C-49E6-8B0B8142868F} - C:\WINDOWS\NTSG32.DLL (file missing)
    O2 - BHO: Class - {B4FB0365-675A-5E62-B49B-D990566002AC} - C:\WINDOWS\ADDIY.DLL (file missing)
    O2 - BHO: Class - {195BB02B-4008-2F27-063D-AEAD3798CA0C} - C:\WINDOWS\SYSTEM\APIYE.DLL (file missing)
    O2 - BHO: Class - {01C38962-50E8-FF21-1263-007E149E5D9C} - C:\WINDOWS\SYSTEM\ATLWB.DLL (file missing)
    O4 - HKLM\..\RunServices: [ADDXO32.EXE] C:\WINDOWS\ADDXO32.EXE
    O4 - HKLM\..\RunServices: [NTQW.EXE] C:\WINDOWS\NTQW.EXE
    O4 - HKLM\..\RunServices: [MSRY32.EXE] C:\WINDOWS\SYSTEM\MSRY32.EXE
    O4 - HKLM\..\RunServices: [JAVAGR.EXE] C:\WINDOWS\SYSTEM\JAVAGR.EXE
    O4 - HKLM\..\RunServices: [APPCP32.EXE] C:\WINDOWS\SYSTEM\APPCP32.EXE
    O4 - HKLM\..\RunServices: [NTEB32.EXE] C:\WINDOWS\NTEB32.EXE
    O4 - HKLM\..\RunServices: [MFCOO.EXE] C:\WINDOWS\MFCOO.EXE
    O4 - HKLM\..\RunServices: [iPCO.EXE] C:\WINDOWS\IPCO.EXE
     
     
  6. Reboot into Safe Mode - How do I boot into "Safe" mode?, and delete the following files:
     
    jblrg.dll
    APIZE.DLL
    ADDLT32.DLL
    ATLFD.DLL
    IPZO.DLL
    NETFU.DLL
    NTSG32.DLL
    APIYE.DLL
    ATLWB.DLL
    ADDXO32.EXE
    NTQW.EXE
    MSRY32.EXE
    JAVAGR.EXE
    APPCP32.EXE
    NTEB32.EXE
    MFCOO.EXE
    IPCO.EXE
     
     
  7. Go to Start => Run and type in "regedit" (without quotes) and press "Enter".
  8. One the registry opens, Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
    If __NS_Service_3 exists , right click on it and choose delete from the menu.
  9. Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
    If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.
  10. Exit regedit and reboot in Normal Mode.
  11. Two files (Possibly three) were also deleted from your computer and need to be replaced.
    • control.exe - Go to Merijn Files (control) and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

[*]Run HiJackThis again and post a new log in this thread.

[/code]

 

Good Luck :)

Edited by splintercell990

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0