
res://ydyyw.dll/index.html


7 replies to this topic

#1 ale3164

  • New Member
  • 4 posts

Posted 13 July 2004 - 03:53 PM

Hi,
I've studied much on this site about this problem but no matter what I did it keeps coming back as soon as I open Internet Explorer. I wonder if anyone can help 'manually'.
I ran adaware with the latest definition, tried spybot, tried a couple of fixes I found on the boards and at one time managed to regain my www.google.com home page but it lasted only a couple of seconds before the first ad popped up and it all went wrong again :grrr:

Here's my Hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 10:53:11 PM, on 7/13/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ADDLF32.EXE
C:\WINDOWS\CRGM.EXE
C:\WINDOWS\SYSTEM\SDKUD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\MX\VI_GRM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\CARPSERV.EXE
C:\WINDOWS\SYSTEM\STD.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\WINRL.EXE
C:\WINDOWS\CRGM.EXE
C:\WINDOWS\CRGM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\CRGM.EXE
C:\WINDOWS\CRBX.EXE
C:\WINDOWS\NETZR32.EXE
C:\WINDOWS\ADDLF32.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\WINDOWS\CRGM.EXE
C:\WINDOWS\SYSTEM\APPTB32.EXE
C:\WINDOWS\SYSTEM\APPTB32.EXE
C:\WINDOWS\SYSTEM\APITD.EXE
C:\WINDOWS\SYSTEM\APITD.EXE
C:\WINDOWS\CRGM.EXE
C:\WINDOWS\WUAUBOOT.EXE
C:\WINDOWS\RUNDLL32.EXE
E:\NEW DOWNLOADS\HIJACKTHIS1977.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ydyyw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydyyw.dll/sp.html#96676
F1 - win.ini: load=C:\MX\vi_grm.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {03079084-F75C-2B6F-084A-49B91F4795D1} - C:\WINDOWS\CRZG.DLL (file missing)
O2 - BHO: (no name) - {D884B5A0-3017-DC89-792D-96559276EAEB} - C:\WINDOWS\SYSTEM\SDKIC32.DLL (file missing)
O2 - BHO: (no name) - {7F1DF9FD-5957-0313-B9F9-EABDB4F680EE} - C:\WINDOWS\JAVACA32.DLL (file missing)
O2 - BHO: (no name) - {3E7CDDE8-9716-144C-9AAF-E90709400712} - C:\WINDOWS\SYSTEM\APPAR.DLL (file missing)
O2 - BHO: (no name) - {83962868-6A3A-9ABE-3EAD-6C841963E70A} - C:\WINDOWS\D3NW32.DLL (file missing)
O2 - BHO: (no name) - {A0EFD1BB-68C4-6795-EE28-3366CAE67C38} - C:\WINDOWS\SYSTEM\SYSQX32.DLL (file missing)
O2 - BHO: (no name) - {68238DDE-059B-0897-6A39-69CB853D5A0A} - C:\WINDOWS\SYSTEM\D3WZ32.DLL (file missing)
O2 - BHO: (no name) - {435F1D19-5009-3DC0-D4DA-82194D25D05C} - C:\WINDOWS\SYSTEM\ADDIQ32.DLL (file missing)
O2 - BHO: (no name) - {75895338-95C6-E212-8F56-E4EABE6726D1} - C:\WINDOWS\APPWC.DLL (file missing)
O2 - BHO: (no name) - {4566CC43-0B31-07E0-141A-12FC7D5FF802} - C:\WINDOWS\SYSDR32.DLL (file missing)
O2 - BHO: (no name) - {8D86E46F-B9DE-ADD7-1BA7-60042DD50BAA} - C:\WINDOWS\ADDUO32.DLL (file missing)
O2 - BHO: (no name) - {83A0177B-A41F-B1FA-F8EB-9BD00B7EAFEA} - C:\WINDOWS\ADDUO32.DLL (file missing)
O2 - BHO: (no name) - {1F23E677-6B02-0CE8-7B33-B10B254FB351} - C:\WINDOWS\ADDUO32.DLL (file missing)
O2 - BHO: (no name) - {26F48417-BA3B-EB85-58BC-D6D86BF802EF} - C:\WINDOWS\IEXM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Ssd] C:\WINDOWS\SYSTEM\Std.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WINRL.EXE] C:\WINDOWS\SYSTEM\WINRL.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SDKQV32.EXE] C:\WINDOWS\SYSTEM\SDKQV32.EXE
O4 - HKLM\..\RunServices: [D3QY.EXE] C:\WINDOWS\D3QY.EXE
O4 - HKLM\..\RunServices: [IENC32.EXE] C:\WINDOWS\IENC32.EXE
O4 - HKLM\..\RunServices: [D3VX.EXE] C:\WINDOWS\D3VX.EXE
O4 - HKLM\..\RunServices: [IEIB32.EXE] C:\WINDOWS\SYSTEM\IEIB32.EXE
O4 - HKLM\..\RunServices: [MFCSK32.EXE] C:\WINDOWS\SYSTEM\MFCSK32.EXE
O4 - HKLM\..\RunServices: [SDKCK32.EXE] C:\WINDOWS\SDKCK32.EXE
O4 - HKLM\..\RunServices: [MSIQ.EXE] C:\WINDOWS\SYSTEM\MSIQ.EXE
O4 - HKLM\..\RunServices: [MSWT.EXE] C:\WINDOWS\MSWT.EXE
O4 - HKLM\..\RunServices: [CRUQ.EXE] C:\WINDOWS\CRUQ.EXE
O4 - HKLM\..\RunServices: [MSCK32.EXE] C:\WINDOWS\MSCK32.EXE
O4 - HKLM\..\RunServices: [D3YL32.EXE] C:\WINDOWS\SYSTEM\D3YL32.EXE
O4 - HKLM\..\RunServices: [IPNP32.EXE] C:\WINDOWS\IPNP32.EXE
O4 - HKLM\..\RunServices: [APIXW32.EXE] C:\WINDOWS\APIXW32.EXE
O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE
O4 - HKLM\..\RunServices: [APIWY.EXE] C:\WINDOWS\SYSTEM\APIWY.EXE
O4 - HKLM\..\RunServices: [CRFT.EXE] C:\WINDOWS\SYSTEM\CRFT.EXE
O4 - HKLM\..\RunServices: [SYSHN.EXE] C:\WINDOWS\SYSTEM\SYSHN.EXE
O4 - HKLM\..\RunServices: [D3YZ.EXE] C:\WINDOWS\SYSTEM\D3YZ.EXE
O4 - HKLM\..\RunServices: [NETHQ32.EXE] C:\WINDOWS\NETHQ32.EXE
O4 - HKLM\..\RunServices: [JAVAQX32.EXE] C:\WINDOWS\SYSTEM\JAVAQX32.EXE
O4 - HKLM\..\RunServices: [ATLHT.EXE] C:\WINDOWS\ATLHT.EXE
O4 - HKLM\..\RunServices: [CRGM.EXE] C:\WINDOWS\CRGM.EXE
O4 - HKLM\..\RunServices: [ADDLF32.EXE] C:\WINDOWS\ADDLF32.EXE
O4 - HKLM\..\RunServices: [SDKUD.EXE] C:\WINDOWS\SYSTEM\SDKUD.EXE
O4 - HKLM\..\RunServices: [CRBX.EXE] C:\WINDOWS\CRBX.EXE
O4 - HKLM\..\RunServices: [NETZR32.EXE] C:\WINDOWS\NETZR32.EXE
O4 - HKLM\..\RunServices: [APPTB32.EXE] C:\WINDOWS\SYSTEM\APPTB32.EXE
O4 - HKLM\..\RunServices: [APITD.EXE] C:\WINDOWS\SYSTEM\APITD.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8135.5500231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


If anyone can help sort this out ... please help me before the wipe. I formatted once already because of a different problem ... what a pain!!!

#2 Guest_splintercell990_*

  • Guests

Posted 13 July 2004 - 04:02 PM

Hello ale3164,

First, please download the latest version of HijackThis from here, and scan/post a fresh HijackThis logfile in this thread.

Next, please download About:Buster Version 1.27 and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

If this doesn't work, boot into safe mode and try. How to boot into safe mode?

#3 ale3164

  • New Member
  • 4 posts

Posted 13 July 2004 - 04:44 PM

Ok, here's the new log:

Logfile of HijackThis v1.98.0
Scan saved at 11:43:51 PM, on 7/13/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\CRGM.EXE
C:\WINDOWS\ADDLF32.EXE
C:\WINDOWS\SYSTEM\SDKUD.EXE
C:\WINDOWS\CRBX.EXE
C:\WINDOWS\NETZR32.EXE
C:\WINDOWS\SYSTEM\APPTB32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\APITD.EXE
C:\MX\VI_GRM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\CARPSERV.EXE
C:\WINDOWS\SYSTEM\STD.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\WINRL.EXE
C:\WINDOWS\SYSTEM\APITD.EXE
C:\WINDOWS\SYSTEM\APITD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\APITD.EXE
C:\WINDOWS\SYSTEM\MFCVY.EXE
C:\WINDOWS\SYSTEM\NTED.EXE
C:\WINDOWS\CRGM.EXE
C:\WINDOWS\SYSTEM\APITD.EXE
C:\WINDOWS\NTSK32.EXE
C:\WINDOWS\SYSTEM\APITD.EXE
C:\WINDOWS\D3UK.EXE
E:\NEW DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ydyyw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydyyw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676
R3 - Default URLSearchHook is missing
F1 - win.ini: load=C:\MX\vi_grm.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {03079084-F75C-2B6F-084A-49B91F4795D1} - C:\WINDOWS\CRZG.DLL (file missing)
O2 - BHO: Class - {D884B5A0-3017-DC89-792D-96559276EAEB} - C:\WINDOWS\SYSTEM\SDKIC32.DLL (file missing)
O2 - BHO: Class - {7F1DF9FD-5957-0313-B9F9-EABDB4F680EE} - C:\WINDOWS\JAVACA32.DLL (file missing)
O2 - BHO: Class - {3E7CDDE8-9716-144C-9AAF-E90709400712} - C:\WINDOWS\SYSTEM\APPAR.DLL (file missing)
O2 - BHO: Class - {83962868-6A3A-9ABE-3EAD-6C841963E70A} - C:\WINDOWS\D3NW32.DLL (file missing)
O2 - BHO: Class - {A0EFD1BB-68C4-6795-EE28-3366CAE67C38} - C:\WINDOWS\SYSTEM\SYSQX32.DLL (file missing)
O2 - BHO: Class - {68238DDE-059B-0897-6A39-69CB853D5A0A} - C:\WINDOWS\SYSTEM\D3WZ32.DLL (file missing)
O2 - BHO: Class - {435F1D19-5009-3DC0-D4DA-82194D25D05C} - C:\WINDOWS\SYSTEM\ADDIQ32.DLL (file missing)
O2 - BHO: Class - {75895338-95C6-E212-8F56-E4EABE6726D1} - C:\WINDOWS\APPWC.DLL (file missing)
O2 - BHO: Class - {4566CC43-0B31-07E0-141A-12FC7D5FF802} - C:\WINDOWS\SYSDR32.DLL (file missing)
O2 - BHO: Class - {8D86E46F-B9DE-ADD7-1BA7-60042DD50BAA} - C:\WINDOWS\ADDUO32.DLL (file missing)
O2 - BHO: Class - {83A0177B-A41F-B1FA-F8EB-9BD00B7EAFEA} - C:\WINDOWS\ADDUO32.DLL (file missing)
O2 - BHO: Class - {1F23E677-6B02-0CE8-7B33-B10B254FB351} - C:\WINDOWS\ADDUO32.DLL (file missing)
O2 - BHO: Class - {26F48417-BA3B-EB85-58BC-D6D86BF802EF} - C:\WINDOWS\IEXM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Ssd] C:\WINDOWS\SYSTEM\Std.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WINRL.EXE] C:\WINDOWS\SYSTEM\WINRL.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SDKQV32.EXE] C:\WINDOWS\SYSTEM\SDKQV32.EXE
O4 - HKLM\..\RunServices: [D3QY.EXE] C:\WINDOWS\D3QY.EXE
O4 - HKLM\..\RunServices: [IENC32.EXE] C:\WINDOWS\IENC32.EXE
O4 - HKLM\..\RunServices: [D3VX.EXE] C:\WINDOWS\D3VX.EXE
O4 - HKLM\..\RunServices: [IEIB32.EXE] C:\WINDOWS\SYSTEM\IEIB32.EXE
O4 - HKLM\..\RunServices: [MFCSK32.EXE] C:\WINDOWS\SYSTEM\MFCSK32.EXE
O4 - HKLM\..\RunServices: [SDKCK32.EXE] C:\WINDOWS\SDKCK32.EXE
O4 - HKLM\..\RunServices: [MSIQ.EXE] C:\WINDOWS\SYSTEM\MSIQ.EXE
O4 - HKLM\..\RunServices: [MSWT.EXE] C:\WINDOWS\MSWT.EXE
O4 - HKLM\..\RunServices: [CRUQ.EXE] C:\WINDOWS\CRUQ.EXE
O4 - HKLM\..\RunServices: [MSCK32.EXE] C:\WINDOWS\MSCK32.EXE
O4 - HKLM\..\RunServices: [D3YL32.EXE] C:\WINDOWS\SYSTEM\D3YL32.EXE
O4 - HKLM\..\RunServices: [IPNP32.EXE] C:\WINDOWS\IPNP32.EXE
O4 - HKLM\..\RunServices: [APIXW32.EXE] C:\WINDOWS\APIXW32.EXE
O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE
O4 - HKLM\..\RunServices: [APIWY.EXE] C:\WINDOWS\SYSTEM\APIWY.EXE
O4 - HKLM\..\RunServices: [CRFT.EXE] C:\WINDOWS\SYSTEM\CRFT.EXE
O4 - HKLM\..\RunServices: [SYSHN.EXE] C:\WINDOWS\SYSTEM\SYSHN.EXE
O4 - HKLM\..\RunServices: [D3YZ.EXE] C:\WINDOWS\SYSTEM\D3YZ.EXE
O4 - HKLM\..\RunServices: [NETHQ32.EXE] C:\WINDOWS\NETHQ32.EXE
O4 - HKLM\..\RunServices: [JAVAQX32.EXE] C:\WINDOWS\SYSTEM\JAVAQX32.EXE
O4 - HKLM\..\RunServices: [ATLHT.EXE] C:\WINDOWS\ATLHT.EXE
O4 - HKLM\..\RunServices: [CRGM.EXE] C:\WINDOWS\CRGM.EXE
O4 - HKLM\..\RunServices: [ADDLF32.EXE] C:\WINDOWS\ADDLF32.EXE
O4 - HKLM\..\RunServices: [SDKUD.EXE] C:\WINDOWS\SYSTEM\SDKUD.EXE
O4 - HKLM\..\RunServices: [CRBX.EXE] C:\WINDOWS\CRBX.EXE
O4 - HKLM\..\RunServices: [NETZR32.EXE] C:\WINDOWS\NETZR32.EXE
O4 - HKLM\..\RunServices: [APPTB32.EXE] C:\WINDOWS\SYSTEM\APPTB32.EXE
O4 - HKLM\..\RunServices: [APITD.EXE] C:\WINDOWS\SYSTEM\APITD.EXE
O4 - HKLM\..\RunServices: [MFCVY.EXE] C:\WINDOWS\SYSTEM\MFCVY.EXE
O4 - HKLM\..\RunServices: [NTED.EXE] C:\WINDOWS\SYSTEM\NTED.EXE
O4 - HKLM\..\RunServices: [NTSK32.EXE] C:\WINDOWS\NTSK32.EXE
O4 - HKLM\..\RunServices: [D3UK.EXE] C:\WINDOWS\D3UK.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

-- Scan 1 --------
About:Buster Version 1.27
Removed! : C:\WINDOWS\erwgu.dat
Removed! : C:\WINDOWS\bmcrb.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

This is it - I hope you can help.

(Can this be fixed by using Windows System Restore? Guess not, it would have been too simple :)
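Added here as a worked example (not from the thread, and not code from HijackThis or StartDreck): a small Python triage pass over a log in the HijackThis format posted above, encoding the three patterns the helper later singles out for fixing (start/search pages served from a local DLL via res://, generic "Class"/"(no name)" BHOs loaded from the Windows directory, and autostart entries named after loose executables in the Windows directory). The sample log, the heuristics and every function name are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis 1.98 log format, mixing legitimate entries
# with the res:// hijack, generic "Class" BHOs and RunServices loaders quoted
# in this thread. It is sample input for the triage below, not a real log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R3 - Default URLSearchHook is missing
F1 - win.ini: load=C:\MX\vi_grm.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {03079084-F75C-2B6F-084A-49B91F4795D1} - C:\WINDOWS\CRZG.DLL (file missing)
O2 - BHO: Class - {26F48417-BA3B-EB85-58BC-D6D86BF802EF} - C:\WINDOWS\IEXM.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SDKQV32.EXE] C:\WINDOWS\SYSTEM\SDKQV32.EXE
O4 - HKLM\..\RunServices: [APITD.EXE] C:\WINDOWS\SYSTEM\APITD.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
"""

# A file sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM (Win9x layout).
WINDOWS_DIR = re.compile(r"^C:\\WINDOWS\\(?:SYSTEM\\)?[^\\]+$", re.IGNORECASE)
# BHO display names that carry no identity; legitimate BHOs normally have one.
GENERIC_BHO_NAMES = {"(no name)", "Class"}
R_RE = re.compile(r"^(R[01]) - (.*?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section prefix: R0, R1, R3, O2 or O4
    reason: str
    line: str


def command_target(command: str) -> str:
    """Executable part of an O4 command: the quoted path, else the first token."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command.strip('"')
    return command.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Flag the log lines matching this example's heuristics (a human still reviews them)."""
    findings: list[Finding] = []
    for line in (ln.rstrip() for ln in log_text.splitlines()):
        if m := R_RE.match(line):
            # A start/search page served from a local DLL via res:// rather
            # than from a web site is the hijack seen in this thread.
            if m.group(3).lower().startswith("res://"):
                findings.append(Finding(m.group(1), "start/search page points at a res:// DLL", line))
        elif line.startswith("R3 - ") and "URLSearchHook is missing" in line:
            findings.append(Finding("R3", "default URLSearchHook removed", line))
        elif m := O2_RE.match(line):
            name, _clsid, rest = m.groups()
            path = rest.removesuffix(" (file missing)")
            # Generic name plus a loose DLL in the Windows directory. The missing
            # Spybot helper under Program Files does not match and is left alone.
            if name in GENERIC_BHO_NAMES and WINDOWS_DIR.match(path):
                findings.append(Finding("O2", "unnamed BHO loaded from the Windows directory", line))
        elif m := O4_RE.match(line):
            _hive, _key, entry, command = m.groups()
            # The loaders in this thread register under their own upper-case
            # file name (e.g. [SDKQV32.EXE]) and sit loose in the Windows
            # directory; a vendor entry like [CSINJECT.EXE] under Program Files passes.
            if entry.upper().endswith(".EXE") and WINDOWS_DIR.match(command_target(command)):
                findings.append(Finding("O4", "autostart entry named after a loose Windows-directory executable", line))
    return findings


def fix_list(log_text: str) -> list[str]:
    """The lines a helper would paste back as 'fix these in HijackThis'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample above the pass returns seven lines and leaves the Norton, Spybot, IncrediMail and Google entries untouched; on a real log it is a first sort for a human reviewer, not a verdict.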

#4 Guest_splintercell990_*

  • Guests

Posted 13 July 2004 - 05:20 PM

Hmm..Do this:

1.)
GoTo:
Start>run>Type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If so, highlight it, use Edit>Copy and post it here.

2.)
Download: "StartDreck", unzip!
*Don't be f00led by the site's 'unique' interface!!!
http://www.niksoft.a.../startdreck.htm
DoubleClick: 'StartDreck.exe'
Hit: -config
hit: -Unmark all
Check these boxes only:
Registry->run keys
Registry-> Browser helper objects
System/drivers-> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!

Edited by splintercell990, 13 July 2004 - 05:21 PM.


#5 ale3164

  • New Member
  • 4 posts

Posted 13 July 2004 - 05:39 PM

1.)
GoTo:
Start>run>Type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

I COULD EXPAND 'SOFTWARE ENVIRONMENT' BUT THERE WAS NO 'SYSTEM HOOKS' ENTRY. :mellow:

________________

StartDreck (build 2.1.5 public BETA) - 2004-07-14 @ 00:37:12
Platform: Windows ME (Win 4.90.3000 )

»Registry
»Run Keys
»Current User
»Run
*IncrediMail=C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
*SpyKiller=C:\Program Files\SpyKiller\spykiller.exe /startup
»RunOnce
»Default User
»Run
*IncrediMail=C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
*SpyKiller=C:\Program Files\SpyKiller\spykiller.exe /startup
»RunOnce
»Local Machine
»Run
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*CARPService=carpserv.exe
*Ssd=C:\WINDOWS\SYSTEM\Std.exe
*internat.exe=internat.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
*BootWarn=C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
*WinampAgent=C:\Program Files\Winamp\winampa.exe
*WINRL.EXE=C:\WINDOWS\SYSTEM\WINRL.EXE
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*CSINJECT.EXE=C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
*SymTray - Norton SystemWorks=C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
*SDKQV32.EXE=C:\WINDOWS\SYSTEM\SDKQV32.EXE
*D3QY.EXE=C:\WINDOWS\D3QY.EXE
*IENC32.EXE=C:\WINDOWS\IENC32.EXE
*D3VX.EXE=C:\WINDOWS\D3VX.EXE
*IEIB32.EXE=C:\WINDOWS\SYSTEM\IEIB32.EXE
*MFCSK32.EXE=C:\WINDOWS\SYSTEM\MFCSK32.EXE
*SDKCK32.EXE=C:\WINDOWS\SDKCK32.EXE
*MSIQ.EXE=C:\WINDOWS\SYSTEM\MSIQ.EXE
*MSWT.EXE=C:\WINDOWS\MSWT.EXE
*CRUQ.EXE=C:\WINDOWS\CRUQ.EXE
*MSCK32.EXE=C:\WINDOWS\MSCK32.EXE
*D3YL32.EXE=C:\WINDOWS\SYSTEM\D3YL32.EXE
*IPNP32.EXE=C:\WINDOWS\IPNP32.EXE
*APIXW32.EXE=C:\WINDOWS\APIXW32.EXE
*JAVAEF.EXE=C:\WINDOWS\SYSTEM\JAVAEF.EXE
*APIWY.EXE=C:\WINDOWS\SYSTEM\APIWY.EXE
*CRFT.EXE=C:\WINDOWS\SYSTEM\CRFT.EXE
*SYSHN.EXE=C:\WINDOWS\SYSTEM\SYSHN.EXE
*D3YZ.EXE=C:\WINDOWS\SYSTEM\D3YZ.EXE
*NETHQ32.EXE=C:\WINDOWS\NETHQ32.EXE
*JAVAQX32.EXE=C:\WINDOWS\SYSTEM\JAVAQX32.EXE
*ATLHT.EXE=C:\WINDOWS\ATLHT.EXE
*CRGM.EXE=C:\WINDOWS\CRGM.EXE
*ADDLF32.EXE=C:\WINDOWS\ADDLF32.EXE
*SDKUD.EXE=C:\WINDOWS\SYSTEM\SDKUD.EXE
*CRBX.EXE=C:\WINDOWS\CRBX.EXE
*NETZR32.EXE=C:\WINDOWS\NETZR32.EXE
*APPTB32.EXE=C:\WINDOWS\SYSTEM\APPTB32.EXE
*APITD.EXE=C:\WINDOWS\SYSTEM\APITD.EXE
*MFCVY.EXE=C:\WINDOWS\SYSTEM\MFCVY.EXE
*NTED.EXE=C:\WINDOWS\SYSTEM\NTED.EXE
*NTSK32.EXE=C:\WINDOWS\NTSK32.EXE
*D3UK.EXE=C:\WINDOWS\D3UK.EXE
*ADDXO32.EXE=C:\WINDOWS\ADDXO32.EXE
*NTQW.EXE=C:\WINDOWS\NTQW.EXE
*MSRY32.EXE=C:\WINDOWS\SYSTEM\MSRY32.EXE
*JAVAGR.EXE=C:\WINDOWS\SYSTEM\JAVAGR.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
*Class/{03079084-F75C-2B6F-084A-49B91F4795D1}
`InprocServer32=C:\WINDOWS\CRZG.DLL
*Class/{D884B5A0-3017-DC89-792D-96559276EAEB}
`InprocServer32=C:\WINDOWS\SYSTEM\SDKIC32.DLL
*Class/{7F1DF9FD-5957-0313-B9F9-EABDB4F680EE}
`InprocServer32=C:\WINDOWS\JAVACA32.DLL
*Class/{3E7CDDE8-9716-144C-9AAF-E90709400712}
`InprocServer32=C:\WINDOWS\SYSTEM\APPAR.DLL
*Class/{83962868-6A3A-9ABE-3EAD-6C841963E70A}
`InprocServer32=C:\WINDOWS\D3NW32.DLL
*Class/{A0EFD1BB-68C4-6795-EE28-3366CAE67C38}
`InprocServer32=C:\WINDOWS\SYSTEM\SYSQX32.DLL
*Class/{68238DDE-059B-0897-6A39-69CB853D5A0A}
`InprocServer32=C:\WINDOWS\SYSTEM\D3WZ32.DLL
*Class/{435F1D19-5009-3DC0-D4DA-82194D25D05C}
`InprocServer32=C:\WINDOWS\SYSTEM\ADDIQ32.DLL
*Class/{75895338-95C6-E212-8F56-E4EABE6726D1}
`InprocServer32=C:\WINDOWS\APPWC.DLL
*Class/{4566CC43-0B31-07E0-141A-12FC7D5FF802}
`InprocServer32=C:\WINDOWS\SYSDR32.DLL
*Class/{8D86E46F-B9DE-ADD7-1BA7-60042DD50BAA}
`InprocServer32=C:\WINDOWS\ADDUO32.DLL
*Class/{83A0177B-A41F-B1FA-F8EB-9BD00B7EAFEA}
`InprocServer32=C:\WINDOWS\ADDUO32.DLL
*Class/{1F23E677-6B02-0CE8-7B33-B10B254FB351}
`InprocServer32=C:\WINDOWS\ADDUO32.DLL
*Class/{26F48417-BA3B-EB85-58BC-D6D86BF802EF}
`InprocServer32=C:\WINDOWS\IEXM.DLL
»Files
»System/Drivers
»Running Processes
*FFCFA26D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFE4C5=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFE0439=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE0EF5=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE7F6D=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFEE975=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
*FFFEDB95=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
*FFFD3285=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
*FFFEB31D=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
*FFFD7AED=C:\WINDOWS\EXPLORER.EXE
*FFFD8421=C:\WINDOWS\CRGM.EXE
*FFFDE131=C:\WINDOWS\ADDLF32.EXE
*FFFDC5B5=C:\WINDOWS\SYSTEM\SDKUD.EXE
*FFFC602D=C:\WINDOWS\CRBX.EXE
*FFFD8FE9=C:\WINDOWS\NETZR32.EXE
*FFFDDA55=C:\WINDOWS\SYSTEM\APPTB32.EXE
*FFFC21AD=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
*FFFCA121=C:\WINDOWS\SYSTEM\APITD.EXE
*FFFBE795=C:\MX\VI_GRM.EXE
*FFFA1DF9=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFA66E1=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFC434D=C:\WINDOWS\CARPSERV.EXE
*FFFB1445=C:\WINDOWS\SYSTEM\STD.EXE
*FFFA4FE9=C:\WINDOWS\SYSTEM\INTERNAT.EXE
*FFFA21DD=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
*FFFA0B55=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFFB8095=C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
*FFF99131=C:\WINDOWS\SYSTEM\WINRL.EXE
*FFF9C83D=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF9858D=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF9B88D=C:\WINDOWS\SYSTEM\RNAAPP.EXE
*FFF7067D=C:\WINDOWS\SYSTEM\TAPISRV.EXE
*FFFB30D9=C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
*FFF80AAD=C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
*FFF46AA1=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF4C0F5=C:\WINDOWS\SYSTEM\MFCVY.EXE
*FFF33E99=C:\WINDOWS\SYSTEM\NTED.EXE
*FFF370C5=C:\WINDOWS\CRGM.EXE
*FFF394E5=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF3F811=C:\WINDOWS\NTSK32.EXE
*FFF23F35=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF26C6D=C:\WINDOWS\D3UK.EXE
*FFF29F51=C:\WINDOWS\SYSTEM\WINOA386.MOD
*FFF2F0AD=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF16479=C:\WINDOWS\NETZR32.EXE
*FFF1B135=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF1EB35=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF03F5D=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF073E9=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF09B59=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF05275=C:\WINDOWS\CRBX.EXE
*FFCF0AE9=C:\WINDOWS\NETZR32.EXE
*EF284BC9=C:\WINDOWS\ADDLF32.EXE
*EF27175D=C:\WINDOWS\NETZR32.EXE
*EF278601=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF04099=C:\WINDOWS\CRBX.EXE
*EF274701=C:\WINDOWS\SYSTEM\APITD.EXE
*EF275485=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF08419=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF190AD=C:\WINDOWS\ADDLF32.EXE
*EF28CDBD=C:\WINDOWS\ADDLF32.EXE
*EF279A9D=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF16035=C:\WINDOWS\SYSTEM\APITD.EXE
*EF262115=C:\WINDOWS\SYSTEM\MFCVY.EXE
*EF2643C1=C:\WINDOWS\SYSTEM\APITD.EXE
*EF26B699=C:\WINDOWS\SYSTEM\MFCVY.EXE
*EF26B0A9=C:\WINDOWS\ADDLF32.EXE
*EF268DA5=C:\WINDOWS\SYSTEM\APITD.EXE
*EF252279=C:\WINDOWS\CRBX.EXE
*EF27D895=C:\WINDOWS\CRBX.EXE
*EF25525D=C:\WINDOWS\NETZR32.EXE
*EF26CC2D=C:\WINDOWS\NTSK32.EXE
*FFF308C9=C:\WINDOWS\SYSTEM\APITD.EXE
*FFF1B3E1=C:\WINDOWS\ADDXO32.EXE
*EF27E619=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF6517D=C:\WINDOWS\SYSTEM\MFCVY.EXE
*FFF21B19=C:\WINDOWS\NTQW.EXE
*FFF38715=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HELPCTR.EXE
*EF249F25=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
*EF23346D=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*EF223C89=C:\PROGRAM FILES\INCREDIMAIL\BIN\IMNOTFY.EXE
*EF23B061=C:\WINDOWS\SYSTEM\APITD.EXE
*FFFB4A59=C:\WINDOWS\SYSTEM\MSRY32.EXE
*EF22E98D=C:\WINDOWS\SYSTEM\APITD.EXE
*EF22F611=C:\WINDOWS\SYSTEM\JAVAGR.EXE
*EF22C02D=E:\NEW DOWNLOADS\STARTDRECK.EXE
»Application specific

Here is the log. Though - should I not delete some of the entries in HIJACK referring to the hijacked homepage?

#6 Guest_splintercell990_*

  • Guests

Posted 13 July 2004 - 05:46 PM

Okay, with all other browsers closed, please fix the following items in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ydyyw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydyyw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydyyw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ydyyw.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {03079084-F75C-2B6F-084A-49B91F4795D1} - C:\WINDOWS\CRZG.DLL (file missing)
O2 - BHO: Class - {D884B5A0-3017-DC89-792D-96559276EAEB} - C:\WINDOWS\SYSTEM\SDKIC32.DLL (file missing)
O2 - BHO: Class - {7F1DF9FD-5957-0313-B9F9-EABDB4F680EE} - C:\WINDOWS\JAVACA32.DLL (file missing)
O2 - BHO: Class - {3E7CDDE8-9716-144C-9AAF-E90709400712} - C:\WINDOWS\SYSTEM\APPAR.DLL (file missing)
O2 - BHO: Class - {83962868-6A3A-9ABE-3EAD-6C841963E70A} - C:\WINDOWS\D3NW32.DLL (file missing)
O2 - BHO: Class - {A0EFD1BB-68C4-6795-EE28-3366CAE67C38} - C:\WINDOWS\SYSTEM\SYSQX32.DLL (file missing)
O2 - BHO: Class - {68238DDE-059B-0897-6A39-69CB853D5A0A} - C:\WINDOWS\SYSTEM\D3WZ32.DLL (file missing)
O2 - BHO: Class - {435F1D19-5009-3DC0-D4DA-82194D25D05C} - C:\WINDOWS\SYSTEM\ADDIQ32.DLL (file missing)
O2 - BHO: Class - {75895338-95C6-E212-8F56-E4EABE6726D1} - C:\WINDOWS\APPWC.DLL (file missing)
O2 - BHO: Class - {4566CC43-0B31-07E0-141A-12FC7D5FF802} - C:\WINDOWS\SYSDR32.DLL (file missing)
O2 - BHO: Class - {8D86E46F-B9DE-ADD7-1BA7-60042DD50BAA} - C:\WINDOWS\ADDUO32.DLL (file missing)
O2 - BHO: Class - {83A0177B-A41F-B1FA-F8EB-9BD00B7EAFEA} - C:\WINDOWS\ADDUO32.DLL (file missing)
O2 - BHO: Class - {1F23E677-6B02-0CE8-7B33-B10B254FB351} - C:\WINDOWS\ADDUO32.DLL (file missing)
O2 - BHO: Class - {26F48417-BA3B-EB85-58BC-D6D86BF802EF} - C:\WINDOWS\IEXM.DLL
O4 - HKLM\..\RunServices: [SDKQV32.EXE] C:\WINDOWS\SYSTEM\SDKQV32.EXE
O4 - HKLM\..\RunServices: [D3QY.EXE] C:\WINDOWS\D3QY.EXE
O4 - HKLM\..\RunServices: [IENC32.EXE] C:\WINDOWS\IENC32.EXE
O4 - HKLM\..\RunServices: [D3VX.EXE] C:\WINDOWS\D3VX.EXE
O4 - HKLM\..\RunServices: [IEIB32.EXE] C:\WINDOWS\SYSTEM\IEIB32.EXE
O4 - HKLM\..\RunServices: [MFCSK32.EXE] C:\WINDOWS\SYSTEM\MFCSK32.EXE
O4 - HKLM\..\RunServices: [SDKCK32.EXE] C:\WINDOWS\SDKCK32.EXE
O4 - HKLM\..\RunServices: [MSIQ.EXE] C:\WINDOWS\SYSTEM\MSIQ.EXE
O4 - HKLM\..\RunServices: [MSWT.EXE] C:\WINDOWS\MSWT.EXE
O4 - HKLM\..\RunServices: [CRUQ.EXE] C:\WINDOWS\CRUQ.EXE
O4 - HKLM\..\RunServices: [MSCK32.EXE] C:\WINDOWS\MSCK32.EXE
O4 - HKLM\..\RunServices: [D3YL32.EXE] C:\WINDOWS\SYSTEM\D3YL32.EXE
O4 - HKLM\..\RunServices: [IPNP32.EXE] C:\WINDOWS\IPNP32.EXE
O4 - HKLM\..\RunServices: [APIXW32.EXE] C:\WINDOWS\APIXW32.EXE
O4 - HKLM\..\RunServices: [JAVAEF.EXE] C:\WINDOWS\SYSTEM\JAVAEF.EXE
O4 - HKLM\..\RunServices: [APIWY.EXE] C:\WINDOWS\SYSTEM\APIWY.EXE
O4 - HKLM\..\RunServices: [CRFT.EXE] C:\WINDOWS\SYSTEM\CRFT.EXE
O4 - HKLM\..\RunServices: [SYSHN.EXE] C:\WINDOWS\SYSTEM\SYSHN.EXE
O4 - HKLM\..\RunServices: [D3YZ.EXE] C:\WINDOWS\SYSTEM\D3YZ.EXE
O4 - HKLM\..\RunServices: [NETHQ32.EXE] C:\WINDOWS\NETHQ32.EXE
O4 - HKLM\..\RunServices: [JAVAQX32.EXE] C:\WINDOWS\SYSTEM\JAVAQX32.EXE
O4 - HKLM\..\RunServices: [ATLHT.EXE] C:\WINDOWS\ATLHT.EXE
O4 - HKLM\..\RunServices: [CRGM.EXE] C:\WINDOWS\CRGM.EXE
O4 - HKLM\..\RunServices: [ADDLF32.EXE] C:\WINDOWS\ADDLF32.EXE
O4 - HKLM\..\RunServices: [SDKUD.EXE] C:\WINDOWS\SYSTEM\SDKUD.EXE
O4 - HKLM\..\RunServices: [CRBX.EXE] C:\WINDOWS\CRBX.EXE
O4 - HKLM\..\RunServices: [NETZR32.EXE] C:\WINDOWS\NETZR32.EXE
O4 - HKLM\..\RunServices: [APPTB32.EXE] C:\WINDOWS\SYSTEM\APPTB32.EXE
O4 - HKLM\..\RunServices: [APITD.EXE] C:\WINDOWS\SYSTEM\APITD.EXE
O4 - HKLM\..\RunServices: [MFCVY.EXE] C:\WINDOWS\SYSTEM\MFCVY.EXE
O4 - HKLM\..\RunServices: [NTED.EXE] C:\WINDOWS\SYSTEM\NTED.EXE
O4 - HKLM\..\RunServices: [NTSK32.EXE] C:\WINDOWS\NTSK32.EXE
O4 - HKLM\..\RunServices: [D3UK.EXE] C:\WINDOWS\D3UK.EXE


Reboot to safe mode (press F8 after the BIOS loads), and delete all of the .exe's associated with the randomly named RunServices entries...

Reboot, and when in Windows again, download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window.

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URLs
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives
3. Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
4. Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
8. Save the log file when it asks and then click Finish.
9. When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
10. Reboot your computer.

Next, download CWShredder:
http://www.spywarein.../CWShredder.exe
Double click and hit the fix button to fix all found problems, and Reboot.

Then Turn off System Restore. To do this, right-click My Computer and click Properties. Next, click the System Restore tab and check "Turn off System Restore". Finally, click Apply, and then click OK. Now, to finish resetting the system restore point, we need to turn ON System Restore once again. To do this, right-click My Computer and click Properties. Next, click the System Restore tab and UN-Check "Turn off System Restore". Finally, click Apply, and then click OK.

Next, run a full scan here and let it clean, making sure you reboot when it is done.

Post a fresh HijackThis logfile in this thread once you are done :)

Good Luck :)

Edited by splintercell990, 13 July 2004 - 05:47 PM.


#7 ale3164

Posted 14 July 2004 - 02:22 PM

Splintercell, thanks for trying - after I followed your advice to the letter it seemed clean. However when I opened IE it came right back. I am discouraged that it can be removed short of a complete format. Whoever is the cause of this frustration deserves to be shot!

Can anything else be done?

Here's the new Hijack log:

Logfile of HijackThis v1.98.0
Scan saved at 9:20:20 PM, on 7/14/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\NTQW.EXE
C:\WINDOWS\ADDXO32.EXE
C:\WINDOWS\SYSTEM\MSRY32.EXE
C:\WINDOWS\SYSTEM\APPCP32.EXE
C:\WINDOWS\NTEB32.EXE
C:\WINDOWS\SYSTEM\JAVAGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\MX\VI_GRM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\CARPSERV.EXE
C:\WINDOWS\SYSTEM\STD.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\WINRL.EXE
C:\WINDOWS\NTQW.EXE
C:\WINDOWS\NTEB32.EXE
C:\WINDOWS\SYSTEM\JAVAGR.EXE
C:\WINDOWS\SYSTEM\MSRY32.EXE
C:\WINDOWS\SYSTEM\APPCP32.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NTQW.EXE
C:\WINDOWS\NTQW.EXE
C:\WINDOWS\MFCOO.EXE
C:\WINDOWS\NTEB32.EXE
C:\WINDOWS\IPCO.EXE
C:\WINDOWS\ADDXO32.EXE
C:\WINDOWS\NTQW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\MFCOO.EXE
C:\WINDOWS\NTEB32.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jblrg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jblrg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jblrg.dll/index.html#96676
R3 - Default URLSearchHook is missing
F1 - win.ini: load=C:\MX\vi_grm.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {6C5AE851-04CC-89B6-6790-7C463150E44F} - C:\WINDOWS\SYSTEM\APIZE.DLL (file missing)
O2 - BHO: Class - {9FF3EC2B-5A88-1F24-6D40-596F602C24F7} - C:\WINDOWS\SYSTEM\ADDLT32.DLL (file missing)
O2 - BHO: Class - {D909FA9D-7AE6-6B2A-B820-22D8EBB261F2} - C:\WINDOWS\ATLFD.DLL
O2 - BHO: Class - {EADA06E9-6006-2FFD-3A2E-309CEA0EE5DA} - C:\WINDOWS\IPZO.DLL (file missing)
O2 - BHO: Class - {5201E7DA-AC9B-AE35-32D6-EFC802B05B50} - C:\WINDOWS\SYSTEM\NETFU.DLL
O2 - BHO: Class - {DF83D71D-7E3C-905C-49E6-8B0B8142868F} - C:\WINDOWS\NTSG32.DLL (file missing)
O2 - BHO: Class - {B4FB0365-675A-5E62-B49B-D990566002AC} - C:\WINDOWS\ADDIY.DLL (file missing)
O2 - BHO: Class - {195BB02B-4008-2F27-063D-AEAD3798CA0C} - C:\WINDOWS\SYSTEM\APIYE.DLL (file missing)
O2 - BHO: Class - {01C38962-50E8-FF21-1263-007E149E5D9C} - C:\WINDOWS\SYSTEM\ATLWB.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Ssd] C:\WINDOWS\SYSTEM\Std.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WINRL.EXE] C:\WINDOWS\SYSTEM\WINRL.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ADDXO32.EXE] C:\WINDOWS\ADDXO32.EXE
O4 - HKLM\..\RunServices: [NTQW.EXE] C:\WINDOWS\NTQW.EXE
O4 - HKLM\..\RunServices: [MSRY32.EXE] C:\WINDOWS\SYSTEM\MSRY32.EXE
O4 - HKLM\..\RunServices: [JAVAGR.EXE] C:\WINDOWS\SYSTEM\JAVAGR.EXE
O4 - HKLM\..\RunServices: [APPCP32.EXE] C:\WINDOWS\SYSTEM\APPCP32.EXE
O4 - HKLM\..\RunServices: [NTEB32.EXE] C:\WINDOWS\NTEB32.EXE
O4 - HKLM\..\RunServices: [MFCOO.EXE] C:\WINDOWS\MFCOO.EXE
O4 - HKLM\..\RunServices: [IPCO.EXE] C:\WINDOWS\IPCO.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

#8 Guest_splintercell990_*

Posted 15 July 2004 - 07:02 PM

Hello ale3164,

Let's try it the manual way then...
  • Make sure your settings allow you to view "Hidden files". Open any Explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  • Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
  • Scroll down and find the service called "Network Security Service".
  • When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jblrg.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jblrg.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jblrg.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {6C5AE851-04CC-89B6-6790-7C463150E44F} - C:\WINDOWS\SYSTEM\APIZE.DLL (file missing)
    O2 - BHO: Class - {9FF3EC2B-5A88-1F24-6D40-596F602C24F7} - C:\WINDOWS\SYSTEM\ADDLT32.DLL (file missing)
    O2 - BHO: Class - {D909FA9D-7AE6-6B2A-B820-22D8EBB261F2} - C:\WINDOWS\ATLFD.DLL
    O2 - BHO: Class - {EADA06E9-6006-2FFD-3A2E-309CEA0EE5DA} - C:\WINDOWS\IPZO.DLL (file missing)
    O2 - BHO: Class - {5201E7DA-AC9B-AE35-32D6-EFC802B05B50} - C:\WINDOWS\SYSTEM\NETFU.DLL
    O2 - BHO: Class - {DF83D71D-7E3C-905C-49E6-8B0B8142868F} - C:\WINDOWS\NTSG32.DLL (file missing)
    O2 - BHO: Class - {B4FB0365-675A-5E62-B49B-D990566002AC} - C:\WINDOWS\ADDIY.DLL (file missing)
    O2 - BHO: Class - {195BB02B-4008-2F27-063D-AEAD3798CA0C} - C:\WINDOWS\SYSTEM\APIYE.DLL (file missing)
    O2 - BHO: Class - {01C38962-50E8-FF21-1263-007E149E5D9C} - C:\WINDOWS\SYSTEM\ATLWB.DLL (file missing)
    O4 - HKLM\..\RunServices: [ADDXO32.EXE] C:\WINDOWS\ADDXO32.EXE
    O4 - HKLM\..\RunServices: [NTQW.EXE] C:\WINDOWS\NTQW.EXE
    O4 - HKLM\..\RunServices: [MSRY32.EXE] C:\WINDOWS\SYSTEM\MSRY32.EXE
    O4 - HKLM\..\RunServices: [JAVAGR.EXE] C:\WINDOWS\SYSTEM\JAVAGR.EXE
    O4 - HKLM\..\RunServices: [APPCP32.EXE] C:\WINDOWS\SYSTEM\APPCP32.EXE
    O4 - HKLM\..\RunServices: [NTEB32.EXE] C:\WINDOWS\NTEB32.EXE
    O4 - HKLM\..\RunServices: [MFCOO.EXE] C:\WINDOWS\MFCOO.EXE
    O4 - HKLM\..\RunServices: [IPCO.EXE] C:\WINDOWS\IPCO.EXE


  • Reboot into Safe Mode (see: How do I boot into "Safe" mode?) and delete the following files:

    jblrg.dll
    APIZE.DLL
    ADDLT32.DLL
    ATLFD.DLL
    IPZO.DLL
    NETFU.DLL
    NTSG32.DLL
    APIYE.DLL
    ATLWB.DLL
    ADDXO32.EXE
    NTQW.EXE
    MSRY32.EXE
    JAVAGR.EXE
    APPCP32.EXE
    NTEB32.EXE
    MFCOO.EXE
    IPCO.EXE

  • Go to Start => Run and type in "regedit" (without quotes) and press "Enter".
  • Once the registry opens, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
    If __NS_Service_3 exists, right click on it and choose delete from the menu.
  • Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
    If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.
  • Exit regedit and reboot in Normal Mode.
  • Two files (Possibly three) were also deleted from your computer and need to be replaced.
    • control.exe - Go to Merijn Files (control) and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
  • Run HiJackThis again and post a new log in this thread.

Good Luck :)

Edited by splintercell990, 15 July 2004 - 07:03 PM.
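As an added example (not code from this thread, HijackThis, or any of the tools named in it), a small Python triage script that picks out of a HijackThis log the same three things splintercell990 keyed on in both replies: R0/R1 start and search pages pointing at a `res://` resource inside a local DLL, unnamed "Class" BHOs, and RunServices entries whose executable is a randomly named file sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM. The name-prefix heuristic and the sample log lines are assumptions modelled on the entries in this thread, not a signature from any product.

```python
import re

# Constructed sample in HijackThis log format, modelled on the entries
# discussed in this thread; it is not the poster's complete log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jblrg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jblrg.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {EADA06E9-6006-2FFD-3A2E-309CEA0EE5DA} - C:\WINDOWS\IPZO.DLL (file missing)
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NTQW.EXE] C:\WINDOWS\NTQW.EXE
O4 - HKLM\..\RunServices: [MSRY32.EXE] C:\WINDOWS\SYSTEM\MSRY32.EXE
"""

# Naming heuristic (an assumption drawn from the names in this thread): a
# Windows-looking prefix, two random letters, optional "32", then .EXE/.DLL.
RANDOM_NAME = re.compile(
    r"^(ADD|API|APP|ATL|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SDK|SYS)[A-Z]{2}(32)?\.(EXE|DLL)$", re.I)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM (no deeper path).
WINDIR_FILE = re.compile(r"^C:\\WINDOWS(?:\\SYSTEM)?\\([^\\]+)$", re.I)
R_LINE = re.compile(r"^R[01] - .+ = (?P<url>.+)$")
RES_DLL = re.compile(r"^res://(?:.*\\)?(?P<dll>[^\\/]+\.dll)/", re.I)
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.*?)(?: \(file missing\))?$", re.I)
O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.+)$")

def triage(log_text):
    """Return (category, file_name, line) for every entry matching the hijack pattern."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = R_LINE.match(line)
        if m and (res := RES_DLL.match(m.group("url"))):
            # IE start/search page served from a resource inside a local DLL
            findings.append(("res_hijack", res.group("dll"), line))
        if line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(("searchhook_removed", None, line))
        m = O2_LINE.match(line)
        if m and m.group("name") == "Class":
            f = WINDIR_FILE.match(m.group("path"))
            if f and RANDOM_NAME.match(f.group(1)):
                findings.append(("random_bho", f.group(1), line))
        m = O4_LINE.match(line)
        if m:
            f = WINDIR_FILE.match(m.group("cmd").strip('"'))
            if f and RANDOM_NAME.match(f.group(1)):
                findings.append(("random_autorun", f.group(1), line))
    return findings

def files_to_remove(log_text):
    """Deduplicated file names the findings point at, for the delete-in-Safe-Mode step."""
    return sorted({f.upper() for _, f, _ in triage(log_text) if f})
```

Entries that keep a normal name or live in a deeper folder (mstask.exe, StateMgr.exe) are left alone, so the output is a shortlist to check by hand, not a verdict.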




