inetkw.dll


10 replies to this topic

#1 hibbs

hibbs

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 17 July 2004 - 06:41 PM

Hello-

I've been having the error message "Error loading C:\PROGRA~INTERN~2\inetkw.dll" pop up constantly on my screen and am wondering what I need to do to solve the problem. If anyone can help it would be much appreciated. Here is my HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 5:06:47 PM, on 7/17/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\crco.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\enbiei.exe
C:\WINNT\System32\hcldnoze.exe
C:\PROGRA~1\Clock idle test\media 2.exe
C:\WINNT\System32\hhtaugb.exe
C:\WINNT\System32\LzioMediaUpdater.exe
C:\WINNT\msyu32.exe
C:\WINNT\System32\mseadu.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\windll32.exe
C:\Documents and Settings\Administrator\Application Data\taas.exe
C:\WINNT\System32\msttcui.exe
C:\WINNT\System32\jpc.exe
C:\WINNT\System32\wuauclt.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
C:\WINNT\System32\WScript.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Documents and Settings\Administrator\My Documents\My Downloads\hjtlog.exe
c:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\mkmbp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mkmbp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mkmbp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\mkmbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\mkmbp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mkmbp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {FC9C113A-2E02-F506-F9DA-C96407F18ED0} - C:\WINNT\mfcpc32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe
O4 - HKLM\..\Run: [] C:\WINNT\System32\
O4 - HKLM\..\Run: [neuogywbhji] C:\WINNT\System32\hcldnoze.exe
O4 - HKLM\..\Run: [bone two] C:\PROGRA~1\Clock idle test\media 2.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\hhtaugb.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoadersst71OTUNMXJ] "C:\WINNT\System32\sysedt32.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [msyu32.exe] C:\WINNT\msyu32.exe
O4 - HKLM\..\Run: [sF2h34O] mseadu.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [windll32.exe] C:\WINNT\System32\windll32.exe
O4 - HKCU\..\Run: [Uios] C:\Documents and Settings\Administrator\Application Data\taas.exe
O4 - HKCU\..\Run: [dotnRQi4W] msttcui.exe
O4 - HKCU\..\Run: [Bdd] C:\WINNT\System32\jpc.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe
O4 - Startup: Virtual Bouncer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Search.vbs
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/AX/AX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS1\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS2\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS3\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 23 July 2004 - 10:57 AM

Hi, sorry for the delay. Your system is very affected. Can you post a fresh log please?
Thanks

#3 hibbs


Posted 24 July 2004 - 10:22 AM

Thanks for the response mmxx66. You can probably tell, but I'm also getting a www.look2me window popping up a lot and I can't get rid of My Daily Horoscope. There are a lot of other problems as well. So any help you give me is really appreciated. I just ran Spybot again and here is the new log:

Logfile of HijackThis v1.98.0
Scan saved at 9:13:24 AM, on 7/24/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\crco.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\enbiei.exe
C:\WINNT\System32\hcldnoze.exe
C:\PROGRA~1\CLOCKI~1\media 2.exe
C:\WINNT\System32\hhtaugb.exe
C:\WINNT\System32\LzioMediaUpdater.exe
C:\WINNT\system32\appfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINNT\system32\colref.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\windll32.exe
C:\Documents and Settings\Administrator\Application Data\taas.exe
C:\WINNT\system32\cortsn32.exe
C:\WINNT\System32\jpc.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\WINNT\System32\WScript.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe
C:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxpwj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...ndex.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zxpwj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zxpwj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50140
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxpwj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxpwj.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: (no name) - {A17679F9-3C53-35F0-7876-516D852366F9} - C:\WINNT\system32\appfg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe
O4 - HKLM\..\Run: [] C:\WINNT\System32\
O4 - HKLM\..\Run: [neuogywbhji] C:\WINNT\System32\hcldnoze.exe
O4 - HKLM\..\Run: [bone two] C:\PROGRA~1\CLOCKI~1\media 2.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\hhtaugb.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoadersst71OTUNMXJ] "C:\WINNT\system32\mapstab.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [appfg.exe] C:\WINNT\system32\appfg.exe
O4 - HKLM\..\Run: [sF2h34O] colref.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [windll32.exe] C:\WINNT\system32\windll32.exe
O4 - HKCU\..\Run: [Uios] C:\Documents and Settings\Administrator\Application Data\taas.exe
O4 - HKCU\..\Run: [dotnRQi4W] cortsn32.exe
O4 - HKCU\..\Run: [Bdd] C:\WINNT\System32\jpc.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe
O4 - Startup: Virtual Bouncer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Search.vbs
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/AX/AX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS1\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS2\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS3\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll

#4 mmxx66


Posted 24 July 2004 - 11:37 AM

There's a lot of work to do here. I don't want to confuse you so let's do it step by step.

1. Look2me

Download and run LSP Fix
Check 'I know what I'm doing'.
Select all the instances of 'inetadpt.dll'.
Click the right-pointing arrow.
Click 'Finished'.
Restart your computer.
Delete the following file:
C:\Windows\System32\inetadpt.dll


Download VX2Finder


Run Vx2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.
--------------------------------

Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

Then select the *Delete these files* button.
You will be left with a notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)

-----------------
Once back in Windows


Open VX2Finder again and click on these buttons in the right pane:

user agent, Guardian.reg, restore policy

Exit and reboot.

Now close all open windows AND browsers and check these items for HJT to fix:
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/AX/AX.cab

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Post it here with a fresh HijackThis log please.

We're just beginning. :ph34r:

Edited by mmxx66, 24 July 2004 - 11:38 AM.


#5 hibbs


Posted 24 July 2004 - 07:08 PM

Ok, I deleted the C:\WINNT\System32\inetadpt.dll file. Here is the first log of the VX2. I hope I'm following your steps correctly. I was a little confused. Thanks!

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINNT\system32\abledit.dll
C:\WINNT\system32\ahptif.dll
C:\WINNT\system32\apsmib.dll
C:\WINNT\system32\ayaamon.dll


Guardian Key--- is called:

User Agent String---
{77D22758-48C8-46DC-A254-B8DC250178B3}

#6 hibbs


Posted 24 July 2004 - 07:28 PM

Ok, so I'm confused. Was I supposed to delete the 4 files in the window? I clicked "Delete these files" and it rebooted. Then when I went back in, I couldn't click on the user agent, Guardian.reg, restore policy buttons. So I checked the 4 files and deleted them. Afterwards, when I clicked on the user agent, it asked me if I wanted to delete the string. Do I want to do this, and have I done something I shouldn't have already? Not sure what to do with the user agent, Guardian.reg, restore policy buttons once I click on them. Sorry for not understanding.

#7 mmxx66


Posted 25 July 2004 - 03:04 PM

Open VX2Finder again and click on these buttons in the right pane:

user agent, Guardian.reg, restore policy

Exit and reboot.

And accept to delete the string if you're asked to.

And post a new Hijack This log.

Edited by mmxx66, 25 July 2004 - 03:05 PM.


#8 hibbs


Posted 27 July 2004 - 12:33 AM

Ok, here's the new VX2 log:

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
{77D22758-48C8-46DC-A254-B8DC250178B3}


And here is the new HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 10:53:30 PM, on 7/26/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\crco.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hcldnoze.exe
C:\WINNT\System32\hhtaugb.exe
C:\WINNT\System32\LzioMediaUpdater.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\WINNT\system32\appfg.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\windll32.exe
C:\Documents and Settings\Administrator\Application Data\taas.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\WINNT\System32\jpc.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
C:\WINNT\System32\WScript.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\hijackthis.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50140
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxpwj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxpwj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zxpwj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zxpwj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50140
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxpwj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxpwj.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50140
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {A17679F9-3C53-35F0-7876-516D852366F9} - C:\WINNT\system32\appfg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe
O4 - HKLM\..\Run: [] C:\WINNT\System32\
O4 - HKLM\..\Run: [neuogywbhji] C:\WINNT\System32\hcldnoze.exe
O4 - HKLM\..\Run: [bone two] C:\PROGRA~1\CLOCKI~1\media 2.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\hhtaugb.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoadersst71OTUNMXJ] "C:\WINNT\system32\mapstab.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [appfg.exe] C:\WINNT\system32\appfg.exe
O4 - HKLM\..\Run: [sF2h34O] mapstab.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Dale surf tick funk] C:\Documents and Settings\All Users\Application Data\Dash Fast Dale Surf\AXISBALL.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [windll32.exe] C:\WINNT\system32\windll32.exe
O4 - HKCU\..\Run: [Uios] C:\Documents and Settings\Administrator\Application Data\taas.exe
O4 - HKCU\..\Run: [dotnRQi4W] cortsn32.exe
O4 - HKCU\..\Run: [Bdd] C:\WINNT\System32\jpc.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe
O4 - Startup: Virtual Bouncer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Search.vbs
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS1\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS2\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS3\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll

Thanks again!
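The cleanup in this thread is tracked by comparing each fresh HijackThis log with the previous one. The following is an added example, not part of any post and not code from HijackThis: it parses a few lines excerpted from the 24 July and 26 July logs above and reports entries that disappeared, entries that are new, and registry values that stayed in place but now point at a different target. All function names are illustrative.

```python
import re

# Entry lines start with a section code: R0-R3 (IE pages/hooks) or O1, O2, ...
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# O4 registry autoruns look like: HKLM\..\Run: [value name] command line
O4_RUN_RE = re.compile(r"^(HK[A-Z]+\\\.\.\\[^:]+: \[[^\]]*\]) ?(.*)$")

# Sample input: lines excerpted from the 24 July log posted in this thread.
BEFORE = r"""Logfile of HijackThis v1.98.0
Scan saved at 9:13:24 AM, on 7/24/2004
Running processes:
C:\WINNT\system32\colref.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...ndex.html#37049
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [sF2h34O] colref.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/AX/AX.cab
"""

# Sample input: lines excerpted from the 26 July log posted in this thread.
AFTER = r"""Logfile of HijackThis v1.98.0
Scan saved at 10:53:30 PM, on 7/26/2004
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxpwj.dll/index.html#37049
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [sF2h34O] mapstab.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [Dale surf tick funk] C:\Documents and Settings\All Users\Application Data\Dash Fast Dale Surf\AXISBALL.exe
"""


def parse_entries(log_text):
    """Return the set of (section, detail) entries; header and process list are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries


def locator(entry):
    """Split an entry into (stable location, current target), or None.

    R0/R1: the registry value left of ' = '.
    O4 registry autoruns: the key plus the [value name].
    """
    section, detail = entry
    if section in ("R0", "R1"):
        left, sep, right = detail.partition(" = ")
        return ((section, left), right) if sep else None
    if section == "O4":
        m = O4_RUN_RE.match(detail)
        return ((section, m.group(1)), m.group(2)) if m else None
    return None


def index_by_location(entries):
    """Map location -> (target, original entry) for entries that have a location."""
    out = {}
    for entry in entries:
        loc = locator(entry)
        if loc:
            out[loc[0]] = (loc[1], entry)
    return out


def diff_logs(before_text, after_text):
    """Compare two logs: removed entries, added entries, retargeted locations."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    idx_b, idx_a = index_by_location(before), index_by_location(after)
    retargeted, moved = {}, set()
    for key in idx_b.keys() & idx_a.keys():
        (old, e_old), (new, e_new) = idx_b[key], idx_a[key]
        if old != new:
            # Same registry value, different file or URL: report it once here
            # instead of as an unrelated removal plus addition.
            retargeted[key] = (old, new)
            moved.update((e_old, e_new))
    return {
        "removed": sorted(before - after - moved),
        "added": sorted(after - before - moved),
        "retargeted": retargeted,
    }


if __name__ == "__main__":
    report = diff_logs(BEFORE, AFTER)
    for section, detail in report["removed"]:
        print("removed   ", section, "-", detail)
    for section, detail in report["added"]:
        print("added     ", section, "-", detail)
    for (section, where), (old, new) in sorted(report["retargeted"].items()):
        print("retargeted", section, "-", where, ":", old, "->", new)
```

On these excerpts the `[sF2h34O]` Run value is reported as retargeted from `colref.exe` to `mapstab.exe`, which a plain line-by-line comparison would show as one unrelated removal and one unrelated addition.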

#9 mmxx66


Posted 27 July 2004 - 09:59 AM

Hello please download About:Buster and unzip it to your desktop. Don't run it yet.

How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Don't use it yet.
1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You should now see Reference File # : 01R333 18.07.2004 or higher listed.

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

4. Reboot to Safe Mode
How to start the computer in Safe mode


5. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

6. CLOSE ALL WINDOWS AND BROWSERS. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50140
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxpwj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxpwj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zxpwj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zxpwj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50140
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zxpwj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxpwj.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50140
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {A17679F9-3C53-35F0-7876-516D852366F9} - C:\WINNT\system32\appfg.dll
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe
O4 - HKLM\..\Run: [] C:\WINNT\System32\
O4 - HKLM\..\Run: [neuogywbhji] C:\WINNT\System32\hcldnoze.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoadersst71OTUNMXJ] "C:\WINNT\system32\mapstab.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [appfg.exe] C:\WINNT\system32\appfg.exe
O4 - HKLM\..\Run: [sF2h34O] mapstab.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINNT\system32\windll32.exe
O4 - HKCU\..\Run: [Uios] C:\Documents and Settings\Administrator\Application Data\taas.exe
O4 - HKCU\..\Run: [dotnRQi4W] cortsn32.exe
O4 - HKCU\..\Run: [Bdd] C:\WINNT\System32\jpc.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Global Startup: Search.vbs
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll



Then continue with win tools:
Please reboot into safe mode - How do I boot into "Safe" mode?

Once in Safe Mode:
Click on the Start Button, Control Panel. Double-click on Administrative Tools then on Services.
Look for a service called Wintools for IE Service. Double-click it to open, then click the Stop button and change the "Startup type" to Disabled.
(If the service is not there, no worries...all the better!)

Next, right-click on the Windows Taskbar and select Task Manager.
In the Processes tab, look for WToolsA.exe, WToolsS.exe and WSup.exe. If any or all of these exist, right-click on each one and select End Process Tree, and answer affirmatively to any confirmation questions.

At this point, you can check the Add/Remove Programs Control Panel. If there is an uninstaller for Wintools, try running it now. I would still recommend proceeding through the rest of this fix even if there is an uninstaller, however.

Now, please open a command prompt (Start button -> Run, type cmd and click "OK"). At the prompt, type
regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" then <ENTER>.
Then type exit to close the command prompt window.


Go to Add/Remove Programs again and uninstall:
WebSavingsfromEbates
INTERNET SOMETHING, NOT EXPLORER
MyDailyHoroscope
if present.


7. Delete the following files if present.
C:\WINNT\zxpwj.dll
C:\WINNT\system32\appfg.dll
C:\WINNT\system32\idctup20.exe
C:\WINNT\System32\hcldnoze.exe

C:\WINNT\System32\LzioMediaUpdater.exe
C:\WINNT\System32\he3bbcff.dll
C:\WINNT\System32\wmcbaaca.dll
C:\WINNT\System32\icddefff.dll
C:\WINNT\System32\ielcaabe.dll
C:\WINNT\bxxs5.dll
C:\WINNT\system32\mapstab.exe
C:\WINNT\system32\appfg.exe
C:\WINNT\system32\windll32.exe
C:\Documents and Settings\Administrator\Application Data\taas.exe
C:\WINNT\System32\jpc.exe
C:\WINNT\msopt.dll
C:\WINNT\System32\Search.vbs
C:\WINNT\System32\cortsn32.exe

Now, we can proceed to delete these directories, located at:

C:\Program Files\Common Files\WinTools <-- Delete the BOLD directory.
C:\Program Files\Toolbar <-- Delete the BOLD directory.
C:\Program Files\AutoUpdate <-- Delete the BOLD directory.
C:\Program Files\INTERNet SOMETHING, NOT EXPLORER <-- Delete the BOLD directory. I mean NOT Internet Explorer, Internet Optimizer or something like that.
C:\Program Files\MyDailyHoroscope <-- Delete the BOLD directory.
C:\Program Files\WebSavingsfromEbates <-- Delete the BOLD directory.


8. Double-click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:


Temporary Files
Temporary Internet Files
Recycle Bin


11. Reboot to normal mode, scan again with Hijack This and post a new log here.

12. Finally, do an online scan HERE. Let it remove any infected files found.

Replace Deleted Files
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here: http://www.spywarein...es.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.c...dbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here: http://www.spywarein...s.html#sdhelper
and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.

Post a fresh HijackThis log and the AboutBuster report back here please.

#10 hibbs

Posted 28 July 2004 - 01:56 AM

Ok. I went through all the steps (hopefully correctly) and here is the new HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 12:51:22 AM, on 7/28/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hhtaugb.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Administrator\My Documents\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [bone two] C:\PROGRA~1\CLOCKI~1\media 2.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\hhtaugb.exe
O4 - HKLM\..\Run: [Dale surf tick funk] C:\Documents and Settings\All Users\Application Data\Dash Fast Dale Surf\AXISBALL.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS1\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS2\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80
O17 - HKLM\System\CS3\Services\Tcpip\..\{6C9C1DDD-2375-4001-8B0C-2212BB86513C}: NameServer = 192.168.1.80


Also, here is the AboutBuster .txt file:

-- Scan 1 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

Thanks again. Is there anything else that needs to be done?

#11 mmxx66

Posted 28 July 2004 - 09:03 AM

CLOSE ALL WINDOWS AND BROWSERS. Scan with Hijack This and put checks next to all the following, then click "Fix Checked":
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\hhtaugb.exe

Restart in Safe Mode and delete this file:
C:\WINNT\System32\hhtaugb.exe
Reboot and post a new log.

What are these programs? Did you install them?
C:\PROGRAM FILES\CLOCKI~1

And
[Dale surf tick funk] C:\Documents and Settings\All Users\Application Data\Dash Fast Dale Surf\AXISBALL.exe
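
A triage aid for logs like the one in post #10, as an added example that is not part of the original thread or of HijackThis: it parses the running-process list and the O4 autostart lines, then reports autostart entries whose target is currently running, so a reviewer can see which startup items are still active after a cleanup. The sample log is constructed from a few lines of that post, and the function names are hypothetical.

```python
import ntpath  # Windows path rules on any OS
import re

# Constructed sample: a few lines taken from the 28 July log in post #10.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hhtaugb.exe
C:\Program Files\Navnt\navapw32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [bone two] C:\PROGRA~1\CLOCKI~1\media 2.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\hhtaugb.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
"""

# Registry Run keys: "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(r"^O4 - (?P<loc>\S+\\Run\S*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Startup folders: "O4 - Global Startup: item.lnk = target" (target may be absent)
O4_STARTUP = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?)(?: = (?P<cmd>.+))?$")
# Executable at the start of a command line; paths may be quoted or contain spaces.
EXE = re.compile(r'"?(.+?\.(?:exe|com|bat|vbs|dll))(?![\w.])', re.I)

def parse_hjt(text):
    """Return (running process paths, autostart entries) from a HijackThis log."""
    procs, autostarts, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        else:
            m = O4_RUN.match(line) or O4_STARTUP.match(line)
            if m:
                cmd = m.group("cmd") or m.group("name")
                exe = EXE.match(cmd)
                autostarts.append({"location": m.group("loc"), "name": m.group("name"),
                                   "target": exe.group(1) if exe else cmd})
    return procs, autostarts

def running_autostarts(text):
    """Autostart entries whose target file name is also in the process list."""
    procs, autostarts = parse_hjt(text)
    # Compare file names only: the logs mix 8.3 short paths and long paths.
    running = {ntpath.basename(p).lower() for p in procs}
    return [a for a in autostarts if ntpath.basename(a["target"]).lower() in running]

if __name__ == "__main__":
    for entry in running_autostarts(SAMPLE_LOG):
        print(entry["location"], entry["name"], entry["target"], sep=" | ")
```

The match only says an entry is active, not that it is unwanted: on the sample it returns both the `hpsysconf1` entry and the Norton AutoProtect shortcut, and the reviewer still decides which to fix.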



