Thought I beat it, but no.


15 replies to this topic

#1 wurseley, Member (Full Member, 9 posts)

Posted 21 June 2004 - 07:01 PM

I got hit yesterday morning. Worked on it all day and thought I had it clean last night. However, it came back again a couple of hours ago. I have read the forum FAQ page; I have used AdAware, CWShredder, BHODemon, Registry Mechanic, and SpyBot (updated, licensed & paid versions where possible). Multiple cleanings continue to find infection files (for example, running AdAware 2X in a row).

I have run HijackThis! and my log is posted below. I have removed the IE mainpage entries (like res://C:\WINDOWS\rossf.dll/sp.html#96676) many times.

Any help you can give me would be appreciated. You are terrific for doing this with us; thanks in advance for your time.


Logfile of HijackThis v1.97.7
Scan saved at 7:40:53 PM, on 6/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\TABLET.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLDET.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\WACOM\TABUSERW.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\APION.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\JAVALU32.EXE
C:\WINDOWS\CRWM32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\CRWM32.EXE
C:\WINDOWS\ADDOS.EXE
C:\WINDOWS\CRWM32.EXE
C:\WINDOWS\SYSTEM\CRSD32.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\CRWM32.EXE
C:\WINDOWS\ATLVL32.EXE
C:\WINDOWS\TEMP\TD_0009.DIR\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\CRWM32.EXE
C:\WINDOWS\D3FU32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rossf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rossf.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&c=2C01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presar...&c=2C01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rossf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rossf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rossf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rossf.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.direcwaysupport.com;192.168.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Netscape\Communicator\Program\NetHelp\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Netscape\Communicator\Program\NetHelp\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {BC234570-5592-DEEC-F787-4BF76F57427B} - C:\WINDOWS\SYSTEM\ntgc.dll (disabled by BHODemon)
O2 - BHO: (no name) - {A65F11A0-3D1B-37FD-F86D-9AB8607151F1} - C:\WINDOWS\WINZP.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {122E729E-BD50-EAC0-DD49-BAA0B1D3482E} - C:\WINDOWS\SYSTEM\SDKCV32.DLL (file missing)
O2 - BHO: (no name) - {7146CBCE-BA52-8263-EE95-BC1B11EE8EAA} - C:\WINDOWS\SYSTEM\ADDST.DLL (file missing)
O2 - BHO: (no name) - {9BEDA47D-F76A-8794-9E1F-E4E0C452C0B6} - C:\WINDOWS\SYSTEM\MSGV.DLL (file missing)
O2 - BHO: (no name) - {6F6ED08C-65F0-6F3F-300B-AB13DA5E5DBF} - C:\WINDOWS\SYSTEM\NTNF.DLL
O2 - BHO: (no name) - {843E1C14-A121-3D1F-8C45-751737E6A4F6} - C:\WINDOWS\SYSTEM\D3IY.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [APION.EXE] C:\WINDOWS\SYSTEM\APION.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
O4 - HKLM\..\RunServices: [APPHL32.EXE] C:\WINDOWS\APPHL32.EXE
O4 - HKLM\..\RunServices: [JAVALU32.EXE] C:\WINDOWS\SYSTEM\JAVALU32.EXE
O4 - HKLM\..\RunServices: [IPWN32.EXE] C:\WINDOWS\SYSTEM\IPWN32.EXE
O4 - HKLM\..\RunServices: [CRWM32.EXE] C:\WINDOWS\CRWM32.EXE
O4 - HKLM\..\RunServices: [ADDOS.EXE] C:\WINDOWS\ADDOS.EXE
O4 - HKLM\..\RunServices: [CRSD32.EXE] C:\WINDOWS\SYSTEM\CRSD32.EXE
O4 - HKLM\..\RunServices: [ATLVL32.EXE] C:\WINDOWS\ATLVL32.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINSM32.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sprintsite.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://web14.compaq....co/SysQuery.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw14fd.law14....ex/HMAtchmt.ocx
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://141.153.11.11...sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7567.2411458333
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

#2 dmforst, Member (Full Member, 7 posts)

Posted 21 June 2004 - 07:15 PM

Here is the fix. As you are using WinME you need to sub a bootable floppy for the recovery console. But the concept is the same. Good luck.

Coolweb is a two-stage infection. This fix is not for inexperienced users. You need to understand how to use the recovery console and also the registry editor. Everything here is for a W2K install, which is what I have. Should be similar for XP. First, how the infection works:

1) A small dll is loaded onto your machine in the \winnt\system32 directory. I do not know the method of infection. My machine had the ByteVerifier patch so it wasn't through that backdoor.
2) This dll is loaded with very strange file permissions. It has all permissions but copy denied to everyone, including administrators. This set of permissions makes the file completely invisible inside Windows. You cannot see it using File Explorer or DOS prompts like dir. It also cannot have its attributes set so that you can see it.
3) This little dll (resaf.dll on my machine, but probably different on each install) hooks itself to the HKLM/Software/Current Version/WindowsNT/Windows/AppInit_DLLs registry key. Of course you can't see the entry and searching for it will reveal nothing. Probably uses the same permissions trick but I was unable to verify this.
4) Once this dll is running it can do whatever it wants. What it does is load a full set of secondary infection files. It creates a file in your temp directory called sp.html. This is the file that is displayed each time you start IE. It also creates a bunch of registry entries to enforce this as the start page.
5) Next a second dll is loaded. This one you can see and remove. Of course it just comes back a few hours later. Not sure what this does.
6) Latest cut of Adaware gets rid of all of the secondary infections, but is unable to find the primary infection. After about 2-3 hours the infection just keeps coming back.

How to get rid of this:
1) You need a tool to find the nasty dll. A tool called "xfind" (find it here http://home.mnet-onl...muc/index.html) does a text search for a string within all files in the \winnt\system32 directory. Run it from the command line as XFIND "anything" C:\winnt\system32\*.dll. It turns out that the string itself is unimportant; it is the fact that this utility is unable to open the file that reveals the dll's identity. The utility posts an "unable to read resaf.dll" notice. This is your first clue.
2) Run adaware with the latest reference file and cleanup the secondary infection. Run it until no further infection is found. It may take a couple of passes.
3) Now you know the name of the file, we need a way to get rid of it. Not possible inside Windows that I can see. Tried killbox and other programs but they are not able to find it. Using your original Windows CD, start the recovery console. This is done by booting from the CD and then, when it finishes loading, selecting R for repair and C for recovery console. Log in as requested and you are at a command prompt. The file can now be seen using dir. I just renamed it at this point in case I was wrong and it was a real Windows file. I could then get it back if I needed it.
4) Restart the machine in windows. Using regedit, search for the AppInit_DLLs key. The value will now be visible. Delete the value, not the key!
5) The dll will now also be visible and can be deleted.
6) Run adaware one more time to make sure all of the secondary infection is gone and you're done.

I would like to thank the dedicated folks who wrote the utilities I used to get this thing off. Good luck.
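The indicators dmforst describes (IE start and search pages pointing at a res:// resource inside a DLL, unnamed BHOs, and a regenerating set of randomly named autostart executables under C:\WINDOWS) are all visible in the HijackThis logs in this thread. The following is an added triage script, not code from the thread or from the HijackThis project; it parses a constructed excerpt in the same log format and flags those three patterns. The naming heuristic (a system-sounding prefix plus one or two random letters and an optional "32") is an assumption built from the names in this thread's two logs, so treat a hit as a hint for a reviewer, not a verdict. Note also that the 1.97.7 log format shown here has no AppInit_DLLs line, so a clean triage result does not clear the loader dmforst describes.

```python
import re

# Constructed excerpt in HijackThis 1.97 log format; the values are copied from
# the logs posted in this thread, plus a few known-clean lines for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rossf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rossf.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&c=2C01&lc=0409
O2 - BHO: (no name) - {6F6ED08C-65F0-6F3F-300B-AB13DA5E5DBF} - C:\WINDOWS\SYSTEM\NTNF.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\RunServices: [CRWM32.EXE] C:\WINDOWS\CRWM32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
RES_RE = re.compile(r"=\s*res://", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_RE = re.compile(r"^HKLM\\\.\.\\(Run|RunServices): \[([^\]]+)\] (.+)$")
# Naming heuristic (assumption) built from the autostart names in this thread's
# two logs (CRWM32.EXE, ADDOS.EXE, ATLVL32.EXE, D3FU32.EXE, ...): a system-sounding
# prefix, one or two random letters, optional "32". It is a triage hint, not proof;
# legitimate names such as MSTASK.EXE or SYSTRAY.EXE do not match it.
RANDOM_NAME_RE = re.compile(
    r"^(API|APP|ADD|ATL|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SDK|SYS|WIN)[A-Z]{1,2}(32)?\.EXE$"
)


def _exe_name(command):
    """Extract the upper-cased executable file name from an O4 command string."""
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]      # quoted path: drop the arguments
    else:
        path = command.split(" -", 1)[0]          # unquoted path: drop "-switch" args
    name = path.split("\\")[-1].upper()
    return name.split(".EXE")[0] + ".EXE" if ".EXE" in name else name


def triage(log_text):
    """Return (section, reason, line) findings for the hijack patterns in this thread."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1") and RES_RE.search(body):
            findings.append((section, "IE start/search page points into a DLL via res://", raw))
        elif section == "O2":
            b = BHO_RE.match(body)
            if b and b.group(1) != "(no file)":
                findings.append((section, "unnamed BHO still loading a DLL", raw))
        elif section == "O4":
            o = O4_RE.match(body)
            if o and RANDOM_NAME_RE.match(_exe_name(o.group(3))):
                findings.append((section, "autostart with random-looking system-style name", raw))
    return findings


def summary(findings):
    """Count findings per HijackThis section, e.g. {'R0': 1, 'R1': 1, ...}."""
    counts = {}
    for section, _reason, _line in findings:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
    print(summary(triage(SAMPLE_LOG)))
```

Run it against a full log saved from HijackThis to get the short list worth a second look; the orphaned `(no file)` BHO entries are deliberately left out of the findings, since they are leftovers to clean up rather than evidence that the loader is still active.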

#3 wurseley, Member (Full Member, 9 posts)

Posted 21 June 2004 - 07:31 PM

Hey, DMForst:

Thanks for the reply. I have a couple of questions: First, I am unable to get to the link for http://home.mnet-onl....muc/index.html. The hijacker redirects me. Second, are you saying I cannot approach my fix in the same manner as others in the Forum? In other words, is there any way around the recovery console/bootable floppy method?

Thanks again.

#4 wurseley, Member (Full Member, 9 posts)

Posted 21 June 2004 - 07:44 PM

Okay, I have gotten XFIND. However, translating DMForst's directions from Win2K to ME for command-line use is beyond my abilities. Can someone walk me through this step-by-step?

#5 BCGovtMartyr, Bug Hunter (Full Member, 29 posts)

Posted 22 June 2004 - 07:52 PM

wurseley,
You will need to follow Archon Wing's directions from his June 19th 2004 9:41pm post on. Scroll down till you find the post with that date and follow it to the letter. That will be the final fix and your trouble will be over. Here is the topic link:
http://www.spywarein...wtopic=7416&hl=

I believe that this software will work for your OS as well as W2K and WinXP. If you have any problems, repost and someone will check back. To repost Archon Wing's excellent post would be redundant. I will be sure to add your post to my watch list and make sure you are helped, as I'm sure dmforst has done as well.
Bug Fighting Tools
Ad-Aware ~ HijackThis ~ CWShredder ~ Spybot

Other pesticides
Registrar Lite ~ Winfile

Help this site keep helping you
Please donate here

#6 BCGovtMartyr, Bug Hunter (Full Member, 29 posts)

Posted 22 June 2004 - 07:59 PM

Run Adaware with the latest update after following Archon Wing's directions, let it clean up, and repost a HijackThis log and someone will take a look at it for you. I see several things that need to be cleaned up, but cut off the head of this serpent first, then concentrate on cleanup.

#7 wurseley, Member (Full Member, 9 posts)

Posted 22 June 2004 - 09:16 PM

BCGM

Thanks for the response. I will implement tomorrow and post an update into this topic.

W

#8 Archon_Wing, Donut Patron (Trusted Advisor, 368 posts)

Posted 22 June 2004 - 09:55 PM

This is a different variant, and that fix won't help here.

Ad-Aware has been updated to stop this. Make sure you have all updates and have build 6.181 (You can find out what build you have by starting ad-aware and looking at the bottom right hand corner of the window.)

Restart your computer in safe mode. How to start in safe mode: here

Once in safe mode, run ad-aware and fix everything it finds.

Edited by Archon_Wing, 22 June 2004 - 09:57 PM.

Rights are never important until you don't have them.

#9 wurseley, Member (Full Member, 9 posts)

Posted 23 June 2004 - 12:18 PM

AW

Thanks for the further direction. I was a little stymied when running reglite to find that there was no AppInit_DLLs file in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.

Anyway, I am running AdAware right now in Safe mode (typing this on a different computer). I will post the results.

W

#10 BCGovtMartyr, Bug Hunter (Full Member, 29 posts)

Posted 23 June 2004 - 12:47 PM

Thanks Archon... duly noted.

And yes, Wurseley, that was my "duh": you're running WinME, therefore WindowsNT would be just plain Windows. Archon has you all fixed up. :deal:

#11 wurseley, Member (Full Member, 9 posts)

Posted 23 June 2004 - 01:25 PM

BC and AW

Actually, there IS a WindowsNT folder in the HKEY directory.

Anyway, that aside, I have run AdAware twice in Safe mode and am still hijacked. What a nasty and tenacious little bugger.

Any further suggestions?

W

#12 wurseley, Member (Full Member, 9 posts)

Posted 23 June 2004 - 01:36 PM

Further action:

I read in one of the repair posts that one of the CWS (virus/trojan/hijacker) components is in C:\_FOLDERS\TEMP. Since AdAware has told me twice that it can't remove two of the files it is finding, but it is still not eradicating the nasty, I made HIDDEN FILES visible and changed the _FOLDERS RESTORE permissions before running AdAware. This time it has deleted 4 files (all CWS files). I am hopeful. I am running AdAware one more time in safe mode before restarting. If this is successful, I will change both permissions back to avoid disastrous _FOLDER changes.

Thoughts?
W

#13 wurseley, Member (Full Member, 9 posts)

Posted 23 June 2004 - 01:54 PM

Well, I am still hijacked. Here is my HiJackThis! log after trying the AdAware-in-safe-mode fix.

Logfile of HijackThis v1.97.7
Scan saved at 2:51:18 PM, on 6/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\TABLET.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLDET.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\APION.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\WACOM\TABUSERW.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lfpiu.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...&c=2C01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presar...&c=2C01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lfpiu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lfpiu.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.direcwaysupport.com;192.168.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Netscape\Communicator\Program\NetHelp\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Netscape\Communicator\Program\NetHelp\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {BC234570-5592-DEEC-F787-4BF76F57427B} - (no file)
O2 - BHO: (no name) - {A65F11A0-3D1B-37FD-F86D-9AB8607151F1} - (no file)
O2 - BHO: (no name) - {122E729E-BD50-EAC0-DD49-BAA0B1D3482E} - (no file)
O2 - BHO: (no name) - {7146CBCE-BA52-8263-EE95-BC1B11EE8EAA} - (no file)
O2 - BHO: (no name) - {9BEDA47D-F76A-8794-9E1F-E4E0C452C0B6} - (no file)
O2 - BHO: (no name) - {6F6ED08C-65F0-6F3F-300B-AB13DA5E5DBF} - (no file)
O2 - BHO: (no name) - {843E1C14-A121-3D1F-8C45-751737E6A4F6} - (no file)
O2 - BHO: (no name) - {373CB088-CD8E-ECE1-5365-6072D85116A3} - (no file)
O2 - BHO: (no name) - {D3F6EC5D-83BA-FBCD-1424-2CB23092B7EA} - (no file)
O2 - BHO: (no name) - {B4A69B56-22D9-8447-25A2-7C18F175DBE9} - (no file)
O2 - BHO: (no name) - {6824FA3C-0320-4E20-EB91-ADC744D5119E} - (no file)
O2 - BHO: (no name) - {B4D3EDEC-4A78-9601-3C16-8BDA7652758F} - (no file)
O2 - BHO: (no name) - {55E7FCAD-77C1-35FF-8206-D7405C6CDFAB} - (no file)
O2 - BHO: (no name) - {97AB2DB6-2797-5E66-F69B-1C10B62342C2} - (no file)
O2 - BHO: (no name) - {C0DD9C88-5180-DCDE-8CC6-77C388044BD5} - (no file)
O2 - BHO: (no name) - {FF44CFF2-75F6-EC14-97CF-F61DFA427C09} - (no file)
O2 - BHO: (no name) - {341BB010-C2FC-0291-0C0B-03CA46CB74BD} - (no file)
O2 - BHO: (no name) - {E2B62B52-F19C-7DFB-0CAF-0AA0AF9FF61D} - (no file)
O2 - BHO: (no name) - {081758B8-1464-68B8-A672-5A257F23165E} - (no file)
O2 - BHO: (no name) - {26338A5E-80E5-E408-46ED-DCAEF1B152A9} - (no file)
O2 - BHO: (no name) - {49119A96-764B-1BED-15F2-D8DBBFBFBDDA} - (no file)
O2 - BHO: (no name) - {21E4D24D-BFDF-C114-094D-146BCC336764} - (no file)
O2 - BHO: (no name) - {02CFD1C2-140E-D24C-8F22-57E2D3199FBF} - (no file)
O2 - BHO: (no name) - {0B908CAD-3C8E-F8BB-BABB-D566F522D77D} - (no file)
O2 - BHO: (no name) - {A5B4A447-4CB8-30FC-F0B1-B1A30FD52B49} - (no file)
O2 - BHO: (no name) - {14760E42-77B3-8D32-FDD1-817072E4343D} - (no file)
O2 - BHO: (no name) - {F5E5E867-AC70-611C-0028-4861F4856A5C} - (no file)
O2 - BHO: (no name) - {128A9AC6-0956-F765-EFFA-04E4541172B8} - (no file)
O2 - BHO: (no name) - {2AA45655-34EB-71DE-6D6B-7FC5B883236D} - (no file)
O2 - BHO: (no name) - {6A6BA3A3-D4A2-627C-24E0-6F8ECFEC20AE} - (no file)
O2 - BHO: (no name) - {875F1A21-2AA4-19B4-4058-6257280E5874} - (no file)
O2 - BHO: (no name) - {D54341CA-64A2-C5C5-1517-213DBD86FA69} - (no file)
O2 - BHO: (no name) - {2F5D99FB-9063-BAAC-95E7-FEC0C3AF7BAB} - (no file)
O2 - BHO: (no name) - {388C2E34-686F-EB26-27A8-3DED78707177} - (no file)
O2 - BHO: (no name) - {CC22FEF2-3F13-D4D7-35C2-C66D30943149} - (no file)
O2 - BHO: (no name) - {49D79343-8AF0-E18F-1F68-3EBABD9EFC8E} - (no file)
O2 - BHO: (no name) - {B8758CB9-31CB-EDCD-9E5A-307A8A0E5851} - (no file)
O2 - BHO: (no name) - {F51732EE-1445-46BB-3740-655F49B0F738} - (no file)
O2 - BHO: (no name) - {E72064A2-FA8F-45FD-0CE7-0DCC151E7D85} - (no file)
O2 - BHO: (no name) - {A506E929-19D9-0C2F-5674-118C99313E95} - (no file)
O2 - BHO: (no name) - {DA607F98-7426-F515-81BC-B6FAA2D7AE86} - (no file)
O2 - BHO: (no name) - {E0DA5911-5137-7600-E631-98A3D1D307DB} - (no file)
O2 - BHO: (no name) - {95B83708-AF7B-115D-C460-ABCDB06515B5} - (no file)
O2 - BHO: (no name) - {41F3CA6F-89B1-AA39-EC13-EFBD507CB60F} - (no file)
O2 - BHO: (no name) - {0630C0D7-57B1-963E-4223-CA91BA95671D} - (no file)
O2 - BHO: (no name) - {00AD3519-3F00-5087-FF3D-ADBC964ABCAE} - (no file)
O2 - BHO: (no name) - {2A992854-C120-2344-3A53-938F60435FED} - (no file)
O2 - BHO: (no name) - {49908763-5962-9342-6324-D8165D757093} - (no file)
O2 - BHO: (no name) - {5AAF4606-ABB7-C880-6EAD-04A6D630C2E3} - (no file)
O2 - BHO: (no name) - {175D11C9-CFFB-0532-BABB-0A803A22C910} - (no file)
O2 - BHO: (no name) - {BDA708A5-8020-F30C-6759-546F47B30DFD} - C:\WINDOWS\appkl.dll (disabled by BHODemon)
O2 - BHO: (no name) - {77FBEC09-E61C-7034-1BB4-9F8EBB286BCA} - (no file)
O2 - BHO: (no name) - {FB2E5DAA-920A-ADEA-81BC-240312276F45} - (no file)
O2 - BHO: (no name) - {FBD6353C-D46D-064E-0DB4-A986D34AD0CE} - (no file)
O2 - BHO: (no name) - {44D6E07C-653A-2AAB-E15E-C8A8D058A69A} - (no file)
O2 - BHO: (no name) - {24EC266E-58F6-C76B-ECDF-18E86769E35F} - (no file)
O2 - BHO: (no name) - {058680EF-4C0E-9D88-7204-989DB27DFD59} - (no file)
O2 - BHO: (no name) - {D0FF75CF-3DCA-1897-9F9B-90441F0B23DB} - (no file)
O2 - BHO: (no name) - {DF96D0FB-1AF3-992F-8D49-D31C8A233AEB} - (no file)
O2 - BHO: (no name) - {2FD7B633-A927-FA82-4276-954F455935FD} - (no file)
O2 - BHO: (no name) - {0B5FA233-21D3-D511-CADA-148239911966} - C:\WINDOWS\APPIV32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {24A8D284-235D-7942-16BA-7FE144D795A2} - C:\WINDOWS\SYSTEM\MFCGE.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [APION.EXE] C:\WINDOWS\SYSTEM\APION.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
O4 - HKLM\..\RunServices: [CRWM32.EXE] C:\WINDOWS\CRWM32.EXE
O4 - HKLM\..\RunServices: [ADDOS.EXE] C:\WINDOWS\ADDOS.EXE
O4 - HKLM\..\RunServices: [CRSD32.EXE] C:\WINDOWS\SYSTEM\CRSD32.EXE
O4 - HKLM\..\RunServices: [ATLVL32.EXE] C:\WINDOWS\ATLVL32.EXE
O4 - HKLM\..\RunServices: [D3FU32.EXE] C:\WINDOWS\D3FU32.EXE
O4 - HKLM\..\RunServices: [ATLXZ32.EXE] C:\WINDOWS\ATLXZ32.EXE
O4 - HKLM\..\RunServices: [NTEQ32.EXE] C:\WINDOWS\NTEQ32.EXE
O4 - HKLM\..\RunServices: [D3WJ32.EXE] C:\WINDOWS\SYSTEM\D3WJ32.EXE
O4 - HKLM\..\RunServices: [WINXD32.EXE] C:\WINDOWS\WINXD32.EXE
O4 - HKLM\..\RunServices: [SDKIT.EXE] C:\WINDOWS\SYSTEM\SDKIT.EXE
O4 - HKLM\..\RunServices: [MSKY.EXE] C:\WINDOWS\MSKY.EXE
O4 - HKLM\..\RunServices: [MFCGN32.EXE] C:\WINDOWS\SYSTEM\MFCGN32.EXE
O4 - HKLM\..\RunServices: [NTRB32.EXE] C:\WINDOWS\SYSTEM\NTRB32.EXE
O4 - HKLM\..\RunServices: [WINDH32.EXE] C:\WINDOWS\WINDH32.EXE
O4 - HKLM\..\RunServices: [NTCT.EXE] C:\WINDOWS\SYSTEM\NTCT.EXE
O4 - HKLM\..\RunServices: [ADDNY.EXE] C:\WINDOWS\ADDNY.EXE
O4 - HKLM\..\RunServices: [APIKO32.EXE] C:\WINDOWS\APIKO32.EXE
O4 - HKLM\..\RunServices: [MSQZ32.EXE] C:\WINDOWS\MSQZ32.EXE
O4 - HKLM\..\RunServices: [MSVN.EXE] C:\WINDOWS\MSVN.EXE
O4 - HKLM\..\RunServices: [IEPE.EXE] C:\WINDOWS\SYSTEM\IEPE.EXE
O4 - HKLM\..\RunServices: [IPDE32.EXE] C:\WINDOWS\IPDE32.EXE
O4 - HKLM\..\RunServices: [WINCY.EXE] C:\WINDOWS\WINCY.EXE
O4 - HKLM\..\RunServices: [NETGS32.EXE] C:\WINDOWS\SYSTEM\NETGS32.EXE
O4 - HKLM\..\RunServices: [NTXA32.EXE] C:\WINDOWS\SYSTEM\NTXA32.EXE
O4 - HKLM\..\RunServices: [SYSHW32.EXE] C:\WINDOWS\SYSTEM\SYSHW32.EXE
O4 - HKLM\..\RunServices: [SDKYW.EXE] C:\WINDOWS\SYSTEM\SDKYW.EXE
O4 - HKLM\..\RunServices: [MFCCH.EXE] C:\WINDOWS\MFCCH.EXE
O4 - HKLM\..\RunServices: [SYSAY.EXE] C:\WINDOWS\SYSAY.EXE
O4 - HKLM\..\RunServices: [IEXR.EXE] C:\WINDOWS\SYSTEM\IEXR.EXE
O4 - HKLM\..\RunServices: [SYSSY32.EXE] C:\WINDOWS\SYSSY32.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINSM32.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sprintsite.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://web14.compaq....co/SysQuery.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw14fd.law14....ex/HMAtchmt.ocx
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://141.153.11.11...sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7567.2411458333
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

#14 BCGovtMartyr

BCGovtMartyr

    Bug Hunter

  • Full Member
  • 29 posts

Posted 23 June 2004 - 02:39 PM

wurseley,
If you could, would you post a list of the files, including the full path, that Ad-Aware will not remove, to assist Archon? He is going to have to assist you with this one, since I am not as familiar with Netscape as he is.
I apologize for any delays; these guys are really inundated with requests for help, and the most experienced of them are in the biggest demand. Your patience is appreciated.
Bug Fighting Tools
Ad-Aware ~ HijackThis ~ CWShredder ~ Spybot

Other pesticides
Registrar Lite ~ Winfile

Help this site keep helping you
Please donate here

#15 wurseley

wurseley

    Member

  • Full Member
  • 9 posts

Posted 23 June 2004 - 05:01 PM

BCGovtMartyr,

Sorry, I probably wasn't clear enough in my explanation. Ad-Aware is now removing all files (because I have unlocked _FOLDERS, I think).

Also, I am NOT using Netscape at all (it's not installed on my machine), so your reference to it confuses me.

So the HJT file listed above is the current state of the machine.

W

#16 Archon_Wing

Archon_Wing

    Donut Patron

  • Trusted Advisor
  • 368 posts

Posted 23 June 2004 - 05:26 PM

Please follow these instructions exactly:


Please download this tool called about:buster by Rubbyducky from

http://tools.zerosre...AboutBuster.zip or
http://www.downloads...AboutBuster.zip

Unzip it to your desktop.

You will want to print this out or copy the text somewhere because you will need to close all Internet Explorer Windows.

Now start HijackThis and tick the boxes next to these items:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {BC234570-5592-DEEC-F787-4BF76F57427B} - (no file)
O2 - BHO: (no name) - {A65F11A0-3D1B-37FD-F86D-9AB8607151F1} - (no file)
O2 - BHO: (no name) - {122E729E-BD50-EAC0-DD49-BAA0B1D3482E} - (no file)
O2 - BHO: (no name) - {7146CBCE-BA52-8263-EE95-BC1B11EE8EAA} - (no file)
O2 - BHO: (no name) - {9BEDA47D-F76A-8794-9E1F-E4E0C452C0B6} - (no file)
O2 - BHO: (no name) - {6F6ED08C-65F0-6F3F-300B-AB13DA5E5DBF} - (no file)
O2 - BHO: (no name) - {843E1C14-A121-3D1F-8C45-751737E6A4F6} - (no file)
O2 - BHO: (no name) - {373CB088-CD8E-ECE1-5365-6072D85116A3} - (no file)
O2 - BHO: (no name) - {D3F6EC5D-83BA-FBCD-1424-2CB23092B7EA} - (no file)
O2 - BHO: (no name) - {B4A69B56-22D9-8447-25A2-7C18F175DBE9} - (no file)
O2 - BHO: (no name) - {6824FA3C-0320-4E20-EB91-ADC744D5119E} - (no file)
O2 - BHO: (no name) - {B4D3EDEC-4A78-9601-3C16-8BDA7652758F} - (no file)
O2 - BHO: (no name) - {55E7FCAD-77C1-35FF-8206-D7405C6CDFAB} - (no file)
O2 - BHO: (no name) - {97AB2DB6-2797-5E66-F69B-1C10B62342C2} - (no file)
O2 - BHO: (no name) - {C0DD9C88-5180-DCDE-8CC6-77C388044BD5} - (no file)
O2 - BHO: (no name) - {FF44CFF2-75F6-EC14-97CF-F61DFA427C09} - (no file)
O2 - BHO: (no name) - {341BB010-C2FC-0291-0C0B-03CA46CB74BD} - (no file)
O2 - BHO: (no name) - {E2B62B52-F19C-7DFB-0CAF-0AA0AF9FF61D} - (no file)
O2 - BHO: (no name) - {081758B8-1464-68B8-A672-5A257F23165E} - (no file)
O2 - BHO: (no name) - {26338A5E-80E5-E408-46ED-DCAEF1B152A9} - (no file)
O2 - BHO: (no name) - {49119A96-764B-1BED-15F2-D8DBBFBFBDDA} - (no file)
O2 - BHO: (no name) - {21E4D24D-BFDF-C114-094D-146BCC336764} - (no file)
O2 - BHO: (no name) - {02CFD1C2-140E-D24C-8F22-57E2D3199FBF} - (no file)
O2 - BHO: (no name) - {0B908CAD-3C8E-F8BB-BABB-D566F522D77D} - (no file)
O2 - BHO: (no name) - {A5B4A447-4CB8-30FC-F0B1-B1A30FD52B49} - (no file)
O2 - BHO: (no name) - {14760E42-77B3-8D32-FDD1-817072E4343D} - (no file)
O2 - BHO: (no name) - {F5E5E867-AC70-611C-0028-4861F4856A5C} - (no file)
O2 - BHO: (no name) - {128A9AC6-0956-F765-EFFA-04E4541172B8} - (no file)
O2 - BHO: (no name) - {2AA45655-34EB-71DE-6D6B-7FC5B883236D} - (no file)
O2 - BHO: (no name) - {6A6BA3A3-D4A2-627C-24E0-6F8ECFEC20AE} - (no file)
O2 - BHO: (no name) - {875F1A21-2AA4-19B4-4058-6257280E5874} - (no file)
O2 - BHO: (no name) - {D54341CA-64A2-C5C5-1517-213DBD86FA69} - (no file)
O2 - BHO: (no name) - {2F5D99FB-9063-BAAC-95E7-FEC0C3AF7BAB} - (no file)
O2 - BHO: (no name) - {388C2E34-686F-EB26-27A8-3DED78707177} - (no file)
O2 - BHO: (no name) - {CC22FEF2-3F13-D4D7-35C2-C66D30943149} - (no file)
O2 - BHO: (no name) - {49D79343-8AF0-E18F-1F68-3EBABD9EFC8E} - (no file)
O2 - BHO: (no name) - {B8758CB9-31CB-EDCD-9E5A-307A8A0E5851} - (no file)
O2 - BHO: (no name) - {F51732EE-1445-46BB-3740-655F49B0F738} - (no file)
O2 - BHO: (no name) - {E72064A2-FA8F-45FD-0CE7-0DCC151E7D85} - (no file)
O2 - BHO: (no name) - {A506E929-19D9-0C2F-5674-118C99313E95} - (no file)
O2 - BHO: (no name) - {DA607F98-7426-F515-81BC-B6FAA2D7AE86} - (no file)
O2 - BHO: (no name) - {E0DA5911-5137-7600-E631-98A3D1D307DB} - (no file)
O2 - BHO: (no name) - {95B83708-AF7B-115D-C460-ABCDB06515B5} - (no file)
O2 - BHO: (no name) - {41F3CA6F-89B1-AA39-EC13-EFBD507CB60F} - (no file)
O2 - BHO: (no name) - {0630C0D7-57B1-963E-4223-CA91BA95671D} - (no file)
O2 - BHO: (no name) - {00AD3519-3F00-5087-FF3D-ADBC964ABCAE} - (no file)
O2 - BHO: (no name) - {2A992854-C120-2344-3A53-938F60435FED} - (no file)
O2 - BHO: (no name) - {49908763-5962-9342-6324-D8165D757093} - (no file)
O2 - BHO: (no name) - {5AAF4606-ABB7-C880-6EAD-04A6D630C2E3} - (no file)
O2 - BHO: (no name) - {175D11C9-CFFB-0532-BABB-0A803A22C910} - (no file)
O2 - BHO: (no name) - {BDA708A5-8020-F30C-6759-546F47B30DFD} - C:\WINDOWS\appkl.dll (disabled by BHODemon)
O2 - BHO: (no name) - {77FBEC09-E61C-7034-1BB4-9F8EBB286BCA} - (no file)
O2 - BHO: (no name) - {FB2E5DAA-920A-ADEA-81BC-240312276F45} - (no file)
O2 - BHO: (no name) - {FBD6353C-D46D-064E-0DB4-A986D34AD0CE} - (no file)
O2 - BHO: (no name) - {44D6E07C-653A-2AAB-E15E-C8A8D058A69A} - (no file)
O2 - BHO: (no name) - {24EC266E-58F6-C76B-ECDF-18E86769E35F} - (no file)
O2 - BHO: (no name) - {058680EF-4C0E-9D88-7204-989DB27DFD59} - (no file)
O2 - BHO: (no name) - {D0FF75CF-3DCA-1897-9F9B-90441F0B23DB} - (no file)
O2 - BHO: (no name) - {DF96D0FB-1AF3-992F-8D49-D31C8A233AEB} - (no file)
O2 - BHO: (no name) - {2FD7B633-A927-FA82-4276-954F455935FD} - (no file)
O2 - BHO: (no name) - {0B5FA233-21D3-D511-CADA-148239911966} - C:\WINDOWS\APPIV32.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {24A8D284-235D-7942-16BA-7FE144D795A2} - C:\WINDOWS\SYSTEM\MFCGE.DLL

O4 - HKLM\..\RunServices: [CRWM32.EXE] C:\WINDOWS\CRWM32.EXE
O4 - HKLM\..\RunServices: [ADDOS.EXE] C:\WINDOWS\ADDOS.EXE
O4 - HKLM\..\RunServices: [CRSD32.EXE] C:\WINDOWS\SYSTEM\CRSD32.EXE
O4 - HKLM\..\RunServices: [ATLVL32.EXE] C:\WINDOWS\ATLVL32.EXE
O4 - HKLM\..\RunServices: [D3FU32.EXE] C:\WINDOWS\D3FU32.EXE
O4 - HKLM\..\RunServices: [ATLXZ32.EXE] C:\WINDOWS\ATLXZ32.EXE
O4 - HKLM\..\RunServices: [NTEQ32.EXE] C:\WINDOWS\NTEQ32.EXE
O4 - HKLM\..\RunServices: [D3WJ32.EXE] C:\WINDOWS\SYSTEM\D3WJ32.EXE
O4 - HKLM\..\RunServices: [WINXD32.EXE] C:\WINDOWS\WINXD32.EXE
O4 - HKLM\..\RunServices: [SDKIT.EXE] C:\WINDOWS\SYSTEM\SDKIT.EXE
O4 - HKLM\..\RunServices: [MSKY.EXE] C:\WINDOWS\MSKY.EXE
O4 - HKLM\..\RunServices: [MFCGN32.EXE] C:\WINDOWS\SYSTEM\MFCGN32.EXE
O4 - HKLM\..\RunServices: [NTRB32.EXE] C:\WINDOWS\SYSTEM\NTRB32.EXE
O4 - HKLM\..\RunServices: [WINDH32.EXE] C:\WINDOWS\WINDH32.EXE
O4 - HKLM\..\RunServices: [NTCT.EXE] C:\WINDOWS\SYSTEM\NTCT.EXE
O4 - HKLM\..\RunServices: [ADDNY.EXE] C:\WINDOWS\ADDNY.EXE
O4 - HKLM\..\RunServices: [APIKO32.EXE] C:\WINDOWS\APIKO32.EXE
O4 - HKLM\..\RunServices: [MSQZ32.EXE] C:\WINDOWS\MSQZ32.EXE
O4 - HKLM\..\RunServices: [MSVN.EXE] C:\WINDOWS\MSVN.EXE
O4 - HKLM\..\RunServices: [IEPE.EXE] C:\WINDOWS\SYSTEM\IEPE.EXE
O4 - HKLM\..\RunServices: [IPDE32.EXE] C:\WINDOWS\IPDE32.EXE
O4 - HKLM\..\RunServices: [WINCY.EXE] C:\WINDOWS\WINCY.EXE
O4 - HKLM\..\RunServices: [NETGS32.EXE] C:\WINDOWS\SYSTEM\NETGS32.EXE
O4 - HKLM\..\RunServices: [NTXA32.EXE] C:\WINDOWS\SYSTEM\NTXA32.EXE
O4 - HKLM\..\RunServices: [SYSHW32.EXE] C:\WINDOWS\SYSTEM\SYSHW32.EXE
O4 - HKLM\..\RunServices: [SDKYW.EXE] C:\WINDOWS\SYSTEM\SDKYW.EXE
O4 - HKLM\..\RunServices: [MFCCH.EXE] C:\WINDOWS\MFCCH.EXE
O4 - HKLM\..\RunServices: [SYSAY.EXE] C:\WINDOWS\SYSAY.EXE
O4 - HKLM\..\RunServices: [IEXR.EXE] C:\WINDOWS\SYSTEM\IEXR.EXE
O4 - HKLM\..\RunServices: [SYSSY32.EXE] C:\WINDOWS\SYSSY32.EXE

Do not open Internet Explorer to come back here until after running the AboutBuster tool.

Start about:buster and hit start. In the first white box input this - starting with
res://C:\WINDOWS\lfpiu.dll/sp.html#96676

Now hit ok.

Then start up HijackThis and tick the box next to the random O2 (dll) if still present.

Restart your computer and post the report and a new HijackThis log.

Edited by Archon_Wing, 23 June 2004 - 09:22 PM.

Rights are never important until you don't have them.
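As an added example, not code from this thread, from HijackThis or from any tool named above: a small Python triage script that applies the two patterns a helper reads out of the log above, O2 BHO entries that are "(no file)" or unnamed DLLs dropped directly into C:\WINDOWS or C:\WINDOWS\SYSTEM, and O4 RunServices entries named after their own short random executable. The sample log is constructed from lines quoted in this thread plus one legitimate Startup entry, and the file-name shape regex is a heuristic of mine, not a rule from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Line shapes of the HijackThis v1.97 entries quoted in this thread (regexes are
# mine and cover only the O2 and O4 lines a helper ticks).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[(?P<label>[^\]]+)\] )?(?P<rest>.+)$")
# Heuristic name shape from this log: a few letters, optional "32", dropped directly
# into C:\WINDOWS or C:\WINDOWS\SYSTEM. A match is a triage hint, not a verdict.
LOADER_RE = re.compile(r"^C:\\WINDOWS(?:\\SYSTEM)?\\(?P<file>[A-Za-z]{3,6}(?:32)?\.(?:EXE|DLL))$", re.I)

@dataclass
class Finding:
    section: str  # "O2" or "O4"
    ident: str    # CLSID for O2, run-key label for O4
    path: str
    reason: str

def _split_note(rest: str) -> Tuple[str, Optional[str]]:
    # "C:\X\Y.DLL (disabled by BHODemon)" -> ("C:\X\Y.DLL", "disabled by BHODemon")
    m = re.match(r"^(?P<path>.*?)(?: \((?P<note>[^)]*)\))?$", rest)
    return m.group("path"), m.group("note")

def triage(log_text: str) -> List[Finding]:
    """Return the O2/O4 entries a helper would tell the user to tick in HijackThis."""
    findings: List[Finding] = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := O2_RE.match(line):
            path, note = _split_note(m.group("rest"))
            if path.lower() == "(no file)":
                findings.append(Finding("O2", m.group("clsid"), path, "orphaned BHO registration, DLL already gone"))
            elif m.group("name") == "(no name)" and LOADER_RE.match(path):
                why = "unnamed BHO loaded straight from the Windows directory"
                findings.append(Finding("O2", m.group("clsid"), path, f"{why} ({note})" if note else why))
        elif m := O4_RE.match(line):
            label, path = m.group("label"), m.group("rest")
            hit = LOADER_RE.match(path)
            if "RunServices" in m.group("key") and label and hit and label.upper() == hit.group("file").upper():
                findings.append(Finding("O4", label, path, "RunServices entry named after its own random executable"))
    return findings

# Constructed sample: lines quoted in this thread plus one legitimate Startup entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BC234570-5592-DEEC-F787-4BF76F57427B} - (no file)
O2 - BHO: (no name) - {24A8D284-235D-7942-16BA-7FE144D795A2} - C:\WINDOWS\SYSTEM\MFCGE.DLL
O2 - BHO: (no name) - {BDA708A5-8020-F30C-6759-546F47B30DFD} - C:\WINDOWS\appkl.dll (disabled by BHODemon)
O4 - HKLM\..\RunServices: [CRWM32.EXE] C:\WINDOWS\CRWM32.EXE
O4 - HKLM\..\RunServices: [SDKIT.EXE] C:\WINDOWS\SYSTEM\SDKIT.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
"""
```

Running `triage(SAMPLE_LOG)` flags the five CWS-style entries and leaves the Acrobat Startup line alone; anything it flags still deserves a look at the file itself before it is removed.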
