Looks like we opened Pandora's Box & all the worms came crawling out.
First thing on the agenda (something which I failed to notice earlier)
You are currently running an outdated version of HiJackThis. Please click on the link below to download the most current version:
Delete your current HiJackThis.exe file and double-click on the file you just downloaded and then click on the Unzip button to install the newer version. It will be installed to the C:\Program Files\HiJackThis\ directory by default. I would require your next HJT log to be from this newer version.
~~~~~~~~~~~~~~
Please download these additional files/programs :- (Do not run them unless instructed to do so)
Unplug your computer from the Internet when you have finished downloading
CWShredder - Save on Desktop. Run CWShredder & click on the [Check for update] button. Exit the program after it has updated itself.
SpSeHjfix - Save to a new folder on desktop
~~~~~~~~~~~~~~
Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
Start KillBox.
- Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
- Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* "Unregister .dll Before Deleting" if it's not grayed out.
- Click the RED X button.
- Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
~~~~~~~~~~~~~~
Reboot to SafeMode
- Shut Windows down, and then turn off the computer.
- Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
- As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the [Windows Advanced Options] menu appears.
- Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
~~~~~~~~~~~~~~
Run a scan with HiJackThis, select (tick) the following & click [Fix checked]:
~~~~~~~~~~~~~~
Enable the viewing of Hidden files
- Open Windows Explorer
- Go to Tools>Folder Options>View tab.
- Enable the option for "Show hidden files and folders"
- Disable the option for "Hide file extensions for known types"
- Disable the option for "Hide protected operating system files"
- Click "Yes" to confirm & then click "OK"
Locate and delete the following folder(s), if present:
- C:\WINDOWS\180solutions
- C:\Documents and Settings\jthomps\Favorites\Sites about\
Locate and delete the following file(s), if present:
- C:\WINDOWS\Downloaded Program Files\SbCIe???.???
~~~~~~~~~~~~~~
Run CleanUp! & configure the program as follows:
- Click Options...
- Move the arrow down to Custom CleanUp!
- Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
- Click OK
- Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup
~~~~~~~~~~~~~~
Run SpSeHjfix and click on [Start Disinfection].
If SpSeHjfix finds the "system clean", it will not proceed with the next stage. Otherwise, it may reboot your machine to finish the cleaning process. A log of the fix will be created in the containing folder.
Run CWShredder & click the [Fix] button.
~~~~~~~~~~~~~~
Reboot and download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
- Save it to your desktop.
- Double-click the new icon on your desktop (tmas-web-scan.exe)
- It will say "Loading TrendMicro definitions".
- Once the definitions are loaded, the program will appear to close then re-open.
- Click "Start Scan"
- After it's done scanning, click "Scan Results"
- Make sure all items found have a check next to them, then click "Clean Threats Now".
- Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log". Please double-click that log and copy the entire contents and paste them here.
In your next post, please include fresh copies of:
1. HiJackThis log
2. Antispyware.log
3. SpSeHjfix's log
Please provide details of any problems you encountered whilst performing the above steps.
Update us on how your computer behaves now.
__________________
Question - what have you done for the community today?