07-12-2005, 09:33 PM   #6
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Looks so much cleaner. We're getting close to home. The log done by the updated HJT has shown a new entry.

Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
  • Uncheck Automatically restore default without notification

~~~~~~~~~~~~~~

Remove a Malware Service
  1. Click Start>Run - type services.msc.
  2. Locate the Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) service and double-click on it to open the Properties dialog.
  3. Click the Stop button.
  4. In the Startup type dropdown select Disabled.
  5. Click the Apply button and then the Ok button.
  6. Close the Services window
  7. Then start HiJackThis & go to Config>Misc.Tools...>Delete an NT service...
    In the popup box that appears, type in " 11Fßä#·ºÄÖ`I" (without the quotes) & click the OK button.

~~~~~~~~~~~~~~

Start HiJackThis & go to Config>Misc Tools>Open process manager
Select the following and click [Kill process] one at a time. Some entries may no longer exist.
C:\WINDOWS\iegn32.exe
~~~~~~~~~~~~~~

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {710D83F2-D312-9683-955D-E46F3DC64541} - C:\WINDOWS\ipyk32.dll
O2 - BHO: Class - {A512FB1C-927A-CC1E-86A8-0057B192600A} - C:\WINDOWS\msde.dll
O2 - BHO: Class - {C9AAF6C6-1AF0-F61B-55AB-4198770AA549} - C:\WINDOWS\system32\ipwa.dll
O2 - BHO: Class - {DA692D53-0117-E647-4FC9-E8D29D3E7D5F} - C:\WINDOWS\system32\ntog32.dll
O2 - BHO: Class - {E2CF3F20-7B47-7FDF-0B4B-317598789569} - C:\WINDOWS\system32\appnn.dll
O2 - BHO: Class - {F00ADCBD-1759-E8D3-3EB9-1B8318EAC367} - C:\WINDOWS\mssh32.dll
O4 - HKLM\..\Run: [ntal32.exe] C:\WINDOWS\system32\ntal32.exe
O4 - HKLM\..\Run: [iegn32.exe] C:\WINDOWS\iegn32.exe
O4 - HKLM\..\RunOnce: [addok32.exe] C:\WINDOWS\system32\addok32.exe
O4 - HKLM\..\RunOnce: [mfcso32.exe] C:\WINDOWS\mfcso32.exe
O4 - HKLM\..\RunOnce: [sysgi.exe] C:\WINDOWS\sysgi.exe
O4 - HKLM\..\RunOnce: [ntml.exe] C:\WINDOWS\ntml.exe
O4 - HKLM\..\RunOnce: [apinx.exe] C:\WINDOWS\apinx.exe
O4 - HKLM\..\RunOnce: [wingp32.exe] C:\WINDOWS\system32\wingp32.exe
O4 - HKLM\..\RunOnce: [atlls.exe] C:\WINDOWS\atlls.exe
O4 - HKLM\..\RunOnce: [apiop32.exe] C:\WINDOWS\system32\apiop32.exe
O4 - HKLM\..\RunOnce: [netpc32.exe] C:\WINDOWS\system32\netpc32.exe
O4 - HKLM\..\RunOnce: [appfq32.exe] C:\WINDOWS\appfq32.exe
O4 - HKLM\..\RunOnce: [ipju32.exe] C:\WINDOWS\system32\ipju32.exe
O4 - HKLM\..\RunOnce: [ipaq.exe] C:\WINDOWS\system32\ipaq.exe
O4 - HKLM\..\RunOnce: [d3qv.exe] C:\WINDOWS\d3qv.exe
O4 - HKLM\..\RunOnce: [crzb.exe] C:\WINDOWS\system32\crzb.exe
O4 - HKLM\..\RunOnce: [winel.exe] C:\WINDOWS\winel.exe
O4 - HKLM\..\RunOnce: [mfcxk.exe] C:\WINDOWS\system32\mfcxk.exe
O4 - HKLM\..\RunOnce: [msde.exe] C:\WINDOWS\msde.exe
O4 - HKLM\..\RunOnce: [mfcuk32.exe] C:\WINDOWS\mfcuk32.exe
O4 - HKLM\..\RunOnce: [javajh.exe] C:\WINDOWS\system32\javajh.exe
O4 - HKLM\..\RunOnce: [javanh32.exe] C:\WINDOWS\system32\javanh32.exe
O4 - HKLM\..\RunOnce: [netde.exe] C:\WINDOWS\netde.exe
O4 - HKLM\..\RunOnce: [addca32.exe] C:\WINDOWS\addca32.exe
O4 - HKLM\..\RunOnce: [sdkfr.exe] C:\WINDOWS\sdkfr.exe
O4 - HKLM\..\RunOnce: [d3jv32.exe] C:\WINDOWS\system32\d3jv32.exe
O4 - HKLM\..\RunOnce: [atlnf32.exe] C:\WINDOWS\system32\atlnf32.exe
O4 - HKLM\..\RunOnce: [netdm.exe] C:\WINDOWS\system32\netdm.exe
O4 - HKLM\..\RunOnce: [d3bh32.exe] C:\WINDOWS\d3bh32.exe
O4 - HKLM\..\RunOnce: [winxl32.exe] C:\WINDOWS\winxl32.exe
O4 - HKLM\..\RunOnce: [addqq32.exe] C:\WINDOWS\system32\addqq32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addok32.exe" /s (file missing)
~~~~~~~~~~~~~~

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
C:\WINDOWS\ipyk32.dll
C:\WINDOWS\msde.dll
C:\WINDOWS\system32\ipwa.dll
C:\WINDOWS\system32\ntog32.dll
C:\WINDOWS\system32\appnn.dll
C:\WINDOWS\mssh32.dll
C:\WINDOWS\system32\ntal32.exe
C:\WINDOWS\iegn32.exe
C:\WINDOWS\system32\addok32.exe
C:\WINDOWS\mfcso32.exe
C:\WINDOWS\sysgi.exe
C:\WINDOWS\ntml.exe
C:\WINDOWS\apinx.exe
C:\WINDOWS\system32\wingp32.exe
C:\WINDOWS\atlls.exe
C:\WINDOWS\system32\apiop32.exe
C:\WINDOWS\system32\netpc32.exe
C:\WINDOWS\appfq32.exe
C:\WINDOWS\system32\ipju32.exe
C:\WINDOWS\system32\ipaq.exe
C:\WINDOWS\d3qv.exe
C:\WINDOWS\system32\crzb.exe
C:\WINDOWS\winel.exe
C:\WINDOWS\system32\mfcxk.exe
C:\WINDOWS\msde.exe
C:\WINDOWS\mfcuk32.exe
C:\WINDOWS\system32\javajh.exe
C:\WINDOWS\system32\javanh32.exe
C:\WINDOWS\netde.exe
C:\WINDOWS\addca32.exe
C:\WINDOWS\sdkfr.exe
C:\WINDOWS\system32\d3jv32.exe
C:\WINDOWS\system32\atlnf32.exe
C:\WINDOWS\system32\netdm.exe
C:\WINDOWS\d3bh32.exe
C:\WINDOWS\winxl32.exe
C:\WINDOWS\system32\addqq32.exe
C:\WINDOWS\system32\addok32.exe
Start KillBox.
  1. Go to the File menu, and choose Paste from Clipboard.
    Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there. Do not be alarmed if several of these entries do not appear. Let me know which one appeared.
  2. Select/tick the following:
    * Delete on Reboot
    * End Explorer Shell While Killing File
    * "Unregister .dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click [Yes] at the 'Delete on Reboot' prompt.
  5. Click [Yes] at the Pending Operations prompt.

~~~~~~~~~~~~~~

Upon reboot, post a fresh HJT log.
Last edited by sUBs; 07-12-2005 at 09:35 PM.
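The four manual steps in the post (stop and delete the service, fix the O2/O4/O23 entries, paste the file list into KillBox) are all derived mechanically from the HJT log lines. As an added example that is not part of HijackThis, KillBox or the post above, the script below parses those three line formats and produces the same removal plan: the de-duplicated file list, the autorun registry values to delete, the BHO CLSIDs, and the service to stop, disable and delete. `SAMPLE_LOG` is constructed from a handful of entries quoted in the post; `Plan`, `Service`, `parse_hjt` and `service_commands` are names chosen for this example.

```python
"""Turn HijackThis (HJT) log lines into a removal plan.

Added example for this thread; it is not part of HijackThis, KillBox or the
original post.  It parses the O2 (BHO), O4 (Run/RunOnce) and O23 (service)
line formats and collects the files, registry values, CLSIDs and services that
the manual steps act on.  SAMPLE_LOG is constructed from entries quoted in the
post; Plan, Service, parse_hjt and service_commands are names chosen here.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {710D83F2-D312-9683-955D-E46F3DC64541} - C:\\WINDOWS\\ipyk32.dll
O2 - BHO: Class - {C9AAF6C6-1AF0-F61B-55AB-4198770AA549} - C:\\WINDOWS\\system32\\ipwa.dll
O4 - HKLM\\..\\Run: [iegn32.exe] C:\\WINDOWS\\iegn32.exe
O4 - HKLM\\..\\RunOnce: [addok32.exe] C:\\WINDOWS\\system32\\addok32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\\WINDOWS\\system32\\addok32.exe" /s (file missing)
"""

# HJT abbreviates the autorun keys ("HKLM\..\Run"); expand them to the real paths.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = "{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\{key}"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<cmd>.+)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<names>.+?) - (?P<owner>.+?) - (?P<cmd>.+?)(?P<missing> \(file missing\))?$")
# O23 prints "DisplayName (ServiceKeyName)"; the parenthesis is omitted when both are equal.
SVC_NAME_RE = re.compile(r"^(?P<display>.*?)\s*\((?P<short>[^()]*)\)$")
# First file path in a command line, tolerating quotes and trailing arguments
# (the O23 line above carries a stray quote and a "/s" switch).
IMAGE_RE = re.compile(r'^"?(?P<path>[A-Z]:\\.*?\.(?:exe|dll|sys|com))"?(?:\s.*)?$', re.I)


@dataclass
class Service:
    name: str          # key under HKLM\SYSTEM\CurrentControlSet\Services, kept verbatim
    display: str       # (a leading space, as here, may really be part of the key name)
    image: str
    file_missing: bool


@dataclass
class Plan:
    files: list = field(default_factory=list)       # ordered, de-duplicated (KillBox list)
    run_values: list = field(default_factory=list)  # (registry key, value name) to delete
    bho_clsids: list = field(default_factory=list)  # CLSIDs to unregister
    services: list = field(default_factory=list)    # Service objects to stop/disable/delete
    unhandled: list = field(default_factory=list)   # lines this parser does not map (R3 ...)

    def add_file(self, cmd: str) -> None:
        m = IMAGE_RE.match(cmd.strip())
        if m and m.group("path").lower() not in (f.lower() for f in self.files):
            self.files.append(m.group("path"))


def parse_hjt(text: str) -> Plan:
    plan = Plan()
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if m := O2_RE.match(line):
            plan.bho_clsids.append(m.group("clsid").upper())
            plan.add_file(m.group("cmd"))
        elif m := O4_RE.match(line):
            key = RUN_KEY.format(hive=HIVES[m.group("hive")], key=m.group("key"))
            plan.run_values.append((key, m.group("value")))
            plan.add_file(m.group("cmd"))
        elif m := O23_RE.match(line):
            n = SVC_NAME_RE.match(m.group("names"))
            display, short = (n.group("display"), n.group("short")) if n else (m.group("names"),) * 2
            img = IMAGE_RE.match(m.group("cmd"))
            plan.services.append(Service(short, display, img.group("path") if img else "", bool(m.group("missing"))))
            plan.add_file(m.group("cmd"))   # "(file missing)" now, but it may be re-dropped later
        else:
            plan.unhandled.append(line)
    return plan


def service_commands(plan: Plan) -> list:
    """The services.msc steps in the post as sc.exe commands: stop, disable, delete."""
    cmds = []
    for s in plan.services:
        cmds += [f'sc stop "{s.name}"', f'sc config "{s.name}" start= disabled', f'sc delete "{s.name}"']
    return cmds


if __name__ == "__main__":
    p = parse_hjt(SAMPLE_LOG)
    print("KillBox paste list:\n" + "\n".join(p.files))
    for key, value in p.run_values:
        print(f'reg delete "{key}" /v "{value}" /f')
    print("\n".join(service_commands(p)))
```

Two details worth noticing: addok32.exe appears in both an O4 RunOnce entry and the O23 service line, and the file list de-duplicates it case-insensitively, which is why the post's KillBox list carries it only once; and the service key name is kept exactly as HJT printed it, leading space included, matching the post's instruction to type it inside the quotes. The parser only maps the line types the post acts on, so anything else (the R3 line here) is reported as unhandled rather than silently dropped.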