Please download these additional files/programs:- (do not run them unless instructed to do so)
Unplug your computer from the Internet when you have finished downloading
TDS-3 - Download & install.
Close it after you have finished installation.
Download this file & overwrite the existing file "radius.td3", located in the folder C:\Program Files\TDS-3\, with it.
About Buster - Unzip to a new folder on Desktop.
Update About Buster & exit the program once that is completed.
Ewido Security Suite - Install &
Update its database but do not run it yet.
cwsserviceremove.zip - Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
Backdoor.Agent.B Removal Tool from Symantec.
- Follow Symantec's instructions for how to run it.
- Be sure to save the log file. I will need to see it later.
- Restart your computer.
~~~~~~~~~~~~~~
Copy all the items below to the clipboard by highlighting them & pressing [CTRL]+[C] on your keyboard.
C:\WINDOWS\msnu32.dll
C:\WINDOWS\ieto32.dll
C:\WINDOWS\system32\msrn32.dll
C:\WINDOWS\system32\apiqa32.dll
C:\WINDOWS\ieij.dll
C:\WINDOWS\iegh.dll
C:\WINDOWS\system32\javafq.dll
C:\WINDOWS\atlou.dll
C:\WINDOWS\mfcco32.dll
C:\WINDOWS\system32\apilk.dll
C:\WINDOWS\winvc.dll
C:\WINDOWS\system32\ntvx.dll
C:\WINDOWS\nthq32.dll
C:\WINDOWS\system32\ntjs32.dll
C:\WINDOWS\sdklb32.dll
C:\WINDOWS\system32\mspd32.dll
C:\WINDOWS\system32\mfceq32.dll
C:\WINDOWS\system32\appaa.dll
C:\WINDOWS\appwp32.dll
C:\WINDOWS\javazw.dll
C:\WINDOWS\system32\iprm.dll
C:\WINDOWS\iptw.dll
C:\WINDOWS\atlqw.dll
C:\WINDOWS\system32\sdknl32.dll
C:\WINDOWS\d3bj.dll
C:\WINDOWS\ntxh.dll
C:\WINDOWS\system32\atlml.dll
C:\WINDOWS\winyn32.dll
C:\WINDOWS\sdkpm32.dll
C:\WINDOWS\system32\appyq32.dll
C:\WINDOWS\system32\sysks.dll
C:\WINDOWS\system32\mfcsf32.dll
C:\WINDOWS\appkj.dll
C:\WINDOWS\winao32.dll
C:\WINDOWS\sysmu.dll
C:\WINDOWS\system32\ieey.dll
C:\WINDOWS\mfcgz32.dll
C:\WINDOWS\system32\msls32.dll
C:\WINDOWS\ipur.exe
C:\WINDOWS\ntol32.exe
C:\WINDOWS\system32\ieqz32.exe
C:\WINDOWS\system32\appxl32.exe
C:\WINDOWS\atlqj.exe
C:\WINDOWS\sdkaf.exe
C:\WINDOWS\system32\appyo.exe
C:\WINDOWS\system32\crmq.exe
C:\WINDOWS\d3gi.exe
C:\WINDOWS\system32\iegn32.exe
C:\WINDOWS\atlqm.exe
C:\WINDOWS\addoh.exe
C:\WINDOWS\system32\d3hx32.exe
C:\WINDOWS\system32\addar.exe
C:\WINDOWS\apinr32.exe
C:\WINDOWS\system32\atlri.exe
C:\WINDOWS\crap32.exe
C:\WINDOWS\ntsn.exe
C:\WINDOWS\ntne.exe
C:\WINDOWS\system32\d3ms32.exe
C:\WINDOWS\system32\d3ee.exe
C:\WINDOWS\ippv32.exe
C:\WINDOWS\msww.exe
C:\WINDOWS\d3mc.exe
C:\WINDOWS\iexy32.exe
C:\WINDOWS\system32\ieuy.exe
C:\WINDOWS\system32\d3st32.exe
C:\WINDOWS\system32\appvi32.exe
C:\WINDOWS\sdkqa32.exe
C:\WINDOWS\system32\crhk.exe
C:\WINDOWS\ipab.exe
C:\WINDOWS\iejh32.exe
C:\WINDOWS\system32\mfcyw.exe
C:\WINDOWS\netyk32.exe
C:\WINDOWS\mfcbl.exe
C:\WINDOWS\system32\winay.exe
C:\WINDOWS\netql.exe
C:\WINDOWS\msyw32.exe
C:\WINDOWS\ntlw32.exe
C:\WINDOWS\system32\cryy.exe
Start KillBox.
- Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
- Select/tick the following:
* Replace on Reboot
* Use Dummy
- Click the RED X button.
- Click [Yes] at the 'Delete on Reboot' prompt.
- Click [Yes] at the Pending Operations prompt.
~~~~~~~~~~~~~~
Reboot to Safe Mode.
Run CWShredder:- Double-click on CWShredder.exe.
- Click "Fix ->" and click "OK" at the prompt.
- CWShredder will scan and clean your system of CWS files.
- Click "Next->" and then "Exit".
Remove the offending service:- Double-click on cwsserviceremove.reg you downloaded earlier.
- When it asks you to merge the information to the registry click "Yes".
~~~~~~~~~~~~~~
Run a scan with HiJackThis, select (tick) the following & click [Fix checked]:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\txvun.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\txvun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\txvun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\txvun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\txvun.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\txvun.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\txvun.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {095933F6-AE92-4230-E373-22A96F9C0C5F} - C:\WINDOWS\msnu32.dll
O2 - BHO: Class - {0B1EC0AC-4B60-2E3C-6008-EA958BCC19DD} - C:\WINDOWS\ieto32.dll
O2 - BHO: Class - {116B5897-9869-1B77-3DC7-646F9CB58D2B} - C:\WINDOWS\system32\msrn32.dll
O2 - BHO: Class - {14763206-F6A7-4D6F-D4D5-2E72E367ABB1} - C:\WINDOWS\system32\apiqa32.dll
O2 - BHO: Class - {33EC6E43-4826-94FA-3A03-B94290B62B85} - C:\WINDOWS\ieij.dll
O2 - BHO: Class - {378AE8EE-0426-C141-F3C8-F6BD25766BFA} - C:\WINDOWS\iegh.dll
O2 - BHO: Class - {4EC161EA-4FC8-150B-C21E-5378B07ABE5D} - C:\WINDOWS\system32\javafq.dll
O2 - BHO: Class - {4F9E4629-7EAF-1FF6-F770-E08CAFC44CC5} - C:\WINDOWS\atlou.dll
O2 - BHO: Class - {544B7F26-ABCC-6632-0DB7-C12341FA8D26} - C:\WINDOWS\mfcco32.dll
O2 - BHO: Class - {5650AA43-7586-D4A3-49D9-D9FB154279D6} - C:\WINDOWS\system32\apilk.dll
O2 - BHO: Class - {56791174-6E86-7AEF-B404-ED9E42ABFF73} - C:\WINDOWS\winvc.dll
O2 - BHO: Class - {64E5E8FA-69A1-48F4-8963-F00907CAAF17} - C:\WINDOWS\system32\ntvx.dll
O2 - BHO: Class - {686EDB70-FD7A-B9A7-77C0-4C7E44057CFF} - C:\WINDOWS\nthq32.dll
O2 - BHO: Class - {72B3B578-A76A-7C0A-70B4-F15E624D8319} - C:\WINDOWS\system32\ntjs32.dll
O2 - BHO: Class - {73C994D2-169A-3A21-18CA-289B70E63DA3} - C:\WINDOWS\sdklb32.dll
O2 - BHO: Class - {77CD9B7C-6604-FD84-83FE-47AE9E1477C2} - C:\WINDOWS\system32\mspd32.dll
O2 - BHO: Class - {793213B8-A74C-2C0F-94D1-DD4AC65FBE45} - C:\WINDOWS\system32\mfceq32.dll
O2 - BHO: Class - {7AEF1698-E8CD-4535-C196-EAEADE211A17} - C:\WINDOWS\system32\appaa.dll
O2 - BHO: Class - {7E895675-8786-0AE8-F4FB-E7CDC57A70B8} - C:\WINDOWS\appwp32.dll
O2 - BHO: Class - {80C01395-9FF4-13F4-EE8C-750CC0B764CF} - C:\WINDOWS\javazw.dll
O2 - BHO: Class - {90706F45-D241-085D-C3F4-2CA0366EF00C} - C:\WINDOWS\system32\iprm.dll
O2 - BHO: Class - {964D3DD2-09FB-6B41-D4A8-3F2010E2B8A5} - C:\WINDOWS\iptw.dll
O2 - BHO: Class - {979130FE-70C0-35E6-DFA3-4D4D55876849} - C:\WINDOWS\atlqw.dll
O2 - BHO: Class - {97C211C9-3E29-A7D3-5DB7-A9B8789A8C69} - C:\WINDOWS\system32\sdknl32.dll
O2 - BHO: Class - {AC8C8EF2-B1DB-E428-AE33-869E38C4F846} - C:\WINDOWS\d3bj.dll
O2 - BHO: Class - {AD057E36-3E90-9C24-A714-A8ADE460FBF9} - C:\WINDOWS\ntxh.dll
O2 - BHO: Class - {B3205B60-1D3F-AADD-01D0-77FF30CC211B} - C:\WINDOWS\system32\atlml.dll
O2 - BHO: Class - {B4CF1A3D-BFA2-5C15-720D-3E33706227F0} - C:\WINDOWS\winyn32.dll
O2 - BHO: Class - {C70A9850-BFBE-FA80-AEBC-F027897A9AC5} - C:\WINDOWS\sdkpm32.dll
O2 - BHO: Class - {C7F1A546-4FA4-2F1E-B74E-2A722FED05AC} - C:\WINDOWS\system32\appyq32.dll
O2 - BHO: Class - {C8B127F3-B154-FA38-4A64-BAAF01543DCD} - C:\WINDOWS\system32\sysks.dll
O2 - BHO: Class - {D34815E7-66F7-C465-A083-5BABECE896F5} - C:\WINDOWS\system32\mfcsf32.dll
O2 - BHO: Class - {D59AC151-F00C-3509-5093-1C3589B36680} - C:\WINDOWS\appkj.dll
O2 - BHO: Class - {E0E5A173-0CF3-BCA9-8543-4B6252CD9DA6} - C:\WINDOWS\winao32.dll
O2 - BHO: Class - {E22C1991-1181-9BEB-C171-E0B7E631A3AF} - C:\WINDOWS\sysmu.dll
O2 - BHO: Class - {E931541A-F610-204D-5340-6A7598B41F6B} - C:\WINDOWS\system32\ieey.dll
O2 - BHO: Class - {EAF521EB-5513-475B-B2B3-4D4B1195A1B0} - C:\WINDOWS\mfcgz32.dll
O2 - BHO: Class - {FC99EFF4-58A4-239B-1E0E-184CC2DCD960} - C:\WINDOWS\system32\msls32.dll
O4 - HKLM\..\Run: [ipur.exe] C:\WINDOWS\ipur.exe
O4 - HKLM\..\Run: [ntol32.exe] C:\WINDOWS\ntol32.exe
O4 - HKLM\..\RunOnce: [ieqz32.exe] C:\WINDOWS\system32\ieqz32.exe
O4 - HKLM\..\RunOnce: [appxl32.exe] C:\WINDOWS\system32\appxl32.exe
O4 - HKLM\..\RunOnce: [atlqj.exe] C:\WINDOWS\atlqj.exe
O4 - HKLM\..\RunOnce: [sdkaf.exe] C:\WINDOWS\sdkaf.exe
O4 - HKLM\..\RunOnce: [appyo.exe] C:\WINDOWS\system32\appyo.exe
O4 - HKLM\..\RunOnce: [crmq.exe] C:\WINDOWS\system32\crmq.exe
O4 - HKLM\..\RunOnce: [d3gi.exe] C:\WINDOWS\d3gi.exe
O4 - HKLM\..\RunOnce: [iegn32.exe] C:\WINDOWS\system32\iegn32.exe
O4 - HKLM\..\RunOnce: [atlqm.exe] C:\WINDOWS\atlqm.exe
O4 - HKLM\..\RunOnce: [addoh.exe] C:\WINDOWS\addoh.exe
O4 - HKLM\..\RunOnce: [d3hx32.exe] C:\WINDOWS\system32\d3hx32.exe
O4 - HKLM\..\RunOnce: [addar.exe] C:\WINDOWS\system32\addar.exe
O4 - HKLM\..\RunOnce: [apinr32.exe] C:\WINDOWS\apinr32.exe
O4 - HKLM\..\RunOnce: [atlri.exe] C:\WINDOWS\system32\atlri.exe
O4 - HKLM\..\RunOnce: [crap32.exe] C:\WINDOWS\crap32.exe
O4 - HKLM\..\RunOnce: [ntsn.exe] C:\WINDOWS\ntsn.exe
O4 - HKLM\..\RunOnce: [ntne.exe] C:\WINDOWS\ntne.exe
O4 - HKLM\..\RunOnce: [d3ms32.exe] C:\WINDOWS\system32\d3ms32.exe
O4 - HKLM\..\RunOnce: [d3ee.exe] C:\WINDOWS\system32\d3ee.exe
O4 - HKLM\..\RunOnce: [ippv32.exe] C:\WINDOWS\ippv32.exe
O4 - HKLM\..\RunOnce: [msww.exe] C:\WINDOWS\msww.exe
O4 - HKLM\..\RunOnce: [d3mc.exe] C:\WINDOWS\d3mc.exe
O4 - HKLM\..\RunOnce: [iexy32.exe] C:\WINDOWS\iexy32.exe
O4 - HKLM\..\RunOnce: [ieuy.exe] C:\WINDOWS\system32\ieuy.exe
O4 - HKLM\..\RunOnce: [d3st32.exe] C:\WINDOWS\system32\d3st32.exe
O4 - HKLM\..\RunOnce: [appvi32.exe] C:\WINDOWS\system32\appvi32.exe
O4 - HKLM\..\RunOnce: [sdkqa32.exe] C:\WINDOWS\sdkqa32.exe
O4 - HKLM\..\RunOnce: [crhk.exe] C:\WINDOWS\system32\crhk.exe
O4 - HKLM\..\RunOnce: [ipab.exe] C:\WINDOWS\ipab.exe
O4 - HKLM\..\RunOnce: [iejh32.exe] C:\WINDOWS\iejh32.exe
O4 - HKLM\..\RunOnce: [mfcyw.exe] C:\WINDOWS\system32\mfcyw.exe
O4 - HKLM\..\RunOnce: [netyk32.exe] C:\WINDOWS\netyk32.exe
O4 - HKLM\..\RunOnce: [mfcbl.exe] C:\WINDOWS\mfcbl.exe
O4 - HKLM\..\RunOnce: [winay.exe] C:\WINDOWS\system32\winay.exe
O4 - HKLM\..\RunOnce: [netql.exe] C:\WINDOWS\netql.exe
O4 - HKLM\..\RunOnce: [msyw32.exe] C:\WINDOWS\msyw32.exe
O4 - HKLM\..\RunOnce: [ntlw32.exe] C:\WINDOWS\ntlw32.exe
O4 - HKLM\..\RunOnce: [cryy.exe] C:\WINDOWS\system32\cryy.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addok32.exe" /s (file missing)
~~~~~~~~~~~~~~
Run CleanUp! & configure the program as follows:
- Click Options...
- Move the arrow down to Custom CleanUp!
- Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Scan local drives for temporary files (please UNcheck this option)
- Cleanup! All Users
- Click OK
- Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup
~~~~~~~~~~~~~~
Run AboutBuster and save the logs:- Browse to where you saved AboutBuster and run AboutBuster.exe.
- Click OK at the directions prompt.
- Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
- Click Yes to allow it to shutdown explorer.exe.
- It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click Save Log. Make sure you save it as I need a copy of it.
~~~~~~~~~~~~~~
** Please disable all other antivirus programs before proceeding.**
Run Ewido:
- Click Scanner
- Click Complete System Scan to begin scanning.
- Click OK when prompted to clean files
- With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click OK
- Once finished, click the Save report button
- Save the report to your desktop
Close Ewido
~~~~~~~~~~~~~~
Launch TDS-3 & it will scan your memory for running processes. This will take less than 30 seconds.
- Go to System Testing on the menu bar & select Full System Scan.
- After it has finished scanning, delete ALL of the files found in the bottom window that show as positives.
- Rescan.
- Select & Copy everything on the top pane into your next post.
- If present, right click on any entry listed in the lower pane & select Save as text. This will create a logfile named scandump.txt in TDS-3's folder - post that in your next reply.
~~~~~~~~~~~~~~
Reboot to Normal Mode.
Do an online scan at Kaspersky.
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Reboot Again & Run a new scan with HiJackThis. Save the log file and post the contents in your next reply.
In your next post, please include fresh copies of:
1. HiJackThis log
2. List of files that online scans failed to disinfect
3. About Buster's log
4. TDS-3's log
5. Backdoor.Agent.B Removal Tool's log
6. Ewido's log
Please provide details of any problems you encountered whilst performing the above steps.
Update us on how your computer behaves now.
__________________
Question - what have you done for the community today?
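Added example, not part of the original post and not code from any of the tools it names: a small Python parser for the HijackThis entry formats quoted above (R0/R1 res:// hijacks, O2 BHOs, O4 Run/RunOnce entries, O23 services) that pulls the file path and, for BHOs, the CLSID out of each line and cross-checks the paths against a KillBox deletion list, so the helper can see which files a log points at that the list would leave on disk. The sample log lines are copied from the log above; the KillBox list is a constructed subset with ieto32.dll deliberately omitted so the check has something to report. On this excerpt it also reports C:\WINDOWS\txvun.dll, the DLL behind the R1 res:// entries, which the KillBox list in the post does not contain. The O23 parser tolerates the stray quote, the " /s" argument and the "(file missing)" note in the service line exactly as HijackThis printed them. The Browser Helper Objects registry path is the standard location under which IE registers BHOs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample HijackThis entries, copied from the log lines quoted in the post above
# (a small subset). KILLBOX_PATHS is a constructed subset of the post's KillBox
# list in which ieto32.dll is deliberately left out.
HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\txvun.dll/sp.html#37049",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Class - {095933F6-AE92-4230-E373-22A96F9C0C5F} - C:\WINDOWS\msnu32.dll",
    r"O2 - BHO: Class - {0B1EC0AC-4B60-2E3C-6008-EA958BCC19DD} - C:\WINDOWS\ieto32.dll",
    r"O4 - HKLM\..\Run: [ipur.exe] C:\WINDOWS\ipur.exe",
    r"O4 - HKLM\..\RunOnce: [ieqz32.exe] C:\WINDOWS\system32\ieqz32.exe",
    r'O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addok32.exe" /s (file missing)',
]
KILLBOX_PATHS = [
    r"C:\WINDOWS\msnu32.dll",
    r"C:\WINDOWS\ipur.exe",
    r"C:\WINDOWS\system32\ieqz32.exe",
]

# One regex per HijackThis section handled here.
_R = re.compile(r"^(R[0-3]) - (HKLM|HKCU)\\(.+?) = (.*)$")
_RES_DLL = re.compile(r"res://([A-Za-z]:\\[^/]+)", re.IGNORECASE)   # res://C:\..\x.dll/sp.html
_O2 = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-F-]{36}\}) - (.+)$", re.IGNORECASE)
_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[.+?\] (.+)$")
_O23 = re.compile(r"^O23 - Service: .+? - .+? - (.+)$")
_BINARY = re.compile(r'^"?([A-Za-z]:\\.*?\.(?:exe|dll))', re.IGNORECASE)  # strip quote/args


@dataclass
class Entry:
    kind: str                    # HijackThis section prefix: R0, R1, R3, O2, O4, O23, ...
    path: Optional[str]          # on-disk file the entry points at, if any
    clsid: Optional[str] = None  # BHO CLSID (O2 only)
    hive: Optional[str] = None   # registry hive (R*/O4 only)
    file_missing: bool = False   # O23 reported "(file missing)"


def parse_hjt_line(line: str) -> Entry:
    """Parse one HijackThis log line into the file/registry facts it carries."""
    line = line.strip()
    if m := _O2.match(line):
        return Entry("O2", m.group(2).strip(), clsid=m.group(1).upper())
    if m := _O4.match(line):
        return Entry("O4", m.group(3).strip(), hive=m.group(1))
    if m := _O23.match(line):
        tail = m.group(1)
        b = _BINARY.match(tail)  # tolerate the stray quote and the " /s" argument
        return Entry("O23", b.group(1) if b else None,
                     file_missing="(file missing)" in tail.lower())
    if m := _R.match(line):
        res = _RES_DLL.search(m.group(4))  # the DLL carrying the hijack page
        return Entry(m.group(1), res.group(1) if res else None, hive=m.group(2))
    return Entry(line.split(" - ", 1)[0], None)  # e.g. "R3 - ... is missing"


def bho_registry_keys(lines: List[str]) -> List[str]:
    """Registry keys under which the O2 BHOs are registered (standard IE BHO location)."""
    base = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    return [f"{base}\\{e.clsid}" for e in map(parse_hjt_line, lines)
            if e.kind == "O2" and e.clsid]


def referenced_files(lines: List[str]) -> Dict[str, Entry]:
    """Distinct files the log points at, keyed case-insensitively (as NTFS paths are)."""
    seen: Dict[str, Entry] = {}
    for e in map(parse_hjt_line, lines):
        if e.path:
            seen.setdefault(e.path.lower(), e)
    return seen


def not_in_killbox_list(lines: List[str], killbox_paths: List[str]) -> List[str]:
    """Files the log references that the KillBox list would leave on disk.
    Entries HijackThis already reports as '(file missing)' are skipped."""
    wanted = {p.strip().lower() for p in killbox_paths}
    return sorted(e.path for k, e in referenced_files(lines).items()
                  if k not in wanted and not e.file_missing)


if __name__ == "__main__":
    for p in not_in_killbox_list(HJT_LINES, KILLBOX_PATHS):
        print("referenced by log but not in KillBox list:", p)
    for k in bho_registry_keys(HJT_LINES):
        print("BHO registry key:", k)
```

Run against a full log and the full KillBox list, the same check confirms that every O2 DLL and O4 executable has a matching deletion entry before the reboot is triggered; the O23 service is left to the .reg merge because HijackThis already reports its binary as missing.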