|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
07-11-2005, 05:23 PM
|
#1 (permalink) |
|
Registered User
Join Date: Sep 2004
Posts: 11
OS: XP Professional
|
HJT log....a few things still hanging on :(
I'm getting frazzled... I had the AV GOLD problem, and tried a couple fixes from other sites. I seem to be rid of that but have some leftover problems (popups, added favorites, etc.). I have run spy sweeper, adaware, CWS shredder, spybot search and destroy among others, but problems keep getting loaded (I've tried running all these in safe mode). Any help would be greatly appreciated.
Here's my HJT log. Logfile of HijackThis v1.98.2 Scan saved at 12:11:36 PM, on 7/11/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\d3ey32.exe C:\WINDOWS\System32\sistray.EXE C:\WINDOWS\system32\pctspk.exe C:\WINDOWS\System32\dpmw32.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\NWTRAY.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\DLink\Bluetooth Software\BTTray.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\hjt\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charlotte.com/mld/charlotte R3 - Default URLSearchHook is missing O2 - BHO: Class - {2B4B5589-B4B7-A432-BCE4-C96F8E7DB2A0} - C:\WINDOWS\crax.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Class - {FBA819B5-BECF-B27B-6F9B-963F513D8D14} - C:\WINDOWS\apifz.dll O2 - BHO: Class - {FE7AA604-D603-D018-CCF2-941EB9FDFB36} - C:\WINDOWS\msqz.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKLM\..\Run: [d3ey32.exe] C:\WINDOWS\system32\d3ey32.exe O4 - HKLM\..\RunOnce: [winzd.exe] C:\WINDOWS\system32\winzd.exe O4 - HKLM\..\RunOnce: [apifz.exe] C:\WINDOWS\apifz.exe O4 - HKLM\..\RunOnce: [addek32.exe] C:\WINDOWS\system32\addek32.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: BTTray.lnk = ? O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/...e/wordcube.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldwinner.com/games/v41/focus/focus.cab O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/...o/wordmojo.cab O16 - DPF: {957BDEC2-50EA-4B01-ABF5-22F86364A914} (Trivia Control) - http://mirror.worldwinner.com//games...via/trivia.cab O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/...an/hangman.cab O16 - DPF: {C5142630-9BC9-4236-BAC9-2E3C24566EC8} (XWord Control) - http://mirror.worldwinner.com/games/v40/xword/xword.cab O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise.org/jinitiator/jinit.exe O16 - DPF: {D27FFC5F-D7B9-4349-9F41-F7458B585374} (SoloTriv Control) - http://mirror.worldwinner.com/games/...v/solotriv.cab O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
07-12-2005, 03:13 AM
|
#2 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,409
OS: N/A
|
Hi and Welcome to TSF!
Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. It is also important you don't miss a step and perform everything in the right order!!. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below. Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable Webroot SpySweeper:
~~~~~~~~~~~~~~ Please download these additional files/programs :- (Do not run them unless instructed to do so) Unplug your computer from the Internet when you have finished downloading CleanUp! - Install KillBox v2.0.0.175 - Save to Desktop. ~~~~~~~~~~~~~~ Start HiJackThis & go to Config>Misc Tools>Open process manager Select the following and click [Kill process] one at a time. Some entries may no longer exist. C:\WINDOWS\system32\d3ey32.exe ~~~~~~~~~~~~~~ Run a scan with HiJackThis & select(tick) the following & click [Fix checked] : R3 - Default URLSearchHook is missing O2 - BHO: Class - {2B4B5589-B4B7-A432-BCE4-C96F8E7DB2A0} - C:\WINDOWS\crax.dll O2 - BHO: Class - {FBA819B5-BECF-B27B-6F9B-963F513D8D14} - C:\WINDOWS\apifz.dll O2 - BHO: Class - {FE7AA604-D603-D018-CCF2-941EB9FDFB36} - C:\WINDOWS\msqz.dll O4 - HKLM\..\Run: [d3ey32.exe] C:\WINDOWS\system32\d3ey32.exe O4 - HKLM\..\RunOnce: [winzd.exe] C:\WINDOWS\system32\winzd.exe O4 - HKLM\..\RunOnce: [apifz.exe] C:\WINDOWS\apifz.exe O4 - HKLM\..\RunOnce: [addek32.exe] C:\WINDOWS\system32\addek32.exe O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games...be/wordcube.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldwinner.com/games/v41/focus/focus.cab O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games...jo/wordmojo.cab O16 - DPF: {957BDEC2-50EA-4B01-ABF5-22F86364A914} (Trivia Control) - http://mirror.worldwinner.com//game...ivia/trivia.cab O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games...man/hangman.cab O16 - DPF: {C5142630-9BC9-4236-BAC9-2E3C24566EC8} (XWord Control) - http://mirror.worldwinner.com/games/v40/xword/xword.cab O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise.org/jinitiator/jinit.exe O16 - DPF: {D27FFC5F-D7B9-4349-9F41-F7458B585374} (SoloTriv Control) - http://mirror.worldwinner.com/games...iv/solotriv.cab ~~~~~~~~~~~~~~ Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard. C:\WINDOWS\crax.dllStart KillBox.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again. ~~~~~~~~~~~~~~ Upon reboot, Run Cleanup! & configure the program up as follows:
~~~~~~~~~~~~~~ Do an online scan at one of the following sites:Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan Reboot Again & Run a new scan with HiJackThis. Save the log file and post the contents in your next reply. In your next post, please include fresh copies of: 1. Copy of HiJackThis log 2. List of files that online scans failed to disinfect Please provide details of any problems you encountered whilst performing the above steps. Update us on how your computer behaves now
__________________
Question - what have you done for the community today? |
|
|
|
|
07-12-2005, 12:13 PM
|
#3 (permalink) |
|
Registered User
Join Date: Sep 2004
Posts: 11
OS: XP Professional
|
Ok... I've done that...
Done... Still slow on startup, still getting a pop-up here and there, and also getting these messages on startup:
The application or DLL C:\WINDOWS\javato.dll is not a valid Windows image. The application or DLL C:\WINDOWS\system32\crrn.dll is not a valid Windows image. Updated HJT Log: Logfile of HijackThis v1.98.2 Scan saved at 2:05:35 PM, on 7/12/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Command Software\dvpapi.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\crbk32.exe C:\WINDOWS\system32\crff32.exe C:\WINDOWS\System32\sistray.EXE C:\WINDOWS\system32\pctspk.exe C:\WINDOWS\System32\dpmw32.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\NWTRAY.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\DLink\Bluetooth Software\BTTray.exe C:\hjt\HijackThis.exe C:\WINDOWS\system32\MsiExec.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R3 - Default URLSearchHook is missing O2 - BHO: Class - {003156AA-B2AD-54C8-CF6D-1C992B937149} - C:\WINDOWS\system32\apidt.dll O2 - BHO: Class - {146A4A8B-66F9-80FA-6E14-51A6991BAC7D} - C:\WINDOWS\system32\apibs32.dll O2 - BHO: Class - {4ABB5929-6D33-1BD3-5889-307B70AC94D2} - C:\WINDOWS\system32\crxz.dll O2 - BHO: Class - {5CE5B985-51B1-3958-E5DB-92DD9091CFBB} - C:\WINDOWS\javavq.dll O2 - BHO: Class - {63C3B90C-CAE8-913A-DBA5-AC8E0D0896D0} - C:\WINDOWS\system32\crbk32.dll O2 - BHO: Class - {6827E44A-FCD1-5704-0FF9-EE64FBCBD77F} - C:\WINDOWS\system32\wingm32.dll O2 - BHO: Class - {7D52FC72-76A8-77EF-270D-8A1A8EA30F96} - C:\WINDOWS\system32\winsx32.dll O2 - BHO: Class - {91D042E7-25DF-B6F2-5C0C-B0963EF3EA01} - C:\WINDOWS\winqv32.dll O2 - BHO: Class - {A4913EBE-69AB-7C2E-EA16-13F6C5E79E14} - C:\WINDOWS\system32\ipvh32.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Class - {C1A7352F-7207-2C2F-6A41-8C46196F8284} - C:\WINDOWS\system32\winug32.dll O2 - BHO: Class - {C2EFCA32-D3CF-3801-B32F-6A7589AA0A8A} - C:\WINDOWS\netfd.dll O2 - BHO: Class - {FEF289B2-6015-9A71-D02D-8394ED825678} - C:\WINDOWS\system32\javany.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE O4 - HKLM\..\Run: [iesn.exe] C:\WINDOWS\system32\iesn.exe O4 - HKLM\..\Run: [crbk32.exe] C:\WINDOWS\system32\crbk32.exe O4 - HKLM\..\RunOnce: [apiua.exe] C:\WINDOWS\apiua.exe O4 - HKLM\..\RunOnce: [crnf.exe] C:\WINDOWS\crnf.exe O4 - HKLM\..\RunOnce: [appxr32.exe] C:\WINDOWS\system32\appxr32.exe O4 - HKLM\..\RunOnce: [mfcpj32.exe] C:\WINDOWS\system32\mfcpj32.exe O4 - HKLM\..\RunOnce: [mfcsy32.exe] C:\WINDOWS\mfcsy32.exe O4 - HKLM\..\RunOnce: [javaad32.exe] C:\WINDOWS\system32\javaad32.exe O4 - HKLM\..\RunOnce: [iexj.exe] C:\WINDOWS\system32\iexj.exe O4 - HKLM\..\RunOnce: [ipfp.exe] C:\WINDOWS\system32\ipfp.exe O4 - HKLM\..\RunOnce: [addvf.exe] C:\WINDOWS\system32\addvf.exe O4 - HKLM\..\RunOnce: [appkj32.exe] C:\WINDOWS\appkj32.exe O4 - HKLM\..\RunOnce: [addyu.exe] C:\WINDOWS\system32\addyu.exe O4 - HKLM\..\RunOnce: [netkc32.exe] C:\WINDOWS\netkc32.exe O4 - HKLM\..\RunOnce: [crcy.exe] C:\WINDOWS\system32\crcy.exe O4 - HKLM\..\RunOnce: [sysxo.exe] C:\WINDOWS\sysxo.exe O4 - HKLM\..\RunOnce: [msvh32.exe] C:\WINDOWS\msvh32.exe O4 - HKLM\..\RunOnce: [addua.exe] C:\WINDOWS\addua.exe O4 - HKLM\..\RunOnce: [addyp.exe] C:\WINDOWS\addyp.exe O4 - HKLM\..\RunOnce: [crzj32.exe] C:\WINDOWS\crzj32.exe O4 - HKLM\..\RunOnce: [msul32.exe] C:\WINDOWS\msul32.exe O4 - HKLM\..\RunOnce: [crnn.exe] C:\WINDOWS\crnn.exe O4 - HKLM\..\RunOnce: [winsx.exe] C:\WINDOWS\winsx.exe O4 - HKLM\..\RunOnce: [crff32.exe] C:\WINDOWS\system32\crff32.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: BTTray.lnk = ? O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise.org/jinitiator/jinit.exe O16 - DPF: {D27FFC5F-D7B9-4349-9F41-F7458B585374} (SoloTriv Control) - http://mirror.worldwinner.com/games/...v/solotriv.cab O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab ******** And here's the results from Panda's online scan: Incident Status Location Adware:Adware/nCase No disinfected C:\WINDOWS\180solutions Adware:Adware/SearchAid No disinfected C:\Documents and Settings\jthomps\Favorites\Only sex website.url Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe???.??? Adware:Adware/Midaddle No disinfected Windows Registry Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Ab scissor.url Adware:Adware/CWS.Aboutblank No disinfected Windows Registry Adware:Adware/CWS.008k No disinfected C:\WINDOWS\appaz32.exe Adware:Adware/CWS.HomeSearchAsisstantNo disinfected Windows Registry Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4ce0ce54.zip[a.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4ce0ce54.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4ce0ce54.zip[VerifierBug.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6fd1d987-4758c273.zip[BlackBox.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6fd1d987-4758c273.zip[VB.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6fd1d987-4758c273.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6fd1d987-4758c273.zip[Beyond.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-6a0ae450.zip[BlackBox.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-6a0ae450.zip[VerifierBug.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-6a0ae450.zip[Dummy.class] Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-6a0ae450.zip[Beyond.class] Adware:Adware/SearchAid No disinfected C:\Documents and Settings\jthomps\Favorites\Only sex website.url Adware:Adware/SearchAid No disinfected C:\Documents and Settings\jthomps\Favorites\Search the web.url Adware:Adware/SearchAid No disinfected C:\Documents and Settings\jthomps\Favorites\Seven days of free porn.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Ab scissor.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Broadband comparison.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Credit counseling.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Credit report.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Crm software.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Debt credit card.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Escorts.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Fha.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Health insurance.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Help desk software.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Insurance home.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Loan for debt consolidation.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Loan for people with bad credit.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Marketing email.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Mortgage insurance.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Mortgage life insurance.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Nevada corporations.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Online Betting Site.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Online gambling casino.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Online instant loan.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Order phentermine.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Payroll advance.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Personal loans online.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Personal loans with bad credit.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Prescription Drugs Rx Online.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Refinancing my mortgage.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Tahoe vacation rental.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Unsecured bad credit loans.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Videos.url Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\What is hydrocodone.url Adware:Adware/nCase No disinfected C:\WINDOWS\180loader.exe Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\addvn32.exe Adware:Adware/CWS.008k No disinfected C:\WINDOWS\appaz32.exe Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.dll Virus:Trj/Downloader.DKJ Disinfected C:\WINDOWS\sdkqu32.exe Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\netgk32.exe **** Thanks so much for the help... what next? |
|
|
|
|
07-12-2005, 01:01 PM
|
#4 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,409
OS: N/A
|
Looks like we opened Pandora's Box & all the worms came crawling out.
 First thing on the agenda (something which I failed to notice earlier) You are currently running an outdated version of HiJackThis. Please click on the link below to download the most current version:Delete your current HiJackThis.exe file and double-click on the file you just downloaded and then click on the Unzip button to install the newer version. It will be installed to the C:\Program Files\HiJackThis\ directory by default. I would require your next HJT log to be from this newer version ~~~~~~~~~~~~~~ Please download these additional files/programs :- (Do not run them unless instructed to do so) Unplug your computer from the Internet when you have finished downloading CWShredder - Save on Desktop. Run CWShredder & click on the [Check for update] button. Exit the program after it has updated itself. SpSeHjfix - Save to a new folder on desktop ~~~~~~~~~~~~~~ Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard. C:\WINDOWS\system32\auapd.dllStart KillBox.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again. ~~~~~~~~~~~~~~ Reboot to SafeMode
~~~~~~~~~~~~~~ Run a scan with HiJackThis & select(tick) the following & click [Fix checked] : R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049 R3 - Default URLSearchHook is missing O2 - BHO: Class - {003156AA-B2AD-54C8-CF6D-1C992B937149} - C:\WINDOWS\system32\apidt.dll O2 - BHO: Class - {146A4A8B-66F9-80FA-6E14-51A6991BAC7D} - C:\WINDOWS\system32\apibs32.dll O2 - BHO: Class - {4ABB5929-6D33-1BD3-5889-307B70AC94D2} - C:\WINDOWS\system32\crxz.dll O2 - BHO: Class - {5CE5B985-51B1-3958-E5DB-92DD9091CFBB} - C:\WINDOWS\javavq.dll O2 - BHO: Class - {63C3B90C-CAE8-913A-DBA5-AC8E0D0896D0} - C:\WINDOWS\system32\crbk32.dll O2 - BHO: Class - {6827E44A-FCD1-5704-0FF9-EE64FBCBD77F} - C:\WINDOWS\system32\wingm32.dll O2 - BHO: Class - {7D52FC72-76A8-77EF-270D-8A1A8EA30F96} - C:\WINDOWS\system32\winsx32.dll O2 - BHO: Class - {91D042E7-25DF-B6F2-5C0C-B0963EF3EA01} - C:\WINDOWS\winqv32.dll O2 - BHO: Class - {A4913EBE-69AB-7C2E-EA16-13F6C5E79E14} - C:\WINDOWS\system32\ipvh32.dll O2 - BHO: Class - {C1A7352F-7207-2C2F-6A41-8C46196F8284} - C:\WINDOWS\system32\winug32.dll O2 - BHO: Class - {C2EFCA32-D3CF-3801-B32F-6A7589AA0A8A} - C:\WINDOWS\netfd.dll O2 - BHO: Class - {FEF289B2-6015-9A71-D02D-8394ED825678} - C:\WINDOWS\system32\javany.dll O4 - HKLM\..\Run: [iesn.exe] C:\WINDOWS\system32\iesn.exe O4 - HKLM\..\Run: [crbk32.exe] C:\WINDOWS\system32\crbk32.exe O4 - HKLM\..\RunOnce: [apiua.exe] C:\WINDOWS\apiua.exe O4 - HKLM\..\RunOnce: [crnf.exe] C:\WINDOWS\crnf.exe O4 - HKLM\..\RunOnce: [appxr32.exe] C:\WINDOWS\system32\appxr32.exe O4 - HKLM\..\RunOnce: [mfcpj32.exe] C:\WINDOWS\system32\mfcpj32.exe O4 - HKLM\..\RunOnce: [mfcsy32.exe] C:\WINDOWS\mfcsy32.exe O4 - HKLM\..\RunOnce: [javaad32.exe] C:\WINDOWS\system32\javaad32.exe O4 - HKLM\..\RunOnce: [iexj.exe] C:\WINDOWS\system32\iexj.exe O4 - HKLM\..\RunOnce: [ipfp.exe] C:\WINDOWS\system32\ipfp.exe O4 - HKLM\..\RunOnce: [addvf.exe] C:\WINDOWS\system32\addvf.exe O4 - HKLM\..\RunOnce: [appkj32.exe] C:\WINDOWS\appkj32.exe O4 - HKLM\..\RunOnce: [addyu.exe] C:\WINDOWS\system32\addyu.exe O4 - HKLM\..\RunOnce: [netkc32.exe] C:\WINDOWS\netkc32.exe O4 - HKLM\..\RunOnce: [crcy.exe] C:\WINDOWS\system32\crcy.exe O4 - HKLM\..\RunOnce: [sysxo.exe] C:\WINDOWS\sysxo.exe O4 - HKLM\..\RunOnce: [msvh32.exe] C:\WINDOWS\msvh32.exe O4 - HKLM\..\RunOnce: [addua.exe] C:\WINDOWS\addua.exe O4 - HKLM\..\RunOnce: [addyp.exe] C:\WINDOWS\addyp.exe O4 - HKLM\..\RunOnce: [crzj32.exe] C:\WINDOWS\crzj32.exe O4 - HKLM\..\RunOnce: [msul32.exe] C:\WINDOWS\msul32.exe O4 - HKLM\..\RunOnce: [crnn.exe] C:\WINDOWS\crnn.exe O4 - HKLM\..\RunOnce: [winsx.exe] C:\WINDOWS\winsx.exe O4 - HKLM\..\RunOnce: [crff32.exe] C:\WINDOWS\system32\crff32.exe O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise.org/jinitiator/jinit.exe O16 - DPF: {D27FFC5F-D7B9-4349-9F41-F7458B585374} (SoloTriv Control) - http://mirror.worldwinner.com/games...iv/solotriv.cab ~~~~~~~~~~~~~~ Enable the viewing of Hidden files
Locate and delete the following folder(s), if present:
~~~~~~~~~~~~~~ Run Cleanup! & configure the program up as follows:
~~~~~~~~~~~~~~ Run SpSeHjfix and click on [Start Disinfection]. If SpSeHjfix finds the "system clean", it will not proceed with the next stage. Otherwise, it may reboot your machine to finish the cleaning process. A log of the fix will be created in the containing folder. Run CWShredder & Click the [Fix] button. ~~~~~~~~~~~~~~ Reboot and download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
In your next post, please include fresh copies of: 1. HiJackThis log 2. Antispyware.log 3. SpSeHjfix's log Please provide details of any problems you encountered whilst performing the above steps. Update us on how your computer behaves now
__________________
Question - what have you done for the community today? |
|
|
|
