about blank virus...need help

**old hickory** · 07-15-2005, 12:42 PM

My computer seems to be infected with about.blank virus

Problems:

1) about.blank web page opens with ie at bootup
2)popups occur and my popup blocker not effective now against these popups
3) computer boots up slow
4)taskbar at bottom has changed
5)zonealarm keeps telling me netwj.exe is trying to access the internet

I couln't do the online virus scan because ie kept needing to shut down.

I tried to follow all the instructions. I used hijack this analyzer to get the "new" log. thanks for any help you can provide. Here is result.txt log:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:20:25 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\SMCSTA.EXE
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\WINDOWS\system32\netwj.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Documents and Settings\TIM\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8A0DB32B-05DE-FEDD-EFA2-683C23669852} - C:\WINDOWS\system32\ipke32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [SMCSTA.EXE] SMCSTA.EXE START
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [netwj.exe] C:\WINDOWS\system32\netwj.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [netgt.exe] C:\WINDOWS\netgt.exe
O4 - HKLM\..\RunOnce: [ntuk.exe] C:\WINDOWS\ntuk.exe
O4 - HKLM\..\RunOnce: [mskf.exe] C:\WINDOWS\mskf.exe
O4 - HKLM\..\RunOnce: [sdklz.exe] C:\WINDOWS\system32\sdklz.exe
O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\system32\mfcor32.exe
O4 - HKLM\..\RunOnce: [crfq.exe] C:\WINDOWS\crfq.exe
O4 - HKLM\..\RunOnce: [winxm.exe] C:\WINDOWS\system32\winxm.exe
O4 - HKLM\..\RunOnce: [ipqa.exe] C:\WINDOWS\system32\ipqa.exe
O4 - HKLM\..\RunOnce: [appwi32.exe] C:\WINDOWS\system32\appwi32.exe
O4 - HKLM\..\RunOnce: [atlom32.exe] C:\WINDOWS\system32\atlom32.exe
O4 - HKLM\..\RunOnce: [sdkhj.exe] C:\WINDOWS\sdkhj.exe
O4 - HKLM\..\RunOnce: [mfciv32.exe] C:\WINDOWS\mfciv32.exe
O4 - HKLM\..\RunOnce: [atlgt32.exe] C:\WINDOWS\atlgt32.exe
O4 - HKLM\..\RunOnce: [crbz.exe] C:\WINDOWS\crbz.exe
O4 - HKLM\..\RunOnce: [appsi.exe] C:\WINDOWS\appsi.exe
O4 - HKLM\..\RunOnce: [netzk.exe] C:\WINDOWS\system32\netzk.exe
O4 - HKLM\..\RunOnce: [winun.exe] C:\WINDOWS\winun.exe
O4 - HKLM\..\RunOnce: [javahp32.exe] C:\WINDOWS\javahp32.exe
O4 - HKLM\..\RunOnce: [javaxk.exe] C:\WINDOWS\javaxk.exe
O4 - HKLM\..\RunOnce: [atlzc32.exe] C:\WINDOWS\system32\atlzc32.exe
O4 - HKLM\..\RunOnce: [ipbc32.exe] C:\WINDOWS\system32\ipbc32.exe
O4 - HKLM\..\RunOnce: [netyq.exe] C:\WINDOWS\netyq.exe
O4 - HKLM\..\RunOnce: [crrm32.exe] C:\WINDOWS\system32\crrm32.exe
O4 - HKLM\..\RunOnce: [sdkqd32.exe] C:\WINDOWS\system32\sdkqd32.exe
O4 - HKLM\..\RunOnce: [netmz.exe] C:\WINDOWS\system32\netmz.exe
O4 - HKLM\..\RunOnce: [crev.exe] C:\WINDOWS\crev.exe
O4 - HKLM\..\RunOnce: [netsb32.exe] C:\WINDOWS\netsb32.exe
O4 - HKLM\..\RunOnce: [addyv.exe] C:\WINDOWS\system32\addyv.exe
O4 - HKLM\..\RunOnce: [crze32.exe] C:\WINDOWS\crze32.exe
O4 - HKLM\..\RunOnce: [winxk32.exe] C:\WINDOWS\system32\winxk32.exe
O4 - HKLM\..\RunOnce: [javaad.exe] C:\WINDOWS\system32\javaad.exe
O4 - HKLM\..\RunOnce: [mfczk.exe] C:\WINDOWS\system32\mfczk.exe
O4 - HKLM\..\RunOnce: [sysfe.exe] C:\WINDOWS\system32\sysfe.exe
O4 - HKLM\..\RunOnce: [crpj.exe] C:\WINDOWS\crpj.exe
O4 - HKLM\..\RunOnce: [sdkxv32.exe] C:\WINDOWS\system32\sdkxv32.exe
O4 - HKLM\..\RunOnce: [sysyx.exe] C:\WINDOWS\system32\sysyx.exe
O4 - HKLM\..\RunOnce: [atlul.exe] C:\WINDOWS\atlul.exe
O4 - HKLM\..\RunOnce: [mszf32.exe] C:\WINDOWS\mszf32.exe
O4 - Startup: Palm Desktop.lnk = C:\Program Files\Palm\palm.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netgt.exe" /s (file missing)

End of KRC HijackThis Analyzer Log.
====================================================================

Ried · 07-15-2005, 06:22 PM

Hello old hickory,

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

Please download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.sfx.exe and run it. Uncompress the file and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download AboutBuster 5 www.malwarebytes.biz/AboutBuster5.zip and uncompress the files to a folder on your the Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lcsnw.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8A0DB32B-05DE-FEDD-EFA2-683C23669852} - C:\WINDOWS\system32\ipke32.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [netwj.exe] C:\WINDOWS\system32\netwj.exe
O4 - HKLM\..\RunOnce: [netgt.exe] C:\WINDOWS\netgt.exe
O4 - HKLM\..\RunOnce: [ntuk.exe] C:\WINDOWS\ntuk.exe
O4 - HKLM\..\RunOnce: [mskf.exe] C:\WINDOWS\mskf.exe
O4 - HKLM\..\RunOnce: [sdklz.exe] C:\WINDOWS\system32\sdklz.exe
O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\system32\mfcor32.exe
O4 - HKLM\..\RunOnce: [crfq.exe] C:\WINDOWS\crfq.exe
O4 - HKLM\..\RunOnce: [winxm.exe] C:\WINDOWS\system32\winxm.exe
O4 - HKLM\..\RunOnce: [ipqa.exe] C:\WINDOWS\system32\ipqa.exe
O4 - HKLM\..\RunOnce: [appwi32.exe] C:\WINDOWS\system32\appwi32.exe
O4 - HKLM\..\RunOnce: [atlom32.exe] C:\WINDOWS\system32\atlom32.exe
O4 - HKLM\..\RunOnce: [sdkhj.exe] C:\WINDOWS\sdkhj.exe
O4 - HKLM\..\RunOnce: [mfciv32.exe] C:\WINDOWS\mfciv32.exe
O4 - HKLM\..\RunOnce: [atlgt32.exe] C:\WINDOWS\atlgt32.exe
O4 - HKLM\..\RunOnce: [crbz.exe] C:\WINDOWS\crbz.exe
O4 - HKLM\..\RunOnce: [appsi.exe] C:\WINDOWS\appsi.exe
O4 - HKLM\..\RunOnce: [netzk.exe] C:\WINDOWS\system32\netzk.exe
O4 - HKLM\..\RunOnce: [winun.exe] C:\WINDOWS\winun.exe
O4 - HKLM\..\RunOnce: [javahp32.exe] C:\WINDOWS\javahp32.exe
O4 - HKLM\..\RunOnce: [javaxk.exe] C:\WINDOWS\javaxk.exe
O4 - HKLM\..\RunOnce: [atlzc32.exe] C:\WINDOWS\system32\atlzc32.exe
O4 - HKLM\..\RunOnce: [ipbc32.exe] C:\WINDOWS\system32\ipbc32.exe
O4 - HKLM\..\RunOnce: [netyq.exe] C:\WINDOWS\netyq.exe
O4 - HKLM\..\RunOnce: [crrm32.exe] C:\WINDOWS\system32\crrm32.exe
O4 - HKLM\..\RunOnce: [sdkqd32.exe] C:\WINDOWS\system32\sdkqd32.exe
O4 - HKLM\..\RunOnce: [netmz.exe] C:\WINDOWS\system32\netmz.exe
O4 - HKLM\..\RunOnce: [crev.exe] C:\WINDOWS\crev.exe
O4 - HKLM\..\RunOnce: [netsb32.exe] C:\WINDOWS\netsb32.exe
O4 - HKLM\..\RunOnce: [addyv.exe] C:\WINDOWS\system32\addyv.exe
O4 - HKLM\..\RunOnce: [crze32.exe] C:\WINDOWS\crze32.exe
O4 - HKLM\..\RunOnce: [winxk32.exe] C:\WINDOWS\system32\winxk32.exe
O4 - HKLM\..\RunOnce: [javaad.exe] C:\WINDOWS\system32\javaad.exe
O4 - HKLM\..\RunOnce: [mfczk.exe] C:\WINDOWS\system32\mfczk.exe
O4 - HKLM\..\RunOnce: [sysfe.exe] C:\WINDOWS\system32\sysfe.exe
O4 - HKLM\..\RunOnce: [crpj.exe] C:\WINDOWS\crpj.exe
O4 - HKLM\..\RunOnce: [sdkxv32.exe] C:\WINDOWS\system32\sdkxv32.exe
O4 - HKLM\..\RunOnce: [sysyx.exe] C:\WINDOWS\system32\sysyx.exe
O4 - HKLM\..\RunOnce: [atlul.exe] C:\WINDOWS\atlul.exe
O4 - HKLM\..\RunOnce: [mszf32.exe] C:\WINDOWS\mszf32.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netgt.exe" /s (file missing)

Using Windows Explorer, delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\lcsnw.dll
C:\WINDOWS\system32\ipke32.dll
C:\WINDOWS\system32\netwj.exe
C:\WINDOWS\netgt.exe
C:\WINDOWS\ntuk.exe
C:\WINDOWS\mskf.exe
C:\WINDOWS\system32\sdklz.exe
C:\WINDOWS\system32\mfcor32.exe
C:\WINDOWS\crfq.exe
C:\WINDOWS\system32\winxm.exe
C:\WINDOWS\system32\ipqa.exe
C:\WINDOWS\system32\appwi32.exe
C:\WINDOWS\system32\atlom32.exe
C:\WINDOWS\sdkhj.exe
C:\WINDOWS\mfciv32.exe
C:\WINDOWS\atlgt32.exe
C:\WINDOWS\crbz.exe
C:\WINDOWS\appsi.exe
C:\WINDOWS\system32\netzk.exe
C:\WINDOWS\winun.exe
C:\WINDOWS\javahp32.exe
C:\WINDOWS\javaxk.exe
C:\WINDOWS\system32\atlzc32.exe
C:\WINDOWS\system32\ipbc32.exe
C:\WINDOWS\netyq.exe
C:\WINDOWS\system32\crrm32.exe
C:\WINDOWS\system32\sdkqd32.exe
C:\WINDOWS\system32\netmz.exe
C:\WINDOWS\crev.exe
C:\WINDOWS\netsb32.exe
C:\WINDOWS\system32\addyv.exe
C:\WINDOWS\crze32.exe
C:\WINDOWS\system32\winxk32.exe
C:\WINDOWS\system32\javaad.exe
C:\WINDOWS\system32\mfczk.exe
C:\WINDOWS\system32\sysfe.exe
C:\WINDOWS\crpj.exe
C:\WINDOWS\system32\sdkxv32.exe
C:\WINDOWS\system32\sysyx.exe
C:\WINDOWS\atlul.exe
C:\WINDOWS\mszf32.exe

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Reboot into Normal Mode.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. If you have trouble updating, you may do it manually at http://www.ewido.net/en/download/updates/ Do NOT the Ewido scan yet.

Reboot into Safe Mode.

Run Ewido:
-Click [Scanner]
-Click [Complete System Scan] to begin scanning.
-Click [OK] when prompted to clean files

With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].

Once finished, click the [Save report] button

Save the report to your desktop

Close Ewido

Run another scan with HijackThis and post the log as well as the report from Ewido

**old hickory** · 07-15-2005, 09:06 PM

Ried, thanks....I'll follow your instructions to the best of my ability.

Old Hick

**old hickory** · 07-16-2005, 12:12 AM

Hi Ried,

Only problem I has was finding the rpc helper...I couldn't find it.

I believe everything is much improved....no about.blank nor popups....
My taskbar at bottom of screen still changed but no big deal.

Here is Hijackthis log and ewido report:

Logfile of HijackThis v1.99.1
Scan saved at 1:54:10 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SMCSTA.EXE] SMCSTA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlrm.exe" C:\WINDOWS\atlpv.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:51:35 AM, 7/16/2005
+ Report-Checksum: 1DBAE576

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{07D80144-9372-FEAC-AEDD-21AE8732F067} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1228458E-6B19-48F4-5449-A00AEE93F0FC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B5A2313-AE67-454E-9A8B-F74070E57F1B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3BAA3AE9-9C0B-E08A-A982-9818F457337E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5DA6CA48-7D98-BC0B-40EF-22AC6558668A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{795714A8-C9C0-E8BD-30DB-A0DA3B603993} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{81AE8953-3335-A1BB-5174-F82625372B4E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8DF52E69-BA52-5F6E-2A2A-0CD81E0F3492} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\TIM\Cookies\tim@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\TIM\Cookies\tim@adtrak[1].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
C:\Documents and Settings\TIM\Cookies\tim@familytherapy.net.33473.fb.dbbsrv[2].txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Documents and Settings\TIM\Local Settings\Temp\Cookies\tim@specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\hjt\backups\backup-20050716-001435-144.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc10.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc11.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc12.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc13.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc14.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc15.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc16.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc17.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc18.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc19.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc2.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc3.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc4.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc5.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc6.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc7.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc8.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-687773745-3018675201-3296490199-500\Dc9.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addcd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addet.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addin32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addlc32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addlk32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\adduh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apici.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\appfl32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appha32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\appvv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appzq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlpv.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlrm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlyi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\CONTROL.INI:tsntw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crjf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crnw32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\CS_setup.ini:zfbtj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\d3ab32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3oc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3wl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\DESKTOP.INI:jwqac -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\disney.ini:ckiif -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\disney.ini:schax -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\DVDSentry.ini:fsqiq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\GRAPH5.INI:ovgac -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\GRAPH5.INI:rvomd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\GRAPH5.INI:wxdyv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iebh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iedd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iedq.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iegq32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieml32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieyq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\INTUIT.INI:odlog -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ipau32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipgv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipia32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iPlayer.INI:gddti -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipnf32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipxj.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javabr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javakw.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javaua32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcdd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcdf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcjm32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\MSFNTMAP.INI:tppiw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msoffice.ini:eojrt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\msol32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mssn.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\neteh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netfh32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netgt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netig.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntbtlog.txt:vrgnj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ntkn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntlf.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntmn32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ODBC.INI:koizf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ODBCINST.INI:hifpj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\OEWABLog.txt:gsjxg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\orun32.ini:gdgrc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\PI4_setup.ini:skqig -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\PROTOCOL.INI:giexe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\PROTOCOL.INI:omrxs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:yvrtz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sdkdl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkgj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkms32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkpj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdktv.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkuh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkwz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkxi32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SETUPLOG.TXT:ntqzb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysdq32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysiz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysmd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM.INI:zuegi -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32:uoaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\SYSTEM32\addhj.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\addms.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\addnl.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\addsx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addwf32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\addyv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apibe.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apicx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apppy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appqo32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\appuq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appwi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appyu.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlcs32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlfu32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlgn32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlhh32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlom32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlzc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crac32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crlw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crpy32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\crrm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crss32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crvh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crvk.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\crwk32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3ps32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3ql32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3xh.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\ieak.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\ieem.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iepw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipbc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipbp32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipcn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipen32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipie.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipog.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipot.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipqa.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipxf32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipxh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipyv.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\javaad.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javacm32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\javacs.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javazi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcaw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcbn.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcor32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcvf.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfczk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msdz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msel32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\msgs.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\mssd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msun.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\msxp.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\netav.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netcy.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\netmz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netoz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netwj.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\netxh.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\netzk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntes32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntnb.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntrl32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdklz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkna32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkqd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdktr32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkvo32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkwq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkxv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysdd.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysdm32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysfe.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysfq.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysis.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysjn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\syslr32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysvq.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysxq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysyx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winfc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winir.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\winoh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\wintq.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\winxk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winxm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winzb32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\winzw32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winamp.ini:irfgbq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winde.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wines.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winfx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winge32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\WinInit.Ini:dqkxj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winjj.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnb32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:aawhb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:ackla -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:advwh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:ajthf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:beftu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:cmado -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:dksuf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:dxgbq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:efxqd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:fbqqb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:gapae -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:ggyms -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:hhbba -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:iagyv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:ipwwg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:izely -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:jodii -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:jpvsj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:kuqbb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:laheu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:lbhax -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:lgmqk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:mbjlh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:pokme -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:pukkb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:qccrn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:qylge -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:rlwts -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:rwujx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:sjduz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:tcrqs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:tdfbb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:tmmxh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:tzpya -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:umowo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:upgtf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:vvtux -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:vymqp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:xbkdl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:xkuav -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:xolmk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:zjvhx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:zsnqn -> TrojanDownloader.Agent.bq : Cleaned with backup

::Report End

Ried · 07-16-2005, 06:54 PM

Make sure you have this set properly:

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

Please download HSFix www.atribune.org/downloads/HSFix.zip Do NOT run it yet.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.sfx.exe .

*Open CWShredder and click [I AGREE]
*Click [Check For Update]
*Close CWShredder after updating

Reboot into Safe Mode (tapping F8 or F5)

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

DO NOT DISABLE
Remote Procedure Call (RPC) OR
Remote Procedure Call (RPC) Locator

Open HijackThis>Config>Misc Tools>Delete an NT Service

Copy/paste (11Fßä#·ºÄÖ`I) in the box and click OK

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlrm.exe" C:\WINDOWS\atlpv.exe (file missing)

Using Windows Explorer, delete the following files:

C:\WINDOWS\atlpv.exe
C:\WINDOWS\atlrm.exe

Run CWShredder & click on [Fix].

Run About Buster and click [Begin Removal].

Double-click on HSfix.reg & answer YES when prompted to merge into the registry.

Reboot into Normal Mode. run another scan with HijackThis and post the log here along with the AboutBuster log.

**old hickory** · 07-16-2005, 10:00 PM

Hi Ried.

I'm not sure what you mean here......
"If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked."

Can you elaborate on this instruction.

Old Hick

sUBs · 07-16-2005, 10:08 PM

Reid wants you to unhide hidden files. If unsure, please use the instructions outlined below.

Enable the viewing of Hidden files

From Windows Explorer, go to Tools>Folder Options>View tab.
Enable the option for `Show hidden files and folder´
Disable the option for `Hide file extensions for known types´
Disable the option for `Hide protected operating system files´
Click Yes to confirm & then click OK

If you have anymore questions, please feel free to ask.

**old hickory** · 07-17-2005, 08:49 PM

subs, thanks....i did what you instructed

Old Hickory

**old hickory** · 07-17-2005, 09:16 PM

"Open HijackThis>Config>Misc Tools>Delete an NT Service

Copy/paste (11Fßä#·ºÄÖ`I) in the box and click OK"

Ried,

I don't know how to do the above....can you elaborate? Where do I copy/paste this weird file(rpc helper file?)? I know I can't type it.

Old Hick

skate_punk_21 · 07-17-2005, 09:24 PM

in hijackthis click the button labelled either Config or Miscellaneous Tools, then click the button, labelled Delete an NT service.
You should then see a popup with a warning paragraph etc. In the text field below the warning, copy/paste the following into that text field:

(11Fßä#·ºÄÖ`I)

not sure if the brackets are necessary here, but give it a try

now, continue with ried's instructions...

sUBs · 07-17-2005, 10:31 PM

Please download an updated HSFix.zip from http://users.telenet.be/marcvn/regfiles/HSfix.zip.

Delete the previous version & use this in place of it.

Thank you.

**old hickory** · 07-18-2005, 08:05 AM

Hi Ried and others:

the rpc helper was already "stopped" but I did "disable" it under start up.

Hijackthis could not find the rpc helper file in the registry.

I could only find one file to delete with hijackthis and windows explorer as the others apparently did not exist.

Here is hijack log and about buster log....thanks again:

AboutBuster 5.0 reference file 28
Scan started on [7/12/2005] at [9:37:38 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\MSDFMAP.INI:hggyli
Removed Stream! C:\WINDOWS\nsw.log:kicwbf
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:pwwtql
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:xveooa
------------------------------------------------
Removed File! : C:\Windows\koxgt.dat
Removed File! : C:\Windows\lcsnw.dll
Removed File! : C:\Windows\System32\dlmes.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:38:06 PM

AboutBuster 5.0 reference file 28
Scan started on [7/12/2005] at [10:13:35 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:xveooa
------------------------------------------------
Removed File! : C:\Windows\lcsnw.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:14:01 PM

AboutBuster 5.0 reference file 28
Scan started on [7/12/2005] at [10:23:49 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:24:16 PM

AboutBuster 5.0 reference file 28
Scan started on [7/13/2005] at [10:18:19 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\SETUPERR.LOG:ixskb
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:pwwtql
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:xveooa
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:18:46 PM

AboutBuster 5.0 reference file 30
Scan started on [7/15/2005] at [11:40:28 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:pwwtql
Removed Stream! C:\WINDOWS\_DEFAULT.PIF:xveooa
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:41:01 PM

AboutBuster 5.0 reference file 30
Scan started on [7/16/2005] at [12:37:53 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:38:20 AM

AboutBuster 5.0 reference file 30
Scan started on [7/18/2005] at [9:47:41 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:48:04 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:55:04 AM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\SMCSTA.EXE
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SMCSTA.EXE] SMCSTA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Palm Desktop.lnk = C:\Program Files\Palm\palm.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

sUBs · 07-18-2005, 08:25 AM

Congratulations!! Your log is clean.

Don't worry about the RPC helper. The HSFix.zip I had you download was designed to tackle the issue.

Do you have any more problems with your computer? If not, you should be set to go.

Just remains a few bits of housekeeping ...

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

R3 - Default URLSearchHook is missing

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Create a new System Restore point

click Start >> Run - type SYSDM.CPL & press Enter
select the System Restore Tab
tick on the checkbox - "Turn off System Restore on all drives"
click Apply
then untick the same checkbox & click OK

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

**old hickory** · 07-20-2005, 08:02 PM

Everything is 99% better ....thanks.

My zonealarm keeps telling me that rundll32.exe wants to be an App to access the internet. Is this a bad file? should I let it access the internet?

Old Hickory

07-15-2005, 12:42 PM	#1 (permalink)
old hickory I helped the forums. Join Date: Jul 2005 Posts: 39 OS: XP PRO	about blank virus...need help My computer seems to be infected with about.blank virus Problems: 1) about.blank web page opens with ie at bootup 2)popups occur and my popup blocker not effective now against these popups 3) computer boots up slow 4)taskbar at bottom has changed 5)zonealarm keeps telling me netwj.exe is trying to access the internet I couln't do the online virus scan because ie kept needing to shut down. I tried to follow all the instructions. I used hijack this analyzer to get the "new" log. thanks for any help you can provide. Here is result.txt log: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 2:20:25 PM, on 7/15/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\system32\SMCSTA.EXE C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe C:\WINDOWS\system32\netwj.exe C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe C:\Documents and Settings\TIM\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - Default URLSearchHook is missing O2 - BHO: Class - {8A0DB32B-05DE-FEDD-EFA2-683C23669852} - C:\WINDOWS\system32\ipke32.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll O4 - HKLM\..\Run: [SMCSTA.EXE] SMCSTA.EXE START O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe O4 - HKLM\..\Run: [netwj.exe] C:\WINDOWS\system32\netwj.exe O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKLM\..\RunOnce: [netgt.exe] C:\WINDOWS\netgt.exe O4 - HKLM\..\RunOnce: [ntuk.exe] C:\WINDOWS\ntuk.exe O4 - HKLM\..\RunOnce: [mskf.exe] C:\WINDOWS\mskf.exe O4 - HKLM\..\RunOnce: [sdklz.exe] C:\WINDOWS\system32\sdklz.exe O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\system32\mfcor32.exe O4 - HKLM\..\RunOnce: [crfq.exe] C:\WINDOWS\crfq.exe O4 - HKLM\..\RunOnce: [winxm.exe] C:\WINDOWS\system32\winxm.exe O4 - HKLM\..\RunOnce: [ipqa.exe] C:\WINDOWS\system32\ipqa.exe O4 - HKLM\..\RunOnce: [appwi32.exe] C:\WINDOWS\system32\appwi32.exe O4 - HKLM\..\RunOnce: [atlom32.exe] C:\WINDOWS\system32\atlom32.exe O4 - HKLM\..\RunOnce: [sdkhj.exe] C:\WINDOWS\sdkhj.exe O4 - HKLM\..\RunOnce: [mfciv32.exe] C:\WINDOWS\mfciv32.exe O4 - HKLM\..\RunOnce: [atlgt32.exe] C:\WINDOWS\atlgt32.exe O4 - HKLM\..\RunOnce: [crbz.exe] C:\WINDOWS\crbz.exe O4 - HKLM\..\RunOnce: [appsi.exe] C:\WINDOWS\appsi.exe O4 - HKLM\..\RunOnce: [netzk.exe] C:\WINDOWS\system32\netzk.exe O4 - HKLM\..\RunOnce: [winun.exe] C:\WINDOWS\winun.exe O4 - HKLM\..\RunOnce: [javahp32.exe] C:\WINDOWS\javahp32.exe O4 - HKLM\..\RunOnce: [javaxk.exe] C:\WINDOWS\javaxk.exe O4 - HKLM\..\RunOnce: [atlzc32.exe] C:\WINDOWS\system32\atlzc32.exe O4 - HKLM\..\RunOnce: [ipbc32.exe] C:\WINDOWS\system32\ipbc32.exe O4 - HKLM\..\RunOnce: [netyq.exe] C:\WINDOWS\netyq.exe O4 - HKLM\..\RunOnce: [crrm32.exe] C:\WINDOWS\system32\crrm32.exe O4 - HKLM\..\RunOnce: [sdkqd32.exe] C:\WINDOWS\system32\sdkqd32.exe O4 - HKLM\..\RunOnce: [netmz.exe] C:\WINDOWS\system32\netmz.exe O4 - HKLM\..\RunOnce: [crev.exe] C:\WINDOWS\crev.exe O4 - HKLM\..\RunOnce: [netsb32.exe] C:\WINDOWS\netsb32.exe O4 - HKLM\..\RunOnce: [addyv.exe] C:\WINDOWS\system32\addyv.exe O4 - HKLM\..\RunOnce: [crze32.exe] C:\WINDOWS\crze32.exe O4 - HKLM\..\RunOnce: [winxk32.exe] C:\WINDOWS\system32\winxk32.exe O4 - HKLM\..\RunOnce: [javaad.exe] C:\WINDOWS\system32\javaad.exe O4 - HKLM\..\RunOnce: [mfczk.exe] C:\WINDOWS\system32\mfczk.exe O4 - HKLM\..\RunOnce: [sysfe.exe] C:\WINDOWS\system32\sysfe.exe O4 - HKLM\..\RunOnce: [crpj.exe] C:\WINDOWS\crpj.exe O4 - HKLM\..\RunOnce: [sdkxv32.exe] C:\WINDOWS\system32\sdkxv32.exe O4 - HKLM\..\RunOnce: [sysyx.exe] C:\WINDOWS\system32\sysyx.exe O4 - HKLM\..\RunOnce: [atlul.exe] C:\WINDOWS\atlul.exe O4 - HKLM\..\RunOnce: [mszf32.exe] C:\WINDOWS\mszf32.exe O4 - Startup: Palm Desktop.lnk = C:\Program Files\Palm\palm.exe O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netgt.exe" /s (file missing) End of KRC HijackThis Analyzer Log. ==================================================================== Last edited by old hickory; 07-15-2005 at 12:48 PM.

07-15-2005, 06:22 PM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,971 OS: WinXP and Vista	Hello old hickory, Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. Please download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds. Download CWShredder at http://www.greyknight17.com/spy/CWShredder.sfx.exe and run it. Uncompress the file and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit. Download AboutBuster 5 www.malwarebytes.biz/AboutBuster5.zip and uncompress the files to a folder on your the Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now. Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lcsnw.dll/sp.html#37049 R3 - Default URLSearchHook is missing O2 - BHO: Class - {8A0DB32B-05DE-FEDD-EFA2-683C23669852} - C:\WINDOWS\system32\ipke32.dll O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe O4 - HKLM\..\Run: [netwj.exe] C:\WINDOWS\system32\netwj.exe O4 - HKLM\..\RunOnce: [netgt.exe] C:\WINDOWS\netgt.exe O4 - HKLM\..\RunOnce: [ntuk.exe] C:\WINDOWS\ntuk.exe O4 - HKLM\..\RunOnce: [mskf.exe] C:\WINDOWS\mskf.exe O4 - HKLM\..\RunOnce: [sdklz.exe] C:\WINDOWS\system32\sdklz.exe O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\system32\mfcor32.exe O4 - HKLM\..\RunOnce: [crfq.exe] C:\WINDOWS\crfq.exe O4 - HKLM\..\RunOnce: [winxm.exe] C:\WINDOWS\system32\winxm.exe O4 - HKLM\..\RunOnce: [ipqa.exe] C:\WINDOWS\system32\ipqa.exe O4 - HKLM\..\RunOnce: [appwi32.exe] C:\WINDOWS\system32\appwi32.exe O4 - HKLM\..\RunOnce: [atlom32.exe] C:\WINDOWS\system32\atlom32.exe O4 - HKLM\..\RunOnce: [sdkhj.exe] C:\WINDOWS\sdkhj.exe O4 - HKLM\..\RunOnce: [mfciv32.exe] C:\WINDOWS\mfciv32.exe O4 - HKLM\..\RunOnce: [atlgt32.exe] C:\WINDOWS\atlgt32.exe O4 - HKLM\..\RunOnce: [crbz.exe] C:\WINDOWS\crbz.exe O4 - HKLM\..\RunOnce: [appsi.exe] C:\WINDOWS\appsi.exe O4 - HKLM\..\RunOnce: [netzk.exe] C:\WINDOWS\system32\netzk.exe O4 - HKLM\..\RunOnce: [winun.exe] C:\WINDOWS\winun.exe O4 - HKLM\..\RunOnce: [javahp32.exe] C:\WINDOWS\javahp32.exe O4 - HKLM\..\RunOnce: [javaxk.exe] C:\WINDOWS\javaxk.exe O4 - HKLM\..\RunOnce: [atlzc32.exe] C:\WINDOWS\system32\atlzc32.exe O4 - HKLM\..\RunOnce: [ipbc32.exe] C:\WINDOWS\system32\ipbc32.exe O4 - HKLM\..\RunOnce: [netyq.exe] C:\WINDOWS\netyq.exe O4 - HKLM\..\RunOnce: [crrm32.exe] C:\WINDOWS\system32\crrm32.exe O4 - HKLM\..\RunOnce: [sdkqd32.exe] C:\WINDOWS\system32\sdkqd32.exe O4 - HKLM\..\RunOnce: [netmz.exe] C:\WINDOWS\system32\netmz.exe O4 - HKLM\..\RunOnce: [crev.exe] C:\WINDOWS\crev.exe O4 - HKLM\..\RunOnce: [netsb32.exe] C:\WINDOWS\netsb32.exe O4 - HKLM\..\RunOnce: [addyv.exe] C:\WINDOWS\system32\addyv.exe O4 - HKLM\..\RunOnce: [crze32.exe] C:\WINDOWS\crze32.exe O4 - HKLM\..\RunOnce: [winxk32.exe] C:\WINDOWS\system32\winxk32.exe O4 - HKLM\..\RunOnce: [javaad.exe] C:\WINDOWS\system32\javaad.exe O4 - HKLM\..\RunOnce: [mfczk.exe] C:\WINDOWS\system32\mfczk.exe O4 - HKLM\..\RunOnce: [sysfe.exe] C:\WINDOWS\system32\sysfe.exe O4 - HKLM\..\RunOnce: [crpj.exe] C:\WINDOWS\crpj.exe O4 - HKLM\..\RunOnce: [sdkxv32.exe] C:\WINDOWS\system32\sdkxv32.exe O4 - HKLM\..\RunOnce: [sysyx.exe] C:\WINDOWS\system32\sysyx.exe O4 - HKLM\..\RunOnce: [atlul.exe] C:\WINDOWS\atlul.exe O4 - HKLM\..\RunOnce: [mszf32.exe] C:\WINDOWS\mszf32.exe O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netgt.exe" /s (file missing) Using Windows Explorer, delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\lcsnw.dll C:\WINDOWS\system32\ipke32.dll C:\WINDOWS\system32\netwj.exe C:\WINDOWS\netgt.exe C:\WINDOWS\ntuk.exe C:\WINDOWS\mskf.exe C:\WINDOWS\system32\sdklz.exe C:\WINDOWS\system32\mfcor32.exe C:\WINDOWS\crfq.exe C:\WINDOWS\system32\winxm.exe C:\WINDOWS\system32\ipqa.exe C:\WINDOWS\system32\appwi32.exe C:\WINDOWS\system32\atlom32.exe C:\WINDOWS\sdkhj.exe C:\WINDOWS\mfciv32.exe C:\WINDOWS\atlgt32.exe C:\WINDOWS\crbz.exe C:\WINDOWS\appsi.exe C:\WINDOWS\system32\netzk.exe C:\WINDOWS\winun.exe C:\WINDOWS\javahp32.exe C:\WINDOWS\javaxk.exe C:\WINDOWS\system32\atlzc32.exe C:\WINDOWS\system32\ipbc32.exe C:\WINDOWS\netyq.exe C:\WINDOWS\system32\crrm32.exe C:\WINDOWS\system32\sdkqd32.exe C:\WINDOWS\system32\netmz.exe C:\WINDOWS\crev.exe C:\WINDOWS\netsb32.exe C:\WINDOWS\system32\addyv.exe C:\WINDOWS\crze32.exe C:\WINDOWS\system32\winxk32.exe C:\WINDOWS\system32\javaad.exe C:\WINDOWS\system32\mfczk.exe C:\WINDOWS\system32\sysfe.exe C:\WINDOWS\crpj.exe C:\WINDOWS\system32\sdkxv32.exe C:\WINDOWS\system32\sysyx.exe C:\WINDOWS\atlul.exe C:\WINDOWS\mszf32.exe Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here. Reboot into Normal Mode. Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. If you have trouble updating, you may do it manually at http://www.ewido.net/en/download/updates/ Do NOT the Ewido scan yet. Reboot into Safe Mode. Run Ewido: -Click [Scanner] -Click [Complete System Scan] to begin scanning. -Click [OK] when prompted to clean files With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK]. Once finished, click the [Save report] button Save the report to your desktop Close Ewido Run another scan with HijackThis and post the log as well as the report from Ewido __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

07-16-2005, 06:54 PM	#5 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,971 OS: WinXP and Vista	Make sure you have this set properly: Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. Please download HSFix www.atribune.org/downloads/HSFix.zip Do NOT run it yet. Download CWShredder at http://www.greyknight17.com/spy/CWShredder.sfx.exe . Open CWShredder and click [I AGREE] Click [Check For Update] Close CWShredder after updating Reboot into Safe Mode (tapping F8 or F5) Go to Start->Run and type in services.msc* and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled. DO NOT DISABLE Remote Procedure Call (RPC) OR Remote Procedure Call (RPC) Locator Open HijackThis>Config>Misc Tools>Delete an NT Service Copy/paste (11Fßä#·ºÄÖ`I) in the box and click OK Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlrm.exe" C:\WINDOWS\atlpv.exe (file missing) Using Windows Explorer, delete the following files: C:\WINDOWS\atlpv.exe C:\WINDOWS\atlrm.exe Run CWShredder & click on [Fix]. Run About Buster and click [Begin Removal]. Double-click on HSfix.reg & answer YES when prompted to merge into the registry. Reboot into Normal Mode. run another scan with HijackThis and post the log here along with the AboutBuster log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

07-16-2005, 10:08 PM	#7 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	Reid wants you to unhide hidden files. If unsure, please use the instructions outlined below. Enable the viewing of Hidden files From Windows Explorer, go to Tools>Folder Options>View tab. Enable the option for `Show hidden files and folder´ Disable the option for `Hide file extensions for known types´ Disable the option for `Hide protected operating system files´ Click Yes to confirm & then click OK If you have anymore questions, please feel free to ask. __________________

07-17-2005, 09:24 PM	#10 (permalink)
skate_punk_21 1337 C0D3R Join Date: Mar 2005 Location: Canada Posts: 1,457 OS: Server 2K3/XP Pro/XP MCE/Win 98/Ubuntu Linux/BackTrack 2 My System	in hijackthis click the button labelled either Config or Miscellaneous Tools, then click the button, labelled Delete an NT service. You should then see a popup with a warning paragraph etc. In the text field below the warning, copy/paste the following into that text field: *(11Fßä#·ºÄÖ`I)* not sure if the brackets are necessary here, but give it a try now, continue with ried's instructions... __________________ Have I Helped you? Please Consider a Donation to TechSupportForums Last edited by skate_punk_21; 07-17-2005 at 09:26 PM.

07-15-2005, 09:06 PM	#3 (permalink)
old hickory I helped the forums. Join Date: Jul 2005 Posts: 39 OS: XP PRO	Ried, thanks....I'll follow your instructions to the best of my ability. Old Hick

07-16-2005, 10:00 PM	#6 (permalink)
old hickory I helped the forums. Join Date: Jul 2005 Posts: 39 OS: XP PRO	Hi Ried. I'm not sure what you mean here...... "If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked." Can you elaborate on this instruction. Old Hick

07-17-2005, 08:49 PM	#8 (permalink)
old hickory I helped the forums. Join Date: Jul 2005 Posts: 39 OS: XP PRO	subs, thanks....i did what you instructed Old Hickory

07-17-2005, 09:16 PM	#9 (permalink)
old hickory I helped the forums. Join Date: Jul 2005 Posts: 39 OS: XP PRO	"Open HijackThis>Config>Misc Tools>Delete an NT Service Copy/paste (11Fßä#·ºÄÖ`I) in the box and click OK" Ried, I don't know how to do the above....can you elaborate? Where do I copy/paste this weird file(rpc helper file?)? I know I can't type it. Old Hick

07-17-2005, 10:31 PM	#11 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	Please download an updated HSFix.zip from http://users.telenet.be/marcvn/regfiles/HSfix.zip. Delete the previous version & use this in place of it. Thank you. __________________

07-18-2005, 08:25 AM	#13 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	Congratulations!! Your log is clean. Don't worry about the RPC helper. The HSFix.zip I had you download was designed to tackle the issue. Do you have any more problems with your computer? If not, you should be set to go. Just remains a few bits of housekeeping ... = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Run a scan with HiJackThis & select(tick) the following & click [Fix checked] : R3 - Default URLSearchHook is missing = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Reset hidden/system files and folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Create a new System Restore point click Start >> Run - type SYSDM.CPL & press Enter select the System Restore Tab tick on the checkbox - "Turn off System Restore on all drives" click Apply then untick the same checkbox & click OK Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl tick on the checkbox - "Keep my computer up to date" Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. SpywareGuard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. If you do not have a firewall, here are 3 free ones available for personal use: Sygate Personal Firewall Kerio Personal Firewall ZoneAlarm In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________

07-20-2005, 08:02 PM	#14 (permalink)
old hickory I helped the forums. Join Date: Jul 2005 Posts: 39 OS: XP PRO	Everything is 99% better ....thanks. My zonealarm keeps telling me that rundll32.exe wants to be an App to access the internet. Is this a bad file? should I let it access the internet? Old Hickory