About blank

  1. #1
    karenz, Newbie

    About blank

    Logfile of HijackThis v1.99.0
    Scan saved at 9:45:09 p.m., on 18/02/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
    C:\WINDOWS\APIHB.EXE
    C:\WINDOWS\ATLWC32.EXE
    C:\WINDOWS\APPFS.EXE
    C:\WINDOWS\NETQU.EXE
    C:\WINDOWS\SYSHI.EXE
    C:\WINDOWS\MSBN32.EXE
    C:\WINDOWS\SYSTEM\D3AI32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\NTMN32.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\INTERVIDEO\COMMON\BIN\WINCINEMAMGR.EXE
    C:\WINDOWS\NETQU.EXE
    C:\WINDOWS\MSBN32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\D3AI32.EXE
    C:\WINDOWS\ATLCH32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\D3AI32.EXE
    C:\WINDOWS\SYSTEM\APPDR32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {CC8D4A53-DB28-84D7-6264-C094406850B8} - C:\WINDOWS\NTGV32.DLL
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [eulnokipxdag] C:\WINDOWS\SYSTEM\vwkadb.exe
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [NTMN32.EXE] C:\WINDOWS\SYSTEM\NTMN32.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [MSMC.EXE] C:\WINDOWS\SYSTEM\MSMC.EXE
    O4 - HKLM\..\RunServices: [D3HD32.EXE] C:\WINDOWS\SYSTEM\D3HD32.EXE
    O4 - HKLM\..\RunServices: [CRCY32.EXE] C:\WINDOWS\SYSTEM\CRCY32.EXE
    O4 - HKLM\..\RunServices: [APPFS.EXE] C:\WINDOWS\APPFS.EXE
    O4 - HKLM\..\RunServices: [ATLWC32.EXE] C:\WINDOWS\ATLWC32.EXE
    O4 - HKLM\..\RunServices: [D3CG32.EXE] C:\WINDOWS\SYSTEM\D3CG32.EXE
    O4 - HKLM\..\RunServices: [APIHB.EXE] C:\WINDOWS\APIHB.EXE
    O4 - HKLM\..\RunServices: [SYSHI.EXE] C:\WINDOWS\SYSHI.EXE
    O4 - HKLM\..\RunServices: [NETSM.EXE] C:\WINDOWS\SYSTEM\NETSM.EXE
    O4 - HKLM\..\RunServices: [APIDT.EXE] C:\WINDOWS\SYSTEM\APIDT.EXE
    O4 - HKLM\..\RunServices: [CRPO32.EXE] C:\WINDOWS\SYSTEM\CRPO32.EXE
    O4 - HKLM\..\RunServices: [MSBN32.EXE] C:\WINDOWS\MSBN32.EXE
    O4 - HKLM\..\RunServices: [SYSVY32.EXE] C:\WINDOWS\SYSTEM\SYSVY32.EXE
    O4 - HKLM\..\RunServices: [IPOG.EXE] C:\WINDOWS\SYSTEM\IPOG.EXE
    O4 - HKLM\..\RunServices: [APIDT32.EXE] C:\WINDOWS\SYSTEM\APIDT32.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [NETQU.EXE] C:\WINDOWS\NETQU.EXE
    O4 - HKLM\..\RunServices: [D3AI32.EXE] C:\WINDOWS\SYSTEM\D3AI32.EXE
    O4 - HKLM\..\RunServices: [ATLCH32.EXE] C:\WINDOWS\ATLCH32.EXE
    O4 - HKLM\..\RunServices: [APPDR32.EXE] C:\WINDOWS\SYSTEM\APPDR32.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab

  2. #2
    karenz, Newbie
    don't know what to do even with NAV2005

  3. #3
    owen, D-A-L Team Member (UK)
    1. Download AboutBuster http://www.downloads.subratam.org/AboutBuster.zip

    Unzip it to your desktop but don't run it yet.

    2. Download Ad-aware from here. Open the Ad-aware program and near the bottom click the Check For Updates link. This will open the update manager. Follow the prompts to update your Ad-aware Reference File. Close Ad-aware for now, we will use it later.

    3. You may want to print out these instructions for further reference when completing the following steps.

    4. Ensure you are showing Hidden Files and Folders as per instructions here.

    5. Then reboot your PC into Safe Mode. If you don't know how to do this, see here for further instructions.

    6. Restart Hijack This and put a checkmark next to the following entries and click Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {CC8D4A53-DB28-84D7-6264-C094406850B8} - C:\WINDOWS\NTGV32.DLL
    O4 - HKLM\..\Run: [eulnokipxdag] C:\WINDOWS\SYSTEM\vwkadb.exe
    O4 - HKLM\..\Run: [NTMN32.EXE] C:\WINDOWS\SYSTEM\NTMN32.EXE
    O4 - HKLM\..\RunServices: [MSMC.EXE] C:\WINDOWS\SYSTEM\MSMC.EXE
    O4 - HKLM\..\RunServices: [D3HD32.EXE] C:\WINDOWS\SYSTEM\D3HD32.EXE
    O4 - HKLM\..\RunServices: [CRCY32.EXE] C:\WINDOWS\SYSTEM\CRCY32.EXE
    O4 - HKLM\..\RunServices: [APPFS.EXE] C:\WINDOWS\APPFS.EXE
    O4 - HKLM\..\RunServices: [ATLWC32.EXE] C:\WINDOWS\ATLWC32.EXE
    O4 - HKLM\..\RunServices: [D3CG32.EXE] C:\WINDOWS\SYSTEM\D3CG32.EXE
    O4 - HKLM\..\RunServices: [APIHB.EXE] C:\WINDOWS\APIHB.EXE
    O4 - HKLM\..\RunServices: [SYSHI.EXE] C:\WINDOWS\SYSHI.EXE
    O4 - HKLM\..\RunServices: [NETSM.EXE] C:\WINDOWS\SYSTEM\NETSM.EXE
    O4 - HKLM\..\RunServices: [APIDT.EXE] C:\WINDOWS\SYSTEM\APIDT.EXE
    O4 - HKLM\..\RunServices: [CRPO32.EXE] C:\WINDOWS\SYSTEM\CRPO32.EXE
    O4 - HKLM\..\RunServices: [MSBN32.EXE] C:\WINDOWS\MSBN32.EXE
    O4 - HKLM\..\RunServices: [SYSVY32.EXE] C:\WINDOWS\SYSTEM\SYSVY32.EXE
    O4 - HKLM\..\RunServices: [IPOG.EXE] C:\WINDOWS\SYSTEM\IPOG.EXE
    O4 - HKLM\..\RunServices: [APIDT32.EXE] C:\WINDOWS\SYSTEM\APIDT32.EXE
    O4 - HKLM\..\RunServices: [NETQU.EXE] C:\WINDOWS\NETQU.EXE
    O4 - HKLM\..\RunServices: [D3AI32.EXE] C:\WINDOWS\SYSTEM\D3AI32.EXE
    O4 - HKLM\..\RunServices: [ATLCH32.EXE] C:\WINDOWS\ATLCH32.EXE
    O4 - HKLM\..\RunServices: [APPDR32.EXE] C:\WINDOWS\SYSTEM\APPDR32.EXE
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE

    Then delete the following files and folders:
    C:\WINDOWS\SYSTEM\vwkadb.exe
    C:\WINDOWS\SYSTEM\NTMN32.EXE
    C:\WINDOWS\SYSTEM\MSMC.EXE
    C:\WINDOWS\SYSTEM\D3HD32.EXE
    C:\WINDOWS\SYSTEM\CRCY32.EXE
    C:\WINDOWS\APPFS.EXE
    C:\WINDOWS\ATLWC32.EXE
    C:\WINDOWS\SYSTEM\D3CG32.EXE
    C:\WINDOWS\APIHB.EXE
    C:\WINDOWS\SYSHI.EXE
    C:\WINDOWS\SYSTEM\NETSM.EXE
    C:\WINDOWS\SYSTEM\APIDT.EXE
    C:\WINDOWS\SYSTEM\CRPO32.EXE
    C:\WINDOWS\MSBN32.EXE
    C:\WINDOWS\SYSTEM\SYSVY32.EXE
    C:\WINDOWS\SYSTEM\IPOG.EXE
    C:\WINDOWS\SYSTEM\APIDT32.EXE
    C:\WINDOWS\NETQU.EXE
    C:\WINDOWS\SYSTEM\D3AI32.EXE
    C:\WINDOWS\ATLCH32.EXE
    C:\WINDOWS\SYSTEM\APPDR32.EXE
    C:\WINDOWS\SYSTEM\MATRIXHERE.EXE

    7. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

    8. Scan with Adaware and let it remove any bad files found.

    9. Download CCleaner from here. Run the program and let it clear out your PC.

    10. Reboot to normal mode

    11. Finally, pay a visit to Housecall. Scan for and remove any infected files found on your system.

    Post a fresh HijackThis log and the AboutBuster report back here please.
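
As an added example, not part of the thread and not code from HijackThis or from the helper above: a small Python triage script that applies the same checks owen applied by hand to the entries in this log format, flagging R0/R1 values that point at a local res:// DLL, a missing default URLSearchHook, and any BHO or O4 autorun whose file sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM and is not on a known-good list. The sample lines and the KNOWN_GOOD allowlist are constructed for this example and the allowlist is deliberately partial.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind entry reason")

# Partial allowlist of Windows 9x/ME components that legitimately load from
# C:\WINDOWS or C:\WINDOWS\SYSTEM (constructed for this example, not exhaustive).
KNOWN_GOOD = {
    "ssdpsrv.exe", "mstask.exe", "statemgr.exe", "systray.exe",
    "loadqm.exe", "rundll32.exe", "hpscanfix.exe",
}

# A file sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM, optionally quoted,
# optionally followed by command-line arguments.
WINDIR_RE = re.compile(
    r'^"?C:\\WINDOWS(?:\\SYSTEM)?\\([^\\"\s]+)"?(?:\s.*)?$', re.IGNORECASE)
R_RE = re.compile(r"^(?P<kind>R[013]) - (?P<body>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<dll>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<label>[^\]]*)\] (?P<target>.*)$")

# Constructed sample, shaped like the HijackThis 1.99 entries quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lzwxj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tvnz.co.nz/view/tvnz_index_skin/tvnz_index_group
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {CC8D4A53-DB28-84D7-6264-C094406850B8} - C:\WINDOWS\NTGV32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [D3HD32.EXE] C:\WINDOWS\SYSTEM\D3HD32.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
"""


def basename_in_windir(target):
    # Return the file name when target sits directly in the Windows or
    # System directory, otherwise None (subdirectories do not match).
    m = WINDIR_RE.match(target.strip())
    return m.group(1) if m else None


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_RE.match(line)
        if m:
            if "= res://" in line:
                findings.append(Finding(m.group("kind"), line,
                                        "IE search/start value points at a local res:// DLL"))
            elif "URLSearchHook is missing" in line:
                findings.append(Finding(m.group("kind"), line,
                                        "default URLSearchHook has been removed"))
            continue
        m = O2_RE.match(line)
        if m and basename_in_windir(m.group("dll")):
            findings.append(Finding("O2", line,
                                    "BHO loaded straight from the Windows directory"))
            continue
        m = O4_RE.match(line)
        if m:
            name = basename_in_windir(m.group("target"))
            if name and name.lower() not in KNOWN_GOOD:
                findings.append(Finding("O4", line,
                                        "autorun of an unknown file in the Windows directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.entry}")
```

Entries in Program Files or in a subdirectory of C:\WINDOWS are left alone, so a real allowlist still has to be reviewed by hand, as owen did here.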

  4. #4
    karenz, Newbie
    Logfile of HijackThis v1.99.0
    Scan saved at 11:02:31 p.m., on 22/02/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
    C:\WINDOWS\SYSTEM\JAVAPT.EXE
    C:\WINDOWS\CRIE32.EXE
    C:\WINDOWS\SYSTEM\MSBS.EXE
    C:\WINDOWS\SYSTEM\SYSTX32.EXE
    C:\WINDOWS\SYSTEM\IPUJ32.EXE
    C:\WINDOWS\SYSTEM\D3OH.EXE
    C:\WINDOWS\SYSTEM\APPUY.EXE
    C:\WINDOWS\SYSTEM\CRZX.EXE
    C:\WINDOWS\ATLMW32.EXE
    C:\WINDOWS\SYSTEM\WINOW32.EXE
    C:\WINDOWS\WINPC.EXE
    C:\WINDOWS\CRQB32.EXE
    C:\WINDOWS\SYSTEM\MFCAI.EXE
    C:\WINDOWS\SDKZV32.EXE
    C:\WINDOWS\ADDYW.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\PATCH.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\HIJACK\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [CRIE32.EXE] C:\WINDOWS\CRIE32.EXE
    O4 - HKLM\..\RunServices: [WINOW32.EXE] C:\WINDOWS\SYSTEM\WINOW32.EXE
    O4 - HKLM\..\RunServices: [MSBS.EXE] C:\WINDOWS\SYSTEM\MSBS.EXE
    O4 - HKLM\..\RunServices: [SDKZV32.EXE] C:\WINDOWS\SDKZV32.EXE
    O4 - HKLM\..\RunServices: [JAVAPT.EXE] C:\WINDOWS\SYSTEM\JAVAPT.EXE
    O4 - HKLM\..\RunServices: [SYSTX32.EXE] C:\WINDOWS\SYSTEM\SYSTX32.EXE
    O4 - HKLM\..\RunServices: [IPUJ32.EXE] C:\WINDOWS\SYSTEM\IPUJ32.EXE
    O4 - HKLM\..\RunServices: [ADDYW.EXE] C:\WINDOWS\ADDYW.EXE
    O4 - HKLM\..\RunServices: [MFCAI.EXE] C:\WINDOWS\SYSTEM\MFCAI.EXE
    O4 - HKLM\..\RunServices: [CRQB32.EXE] C:\WINDOWS\CRQB32.EXE
    O4 - HKLM\..\RunServices: [ATLMW32.EXE] C:\WINDOWS\ATLMW32.EXE
    O4 - HKLM\..\RunServices: [D3OH.EXE] C:\WINDOWS\SYSTEM\D3OH.EXE
    O4 - HKLM\..\RunServices: [WINPC.EXE] C:\WINDOWS\WINPC.EXE
    O4 - HKLM\..\RunServices: [CRZX.EXE] C:\WINDOWS\SYSTEM\CRZX.EXE
    O4 - HKLM\..\RunServices: [APPUY.EXE] C:\WINDOWS\SYSTEM\APPUY.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab


    Cannot seem to get to the housecall, freezes at 95% re active update, but it is running a bit better.

  5. #5
    owen, D-A-L Team Member (UK)
    Sorry about my slow response time.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    O4 - HKLM\..\RunServices: [CRIE32.EXE] C:\WINDOWS\CRIE32.EXE
    O4 - HKLM\..\RunServices: [WINOW32.EXE] C:\WINDOWS\SYSTEM\WINOW32.EXE
    O4 - HKLM\..\RunServices: [MSBS.EXE] C:\WINDOWS\SYSTEM\MSBS.EXE
    O4 - HKLM\..\RunServices: [SDKZV32.EXE] C:\WINDOWS\SDKZV32.EXE
    O4 - HKLM\..\RunServices: [JAVAPT.EXE] C:\WINDOWS\SYSTEM\JAVAPT.EXE
    O4 - HKLM\..\RunServices: [SYSTX32.EXE] C:\WINDOWS\SYSTEM\SYSTX32.EXE
    O4 - HKLM\..\RunServices: [IPUJ32.EXE] C:\WINDOWS\SYSTEM\IPUJ32.EXE
    O4 - HKLM\..\RunServices: [ADDYW.EXE] C:\WINDOWS\ADDYW.EXE
    O4 - HKLM\..\RunServices: [MFCAI.EXE] C:\WINDOWS\SYSTEM\MFCAI.EXE
    O4 - HKLM\..\RunServices: [CRQB32.EXE] C:\WINDOWS\CRQB32.EXE
    O4 - HKLM\..\RunServices: [ATLMW32.EXE] C:\WINDOWS\ATLMW32.EXE
    O4 - HKLM\..\RunServices: [D3OH.EXE] C:\WINDOWS\SYSTEM\D3OH.EXE
    O4 - HKLM\..\RunServices: [WINPC.EXE] C:\WINDOWS\WINPC.EXE
    O4 - HKLM\..\RunServices: [CRZX.EXE] C:\WINDOWS\SYSTEM\CRZX.EXE
    O4 - HKLM\..\RunServices: [APPUY.EXE] C:\WINDOWS\SYSTEM\APPUY.EXE

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Delete the following files and folders:
    C:\WINDOWS\CRIE32.EXE
    C:\WINDOWS\SYSTEM\WINOW32.EXE
    C:\WINDOWS\SYSTEM\MSBS.EXE
    C:\WINDOWS\SDKZV32.EXE
    C:\WINDOWS\SYSTEM\JAVAPT.EXE
    C:\WINDOWS\SYSTEM\SYSTX32.EXE
    C:\WINDOWS\SYSTEM\IPUJ32.EXE
    C:\WINDOWS\ADDYW.EXE
    C:\WINDOWS\SYSTEM\MFCAI.EXE
    C:\WINDOWS\CRQB32.EXE
    C:\WINDOWS\ATLMW32.EXE
    C:\WINDOWS\SYSTEM\D3OH.EXE
    C:\WINDOWS\WINPC.EXE
    C:\WINDOWS\SYSTEM\CRZX.EXE
    C:\WINDOWS\SYSTEM\APPUY.EXE

    Reboot and post a fresh log

  6. #6
    karenz, Newbie
    Logfile of HijackThis v1.99.0
    Scan saved at 4:46:43 p.m., on 25/02/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\MACROMED\FLASH\GETFLASH.EXE
    C:\HIJACK\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tvnz.co.nz/view/tvnz_index_skin/tvnz_index_group
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

    I now have a spool32.exe that keeps coming up telling me the file is corrupt. Thanks for all your help, I will track a forum thread for the spool32.exe problem.

  7. #7
    owen, D-A-L Team Member (UK)
    Spool32 is not a valid system file, it is in fact related to a Trojan called Yab.A.

    Perform an Online Virus Scan at http://housecall.trendmicro.com. Let it remove any infections it finds.

    That is a clean log btw.

  8. #8
    karenz, Newbie
    Thanks Owen. Will do.

  9. #9
    owen, D-A-L Team Member (UK)
    Let me know how things go.

  10. #10
    karenz, Newbie
    Hi Owen
    Things went pretty smoothly, blank removed, trojan spool32 removed, but it messed up my operating system so I am working off another computer in the meantime trying to fix the HP operating system. Have downloaded Norton's AV and am now working on trying to recover my op system, but the recovery disks don't work... am now looking at a Windows ME full recovery system. Thanks for all your help.
