Mollie2333

63 Posts

May 17th, 2005 22:00

Hijack this Log Windows XP

A few weeks ago I was sure I had a nasty virus, could not run any programs without freezing up, could not even open and run a hijack this program so that I could post a log. My wireless router was disabled, could not open it to check it etc. Someone from this board was trying to help me but I could not post a log so I felt trapped. Was waiting for someone from my husbands IT dept to look at it when it seems to have miraculously fixed itself. So I am now able to run a hijack log.

Please review and let me know if there is something lurking.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:46:17 PM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ntng32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\110082~1\EE\AOLHOS~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\ntkx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\COMMON~1\AOL\110082~1\EE\AOLServiceHost.exe
C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Gail\LOCALS~1\Temp\Temporary Directory 1 for HJT.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\canal.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\canal.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iwvdk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iwvdk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iwvdk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\canal.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iwvdk.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5E63AC3C-1971-B83C-E2FB-4038C435169B} - C:\WINDOWS\system32\adddu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100829214\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0b\waol.exe
O4 - HKLM\..\Run: [ntkx.exe] C:\WINDOWS\system32\ntkx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/e3f38895/enter.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/securedelivery/main/kdx.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntng32.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Responses(50)
Solutions(0)

ALgal

1.2K Posts

May 18th, 2005 16:00

Hello Mollie,

My name is Susan and I will be assisting you with your hijackthis log. Please be patient and I will be posting instructions shortly.

Come join us in the fight against malware at the Malware University at http://www.malwareremoval.com/

ALgal

1.2K Posts

May 18th, 2005 18:00

Hello and Welcome Mollie,

You have an infection that requires several tools to remove.
You need to download some programs for use later. You will be downloading them now because you will be disconnected from the Internet and must have them on your computer.

You need to unzip and move your Hijackthis to another location. Do not have it in a temporary folder because backups will not be available if needed. Be sure to have it unzipped – do not have it running from within the zip file. Move it to a folder such as C:\HJT

Winsockxpfix
Download Winsockxpfix from
http://www.spychecker.com/program/winsockxpfix.html
Do Not use it yet!

Cwsserviceremove
Download cwsserviceremove from http://ralphcaddell.com/Uploads/cwsserviceremove.zip
and unzip it to your desktop Do NOT use it yet

AboutBuster
Download AboutBuster from http://downloads.malwareremoval.com/AboutBuster.zip
Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet

CWShredder
Download CWShredder from
http://www.intermute.com/spysubtract/cwshredder_download.html
install it, check for updates but again. Do NOT use it yet

Ad-aware Second Edition
Download Ad-aware Second Edition from
http://lavasoft.element5.com/support/download/
Install it. If you already have Ad-aware Second Edition skip to the next step.
Open Adaware and Click the "Check for updates now" line on the main screen.
CLick the "Connect" button on the webupdate screen.
If an update is available download it and install it.
Click the "Finish" button to go back to the main screen.
Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen.
Check the "Automatically quarantine objects prior to removal" setting
Click "Proceed" to save your changes
Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen
Deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
Select "Use custom scanning options"
Click "CUstomize". This will open the "Scan Settings Page.
Make sure all of the following are On with a "green" checkmark:
Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:
Scan registry for all users instead of current user only
Make sure the following is unchecked with a "red" X:
Unload recognized processes & modules during scan.
Open up the Cleaning Engine section and make sure the entire following are On with a "green" checkmark:
Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.

Be sure to stop after Proceed and don’t scan yet!
Click the "Proceed" button to save settings.
Don't scan yet.

Show Hidden Files and Folders
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Stop & Disable Services
Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called Network Security Service .
When you find it, double-click on it.
In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled.
Now hit Apply and then Ok and close any open windows.

Please disconnect from the Internet and unplug your modem for the duration of this fix You may want to print the rest of these instructions.

Safe Mode
Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

Cwsserviceemove
While in safe mode, double click on the cwsserviceemove.reg file you downloaded at the beginning. Grant it permission to add the registry items.

Cwshredder
Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

End Processes
Bring up task manager Ctrl-Alt-Del and end these processes if they are present
C:\WINDOWS\system32\ntkx.exe
C:\WINDOWS\system32\ntng32.exe

Delete Files
Now find and delete these files in red, if you can't find one then don't worry- just move on to the next one.
C:\WINDOWS\canal.dll

C:\WINDOWS\iwvdk.dll

C:\WINDOWS\system32\adddu.dll
C:\WINDOWS\system32\ntkx.exe
C:\WINDOWS\system32\ntng32.exe

Delete the folder
C:\Program Files\WildTangent

Hijackthis
I am reminding you again because it is important! You need to unzip and move your Hijackthis to another location. Do not have it in a temporary folder because backups will not be available if needed. Be sure to have it unzipped – do not have it running from within the zip file. Move it to a folder such as C:\HJT

Now run hijackthis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked'
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\canal.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\canal.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iwvdk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iwvdk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iwvdk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\canal.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iwvdk.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5E63AC3C-1971-B83C-E2FB-4038C435169B} - C:\WINDOWS\system32\adddu.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ntkx.exe] C:\WINDOWS\system32\ntkx.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/e3f38895/enter.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntng32.exe
Close ALL windows and browsers except HijackThis and click "Fix checked

Delete Temporary Files, Offline Content, Prefetch files
The following step is important as you may have several malware files in your temp directories.

Then browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Window\Temp folder and delete all files and folders in it.
Then in internet explore click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

Open C:\Windows\Prefetch\ Delete All files in the Prefetch folder—not the Prefetch folder itself

Aboutbuster
Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. I will be asking you to post the log file with the hijackthis log in your next reply.

AdAware
Scan with Adaware by opening it and clicking the "Start" button to start the scan.
When the scan is completed the Performing System Scan screen will change name to "Scan Complete".
Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.
Click the Critical Objects Tab. In general all of the items listed will be bad. Be carefull with the Hosts file entries. Malware uses the hosts file to redirect you websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a host file to protect yourself read http://accs-net.com/hosts/what_is_hosts.html but you can do this after you connect to the Internet again.
So in short, you may or may not want to fix the hosts file entries.

To fix all the bad critical objects do the following:
Right click on one of them to open up the selection screen.
Click the "Select All" button to select all entries. (In general all should be selected with the exception of the good hosts file entries).
When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

Winsockxpfix
You indicated that you had previous problems connecting to the Internet. If you encounter this problem again, run this Winsockxpfix. You may not even need to do this but I want you to be aware of this fix if for some reason you cannot connect after rebooting.
Locate the Winsockxpfix.exe and double click and click Run.
The VB_WinFix Win 1.2 window will appear.
Click Fix

Now reboot,and run hijackthis again and post a fresh log along with the about buster log and we will see how we are progressing.

Mollie2333

63 Posts

May 18th, 2005 21:00

Thank you Susan. I will do as you instructed and get back to you.

Mollie2333

63 Posts

May 19th, 2005 01:00

Hi Susan:

I did as you instructed but hit a snag. I did everything but when I got to where I was to run the aboutbuster it would not run, no message just would not run. So I continued with the next steps up till running another HJT. I tried the aboutbuster again and at that time it told me the file was corrupt. So I downloaded it again and tried running it twice. Both times it began fine but when it got to 64% scanned my computer shut off and when I went back on it told me something about having to shut down to maintain temperature. Never saw such a message before. Before the computer turned off I could see in the message box "No ADS found on system" followed by about 10 lines all saying "Error removing! C:\Windows System32kbd.dll"

Anyway I ran a HJT log again as follows. I would welcome any other advise you have.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 9:58:39 PM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\PROGRA~1\COMMON~1\AOL\110082~1\EE\AOLHOS~1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\COMMON~1\AOL\110082~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\NewHJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100829214\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0b\waol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/securedelivery/main/kdx.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

ALgal

1.2K Posts

May 19th, 2005 13:00

Hello Mollie,

I am sorry about the snag with aboutbuster. We found out what we needed to know which was "No ADS found on system". This indicates that there are no Alternate Data Streams on your system which is good! Thank you for giving me that message! I will try to find out more information about the snag but let’s go on with the fixes.

Hijackthis

Now run hijackthis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked'

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
Close ALL windows and browsers except HijackThis and click "Fix checked

Restore Deleted Files

Now we need to see if we need to restore some deleted files:
Please check for the following files using the Windows Search Engine:

control.exe
rundll32.exe
wmplayer.exe
msconfig.exe
notepad.exe
shell.dll
SDHelper.dll

If any are missing or not working properly then you can download new copies from

http://www.richardthelionhearted.com/?url=merijn.richardthelionhearted.com

and follow the instructions at that site to install them where they belong for your OS.

Download the Hoster from http://www.funkytoad.com/download/hoster.zip

Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

Antivirus

Run Trend Micro online antivirus scan at:

http://housecall.antivirus.com/housecall/start_frame.asp
Reboot

Finally, scan again with HijackThis once more and post your logfile just to make sure that there is nothing left to fix. If the virus scan found anything, please let me know this also.

Mollie2333

63 Posts

May 19th, 2005 14:00

Thanks Susan. I am at work, I will do as you advised when I get home this evening and let you know. Thanks so much.

Mollie2333

63 Posts

May 19th, 2005 22:00

Hi Susan:

OK...I fixed that 08 in the HJT

The only file I had to restore was the SDHelper.dll which I did.

House call found 204!!!! infected files HTML Coolweb, multiple instances of JAVA Bytever A-1, A and B, HTMLMHTREDIRU, multiple instances of Troj Apropo, TrojKeenval, Troj Agent MQ,PQ, MP, NP, PG and JS, TrojWinshowT, TrojU48A. All were deemded "non-cleanable" so I deleted them. Except there were 4 files which were infected (with coolweb A and byteverA) that "could not be accessed"

Here is the new HJT log: Once again, thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 7:46:26 PM, on 5/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\110082~1\EE\AOLHOS~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\PROGRA~1\COMMON~1\AOL\110082~1\EE\AOLServiceHost.exe
C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\NewHJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100829214\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0b\waol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/securedelivery/main/kdx.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

ALgal

1.2K Posts

May 20th, 2005 16:00

Hello Mollie,

You are doing well! Your log is looking clean and you got rid of many viruses! I want you to run a different virus scan now.

Download MicroWorld’s mwav.exe from http://www.mwti.net/antivirus/mwav.asp then:
1. Double-click the mwav.exe icon to run it (it'll self extract).
2. Click "Scan".
3. When it completes, post back the results from the 'Virus log information' pane.

Mollie2333

63 Posts

May 20th, 2005 22:00

Hi Susan:

I was feeling pretty good about my progress but when I see this log I am discouraged. 66 viruses??? Why didn't my Norton or the House call we ran before find these?? It seems like every virus scan finds something the previous one didn't.

Anyway enough of my whining..what do you suggest next?

Fri May 20 19:35:20 2005 => ***** Scanning complete. *****

Fri May 20 19:35:20 2005 => Total Objects Scanned: 18493
Fri May 20 19:35:20 2005 => Total Virus(es) Found: 66
Fri May 20 19:35:20 2005 => Total Disinfected Files: 0
Fri May 20 19:35:20 2005 => Total Files Renamed: 0
Fri May 20 19:35:20 2005 => Total Deleted Objects: 0
Fri May 20 19:35:20 2005 => Total Errors: 52
Fri May 20 19:35:20 2005 => Time Elapsed: 00:13:30
Fri May 20 19:35:20 2005 => Virus Database Date: 2005/05/20
Fri May 20 19:35:20 2005 => Virus Database Count: 130890

Fri May 20 19:35:20 2005 => Scan Completed.

ALgal

1.2K Posts

May 21st, 2005 20:00

Hello Mollie,

Do not be discouraged! Wink

It is better than I thought it would be! My brother had 76 infected files and we cleaned it up! Midnight Star taught me a lot! But what I need is part of the log that looks similar to this and all of it. It can be edited and with instructions you will be able copy and paste and run an application and we will delete the files.

File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Adintelligence.AproposToolbar Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "sidefind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "dvx Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\questmod.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\LOCALNRD.DLL infected by "not-a-virus:AdWare.BiSpy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\PREINSTT.EXE infected by "not-a-virus:AdWare.BiSpy.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPrad8982A.tmp.com infected by "Trojan-Downloader.Win32.Agent.k" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TWAINTEC.DLL infected by "not-a-virus:AdWare.BiSpy.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\windial32.exe infected by "Trojan.Win32.Dialer.bh" Virus. Action Taken: No Action Taken.

Mollie2333

63 Posts

May 22nd, 2005 00:00

Hi Susan:

I hope this is what you need. I copied and pasted anything that sounded bad.

Thanks for your time.

Sat May 21 19:21:13 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Sat May 21 19:21:14 2005 => Offending Folder C:\PROGRA~1\maxspeed present...
Sat May 21 19:21:27 2005 => Object "MaxSpeed Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat May 21 19:21:28 2005 => Offending value found in HKLM\Software\microsoft\downloadmanager !!!
Sat May 21 19:21:28 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat May 21 19:21:28 2005 => Offending value found in HKLM\Software\PERFECTNAV !!!
Sat May 21 19:21:28 2005 => Object "PerfectNav Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat May 21 19:21:28 2005 => Offending Folder C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\GAINPU~1 present...
Sat May 21 19:21:28 2005 => Object "Claria Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat May 21 19:22:31 2005 => System found infected with cws.therealsearch Spyware/Adware (waol.exe)! Action taken: No Action Taken.

Sat May 21 19:22:31 2005 => Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat May 21 19:22:35 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\DIMM.DLL". Action Taken: No Action Taken.

Sat May 21 19:22:35 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\Default.rul". Action Taken: No Action Taken.

Sat May 21 19:22:36 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll". Action Taken: No Action Taken.

Sat May 21 19:22:36 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\axofupld.dll". Action Taken: No Action Taken.

Sat May 21 19:22:36 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\toolbar.dll". Action Taken: No Action Taken.

Sat May 21 19:22:38 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\inst2.dll". Action Taken: No Action Taken.

Sat May 21 19:22:39 2005 => Entry "HKCR\CLSID\{030CD4FD-3EC2-4D16-BCCA-45186B8E7497}" refers to invalid object "C:\PROGRA~1\AOLCOM~1\WEBSER~1.DLL". Action Taken: No Action Taken.

Sat May 21 19:22:40 2005 => Entry "HKCR\CLSID\{0AD31460-EF0E-402B-93CB-D92615A5C2E1}" refers to invalid object "C:\PROGRA~1\AOLCOM~1\AOLCON~1.DLL". Action Taken: No Action Taken.

Sat May 21 19:22:40 2005 => Entry "HKCR\CLSID\{11405E5B-9008-4121-B33C-7F6C5692F862}" refers to invalid object "C:\PROGRA~1\AOLCOM~1\ADDRES~1.DLL". Action Taken: No Action Taken.

Sat May 21 19:22:43 2005 => Entry "HKCR\CLSID\{35FE0D30-27F3-4E6A-82AE-784EF9B43D83}" refers to invalid object "C:\PROGRA~1\AOLCOM~1\Alerts.dll". Action Taken: No Action Taken.

Sat May 21 19:22:43 2005 => Entry "HKCR\CLSID\{3B1D476F-C743-43C2-9EA0-9852A0654C98}" refers to invalid object "C:\WINDOWS\System32\gefbp.dll". Action Taken: No Action Taken.

Sat May 21 19:22:43 2005 => Entry "HKCR\CLSID\{41948A6F-77EF-5189-3C2C-18FF25E06968}" refers to invalid object "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll". Action Taken: No Action Taken.

Sat May 21 19:22:44 2005 => Entry "HKCR\CLSID\{4493EDDC-F245-479B-B256-09296B14C5B8}" refers to invalid object "C:\PROGRA~1\AOLCOM~1\Mail.dll". Action Taken: No Action Taken.

Sat May 21 19:22:44 2005 => Entry "HKCR\CLSID\{4EDDDDBC-3528-41AA-AA6E-237AA8092C08}" refers to invalid object "C:\PROGRA~1\AOLCOM~1\Buddy.dll". Action Taken: No Action Taken.

Sat May 21 19:22:48 2005 => Entry "HKCR\CLSID\{7F23E6E5-0E79-4aee-B723-B1463805D5A9}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll". Action Taken: No Action Taken.

Sat May 21 19:22:48 2005 => Entry "HKCR\CLSID\{823FA5B2-FD5A-4EA5-BCF9-18FCCC9884D2}" refers to invalid object "C:\PROGRA~1\AOLCOM~1\PUBLIS~1.DLL". Action Taken: No Action Taken.

Sat May 21 19:22:48 2005 => Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll". Action Taken: No Action Taken.

Sat May 21 19:22:48 2005 => Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.

Sat May 21 19:22:49 2005 => Entry "HKCR\CLSID\{8DA5DF2C-798A-4CAB-8BB7-672C53DDDE94}" refers to invalid object "C:\PROGRA~1\AOLCOM~1\FAVORI~1.DLL". Action Taken: No Action Taken.

Sat May 21 19:22:49 2005 => Entry "HKCR\CLSID\{8ECF83A0-1AC9-11D4-8501-00A0CC5D1F63}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax". Action Taken: No Action Taken.

Sat May 21 19:22:49 2005 => Entry "HKCR\CLSID\{93DF49AE-0E92-4ebf-80E9-ED36498072AB}" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll". Action Taken: No Action Taken.

Sat May 21 19:22:49 2005 => Entry "HKCR\CLSID\{A0B65408-65FF-4FDF-9CF0-3763C3CA29C4}" refers to invalid object "C:\PROGRA~1\AOLCOM~1\IMs.dll". Action Taken: No Action Taken.

Sat May 21 19:22:50 2005 => Entry "HKCR\CLSID\{B9BA256A-075B-49ea-B9E2-7DBC2EF021D5}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll". Action Taken: No Action Taken.

Sat May 21 19:22:52 2005 => Entry "HKCR\CLSID\{D8524FF3-6676-4159-B95F-ACEE623540FC}" refers to invalid object "C:\WINDOWS\System32\kmfo.dll". Action Taken: No Action Taken.

Sat May 21 19:22:53 2005 => Entry "HKCR\CLSID\{ECFBE6E0-1AC8-11D4-8501-00A0CC5D1F63}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax". Action Taken: No Action Taken.

Sat May 21 19:22:53 2005 => Entry "HKCR\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}" refers to invalid object "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll". Action Taken: No Action Taken.

Sat May 21 19:22:54 2005 => Entry "HKCR\CLSID\{F3206ECF-B7F9-4E61-9D15-ACC0627E2C59}" refers to invalid object "C:\PROGRA~1\AOLCOM~1\WEBSER~1.DLL". Action Taken: No Action Taken.

Sat May 21 19:22:54 2005 => Entry "HKCR\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll". Action Taken: No Action Taken.

Sat May 21 19:22:55 2005 => Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.

Sat May 21 19:22:55 2005 => Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.

Sat May 21 19:22:56 2005 => Entry "HKCR\AOL.IEToolbar" refers to invalid object "{4982D40A-C53B-4615-B15B-B5B5E98D167C}". Action Taken: No Action Taken.

Sat May 21 19:22:56 2005 => Entry "HKCR\AOL.IEToolbar.1" refers to invalid object "{4982D40A-C53B-4615-B15B-B5B5E98D167C}". Action Taken: No Action Taken.

Sat May 21 19:22:56 2005 => Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.

Sat May 21 19:22:56 2005 => Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.

Sat May 21 19:22:58 2005 => Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.

Sat May 21 19:22:58 2005 => Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

Sat May 21 19:22:58 2005 => Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

Sat May 21 19:22:59 2005 => Entry "HKCR\Nisbho.CNisExtBho" refers to invalid object "{9ECB9560-04F9-4bbc-943D-298DDF1699E1}". Action Taken: No Action Taken.

Sat May 21 19:22:59 2005 => Entry "HKCR\Nisbho.CNisExtBho.1" refers to invalid object "{9ECB9560-04F9-4bbc-943D-298DDF1699E1}". Action Taken: No Action Taken.

Sat May 21 19:23:00 2005 => Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.

Sat May 21 19:23:00 2005 => Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.

Sat May 21 19:23:00 2005 => Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.

Sat May 21 19:23:00 2005 => Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.

Sat May 21 19:23:00 2005 => Entry "HKCR\Symantec.AdBlocker.IEToolBand" refers to invalid object "{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7}". Action Taken: No Action Taken.

Sat May 21 19:23:00 2005 => Entry "HKCR\Symantec.AdBlocker.IEToolBand.1" refers to invalid object "{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7}". Action Taken: No Action Taken.

Sat May 21 19:23:01 2005 => Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.

Sat May 21 19:23:01 2005 => Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.

Sat May 21 19:23:01 2005 => Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.

Sat May 21 19:23:02 2005 => Entry "HKCR\YBIOCtrl.CompanionBHO.4" refers to invalid object "{02478D38-C3F9-4efb-9B51-7695ECA05670}". Action Taken: No Action Taken.
Sat May 21 19:23:05 2005 => File C:\WINDOWS\apiek.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Sat May 21 19:23:05 2005 => File C:\WINDOWS\apilu32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:06 2005 => File C:\WINDOWS\apimn32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:06 2005 => File C:\WINDOWS\apiop32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:07 2005 => File C:\WINDOWS\apisx32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:08 2005 => File C:\WINDOWS\appfn32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:08 2005 => File C:\WINDOWS\appiv32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:10 2005 => File C:\WINDOWS\atlfp.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:10 2005 => File C:\WINDOWS\atljw32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:11 2005 => File C:\WINDOWS\atlsv.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:15 2005 => File C:\WINDOWS\d3cq32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:17 2005 => File C:\WINDOWS\d3sl32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:17 2005 => File C:\WINDOWS\d3zs32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:19 2005 => File C:\WINDOWS\ieiw32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:20 2005 => File C:\WINDOWS\iesd32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:20 2005 => File C:\WINDOWS\ieyt32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:23 2005 => File C:\WINDOWS\javaca32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:24 2005 => File C:\WINDOWS\javadm32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:24 2005 => File C:\WINDOWS\javafs.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:25 2005 => File C:\WINDOWS\javazx.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:31 2005 => File C:\WINDOWS\mscx32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:32 2005 => File C:\WINDOWS\msue.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:34 2005 => File C:\WINDOWS\netyp32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:35 2005 => File C:\WINDOWS\nteu.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:36 2005 => File C:\WINDOWS\ntgt.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:38 2005 => File C:\WINDOWS\n_oimfbr.log infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:44 2005 => File C:\WINDOWS\sdkid32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:45 2005 => File C:\WINDOWS\sdkza32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:48 2005 => File C:\WINDOWS\sysnm32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:49 2005 => File C:\WINDOWS\sysxv32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Sat May 21 19:23:53 2005 => File C:\WINDOWS\winkh.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:54 2005 => File C:\WINDOWS\wintg.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:57 2005 => File C:\WINDOWS\system32\addtw.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:23:57 2005 => File C:\WINDOWS\system32\addvl32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Sat May 21 19:24:00 2005 => File C:\WINDOWS\system32\apinj.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Sat May 21 19:24:00 2005 => File C:\WINDOWS\system32\apioj32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:24:01 2005 => File C:\WINDOWS\system32\appfl.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:24:02 2005 => File C:\WINDOWS\system32\appxm.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Sat May 21 19:24:17 2005 => File C:\WINDOWS\system32\crcd.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:24:17 2005 => Scanning File C:\WINDOWS\system32\crgw.dll
Sat May 21 19:24:18 2005 => File C:\WINDOWS\system32\crnw.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:24:21 2005 => File C:\WINDOWS\system32\d2kpax.exe infected by "Trojan-Downloader.Win32.Delf.ck" Virus! Action Taken: No Action Taken.

Sat May 21 19:24:23 2005 => File C:\WINDOWS\system32\d3hy32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Sat May 21 19:24:47 2005 => File C:\WINDOWS\system32\iexz32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:24:50 2005 => File C:\WINDOWS\system32\ipdh32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Sat May 21 19:24:51 2005 => File C:\WINDOWS\system32\ipkm32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:24:52 2005 => File C:\WINDOWS\system32\ipsf.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:24:56 2005 => File C:\WINDOWS\system32\javati32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:24:57 2005 => File C:\WINDOWS\system32\javazm32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:25:15 2005 => File C:\WINDOWS\system32\mscq32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:25:17 2005 => File C:\WINDOWS\system32\msfm32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:25:22 2005 => File C:\WINDOWS\system32\msoz32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:25:25 2005 => File C:\WINDOWS\system32\mstj.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:25:30 2005 => File C:\WINDOWS\system32\mszu32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:25:35 2005 => File C:\WINDOWS\system32\netve32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:26:03 2005 => File C:\WINDOWS\system32\sdkaa32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:26:04 2005 => File C:\WINDOWS\system32\sdkbs32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:26:05 2005 => File C:\WINDOWS\system32\sdkrr32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:26:05 2005 => File C:\WINDOWS\system32\sdkzg.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:26:18 2005 => File C:\WINDOWS\system32\sysho.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Sat May 21 19:26:19 2005 => File C:\WINDOWS\system32\syspo.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Mollie2333

63 Posts

May 22nd, 2005 19:00

I did what you instructed but when I click on Malware cleanup I get a window that says "the instruction at "0x00db0065" referneced memory at "0x00000000" The memory could not be "written. Click OK to terminate the program Click cancel to debug the program.

If I click OK it just brings me to the next file in the cleanup and the window comes up again. If I click cancel nothing happens. Now what???

I appreciate all of your help!

ALgal

1.2K Posts

May 22nd, 2005 19:00

Hello Mollie,

Let’s use a DOS script to delete those files and clean up your PC. It beats locating every file and deleting it manually! Do the following:

1) Using the mouse, drag-select-copy the text in the section below.
--------Begin here------

regsvr32 /u apiek.dll
regsvr32 /u apilu32.dll
regsvr32 /u apimn32.dll
regsvr32 /u apiop32.dll
regsvr32 /u apisx32.dll
regsvr32 /u appfn32.dll
regsvr32 /u appiv32.dll
regsvr32 /u atlfp.dll
regsvr32 /u atljw32.dll".
regsvr32 /u atlsv.dll
regsvr32 /u d3cq32.dll
regsvr32 /u d3sl32.dll
regsvr32 /u ieiw32.dll
regsvr32 /u iesd32.dll
regsvr32 /u ieyt32.dll
regsvr32 /u javaca32.dll
regsvr32 /u javadm32.dll
regsvr32 /u javafs.dll
regsvr32 /u javazx.dll
regsvr32 /u mscx32.dll
regsvr32 /u msue.dll
regsvr32 /u netyp32.dll
regsvr32 /u nteu.dll
regsvr32 /u ntgt.dll
regsvr32 /u sdkid32.dll
regsvr32 /u sdkza32.dll
regsvr32 /u sysnm32.dll
regsvr32 /u sysxv32.dll
regsvr32 /u wintg.dll
regsvr32 /u addtw.dll
regsvr32 /u addvl32.dll
regsvr32 /u apinj.dll
regsvr32 /u apioj32.dll
regsvr32 /u appfl.dll
regsvr32 /u ppxm.dll
regsvr32 /u crcd.dll
regsvr32 /u crgw.dll
regsvr32 /u crnw.dll
regsvr32 /u d2kpax.exe
regsvr32 /u d3hy32.dll
regsvr32 /u iexz32.dl
regsvr32 /u ipdh32.dll
regsvr32 /u ipkm32.dll
regsvr32 /u ipsf.dll
regsvr32 /u javati32.dll
regsvr32 /u javazm32.dll
regsvr32 /u mscq32.dll
regsvr32 /u msfm32.dll
regsvr32 /u msoz32.dll
regsvr32 /u mstj.dll
regsvr32 /u mszu32.dll
regsvr32 /u netve32.dll
regsvr32 /u sdkaa32.dll
regsvr32 /u sdkbs32.dll
regsvr32 /u sdkrr32.dll
regsvr32 /u sdkzg.dll
regsvr32 /u sysho.dll
regsvr32 /u syspo.dll
attrib -s -h -r “C:\WINDOWS\apiek.dll”
attrib -s -h -r “C:\WINDOWS\apilu32.dll”
attrib -s -h -r “C:\WINDOWS\apimn32.dll”
attrib -s -h -r “C:\WINDOWS\apiop32.dll”
attrib -s -h -r “C:\WINDOWS\apisx32.dll”
attrib -s -h -r “C:\WINDOWS\appfn32.dll”
attrib -s -h -r “C:\WINDOWS\appiv32.dll”
attrib -s -h -r “C:\WINDOWS\atlfp.dll”
attrib -s -h -r “C:\WINDOWS\atljw32.dll”
attrib -s -h -r “C:\WINDOWS\atlsv.dll”
attrib -s -h -r “C:\WINDOWS\d3cq32.dll”
attrib -s -h -r “C:\WINDOWS\d3sl32.dll”
attrib -s -h -r “C:\WINDOWS\d3zs32”
attrib -s -h -r “C:\WINDOWS\ieiw32.dll”
attrib -s -h -r “C:\WINDOWS\iesd32.dll”
attrib -s -h -r “C:\WINDOWS\ieyt32.dll”
attrib -s -h -r “C:\WINDOWS\javaca32.dll”
attrib -s -h -r “C:\WINDOWS\javadm32.dll”
attrib -s -h -r “C:\WINDOWS\javafs.dll”
attrib -s -h -r “C:\WINDOWS\javazx.dll”
attrib -s -h -r “C:\WINDOWS\mscx32.dll”
attrib -s -h -r “C:\WINDOWS\msue.dll”
attrib -s -h -r “C:\WINDOWS\netyp32.dll”
attrib -s -h -r “C:\WINDOWS\nteu.dll”
attrib -s -h -r “C:\WINDOWS\ntgt.dll”
attrib -s -h -r “C:\WINDOWS\n_oimfbr.log”
attrib -s -h -r “C:\WINDOWS\sdkid32.dll”
attrib -s -h -r “C:\WINDOWS\sdkza32.dll”
attrib -s -h -r “C:\WINDOWS\sysnm32.dll”
attrib -s -h -r “C:\WINDOWS\sysxv32.dll”
attrib -s -h -r “C:\WINDOWS\winkh.dll”
attrib -s -h -r “C:\WINDOWS\wintg.dll”
attrib -s -h -r “C:\WINDOWS\system32\addtw.dll”
attrib -s -h -r “C:\WINDOWS\system32\addvl32.dll”
attrib -s -h -r “C:\WINDOWS\system32\apinj.dll”
attrib -s -h -r “C:\WINDOWS\system32\apioj32.dll”
attrib -s -h -r “C:\WINDOWS\system32\appfl.dll”
attrib -s -h -r “C:\WINDOWS\system32\appxm.dll”
attrib -s -h -r “C:\WINDOWS\system32\crcd.dll”
attrib -s -h -r “C:\WINDOWS\system32\crgw.dll”
attrib -s -h -r “C:\WINDOWS\system32\crnw.dll”
attrib -s -h -r “C:\WINDOWS\system32\d2kpax.exe”
attrib -s -h -r “C:\WINDOWS\system32\d3hy32.dll”
attrib -s -h -r “C:\WINDOWS\system32\iexz32.dl
attrib -s -h -r “C:\WINDOWS\system32\ipdh32.dll”
attrib -s -h -r “C:\WINDOWS\system32\ipkm32.dll”
attrib -s -h -r “C:\WINDOWS\system32\ipsf.dll”
attrib -s -h -r “C:\WINDOWS\system32\javati32.dll”
attrib -s -h -r “C:\WINDOWS\system32\javazm32.dll”
attrib -s -h -r “C:\WINDOWS\system32\mscq32.dll”
attrib -s -h -r “C:\WINDOWS\system32\msfm32.dll”
attrib -s -h -r “C:\WINDOWS\system32\msoz32.dll”
attrib -s -h -r “C:\WINDOWS\system32\mstj.dll”
attrib -s -h -r “C:\WINDOWS\system32\mszu32.dll”
attrib -s -h -r “C:\WINDOWS\system32\netve32.dll”
attrib -s -h -r “C:\WINDOWS\system32\sdkaa32.dll”
attrib -s -h -r “C:\WINDOWS\system32\sdkbs32.dll”
attrib -s -h -r “C:\WINDOWS\system32\sdkrr32.dll”
attrib -s -h -r “C:\WINDOWS\system32\sdkzg.dll”
attrib -s -h -r “C:\WINDOWS\system32\sysho.dll”
attrib -s -h -r “C:\WINDOWS\system32\syspo.dll”
del “C:\WINDOWS\apiek.dll”
del “C:\WINDOWS\apilu32.dll”
del “C:\WINDOWS\apimn32.dll”
del “C:\WINDOWS\apiop32.dll”
del “C:\WINDOWS\apisx32.dll”
del “C:\WINDOWS\appfn32.dll”
del “C:\WINDOWS\appiv32.dll”
del “C:\WINDOWS\atlfp.dll”
del “C:\WINDOWS\atljw32.dll”
del “C:\WINDOWS\atlsv.dll”
del “C:\WINDOWS\d3cq32.dll”
del “C:\WINDOWS\d3sl32.dll”
del “C:\WINDOWS\d3zs32”
del “C:\WINDOWS\ieiw32.dll”
del “C:\WINDOWS\iesd32.dll”
del “C:\WINDOWS\ieyt32.dll”
del “C:\WINDOWS\javaca32.dll”
del “C:\WINDOWS\javadm32.dll”
del “C:\WINDOWS\javafs.dll”
del “C:\WINDOWS\javazx.dll”
del “C:\WINDOWS\mscx32.dll”
del “C:\WINDOWS\msue.dll”
del “C:\WINDOWS\netyp32.dll”
del “C:\WINDOWS\nteu.dll”
del “C:\WINDOWS\ntgt.dll”
del “C:\WINDOWS\n_oimfbr.log”
del “C:\WINDOWS\sdkid32.dll”
del “C:\WINDOWS\sdkza32.dll”
del “C:\WINDOWS\sysnm32.dll”
del “C:\WINDOWS\sysxv32.dll”
del “C:\WINDOWS\winkh.dll”
del “C:\WINDOWS\wintg.dll”
del “C:\WINDOWS\system32\addtw.dll”
del “C:\WINDOWS\system32\addvl32.dll”
del “C:\WINDOWS\system32\apinj.dll”
del “C:\WINDOWS\system32\apioj32.dll”
del “C:\WINDOWS\system32\appfl.dll”
del “C:\WINDOWS\system32\appxm.dll”
del “C:\WINDOWS\system32\crcd.dll”
del “C:\WINDOWS\system32\crgw.dll”
del “C:\WINDOWS\system32\crnw.dll”
del “C:\WINDOWS\system32\d2kpax.exe”
del “C:\WINDOWS\system32\d3hy32.dll”
del “C:\WINDOWS\system32\iexz32.dl”
del “C:\WINDOWS\system32\ipdh32.dll”
del “C:\WINDOWS\system32\ipkm32.dll”
del “C:\WINDOWS\system32\ipsf.dll”
del “C:\WINDOWS\system32\javati32.dll”
del “C:\WINDOWS\system32\javazm32.dll”
del “C:\WINDOWS\system32\mscq32.dll”
del “C:\WINDOWS\system32\msfm32.dll”
del “C:\WINDOWS\system32\msoz32.dll”
del “C:\WINDOWS\system32\mstj.dll”
del “C:\WINDOWS\system32\mszu32.dll”
del “C:\WINDOWS\system32\netve32.dll”
del “C:\WINDOWS\system32\sdkaa32.dll”
del “C:\WINDOWS\system32\sdkbs32.dll”
del “C:\WINDOWS\system32\sdkrr32.dll”
del “C:\WINDOWS\system32\sdkzg.dll”
del “C:\WINDOWS\system32\sysho.dll”
del “C:\WINDOWS\system32\syspo.dll”
pause

------end------

2) Start "NotePad", then right click anywhere on "Notepad" and select "Paste"

3) Click "File", then "Save As...".

4) Click the 'drop down menu' in "Save in:", and select "Desktop"

5) Click the 'drop down menu' in "Save as type:", and select "All Files"

6) Click in the "File name:" field, and enter "MalwareCleanup.bat"

7) Click "Save"

8- Now, check your desktop and double-click "MalwareCleanup"

Then run the mwav.exe scan again and post the log with the files as before and we will see how much progress we made.

ALgal

1.2K Posts

May 23rd, 2005 12:00

Hello Mollie,
I am sorry about this snag. Go into Safe Mode.
(Remember to get into Safe Mode use F8 while booting up like you did before.)

Locate MalwareCleanup and right-click and select Edit.
Delete all the lines that start with regsvr32 and then save it.
Click the MalwareCleanup to run it.

If MalwareCleanup does not work then try to delete the files manually. Use Windows Explorer to navigate to the files and delete the files in red.

C:\WINDOWS\apiek.dll
C:\WINDOWS\apilu32.dll
C:\WINDOWS\apimn32.dll
C:\WINDOWS\apiop32.dll
C:\WINDOWS\apisx32.dll
C:\WINDOWS\appfn32.dll
C:\WINDOWS\appiv32.dll
C:\WINDOWS\atlfp.dll
C:\WINDOWS\atljw32.dll
C:\WINDOWS\atlsv.dll
C:\WINDOWS\d3cq32.dll
C:\WINDOWS\d3sl32.dll
C:\WINDOWS\d3zs32
C:\WINDOWS\ieiw32.dll
C:\WINDOWS\iesd32.dll
C:\WINDOWS\ieyt32.dll
C:\WINDOWS\javaca32.dll
C:\WINDOWS\javadm32.dll
C:\WINDOWS\javafs.dll
C:\WINDOWS\javazx.dll
C:\WINDOWS\mscx32.dll
C:\WINDOWS\msue.dll
C:\WINDOWS\netyp32.dll
C:\WINDOWS\nteu.dll
C:\WINDOWS\ntgt.dll
C:\WINDOWS\n_oimfbr.log
C:\WINDOWS\sdkid32.dll
C:\WINDOWS\sdkza32.dll
C:\WINDOWS\sysnm32.dll
C:\WINDOWS\sysxv32.dll
C:\WINDOWS\winkh.dll
C:\WINDOWS\wintg.dll
C:\WINDOWS\system32\addtw.dll
C:\WINDOWS\system32\addvl32.dll
C:\WINDOWS\system32\apinj.dll
C:\WINDOWS\system32\apioj32.dll
C:\WINDOWS\system32\appfl.dll
C:\WINDOWS\system32\appxm.dll
C:\WINDOWS\system32\crcd.dll
C:\WINDOWS\system32\crgw.dll
C:\WINDOWS\system32\crnw.dll
C:\WINDOWS\system32\d2kpax.exe
C:\WINDOWS\system32\d3hy32.dll
C:\WINDOWS\system32\iexz32.dll
C:\WINDOWS\system32\ipdh32.dll
C:\WINDOWS\system32\ipkm32.dll
C:\WINDOWS\system32\ipsf.dll
C:\WINDOWS\system32\javati32.dll
C:\WINDOWS\system32\javazm32.dll
C:\WINDOWS\system32\mscq32.dll
C:\WINDOWS\system32\msfm32.dll
C:\WINDOWS\system32\msoz32.dll
C:\WINDOWS\system32\mstj.dll
C:\WINDOWS\system32\mszu32.dll
C:\WINDOWS\system32\netve32.dll
C:\WINDOWS\system32\sdkaa32.dll
C:\WINDOWS\system32\sdkbs32.dll
C:\WINDOWS\system32\sdkrr32.dll
C:\WINDOWS\system32\sdkzg.dll
C:\WINDOWS\system32\sysho.dll
C:\WINDOWS\system32\syspo.dll

Then empty the Recycle Bin and reboot. Please let me know what you had to do.
Run the mwav.exe and post the log. We will see what progress we have made.

Mollie2333

63 Posts

May 23rd, 2005 21:00

part 2....

Mon May 23 17:31:51 2005 => File C:\WINDOWS\apiek.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:31:52 2005 => File C:\WINDOWS\apilu32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:31:52 2005 => File C:\WINDOWS\apimn32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:31:52 2005 => File C:\WINDOWS\apiop32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:31:53 2005 => File C:\WINDOWS\apisx32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:31:54 2005 => File C:\WINDOWS\appfn32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:31:54 2005 => File C:\WINDOWS\appiv32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:31:55 2005 => File C:\WINDOWS\atlfp.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:31:56 2005 => File C:\WINDOWS\atljw32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:31:57 2005 => File C:\WINDOWS\atlsv.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:00 2005 => File C:\WINDOWS\d3cq32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:02 2005 => File C:\WINDOWS\d3sl32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:05 2005 => File C:\WINDOWS\iesd32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:06 2005 => File C:\WINDOWS\ieyt32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:09 2005 => File C:\WINDOWS\javaca32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:09 2005 => File C:\WINDOWS\javadm32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:10 2005 => File C:\WINDOWS\javafs.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:11 2005 => File C:\WINDOWS\javazx.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:17 2005 => File C:\WINDOWS\mscx32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:18 2005 => File C:\WINDOWS\msue.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:20 2005 => File C:\WINDOWS\netyp32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:21 2005 => File C:\WINDOWS\nteu.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:22 2005 => File C:\WINDOWS\ntgt.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:23 2005 => File C:\WINDOWS\n_oimfbr.log infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:23 2005 => File C:\WINDOWS\n_oimfbr.log infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:30 2005 => File C:\WINDOWS\sdkza32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:33 2005 => File C:\WINDOWS\sysnm32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:34 2005 => File C:\WINDOWS\sysxv32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:39 2005 => File C:\WINDOWS\winkh.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:39 2005 => File C:\WINDOWS\wintg.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:43 2005 => File C:\WINDOWS\system32\addtw.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Mon May 23 17:32:43 2005 => File C:\WINDOWS\system32\addvl32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:45 2005 => File C:\WINDOWS\system32\apinj.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Mon May 23 17:32:45 2005 => File C:\WINDOWS\system32\apioj32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:46 2005 => File C:\WINDOWS\system32\appfl.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:32:47 2005 => File C:\WINDOWS\system32\appxm.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:00 2005 => File C:\WINDOWS\system32\crcd.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Mon May 23 17:33:01 2005 => File C:\WINDOWS\system32\crgw.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.

Mon May 23 17:33:01 2005 => File C:\WINDOWS\system32\crnw.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:04 2005 => File C:\WINDOWS\system32\d2kpax.exe infected by "Trojan-Downloader.Win32.Delf.ck" Virus! Action Taken: No Action Taken.

Mon May 23 17:33:06 2005 => File C:\WINDOWS\system32\d3hy32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:27 2005 => File C:\WINDOWS\system32\iexz32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:30 2005 => File C:\WINDOWS\system32\ipdh32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:30 2005 => File C:\WINDOWS\system32\ipkm32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:31 2005 => File C:\WINDOWS\system32\ipsf.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:36 2005 => File C:\WINDOWS\system32\javati32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:36 2005 => File C:\WINDOWS\system32\javazm32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:53 2005 => File C:\WINDOWS\system32\mscq32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:55 2005 => File C:\WINDOWS\system32\msfm32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:33:59 2005 => File C:\WINDOWS\system32\msoz32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:34:03 2005 => File C:\WINDOWS\system32\mstj.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:34:07 2005 => File C:\WINDOWS\system32\mszu32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:34:10 2005 => File C:\WINDOWS\system32\netve32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:34:38 2005 => File C:\WINDOWS\system32\sdkaa32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:34:38 2005 => File C:\WINDOWS\system32\sdkbs32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:34:39 2005 => File C:\WINDOWS\system32\sdkrr32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:34:40 2005 => File C:\WINDOWS\system32\sdkzg.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:34:51 2005 => File C:\WINDOWS\system32\sysho.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:34:51 2005 => File C:\WINDOWS\system32\syspo.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Mon May 23 17:40:57 2005 => Total Objects Scanned: 24488
Mon May 23 17:40:57 2005 => Total Virus(es) Found: 66
Mon May 23 17:40:57 2005 => Total Disinfected Files: 0
Mon May 23 17:40:57 2005 => Total Files Renamed: 0
Mon May 23 17:40:57 2005 => Total Deleted Objects: 0
Mon May 23 17:40:57 2005 => Total Errors: 50
Mon May 23 17:40:57 2005 => Time Elapsed: 00:12:31
Mon May 23 17:40:57 2005 => Virus Database Date: 2005/05/20
Mon May 23 17:40:57 2005 => Virus Database Count: 130890

View All

Virus & Spyware

Hijack this Log Windows XP

Was this post helpful?