
Many new .dll files being created

Discussion in 'Virus & Other Malware Removal' started by almccm, Oct 8, 2004.

Thread Status:
Not open for further replies.
  1. almccm

    almccm Thread Starter

    Joined:
    Oct 8, 2004
    Messages:
    4
    I found a similar problem reported on your site. I have deleted thousands of DLLs that were 93,184 bytes or 0 bytes in size. However, I need to get rid of what's creating them. This is my son's computer and it hasn't been used in a few weeks, but this worm filled up the C: drive. I ran Hijack This and I'll put the log in this post.

    Thanks,

    Al

    Logfile of HijackThis v1.98.2
    Scan saved at 4:44:50 PM, on 10/8/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\NETIS.EXE
    C:\WINDOWS\ATLWJ32.EXE
    C:\WINDOWS\SYSTEM\SYSOL.EXE
    C:\WINDOWS\SYSTEM\APISQ32.EXE
    C:\WINDOWS\SYSTEM\D3OS.EXE
    C:\WINDOWS\SYSTEM\MSBL.EXE
    C:\WINDOWS\ATLRM.EXE
    C:\WINDOWS\SYSTEM\CRKH.EXE
    C:\WINDOWS\SYSTEM\CROE.EXE
    C:\WINDOWS\D3AD.EXE
    C:\WINDOWS\CRMV32.EXE
    C:\WINDOWS\APPLC32.EXE
    C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
    C:\WINDOWS\SYSTEM\D3LI.EXE
    C:\WINDOWS\JAVAUZ.EXE
    C:\WINDOWS\IPUF32.EXE
    C:\WINDOWS\ADDRS32.EXE
    C:\WINDOWS\SYSTEM\IPQB32.EXE
    C:\WINDOWS\SYSTEM\CRQZ.EXE
    C:\WINDOWS\NTNB32.EXE
    C:\WINDOWS\SYSTEM\MFCCI.EXE
    C:\WINDOWS\SYSTEM\ATLWI.EXE
    C:\WINDOWS\MSGI32.EXE
    C:\WINDOWS\SYSTEM\MSPO.EXE
    C:\WINDOWS\JAVAGN.EXE
    C:\WINDOWS\SYSTEM\D3RO32.EXE
    C:\WINDOWS\SYSTEM\APIDK32.EXE
    C:\WINDOWS\ATLEN32.EXE
    C:\WINDOWS\MFCOY.EXE
    C:\WINDOWS\SYSTEM\NTTZ.EXE
    C:\WINDOWS\SYSTEM\NETKN.EXE
    C:\WINDOWS\SYSTEM\WINBP.EXE
    C:\WINDOWS\SYSTEM\APIKB32.EXE
    C:\WINDOWS\APPUD.EXE
    C:\WINDOWS\SYSTEM\NETTG.EXE
    C:\WINDOWS\SYSTEM\SYSLP.EXE
    C:\WINDOWS\SYSTEM\IEXU32.EXE
    C:\WINDOWS\SYSTEM\D3DZ32.EXE
    C:\WINDOWS\SYSTEM\CRSO.EXE
    C:\WINDOWS\SDKPB.EXE
    C:\WINDOWS\SYSTEM\APPCQ.EXE
    C:\WINDOWS\SYSPV32.EXE
    C:\WINDOWS\SYSTEM\MSML32.EXE
    C:\WINDOWS\MSAS32.EXE
    C:\WINDOWS\SYSTEM\NTPQ.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\HPZTSB02.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
    C:\PROGRAM FILES\WINAD CLIENT\WINCLT.EXE
    C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lxrue.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lxrue.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lxrue.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lxrue.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lxrue.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lxrue.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lxrue.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {01C6CDF5-AA54-D057-9086-211EEA30E063} - C:\WINDOWS\ADDPH.DLL (file missing)
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb02.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [MSBL.EXE] C:\WINDOWS\SYSTEM\MSBL.EXE
    O4 - HKLM\..\RunServices: [ATLWJ32.EXE] C:\WINDOWS\ATLWJ32.EXE
    O4 - HKLM\..\RunServices: [NETIS.EXE] C:\WINDOWS\SYSTEM\NETIS.EXE
    O4 - HKLM\..\RunServices: [APISQ32.EXE] C:\WINDOWS\SYSTEM\APISQ32.EXE
    O4 - HKLM\..\RunServices: [D3OS.EXE] C:\WINDOWS\SYSTEM\D3OS.EXE
    O4 - HKLM\..\RunServices: [D3AD.EXE] C:\WINDOWS\D3AD.EXE
    O4 - HKLM\..\RunServices: [CRKH.EXE] C:\WINDOWS\SYSTEM\CRKH.EXE
    O4 - HKLM\..\RunServices: [SYSOL.EXE] C:\WINDOWS\SYSTEM\SYSOL.EXE
    O4 - HKLM\..\RunServices: [ATLRM.EXE] C:\WINDOWS\ATLRM.EXE
    O4 - HKLM\..\RunServices: [CROE.EXE] C:\WINDOWS\SYSTEM\CROE.EXE
    O4 - HKLM\..\RunServices: [CRMV32.EXE] C:\WINDOWS\CRMV32.EXE
    O4 - HKLM\..\RunServices: [APPLC32.EXE] C:\WINDOWS\APPLC32.EXE
    O4 - HKLM\..\RunServices: [D3LI.EXE] C:\WINDOWS\SYSTEM\D3LI.EXE
    O4 - HKLM\..\RunServices: [IPUF32.EXE] C:\WINDOWS\IPUF32.EXE
    O4 - HKLM\..\RunServices: [JAVAUZ.EXE] C:\WINDOWS\JAVAUZ.EXE
    O4 - HKLM\..\RunServices: [IPQB32.EXE] C:\WINDOWS\SYSTEM\IPQB32.EXE
    O4 - HKLM\..\RunServices: [ADDRS32.EXE] C:\WINDOWS\ADDRS32.EXE
    O4 - HKLM\..\RunServices: [CRQZ.EXE] C:\WINDOWS\SYSTEM\CRQZ.EXE
    O4 - HKLM\..\RunServices: [MFCCI.EXE] C:\WINDOWS\SYSTEM\MFCCI.EXE
    O4 - HKLM\..\RunServices: [ATLWI.EXE] C:\WINDOWS\SYSTEM\ATLWI.EXE
    O4 - HKLM\..\RunServices: [NTNB32.EXE] C:\WINDOWS\NTNB32.EXE
    O4 - HKLM\..\RunServices: [MSGI32.EXE] C:\WINDOWS\MSGI32.EXE
    O4 - HKLM\..\RunServices: [MSPO.EXE] C:\WINDOWS\SYSTEM\MSPO.EXE
    O4 - HKLM\..\RunServices: [JAVAGN.EXE] C:\WINDOWS\JAVAGN.EXE
    O4 - HKLM\..\RunServices: [D3RO32.EXE] C:\WINDOWS\SYSTEM\D3RO32.EXE
    O4 - HKLM\..\RunServices: [APIDK32.EXE] C:\WINDOWS\SYSTEM\APIDK32.EXE
    O4 - HKLM\..\RunServices: [ATLEN32.EXE] C:\WINDOWS\ATLEN32.EXE
    O4 - HKLM\..\RunServices: [MFCOY.EXE] C:\WINDOWS\MFCOY.EXE
    O4 - HKLM\..\RunServices: [NTTZ.EXE] C:\WINDOWS\SYSTEM\NTTZ.EXE
    O4 - HKLM\..\RunServices: [NETKN.EXE] C:\WINDOWS\SYSTEM\NETKN.EXE
    O4 - HKLM\..\RunServices: [WINBP.EXE] C:\WINDOWS\SYSTEM\WINBP.EXE
    O4 - HKLM\..\RunServices: [APIKB32.EXE] C:\WINDOWS\SYSTEM\APIKB32.EXE
    O4 - HKLM\..\RunServices: [APPUD.EXE] C:\WINDOWS\APPUD.EXE
    O4 - HKLM\..\RunServices: [NETTG.EXE] C:\WINDOWS\SYSTEM\NETTG.EXE
    O4 - HKLM\..\RunServices: [SYSLP.EXE] C:\WINDOWS\SYSTEM\SYSLP.EXE
    O4 - HKLM\..\RunServices: [IEXU32.EXE] C:\WINDOWS\SYSTEM\IEXU32.EXE
    O4 - HKLM\..\RunServices: [SDKPB.EXE] C:\WINDOWS\SDKPB.EXE
    O4 - HKLM\..\RunServices: [D3DZ32.EXE] C:\WINDOWS\SYSTEM\D3DZ32.EXE
    O4 - HKLM\..\RunServices: [CRSO.EXE] C:\WINDOWS\SYSTEM\CRSO.EXE
    O4 - HKLM\..\RunServices: [APPCQ.EXE] C:\WINDOWS\SYSTEM\APPCQ.EXE
    O4 - HKLM\..\RunServices: [SYSPV32.EXE] C:\WINDOWS\SYSPV32.EXE
    O4 - HKLM\..\RunServices: [MSML32.EXE] C:\WINDOWS\SYSTEM\MSML32.EXE
    O4 - HKLM\..\RunServices: [MSAS32.EXE] C:\WINDOWS\MSAS32.EXE
    O4 - HKLM\..\RunServices: [NTPQ.EXE] C:\WINDOWS\SYSTEM\NTPQ.EXE
    O4 - HKLM\..\RunServices: [CRDW32.EXE] C:\WINDOWS\CRDW32.EXE
    O4 - HKLM\..\RunServices: [SDKCQ32.EXE] C:\WINDOWS\SYSTEM\SDKCQ32.EXE
    O4 - HKLM\..\RunServices: [NETNM.EXE] C:\WINDOWS\NETNM.EXE
    O4 - HKLM\..\RunServices: [APPQM32.EXE] C:\WINDOWS\APPQM32.EXE
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.5.21/freecell/freecell-ob-assets.cab
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL
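
A triage sketch for the O4 section of the log above, added here as an example and not part of any post in this thread: it lists autostart entries whose value name is identical to the executable's file name and whose file sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM (the pattern most of the RunServices lines above share) and records whether each one also appears under "Running processes". The function names and the heuristic itself are assumptions for illustration; a match marks an entry for closer inspection and is not a verdict.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Matches HijackThis registry autostart lines: "O4 - HKLM\..\RunServices: [Name] command"
O4_RE = re.compile(r"^\s*O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+?)\s*$")
SYSTEM_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}

# Constructed sample: a handful of O4 lines copied from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [MSBL.EXE] C:\WINDOWS\SYSTEM\MSBL.EXE
O4 - HKLM\..\RunServices: [ATLWJ32.EXE] C:\WINDOWS\ATLWJ32.EXE
O4 - HKLM\..\RunServices: [CRDW32.EXE] C:\WINDOWS\CRDW32.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
"""
# Constructed sample: two paths copied from "Running processes" in the log above.
SAMPLE_RUNNING = {r"C:\WINDOWS\SYSTEM\MSBL.EXE", r"C:\WINDOWS\ATLWJ32.EXE"}


def parse_o4(log):
    """Return one dict per O4 registry autostart line found in the log text."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key, "name": name, "command": command})
    return entries


def self_named_system_entries(log, running=()):
    """Entries named after their own EXE that live directly in a Windows system directory."""
    running_upper = {p.upper() for p in running}
    hits = []
    for entry in parse_o4(log):
        directory, base = ntpath.split(entry["command"])
        if entry["name"].upper() == base.upper() and directory.upper() in SYSTEM_DIRS:
            # "running" is True when the same path is listed as a running process.
            hits.append({**entry, "running": entry["command"].upper() in running_upper})
    return hits


if __name__ == "__main__":
    for hit in self_named_system_entries(SAMPLE_LOG, SAMPLE_RUNNING):
        print(hit["key"], hit["command"], "running" if hit["running"] else "not running")
```
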
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,003
    Hi and welcome to TSG,

    Please do this. Click here http://forums.techguy.org/attachment.php?attachmentid=38105 to download getservice.zip and unzip it to your desktop. Open the Getservice folder and click on the getservice.bat file. A notepad will open up with a long list of services. Please save that notepad file and attach it to your next reply to this thread. It will be easier to attach it rather than copy and paste because it will be too long to paste in one post.

    After you post the next Hijack This log and the getservice list, it is very important that you do not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
     
  3. Arky

    Arky

    Joined:
    Aug 17, 2004
    Messages:
    534
  4. almccm

    almccm Thread Starter

    Joined:
    Oct 8, 2004
    Messages:
    4
    I downloaded it and tried to run it. I got an Error Starting Program box. It said:

    The PSSERVICE.EXE file is linked to missing export NETAPI32.DLL:NetServerEnum.

    It won't run.
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,003
    Please download this tool called AboutBuster from:
    http://www.downloads.subratam.org/AboutBuster.zip

    Created by RubberDucky

    Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access.

    Restart to safe mode.

    How to start your computer in safe mode:

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    In safe mode run AboutBuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    Once the tool is done scanning, copy the log and save it to paste back here in your thread.

    Restart your computer.

    Now run AboutBuster again just to be sure it got everything.

    Make a copy of the log it creates again.

    Reboot and post the 2 AboutBuster logs and a fresh HijackThis log.
     
Short URL to this thread: https://techguy.org/282546