Solved: Slow computer, popups, self-propagating infected programs

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Duomi

Thread Starter
Joined
Jan 9, 2006
Messages
5
System: Windows XP
Problem: Especially in Windows and System 32, I've had an increasing problem with programs increasing every day that seem to be caused by a virus. Also, IEXPLORE.EXE opens every time the computer does, and has to be turned off through the task manager. My other spyware removal programs can't help.

I found this site through Googling one of the programs that appeared in sys32, and it showed up on this thread-- http://forums.techguy.org/security/392342-solved-troj_startpag-re-psguard-desktop-hijack.html. I seem to have most of that thread's problems, only without the hijacked desktop. I followed the advice from the first step and it helped quite a bit, but many of the programs are still there, and IEXPLORE still pops up. I got hijackthis!, but I'm not certain which programs I can delete or not, or what the root of the problem is. Help would be very appreciated! I'm attaching my hijackthis log, and won't restart the computer.
 

Attachments

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Welcome to TSG :)

Your log is a mess. :eek:

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe

Download 'SpSeHjfix' to the desktop and then
right click a blank part of desktop & select new folder, call it spfix
unzip the file into that folder
http://www.derbilk.de/SpSeHjfix112.zip

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel>Internet Options>Programs & press Reset Web Settings, then you can set your home page to what you want on the General tab.
 

Duomi

Thread Starter
Joined
Jan 9, 2006
Messages
5
The way my log looks now is absolutely sparkling compared to how it looked before I ran Ewido. Thank you for responding!

Here are the new log files, as requested. My computer is running a bit faster now-- folders only take three seconds to open instead of 10 - 15.
 

Attachments

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
I'm looking through your log now.

It seems as though you have 3 anti-virus programs running. Never a good idea to have multiple AVs. They will conflict. Once we get the log cleaned up, you should remove 2 of the AVs.

Be back soon with instructions. I may need to break them up into multiple posts as your log is very long.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
You will need to download the following tools and have them ready to run. Do not run any of them until instructed to do so:

Click here to download cwsserviceremove.zip: http://castlecops.com/zx/flrman1/cwsserviceremove.zip
Unzip it to your desktop and have it ready to run later.

*Download Cleanup from Here
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • DO NOT RUN IT YET

Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.

Click here to download AboutBuster created by Rubber Ducky: http://www.majorgeeks.com/AboutBuster_d4289.html

Unzip AboutBuster to the desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit".

DO NOT run it yet.
Just update the program for later.

Now go ahead and set your computer to show hidden files like so:

Go to Start – Search and under More advanced search options, make sure there is a check by Search System Folders and Search hidden files and folders and Search system subfolders.

Next, click on My Computer, Go to Tools – Folder Options. Click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files and Hide extensions for known file types. Now click Apply to all folders. Click Apply and then OK.

After you have downloaded all the above tools, sign off the Internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.

Run HijackThis and put a check by these entries:

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {01575B9F-13D1-712F-6453-1A4855B87338} - C:\WINDOWS\atljc32.dll

O2 - BHO: (no name) - {048B1CF7-E92A-45EB-8E94-D0EEF944F4E2} - (no file)

O2 - BHO: Class - {06479FBD-B7F4-E4BF-7FBF-CDD5E2D81431} - C:\WINDOWS\msix.dll

O2 - BHO: Class - {07DCD1F0-3431-2061-572B-9CC2066EF30E} - C:\WINDOWS\system32\addiz.dll

O2 - BHO: Class - {092CC6AA-538B-D8B7-4D6D-94C9785175B6} - C:\WINDOWS\system32\msut32.dll

O2 - BHO: Class - {0CAD02B6-1D21-B89C-1BE0-5AEC10B7D9CD} - C:\WINDOWS\system32\crsb.dll

O2 - BHO: Class - {0FCDFA68-74F9-605A-8029-180E50A9964A} - C:\WINDOWS\system32\netbq.dll

O2 - BHO: Class - {12042AD6-2288-D1E9-F949-F3F045C64303} - C:\WINDOWS\system32\sdkfg32.dll

O2 - BHO: Class - {13BE3AF1-F48D-BFAA-2F95-207C430E138C} - C:\WINDOWS\system32\winfj.dll (file missing)

O2 - BHO: Class - {15441FF2-7B4A-9558-4AB1-B594DAA19E8A} - C:\WINDOWS\system32\d3ud.dll

O2 - BHO: Class - {1786759F-BABF-3C1F-C683-643B7BAA6EFD} - C:\WINDOWS\system32\sysfp.dll (file missing)

O2 - BHO: Class - {18EA91F9-6792-38ED-9791-EC436A3BB3CF} - C:\WINDOWS\syssa.dll

O2 - BHO: Class - {1AEA2593-C091-9686-442B-97F632D48210} - C:\WINDOWS\winhi.dll

O2 - BHO: Class - {1F226F17-45A5-9601-8565-5F00839429FD} - C:\WINDOWS\sysyu32.dll (file missing)

O2 - BHO: Class - {22A99D53-6CB9-33A5-DED6-D04F5F0F1AE8} - C:\WINDOWS\system32\d3nm32.dll

O2 - BHO: Class - {26292D92-C47D-8978-68F1-EADFBF80E5DD} - C:\WINDOWS\system32\msjh.dll

O2 - BHO: Class - {27DFD847-512E-4338-58F6-FD49FC94A8E7} - C:\WINDOWS\apicr32.dll

O2 - BHO: Class - {2AA0FE3E-BB7C-7DE4-3FD1-D24B5ACFB827} - C:\WINDOWS\mfcnl32.dll

O2 - BHO: Class - {2CA0CAD1-B247-07AB-7C43-FD61C655D5E2} - C:\WINDOWS\system32\atlra32.dll

O2 - BHO: (no name) - {2E781978-520C-4593-9B1D-9BF690518C1E} - (no file)

O2 - BHO: Class - {30ABC95B-52F7-AEF2-E72C-2A91C5C21257} - C:\WINDOWS\system32\apizx32.dll (file missing)

O2 - BHO: Class - {32A6CEC2-152D-9C47-1D16-97AAFF45661E} - C:\WINDOWS\msej32.dll

O2 - BHO: Class - {3455E720-1605-48F5-CC68-B37432CDDF45} - C:\WINDOWS\msch.dll

O2 - BHO: Class - {366E86CC-5311-CFEB-E078-79D632ED797D} - C:\WINDOWS\system32\crna32.dll

O2 - BHO: Class - {3798A552-6CBC-1C98-D30E-30A4F43F481A} - C:\WINDOWS\crbv32.dll

O2 - BHO: Class - {3A1BDA7E-F499-48DE-E72D-92C016F9B8A9} - C:\WINDOWS\netpm32.dll

O2 - BHO: Class - {3C7704C7-84F0-0346-63DA-6FA2CBE71EAC} - C:\WINDOWS\apium.dll (file missing)

O2 - BHO: (no name) - {408BFAB3-5D40-4D26-BEA8-3A64FFF7DEE1} - (no file)

O2 - BHO: Class - {42322883-FD7C-1B6B-788E-6B35F4A74278} - C:\WINDOWS\crcs32.dll

O2 - BHO: (no name) - {433D0B59-077E-4A77-A0E9-ED67AC56AA45} - (no file)

O2 - BHO: Class - {44A73433-E13D-79D4-D26D-9CDD83E71551} - C:\WINDOWS\iefz32.dll

O2 - BHO: Class - {461AE737-3B83-63AB-9348-0DE2E0FE7E7E} - C:\WINDOWS\system32\iphc32.dll

O2 - BHO: Class - {47E71DA2-60FF-677A-1484-28704F9ABE46} - C:\WINDOWS\system32\sdkke.dll (file missing)

O2 - BHO: Class - {4ABE41DC-C2D6-27FC-DA9B-029097147C6C} - C:\WINDOWS\system32\apihd32.dll (file missing)

O2 - BHO: Class - {4BE23432-C392-D735-5711-ADB1E652BF8E} - C:\WINDOWS\system32\atlzk.dll

O2 - BHO: Class - {4CF3F22B-5DA9-5DE0-5DEB-EE4100912572} - C:\WINDOWS\netiq32.dll (file missing)

O2 - BHO: Class - {4FD5405E-0C06-B7B6-1BDA-2E2D18C8E9EF} - C:\WINDOWS\ieap.dll

O2 - BHO: Class - {536824BD-C71E-7088-44EE-035E4C95BB66} - C:\WINDOWS\system32\msnk32.dll

O2 - BHO: Class - {55631A23-8A44-6ECD-6BD7-705877180E2C} - C:\WINDOWS\system32\appjk32.dll

O2 - BHO: Class - {5945BCCC-B343-B041-1707-BD5680FF5341} - C:\WINDOWS\system32\atlka32.dll

O2 - BHO: Class - {5B4CDB33-2B86-D9EF-D61C-C95A2346F9C1} - C:\WINDOWS\crzb.dll

O2 - BHO: Class - {5C772FB3-343E-2D8E-AD06-101478BB1F4D} - C:\WINDOWS\system32\ntww.dll

O2 - BHO: Class - {5E66F423-D2A7-92CD-518E-4550B593208D} - C:\WINDOWS\system32\crvu.dll (file missing)

O2 - BHO: Class - {5FFCDEE9-901B-22A9-1E8A-80C150D6A16B} - C:\WINDOWS\system32\netab.dll

O2 - BHO: Class - {62AAF848-9010-0094-6A6B-611B828A74F6} - C:\WINDOWS\syslu.dll

O2 - BHO: Class - {63EC0566-AADA-7B19-96E8-E6A70595EAC3} - C:\WINDOWS\ietg32.dll

O2 - BHO: Class - {64FC896F-F223-9929-AE61-5B3CD69B9146} - C:\WINDOWS\winwt32.dll (file missing)

O2 - BHO: Class - {65736478-AC2E-A9B7-9E15-4F53BB623C0D} - C:\WINDOWS\sysfw.dll

O2 - BHO: Class - {674D012F-6A8F-3061-C6A3-EAEE4CA2D4CA} - C:\WINDOWS\msuc.dll (file missing)

O2 - BHO: Class - {68DF4301-46D8-B04E-BB31-824CAF524126} - C:\WINDOWS\system32\netqd.dll

O2 - BHO: Class - {69FEAC45-7BA9-7690-3417-89B30EFA0A97} - C:\WINDOWS\system32\mfcei32.dll

O2 - BHO: Class - {6BE5C394-AA25-266E-D794-88256569CD9D} - C:\WINDOWS\d3ro32.dll

O2 - BHO: Class - {6D600C50-B30D-7B91-BE2C-1E7DC61A7648} - C:\WINDOWS\system32\d3sp.dll

O2 - BHO: Class - {6EE686C9-3962-1C5E-2CB9-F389B660FD1C} - C:\WINDOWS\ippy32.dll

O2 - BHO: Class - {6F99FDED-7DA7-05E7-9D9B-E6541DE22E40} - C:\WINDOWS\ipad32.dll

O2 - BHO: Class - {710D4788-B064-A3C4-EC29-A9E67ABEF953} - C:\WINDOWS\system32\ipgi32.dll

O2 - BHO: Class - {741EFF45-56BE-9629-68EB-F349FC91F792} - C:\WINDOWS\msbd.dll

O2 - BHO: Class - {74D26490-9E7F-905B-3BAA-08765509E086} - C:\WINDOWS\atlpf32.dll

O2 - BHO: Class - {779D4817-72EC-CAD1-C47C-A430B508B1E9} - C:\WINDOWS\crsu.dll

O2 - BHO: Class - {7AADB064-A5E8-89CE-8C2D-97FBBFCEDB99} - C:\WINDOWS\system32\sdkbj.dll

O2 - BHO: Class - {7ADEFF17-44D6-CB89-646C-A7E10B4A53BA} - C:\WINDOWS\javarf.dll (file missing)

O2 - BHO: Class - {7C14A652-C14C-7D83-41F1-1A38DF460379} - C:\WINDOWS\iprc.dll

O2 - BHO: Class - {7CCE424A-B1F0-679F-DE39-341AF2ED99EF} - C:\WINDOWS\system32\winhc.dll (file missing)

O2 - BHO: Class - {7DB380D6-8BBD-EA17-5115-BCE653B93B08} - C:\WINDOWS\system32\appzz32.dll (file missing)

O2 - BHO: Class - {7FCAD8DF-0B29-F72D-3A4A-26C69B0EE416} - C:\WINDOWS\mfcxs.dll

O2 - BHO: Class - {83962868-6A3A-9ABE-3EAD-6C841963E70A} - C:\WINDOWS\d3lg32.dll

O2 - BHO: Class - {86CB9367-12D4-E652-89AB-956913BAE9E0} - C:\WINDOWS\winwj.dll

O2 - BHO: Class - {88F0CDFE-DF98-7175-91EB-A0B33DEB64AA} - C:\WINDOWS\apixq.dll (file missing)

O2 - BHO: Class - {8B001F81-D1AE-44C9-343F-9CF52FD2A7EF} - C:\WINDOWS\system32\d3ku.dll

O2 - BHO: Class - {8BC61747-3461-EFEE-D05D-964D875677AB} - C:\WINDOWS\system32\atlmm32.dll

O2 - BHO: Class - {8CC8C8BC-AC70-7455-4A51-2FD0E216EE8D} - C:\WINDOWS\system32\winog32.dll

O2 - BHO: Class - {8EAC964B-D91F-48F1-342B-7350D99F7128} - C:\WINDOWS\atlnp32.dll

O2 - BHO: Class - {8F3F86E9-61D5-FA76-4B27-E8BB6258BB1C} - C:\WINDOWS\netus.dll

O2 - BHO: Class - {905B7AAD-BAA1-4039-E15E-7C009F72A8EF} - C:\WINDOWS\system32\sdkya32.dll

O2 - BHO: Class - {91D36B11-7557-849E-10CC-AF26257149A8} - C:\WINDOWS\sdkfe32.dll (file missing)

O2 - BHO: (no name) - {92839DB2-2333-447B-BFA9-D999E1761B06} - (no file)

O2 - BHO: Class - {95AF038E-DB03-0373-1BE1-7E70DDABCC2E} - C:\WINDOWS\systo.dll

O2 - BHO: Class - {97E69A69-394F-FEBB-02E2-194D4BE08C63} - C:\WINDOWS\ipej32.dll

O2 - BHO: Class - {994EDA46-B661-5A1B-A507-6884B4BF72B3} - C:\WINDOWS\system32\iesj32.dll

O2 - BHO: Class - {9B7B8469-5DD6-2CC3-6510-338DE167588F} - C:\WINDOWS\appwt32.dll

O2 - BHO: Class - {9DE2FBCC-AD05-1958-B77D-913F493B121A} - C:\WINDOWS\system32\netfe32.dll

O2 - BHO: Class - {A09E3A49-C5F2-CF30-088D-4102E426492C} - C:\WINDOWS\system32\addcr32.dll

O2 - BHO: Class - {A1AE6514-7CAC-E83C-FA39-EA959372821A} - C:\WINDOWS\system32\iexg32.dll

O2 - BHO: Class - {A493684E-9B4F-2C08-E3D3-1677B7786D2B} - C:\WINDOWS\system32\d3fd32.dll

O2 - BHO: Class - {A5EBB322-6C58-44D5-16C4-28B40418989B} - C:\WINDOWS\iezw32.dll

O2 - BHO: Class - {A6C8BD73-1203-8D03-0964-66D2ABE08986} - C:\WINDOWS\system32\netbm32.dll (file missing)

O2 - BHO: (no name) - {AA213DE0-A825-A481-2E12-BFC97FC36733} - (no file)

O2 - BHO: Class - {ABE47D97-A0E4-6AFF-425A-480B402A89B8} - C:\WINDOWS\system32\ipol32.dll

O2 - BHO: Class - {ADCAF3DF-AFF5-EA8A-4E12-1BF8D0029FBF} - C:\WINDOWS\system32\ipol.dll

O2 - BHO: Class - {AEE98A84-9A76-BE17-DF76-A88F982D2404} - C:\WINDOWS\system32\netsy32.dll

O2 - BHO: Class - {B27E8BCF-1A21-257E-958D-00B94008A3E8} - C:\WINDOWS\d3mn32.dll

O2 - BHO: Class - {B570A1EF-6102-88E9-0F0F-FA8F17FED6B2} - C:\WINDOWS\system32\mfcpf32.dll

O2 - BHO: Class - {B81B06F6-5EC4-55AF-F6BE-70DA417086A8} - C:\WINDOWS\system32\iewx32.dll

O2 - BHO: Class - {BA6A7285-A488-F292-5E38-FED53B83902B} - C:\WINDOWS\winml.dll

O2 - BHO: Class - {BBDF205D-D7B4-704D-6DEC-5CF2904B2F03} - C:\WINDOWS\system32\javaiw32.dll

O2 - BHO: Class - {BD77B3F4-090A-D29E-0580-4289DE3949AC} - C:\WINDOWS\system32\mfcan32.dll

O2 - BHO: Class - {BFB0102C-C699-7A0C-6B1A-FC5C546EAEE5} - C:\WINDOWS\system32\atlcw32.dll

O2 - BHO: Class - {C2FA3EAF-821F-A9B6-25C2-AF456704EDC8} - C:\WINDOWS\system32\iegx.dll

O2 - BHO: Class - {C4321F79-4119-FC9A-FB04-062C3F916C8D} - C:\WINDOWS\winqp32.dll

O2 - BHO: Class - {C5181690-38C8-DDED-C0A9-7E7D8268395A} - C:\WINDOWS\system32\sdkyl.dll (file missing)

O2 - BHO: Class - {C6D6D264-D1BF-2B26-E95A-909FFD54938F} - C:\WINDOWS\sdkid.dll

O2 - BHO: Class - {C7E5D9CF-F188-7139-C6B3-852F9DA6D3F5} - C:\WINDOWS\system32\msvj.dll

O2 - BHO: Class - {CA012092-005E-0437-3C82-DEC5395C3706} - C:\WINDOWS\system32\netly.dll (file missing)

O2 - BHO: Class - {CC22FEF2-3F13-D4D7-35C2-C66D30943149} - C:\WINDOWS\appna32.dll

O2 - BHO: Class - {CEBAD012-13C4-4D24-410D-C7155144CF79} - C:\WINDOWS\system32\msvz32.dll

O2 - BHO: Class - {CFFA8321-97AC-D558-B2CD-D278699292B1} - C:\WINDOWS\system32\appiq32.dll

O2 - BHO: Class - {D19908D1-5F02-0B32-CCA5-61D2788550FF} - C:\WINDOWS\system32\iech32.dll

O2 - BHO: Class - {D313C43F-6956-1BDC-13C5-B32E2A8D2325} - C:\WINDOWS\apide32.dll

O2 - BHO: Class - {D5656802-6E90-5AEE-E0B5-D63166B32D47} - C:\WINDOWS\ntpy32.dll

O2 - BHO: Class - {D8DE090C-57F8-9A7F-58B1-260247595BBF} - C:\WINDOWS\ntvx.dll

O2 - BHO: Class - {DBFC5A92-4FA4-C151-1D59-8CA0FBBFD49C} - C:\WINDOWS\atlao.dll

O2 - BHO: Class - {DE9E19CF-4511-CFDF-5432-EABB6602A7D8} - C:\WINDOWS\system32\ipka32.dll

O2 - BHO: Class - {E2129379-CF0A-75BA-C7E4-83F511B2E290} - C:\WINDOWS\system32\sdkif32.dll

O2 - BHO: Class - {E38BBEC2-8E70-3C46-43FC-DD9D8553C2B0} - C:\WINDOWS\system32\atlws.dll

O2 - BHO: Class - {E594D9FB-2903-944E-1F01-F8F22E8EC180} - C:\WINDOWS\system32\crgx32.dll (file missing)

O2 - BHO: Class - {E85DB2A8-73A7-0E64-0B9F-3B3DF072FE21} - C:\WINDOWS\system32\syste32.dll (file missing)

O2 - BHO: Class - {E962AC74-29D8-A4A9-1DBF-38F236D56CF5} - C:\WINDOWS\system32\ntxd32.dll

O2 - BHO: Class - {EB230CF2-D770-7CDD-3A01-21C63ADD0123} - C:\WINDOWS\crze.dll

O2 - BHO: Class - {EE2A819A-7B6D-3396-6030-52CEC509153A} - C:\WINDOWS\addfn32.dll

O2 - BHO: Class - {EFD32CB9-039B-2B11-A357-D6D56A398537} - C:\WINDOWS\apppr32.dll

O2 - BHO: Class - {F0E43199-5174-F601-B6ED-5BE690BB4830} - C:\WINDOWS\appat.dll

O2 - BHO: Class - {F292FDF9-73D1-15E7-DA6B-DA2D7932EB4D} - C:\WINDOWS\apign32.dll

O2 - BHO: Class - {F3201037-ECE5-9352-CB6F-34EC153D01F1} - C:\WINDOWS\appvh32.dll

O2 - BHO: (no name) - {F4A66BE4-1A9C-2818-9E39-14600AA3DE7A} - (no file)

O2 - BHO: Class - {F94A7365-02EF-86A8-A674-9941E8B9CFED} - C:\WINDOWS\system32\iean.dll

O2 - BHO: Class - {FBCD1A1B-A16F-5168-4F82-7CC0C15086D2} - C:\WINDOWS\netwh.dll

O2 - BHO: Class - {FDFB032B-81CA-5B7E-7876-05C4543E674E} - C:\WINDOWS\appzd.dll

O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.windupdates.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{4D245EC9-B98A-4D6C-B1A7-520DD69638A9}: NameServer = 85.255.116.126,85.255.112.226

O17 - HKLM\System\CCS\Services\Tcpip\..\{886D18D6-1018-460F-9155-23BF6C1DA14B}: NameServer = 85.255.116.126,85.255.112.226

O17 - HKLM\System\CCS\Services\Tcpip\..\{8A7DF695-B49D-474E-9151-31B498805762}: NameServer = 85.255.116.126,85.255.112.226

O17 - HKLM\System\CCS\Services\Tcpip\..\{D5F6035A-0DB0-4AFD-AF16-EEF933A38BEE}: NameServer = 85.255.116.126,85.255.112.226

O17 - HKLM\System\CCS\Services\Tcpip\..\{E547788F-9FF3-4EFA-968B-268FF8BA76EC}: NameServer = 85.255.116.126,85.255.112.226


Once you’ve checked all of the above entries, click the Fix Checked button.

Exit Hijack This.

* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

Double-click the Network Connections icon
Right-click the Local Area Connection icon and select Properties.
Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

* Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter.
Exit the command window.

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\msix.dll
C:\WINDOWS\system32\addiz.dll
C:\WINDOWS\system32\msut32.dll
C:\WINDOWS\system32\crsb.dll
C:\WINDOWS\system32\netbq.dll
C:\WINDOWS\system32\sdkfg32.dll
C:\WINDOWS\system32\d3ud.dll
C:\WINDOWS\syssa.dll
C:\WINDOWS\winhi.dll
C:\WINDOWS\system32\d3nm32.dll
C:\WINDOWS\system32\msjh.dll
C:\WINDOWS\apicr32.dll
C:\WINDOWS\mfcnl32.dll
C:\WINDOWS\system32\atlra32.dll
C:\WINDOWS\msej32.dll
C:\WINDOWS\msch.dll
C:\WINDOWS\system32\crna32.dll
C:\WINDOWS\crbv32.dll
C:\WINDOWS\netpm32.dll
C:\WINDOWS\crcs32.dll
C:\WINDOWS\iefz32.dll
C:\WINDOWS\system32\iphc32.dll
C:\WINDOWS\system32\atlzk.dll
C:\WINDOWS\ieap.dll
C:\WINDOWS\system32\msnk32.dll
C:\WINDOWS\system32\appjk32.dll
C:\WINDOWS\system32\atlka32.dll
C:\WINDOWS\crzb.dll
C:\WINDOWS\system32\ntww.dll
C:\WINDOWS\system32\netab.dll
C:\WINDOWS\syslu.dll
C:\WINDOWS\ietg32.dll
C:\WINDOWS\sysfw.dll
C:\WINDOWS\system32\netqd.dll
C:\WINDOWS\system32\mfcei32.dll
C:\WINDOWS\d3ro32.dll
C:\WINDOWS\system32\d3sp.dll
C:\WINDOWS\ippy32.dll
C:\WINDOWS\ipad32.dll
C:\WINDOWS\system32\ipgi32.dll
C:\WINDOWS\msbd.dll
C:\WINDOWS\atlpf32.dll
C:\WINDOWS\crsu.dll
C:\WINDOWS\system32\sdkbj.dll
C:\WINDOWS\iprc.dll
C:\WINDOWS\mfcxs.dll
C:\WINDOWS\d3lg32.dll
C:\WINDOWS\winwj.dll
C:\WINDOWS\system32\d3ku.dll
C:\WINDOWS\system32\atlmm32.dll
C:\WINDOWS\system32\winog32.dll
C:\WINDOWS\atlnp32.dll
C:\WINDOWS\netus.dll
C:\WINDOWS\system32\sdkya32.dll
C:\WINDOWS\systo.dll
C:\WINDOWS\ipej32.dll
C:\WINDOWS\system32\iesj32.dll
C:\WINDOWS\appwt32.dll
C:\WINDOWS\system32\netfe32.dll
C:\WINDOWS\system32\addcr32.dll
C:\WINDOWS\system32\iexg32.dll
C:\WINDOWS\system32\d3fd32.dll
C:\WINDOWS\iezw32.dll
C:\WINDOWS\system32\ipol32.dll
C:\WINDOWS\system32\ipol.dll
C:\WINDOWS\system32\netsy32.dll
C:\WINDOWS\d3mn32.dll
C:\WINDOWS\system32\mfcpf32.dll
C:\WINDOWS\system32\iewx32.dll
C:\WINDOWS\winml.dll
C:\WINDOWS\system32\javaiw32.dll
C:\WINDOWS\system32\mfcan32.dll
C:\WINDOWS\system32\atlcw32.dll
C:\WINDOWS\system32\iegx.dll
C:\WINDOWS\winqp32.dll
C:\WINDOWS\sdkid.dll
C:\WINDOWS\system32\msvj.dll
C:\WINDOWS\appna32.dll
C:\WINDOWS\system32\msvz32.dll
C:\WINDOWS\system32\appiq32.dll
C:\WINDOWS\system32\iech32.dll
C:\WINDOWS\apide32.dll
C:\WINDOWS\ntpy32.dll
C:\WINDOWS\ntvx.dll
C:\WINDOWS\atlao.dll
C:\WINDOWS\system32\ipka32.dll
C:\WINDOWS\system32\sdkif32.dll
C:\WINDOWS\system32\atlws.dll
C:\WINDOWS\system32\ntxd32.dll
C:\WINDOWS\crze.dll
C:\WINDOWS\addfn32.dll
C:\WINDOWS\apppr32.dll
C:\WINDOWS\appat.dll
C:\WINDOWS\apign32.dll
C:\WINDOWS\appvh32.dll
C:\WINDOWS\system32\iean.dll
C:\WINDOWS\netwh.dll
C:\WINDOWS\appzd.dll


Note: It is possible that Killbox will tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the KillBox.

Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit>Select All then Edit>Delete to delete the entire contents of the Temp folder.

Go to Start>Run and type %temp% in the Run box.
The Temp folder will open. Click Edit>Select All then Edit>Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel>Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Next run AboutBuster. Double click Aboutbuster.exe, click OK, click Start then click OK. This will scan your computer for the bad files and delete them.

Now, rerun CWShredder. Just click on the cwshredder.exe then click Fix (Not Scan only) and let it do its thing.

* Run Cleanup:
  • Click on the "Cleanup" button and let it run.
  • Once it's done, close the program.

Restart to Normal Mode.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Go here and do an online virus scan: http://housecall.trendmicro.com/

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here:
www.funkytoad.com/download/hoster.zip
Run Hoster and press Restore Original Hosts, OK, and Exit Program.

If you have Spybot S&D installed you will also need to replace one file.
Go here: http://www.spywareinfo.com/~merijn/winfiles.html
Download SDHelper.dll
Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll.
If you do not have one, go to the C:\Windows\system32\dllcache folder.
Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

The file "Control.exe" may have been deleted.
See if Control.exe is present in C:\windows\system32

If Control.exe isn't there, go here: http://www.spywareinfo.com/~merijn/winfiles.html
Download control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings.
They may have been changed by this CWS variant to allow ALL ActiveX!
Reset your ActiveX security settings like so...
Go to Internet Options - Security - Internet, press 'default level', then OK.
Now press "Custom Level."

In the ActiveX section, set the first two options "Download Signed and Unsigned ActiveX controls" to 'Prompt', and "Initialize and Script ActiveX Controls not marked as Safe" to 'Disable'.

Reboot and post another Hijack This log please.
 

Duomi

Thread Starter
Joined
Jan 9, 2006
Messages
5
:confused: I downloaded all of the files you linked to, and unzipped them, put them onto my desktop-- but when I go into safe mode, none of the programs show up. Should I just run all of them with my internet turned off in regular mode?
 

Duomi

Thread Starter
Joined
Jan 9, 2006
Messages
5
Sorry it took me so long to respond again-- I was fixing the computer between work and college, and the first time I ran through AboutBuster it got rid of 'hal.dll' and my computer wouldn't start again, so I had to fix it.

But the programs seem to have helped quite a bit! Here's my new hjt log. Thank you very much for your help!
 

Attachments

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Pasting this for easier view...

Logfile of HijackThis v1.99.1
Scan saved at 3:57:06 PM, on 1/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterMute\PopSubtract\PopSub.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Soulseek\slsk.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - Unknown owner - C:\WINDOWS\System32\gearsec.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
 
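A triage script for HijackThis log lines, added here as an illustration and not code from the thread, the moderator, or HijackThis itself. It applies the patterns the moderator used above when choosing entries to fix (orphaned BHOs with no file, generically named "Class" BHOs loading DLLs straight out of the Windows directory, wildcard Trusted Zone additions, a static NameServer pointing at public addresses, and the missing default URLSearchHook) and runs them over a few lines copied from the two logs in this thread, one infected and one clean. The rule names, the Windows-directory DLL pattern and the `files_to_remove` helper are assumptions of this example, not HijackThis output.

```python
import re
from ipaddress import ip_address

# Constructed sample: HijackThis lines copied from the two logs quoted in this thread
# (entries the moderator listed for fixing, followed by entries from the clean log).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {01575B9F-13D1-712F-6453-1A4855B87338} - C:\WINDOWS\atljc32.dll
O2 - BHO: (no name) - {048B1CF7-E92A-45EB-8E94-D0EEF944F4E2} - (no file)
O2 - BHO: Class - {13BE3AF1-F48D-BFAA-2F95-207C430E138C} - C:\WINDOWS\system32\winfj.dll (file missing)
O15 - Trusted Zone: *.iframe.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D245EC9-B98A-4D6C-B1A7-520DD69638A9}: NameServer = 85.255.116.126,85.255.112.226
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)$")
# Heuristic (assumption of this example): a DLL dropped directly into the Windows or
# System32 directory instead of living under Program Files.
WINDIR_DLL_RE = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+\.dll$", re.IGNORECASE)
GENERIC_NAMES = {"Class", "(no name)"}


def triage_line(line):
    """Return (rule, detail) when a HijackThis line matches one of the heuristics, else None."""
    line = line.strip()
    if line.startswith("R3 - ") and line.endswith("is missing"):
        return ("urlsearchhook-missing", "default URLSearchHook was removed; restore via Fix Checked")
    m = O2_RE.match(line)
    if m:
        path = m.group("path")
        if path == "(no file)" or path.endswith("(file missing)"):
            return ("orphaned-bho", "BHO still registered but its DLL is gone; remove the registration")
        if m.group("name") in GENERIC_NAMES and WINDIR_DLL_RE.match(path):
            return ("generic-bho-in-windir", f"generically named BHO loading {path}")
        return None
    m = O15_RE.match(line)
    if m:
        return ("trusted-zone-addition", f"{m.group('host')} placed in the IE Trusted sites zone")
    m = O17_RE.match(line)
    if m:
        addrs = [ip_address(s) for s in m.group("servers").split(",")]
        public = [str(a) for a in addrs if not (a.is_private or a.is_loopback)]
        if public:
            return ("dns-servers-overridden", f"adapter pinned to public DNS servers {', '.join(public)}")
    return None


def triage(log_text):
    """Run every line of a HijackThis log through triage_line and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append({"line": line.strip(), "rule": hit[0], "detail": hit[1]})
    return findings


def files_to_remove(findings):
    """Paths of flagged BHO DLLs that are still on disk, i.e. the list a file-removal step needs."""
    paths = {O2_RE.match(f["line"]).group("path")
             for f in findings if f["rule"] == "generic-bho-in-windir"}
    return sorted(paths)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f['rule']}] {f['line']}\n    {f['detail']}")
    print("files still on disk:", files_to_remove(hits))
```

The clean-log lines (Acrobat and Norton BHOs, the Radio toolbar, the ccApp Run key) produce no findings, which is the point of the generic-name-plus-location rule: a descriptively named BHO under Program Files is not flagged on location alone. The O17 rule only reports public addresses, since a router or ISP address that is private or loopback is the normal case for an adapter set to obtain DNS automatically.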

Duomi

Thread Starter
Joined
Jan 9, 2006
Messages
5
Muuuuch better, except for a few things popping up when I open folders-- just messages like, "Please wait while Windows configures HPIZ350", and if I do wait, it doesn't work, but it opens every time I open any folder. That's... probably the only problem I see anymore. No more IE popping up, or the little random popups, and the speed is much better. Also, I checked WINDOWS and Sys32 and they seem fine-- still many files, but they seem okay, since they were last modified years ago, and not days ago or weeks ago. So thank you! I didn't know how else to fix this, the programs I was downloading weren't helping.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
You're welcome :)

You can mark your thread "Solved" from the Thread Tools drop down menu.
 
Joined
Jul 26, 2002
Messages
46,349
Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 
