  #1  
Old August 13th, 2005, 08:56 PM
JamieE
Senior Member
 
Join Date: Jun 2004
Posts: 175
blank/search start page on IE

Hi, below is my log file. I have also run Ad-Aware SE and Norton in safe mode.

Logfile of HijackThis v1.99.0
Scan saved at 6:35:06 PM, on 8/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MM_TDM~1.EXE
C:\WINDOWS\netyx.exe
C:\HJT\HijackThis.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F22B79FB-1D55-C94F-4938-EAA13A2FB4ED} - C:\WINDOWS\d3yl.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [crrq32.exe] C:\WINDOWS\system32\crrq32.exe
O4 - HKLM\..\Run: [netyx.exe] C:\WINDOWS\netyx.exe
O4 - HKLM\..\RunOnce: [netzu.exe] C:\WINDOWS\system32\netzu.exe
O4 - HKLM\..\RunOnce: [adddd.exe] C:\WINDOWS\system32\adddd.exe
O4 - HKLM\..\RunOnce: [apigp32.exe] C:\WINDOWS\system32\apigp32.exe
O4 - HKLM\..\RunOnce: [d3xn.exe] C:\WINDOWS\d3xn.exe
O4 - HKLM\..\RunOnce: [winzf.exe] C:\WINDOWS\system32\winzf.exe
O4 - HKLM\..\RunOnce: [sysll32.exe] C:\WINDOWS\system32\sysll32.exe
O4 - HKLM\..\RunOnce: [sdkmu.exe] C:\WINDOWS\sdkmu.exe
O4 - HKLM\..\RunOnce: [msiy32.exe] C:\WINDOWS\msiy32.exe
O4 - HKLM\..\RunOnce: [syset.exe] C:\WINDOWS\syset.exe
O4 - HKLM\..\RunOnce: [apien.exe] C:\WINDOWS\apien.exe
O4 - HKLM\..\RunOnce: [ienr32.exe] C:\WINDOWS\system32\ienr32.exe
O4 - HKLM\..\RunOnce: [appst32.exe] C:\WINDOWS\system32\appst32.exe
O4 - HKLM\..\RunOnce: [d3ra.exe] C:\WINDOWS\system32\d3ra.exe
O4 - HKLM\..\RunOnce: [netwv32.exe] C:\WINDOWS\system32\netwv32.exe
O4 - HKLM\..\RunOnce: [craf32.exe] C:\WINDOWS\craf32.exe
O4 - HKLM\..\RunOnce: [apico.exe] C:\WINDOWS\system32\apico.exe
O4 - HKLM\..\RunOnce: [atlxp32.exe] C:\WINDOWS\system32\atlxp32.exe
O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINDOWS\d3km32.exe
O4 - HKLM\..\RunOnce: [ipyg.exe] C:\WINDOWS\ipyg.exe
O4 - HKLM\..\RunOnce: [msro.exe] C:\WINDOWS\system32\msro.exe
O4 - HKLM\..\RunOnce: [sdkoq32.exe] C:\WINDOWS\system32\sdkoq32.exe
O4 - HKLM\..\RunOnce: [iehm32.exe] C:\WINDOWS\iehm32.exe
O4 - HKLM\..\RunOnce: [apils.exe] C:\WINDOWS\system32\apils.exe
O4 - HKLM\..\RunOnce: [javavq32.exe] C:\WINDOWS\javavq32.exe
O4 - HKLM\..\RunOnce: [ipko.exe] C:\WINDOWS\ipko.exe
O4 - HKLM\..\RunOnce: [appng32.exe] C:\WINDOWS\system32\appng32.exe
O4 - HKLM\..\RunOnce: [ipfv32.exe] C:\WINDOWS\ipfv32.exe
O4 - HKLM\..\RunOnce: [ieot.exe] C:\WINDOWS\system32\ieot.exe
O4 - HKLM\..\RunOnce: [sdkbv32.exe] C:\WINDOWS\sdkbv32.exe
O4 - HKLM\..\RunOnce: [addyg32.exe] C:\WINDOWS\system32\addyg32.exe
O4 - HKLM\..\RunOnce: [crdi.exe] C:\WINDOWS\system32\crdi.exe
O4 - HKLM\..\RunOnce: [apium.exe] C:\WINDOWS\system32\apium.exe
O4 - HKLM\..\RunOnce: [sysho32.exe] C:\WINDOWS\sysho32.exe
O4 - HKLM\..\RunOnce: [atlxw32.exe] C:\WINDOWS\atlxw32.exe
O4 - HKLM\..\RunOnce: [adduj.exe] C:\WINDOWS\system32\adduj.exe
O4 - HKLM\..\RunOnce: [d3id32.exe] C:\WINDOWS\d3id32.exe
O4 - HKLM\..\RunOnce: [crtl32.exe] C:\WINDOWS\system32\crtl32.exe
O4 - HKLM\..\RunOnce: [apiyn32.exe] C:\WINDOWS\apiyn32.exe
O4 - HKLM\..\RunOnce: [apily.exe] C:\WINDOWS\apily.exe
O4 - HKLM\..\RunOnce: [mfcat32.exe] C:\WINDOWS\system32\mfcat32.exe
O4 - HKLM\..\RunOnce: [ipnv32.exe] C:\WINDOWS\system32\ipnv32.exe
O4 - HKLM\..\RunOnce: [atltf32.exe] C:\WINDOWS\system32\atltf32.exe
O4 - HKLM\..\RunOnce: [sysxp.exe] C:\WINDOWS\sysxp.exe
O4 - HKLM\..\RunOnce: [msvk.exe] C:\WINDOWS\msvk.exe
O4 - HKLM\..\RunOnce: [netkd.exe] C:\WINDOWS\system32\netkd.exe
O4 - HKLM\..\RunOnce: [d3nb32.exe] C:\WINDOWS\system32\d3nb32.exe
O4 - HKLM\..\RunOnce: [netsd.exe] C:\WINDOWS\system32\netsd.exe
O4 - HKLM\..\RunOnce: [addvw.exe] C:\WINDOWS\addvw.exe
O4 - HKLM\..\RunOnce: [crik.exe] C:\WINDOWS\system32\crik.exe
O4 - HKLM\..\RunOnce: [apinn.exe] C:\WINDOWS\system32\apinn.exe
O4 - HKLM\..\RunOnce: [mshy.exe] C:\WINDOWS\mshy.exe
O4 - HKLM\..\RunOnce: [ipms32.exe] C:\WINDOWS\ipms32.exe
O4 - HKLM\..\RunOnce: [javanm.exe] C:\WINDOWS\javanm.exe
O4 - HKLM\..\RunOnce: [mfcsg32.exe] C:\WINDOWS\mfcsg32.exe
O4 - HKLM\..\RunOnce: [d3bt32.exe] C:\WINDOWS\d3bt32.exe
O4 - HKLM\..\RunOnce: [ipgn.exe] C:\WINDOWS\ipgn.exe
O4 - HKLM\..\RunOnce: [appik32.exe] C:\WINDOWS\appik32.exe
O4 - HKLM\..\RunOnce: [d3jt.exe] C:\WINDOWS\system32\d3jt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe...nttracking.cab
O16 - DPF: {80922B68-D8DE-11D5-8D10-0050DAD09327} (Batch Processing Control) - http://www.thomsononeanalytics.com/p...tchPrintNT.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Thank you
  #2  
Old August 13th, 2005, 09:10 PM
Acrobaze
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Hi,

ControlAltDel
End the process : netyx.exe


Close all browser windows, run only HijackThis and tick :

O2 - BHO: Class - {F22B79FB-1D55-C94F-4938-EAA13A2FB4ED} - C:\WINDOWS\d3yl.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll (file missing)

O4 - HKLM\..\Run: [crrq32.exe] C:\WINDOWS\system32\crrq32.exe
O4 - HKLM\..\Run: [netyx.exe] C:\WINDOWS\netyx.exe
O4 - HKLM\..\RunOnce: [netzu.exe] C:\WINDOWS\system32\netzu.exe
O4 - HKLM\..\RunOnce: [adddd.exe] C:\WINDOWS\system32\adddd.exe
O4 - HKLM\..\RunOnce: [apigp32.exe] C:\WINDOWS\system32\apigp32.exe
O4 - HKLM\..\RunOnce: [d3xn.exe] C:\WINDOWS\d3xn.exe
O4 - HKLM\..\RunOnce: [winzf.exe] C:\WINDOWS\system32\winzf.exe
O4 - HKLM\..\RunOnce: [sysll32.exe] C:\WINDOWS\system32\sysll32.exe
O4 - HKLM\..\RunOnce: [sdkmu.exe] C:\WINDOWS\sdkmu.exe
O4 - HKLM\..\RunOnce: [msiy32.exe] C:\WINDOWS\msiy32.exe
O4 - HKLM\..\RunOnce: [syset.exe] C:\WINDOWS\syset.exe
O4 - HKLM\..\RunOnce: [apien.exe] C:\WINDOWS\apien.exe
O4 - HKLM\..\RunOnce: [ienr32.exe] C:\WINDOWS\system32\ienr32.exe
O4 - HKLM\..\RunOnce: [appst32.exe] C:\WINDOWS\system32\appst32.exe
O4 - HKLM\..\RunOnce: [d3ra.exe] C:\WINDOWS\system32\d3ra.exe
O4 - HKLM\..\RunOnce: [netwv32.exe] C:\WINDOWS\system32\netwv32.exe
O4 - HKLM\..\RunOnce: [craf32.exe] C:\WINDOWS\craf32.exe
O4 - HKLM\..\RunOnce: [apico.exe] C:\WINDOWS\system32\apico.exe
O4 - HKLM\..\RunOnce: [atlxp32.exe] C:\WINDOWS\system32\atlxp32.exe
O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINDOWS\d3km32.exe
O4 - HKLM\..\RunOnce: [ipyg.exe] C:\WINDOWS\ipyg.exe
O4 - HKLM\..\RunOnce: [msro.exe] C:\WINDOWS\system32\msro.exe
O4 - HKLM\..\RunOnce: [sdkoq32.exe] C:\WINDOWS\system32\sdkoq32.exe
O4 - HKLM\..\RunOnce: [iehm32.exe] C:\WINDOWS\iehm32.exe
O4 - HKLM\..\RunOnce: [apils.exe] C:\WINDOWS\system32\apils.exe
O4 - HKLM\..\RunOnce: [javavq32.exe] C:\WINDOWS\javavq32.exe
O4 - HKLM\..\RunOnce: [ipko.exe] C:\WINDOWS\ipko.exe
O4 - HKLM\..\RunOnce: [appng32.exe] C:\WINDOWS\system32\appng32.exe
O4 - HKLM\..\RunOnce: [ipfv32.exe] C:\WINDOWS\ipfv32.exe
O4 - HKLM\..\RunOnce: [ieot.exe] C:\WINDOWS\system32\ieot.exe
O4 - HKLM\..\RunOnce: [sdkbv32.exe] C:\WINDOWS\sdkbv32.exe
O4 - HKLM\..\RunOnce: [addyg32.exe] C:\WINDOWS\system32\addyg32.exe
O4 - HKLM\..\RunOnce: [crdi.exe] C:\WINDOWS\system32\crdi.exe
O4 - HKLM\..\RunOnce: [apium.exe] C:\WINDOWS\system32\apium.exe
O4 - HKLM\..\RunOnce: [sysho32.exe] C:\WINDOWS\sysho32.exe
O4 - HKLM\..\RunOnce: [atlxw32.exe] C:\WINDOWS\atlxw32.exe
O4 - HKLM\..\RunOnce: [adduj.exe] C:\WINDOWS\system32\adduj.exe
O4 - HKLM\..\RunOnce: [d3id32.exe] C:\WINDOWS\d3id32.exe
O4 - HKLM\..\RunOnce: [crtl32.exe] C:\WINDOWS\system32\crtl32.exe
O4 - HKLM\..\RunOnce: [apiyn32.exe] C:\WINDOWS\apiyn32.exe
O4 - HKLM\..\RunOnce: [apily.exe] C:\WINDOWS\apily.exe
O4 - HKLM\..\RunOnce: [mfcat32.exe] C:\WINDOWS\system32\mfcat32.exe
O4 - HKLM\..\RunOnce: [ipnv32.exe] C:\WINDOWS\system32\ipnv32.exe
O4 - HKLM\..\RunOnce: [atltf32.exe] C:\WINDOWS\system32\atltf32.exe
O4 - HKLM\..\RunOnce: [sysxp.exe] C:\WINDOWS\sysxp.exe
O4 - HKLM\..\RunOnce: [msvk.exe] C:\WINDOWS\msvk.exe
O4 - HKLM\..\RunOnce: [netkd.exe] C:\WINDOWS\system32\netkd.exe
O4 - HKLM\..\RunOnce: [d3nb32.exe] C:\WINDOWS\system32\d3nb32.exe
O4 - HKLM\..\RunOnce: [netsd.exe] C:\WINDOWS\system32\netsd.exe
O4 - HKLM\..\RunOnce: [addvw.exe] C:\WINDOWS\addvw.exe
O4 - HKLM\..\RunOnce: [crik.exe] C:\WINDOWS\system32\crik.exe
O4 - HKLM\..\RunOnce: [apinn.exe] C:\WINDOWS\system32\apinn.exe
O4 - HKLM\..\RunOnce: [mshy.exe] C:\WINDOWS\mshy.exe
O4 - HKLM\..\RunOnce: [ipms32.exe] C:\WINDOWS\ipms32.exe
O4 - HKLM\..\RunOnce: [javanm.exe] C:\WINDOWS\javanm.exe
O4 - HKLM\..\RunOnce: [mfcsg32.exe] C:\WINDOWS\mfcsg32.exe
O4 - HKLM\..\RunOnce: [d3bt32.exe] C:\WINDOWS\d3bt32.exe
O4 - HKLM\..\RunOnce: [ipgn.exe] C:\WINDOWS\ipgn.exe
O4 - HKLM\..\RunOnce: [appik32.exe] C:\WINDOWS\appik32.exe
O4 - HKLM\..\RunOnce: [d3jt.exe] C:\WINDOWS\system32\d3jt.exe

Click "Fix checked".

Download Pocket Killbox from HERE.
Unzip it and run it.
Tick "Delete on reboot".
In "Paste full path of file..", copy/paste : C:\WINDOWS\netyx.exe
Click "Delete file" (the white cross).

Let the computer reboot and post a new log, please.
  #3  
Old August 14th, 2005, 12:46 AM
JamieE
Senior Member
 
Join Date: Jun 2004
Posts: 175
Hi, thanks for your help. I followed your instructions; however, the netyx.exe process was not running and the following files were not showing in HJT, so I could not fix them.

O4 - HKLM\..\Run: [crrq32.exe] C:\WINDOWS\system32\crrq32.exe
O4 - HKLM\..\Run: [netyx.exe] C:\WINDOWS\netyx.exe

O4 - HKLM\..\RunOnce: [syset.exe] C:\WINDOWS\syset.exe
O4 - HKLM\..\RunOnce: [apien.exe] C:\WINDOWS\apien.exe
O4 - HKLM\..\RunOnce: [ienr32.exe] C:\WINDOWS\system32\ienr32.exe
O4 - HKLM\..\RunOnce: [appst32.exe] C:\WINDOWS\system32\appst32.exe

I ran P Killbox and rebooted, and IE came back on boot with the blank/search page. Also I am getting pop-ups now.

New log below

Logfile of HijackThis v1.99.0
Scan saved at 12:46:19 AM, on 8/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\winrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F22B79FB-1D55-C94F-4938-EAA13A2FB4ED} - C:\WINDOWS\d3yl.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [crrq32.exe] C:\WINDOWS\system32\crrq32.exe
O4 - HKLM\..\Run: [netyx.exe] C:\WINDOWS\netyx.exe
O4 - HKLM\..\Run: [msao32.exe] C:\WINDOWS\system32\msao32.exe
O4 - HKLM\..\Run: [winrk.exe] C:\WINDOWS\system32\winrk.exe
O4 - HKLM\..\RunOnce: [ieib.exe] C:\WINDOWS\ieib.exe
O4 - HKLM\..\RunOnce: [iphj32.exe] C:\WINDOWS\iphj32.exe
O4 - HKLM\..\RunOnce: [winel.exe] C:\WINDOWS\winel.exe
O4 - HKLM\..\RunOnce: [iemx32.exe] C:\WINDOWS\iemx32.exe
O4 - HKLM\..\RunOnce: [sdkpq.exe] C:\WINDOWS\system32\sdkpq.exe
O4 - HKLM\..\RunOnce: [javanc32.exe] C:\WINDOWS\javanc32.exe
O4 - HKLM\..\RunOnce: [netep32.exe] C:\WINDOWS\system32\netep32.exe
O4 - HKLM\..\RunOnce: [addjm32.exe] C:\WINDOWS\addjm32.exe
O4 - HKLM\..\RunOnce: [sdkkz.exe] C:\WINDOWS\system32\sdkkz.exe
O4 - HKLM\..\RunOnce: [netoj32.exe] C:\WINDOWS\system32\netoj32.exe
O4 - HKLM\..\RunOnce: [appbu.exe] C:\WINDOWS\system32\appbu.exe
O4 - HKLM\..\RunOnce: [mfclc.exe] C:\WINDOWS\system32\mfclc.exe
O4 - HKLM\..\RunOnce: [netzu.exe] C:\WINDOWS\system32\netzu.exe
O4 - HKLM\..\RunOnce: [atlrl32.exe] C:\WINDOWS\system32\atlrl32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe...nttracking.cab
O16 - DPF: {80922B68-D8DE-11D5-8D10-0050DAD09327} (Batch Processing Control) - http://www.thomsononeanalytics.com/p...tchPrintNT.cab
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\netzu.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  #4  
Old August 14th, 2005, 12:50 AM
JamieE
Senior Member
 
Join Date: Jun 2004
Posts: 175
Sorry, forgot to mention I am getting a box with a message saying

WINDOWS SECURITY CENTRE
WARNING: Windows firewall detected suspicious network activity on your computer etc.
  #5  
Old August 14th, 2005, 11:30 AM
Acrobaze
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Hi,
Yes, in the first log, we didn't see the service which generates all that. But now, yes.

-----------

1- Start -> run -> type: services.msc
Double click : Network Security Service
Stop and disable it.

2- Download cwsserviceremove. Only unzip it.

3- Download About:Buster. Unzip it and run it. Check for updates and download them. But don't click "Start" yet.

4- ControlAltDel
End the process : winrk.exe

Reboot in safe mode.

1- Run only HijackThis and tick :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {F22B79FB-1D55-C94F-4938-EAA13A2FB4ED} - C:\WINDOWS\d3yl.dll

O4 - HKLM\..\Run: [crrq32.exe] C:\WINDOWS\system32\crrq32.exe
O4 - HKLM\..\Run: [netyx.exe] C:\WINDOWS\netyx.exe
O4 - HKLM\..\Run: [msao32.exe] C:\WINDOWS\system32\msao32.exe
O4 - HKLM\..\Run: [winrk.exe] C:\WINDOWS\system32\winrk.exe
O4 - HKLM\..\RunOnce: [ieib.exe] C:\WINDOWS\ieib.exe
O4 - HKLM\..\RunOnce: [iphj32.exe] C:\WINDOWS\iphj32.exe
O4 - HKLM\..\RunOnce: [winel.exe] C:\WINDOWS\winel.exe
O4 - HKLM\..\RunOnce: [iemx32.exe] C:\WINDOWS\iemx32.exe
O4 - HKLM\..\RunOnce: [sdkpq.exe] C:\WINDOWS\system32\sdkpq.exe
O4 - HKLM\..\RunOnce: [javanc32.exe] C:\WINDOWS\javanc32.exe
O4 - HKLM\..\RunOnce: [netep32.exe] C:\WINDOWS\system32\netep32.exe
O4 - HKLM\..\RunOnce: [addjm32.exe] C:\WINDOWS\addjm32.exe
O4 - HKLM\..\RunOnce: [sdkkz.exe] C:\WINDOWS\system32\sdkkz.exe
O4 - HKLM\..\RunOnce: [netoj32.exe] C:\WINDOWS\system32\netoj32.exe
O4 - HKLM\..\RunOnce: [appbu.exe] C:\WINDOWS\system32\appbu.exe
O4 - HKLM\..\RunOnce: [mfclc.exe] C:\WINDOWS\system32\mfclc.exe
O4 - HKLM\..\RunOnce: [netzu.exe] C:\WINDOWS\system32\netzu.exe
O4 - HKLM\..\RunOnce: [atlrl32.exe] C:\WINDOWS\system32\atlrl32.exe

O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\netzu.exe

Click "Fix checked".

Make sure that you can see the hidden files and delete :
C:\WINDOWS\system32\netzu.exe
C:\WINDOWS\system32\winrk.exe
and all these I highlighted in bold.

Empty the recycle bin.

2- Run TWICE About:Buster. ("Start", now)

3- Open the unzipped cwsserviceremove folder, double click the reg file and merge it with the registry.

Reboot in normal mode and post a new log, please.
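As an added example that is not part of the thread, the following Python script applies the checks Acrobaze made by eye across the logs above (the res:// search-page hijack, the generic "Class" BHO loaded from C:\WINDOWS, the random-name Run/RunOnce loaders, the "Unknown"-vendor service) and diffs two scans, since the loader came back under new names after each partial clean-up. The sample log lines are constructed excerpts modelled on the thread's logs, and the allowlist is a constructed placeholder, not anything from HijackThis.

```python
"""Triage HijackThis logs for the CoolWebSearch-style indicators in this thread.

Added example, not code from the thread or the HijackThis project. It flags what the
helper picked out by eye (R0/R1 values that are res:// URLs inside a local DLL, a missing
URLSearchHook, O2 BHOs named just "Class" or loaded from C:\\WINDOWS, O4 Run/RunOnce
entries launching short random names from the Windows dirs, O23 services with an
"Unknown" vendor) and diffs two scans, since the loader re-creates itself under new
names after a partial clean (netyx.exe -> winrk.exe -> ipvm.exe, zxelk.dll -> xlgso.dll).
"""
from __future__ import annotations
import re

ALLOWLIST = {"ctfmon.exe"}  # constructed allowlist; extend from your own baseline
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}  # where the thread's loaders sat
RANDOM_NAME = re.compile(r"^[a-z0-9]{2,8}(32)?\.(exe|dll)$")  # netyx.exe, crrq32.exe
ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")  # "O4 - <rest>", "R1 - <rest>", ...

def _first_path(command: str) -> str:
    """Executable path from an O4 command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def _split(path: str) -> tuple[str, str]:
    """(lower-cased directory, lower-cased file name) of a Windows path."""
    head, _, tail = path.lower().rpartition("\\")
    return head, tail

def flag_entry(line: str) -> str | None:
    """Why the entry looks like part of the hijack, or None if it looks benign."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind in ("R0", "R1"):
        if "= res://" in rest and ".dll/" in rest.lower():
            return "IE start/search setting points into a resource of a local DLL"
        if rest.endswith("= about:blank"):
            return "start page blanked (weak alone, typical beside the res:// hijack)"
    if kind == "R3" and "URLSearchHook is missing" in rest:
        return "default URLSearchHook removed"
    if kind == "O2":  # "BHO: <name> - {CLSID} - <dll>"
        parts = rest.removeprefix("BHO: ").split(" - ", 2)
        if len(parts) == 3 and (parts[0] == "Class" or _split(parts[2])[0] == r"c:\windows"):
            return "BHO with generic name or DLL dropped directly in C:\\WINDOWS"
    if kind == "O4" and "\\Run" in rest:  # Run and RunOnce; not Global Startup
        cmd = re.search(r"\] (.*)$", rest)
        if cmd:
            directory, fname = _split(_first_path(cmd.group(1)))
            if directory in DROP_DIRS and RANDOM_NAME.match(fname) and fname not in ALLOWLIST:
                key = "RunOnce" if "RunOnce" in rest else "Run"
                return f"{key} entry launching random-looking {fname} from {directory}"
    if kind == "O23":  # "Service: <name> - <vendor> - <path>"
        parts = rest.removeprefix("Service: ").rsplit(" - ", 2)
        if len(parts) == 3 and parts[1] == "Unknown":
            return "service with unknown vendor"
    return None

def triage(log_text: str) -> list[tuple[str, str]]:
    """(entry, reason) for every flagged line of a log."""
    pairs = ((ln.strip(), flag_entry(ln)) for ln in log_text.splitlines())
    return [(entry, reason) for entry, reason in pairs if reason]

def suspicious_files(log_text: str) -> set[str]:
    """Lower-cased .exe/.dll names referenced by the flagged entries."""
    names: set[str] = set()
    for entry, _ in triage(log_text):
        names.update(n.lower() for n in re.findall(r"[A-Za-z0-9_]+\.(?:exe|dll)", entry))
    return names

def regenerated(scan_a: str, scan_b: str) -> tuple[set[str], set[str]]:
    """Flagged names gone since the earlier scan, and the new names replacing them."""
    a, b = suspicious_files(scan_a), suspicious_files(scan_b)
    return a - b, b - a

# Constructed excerpts modelled on the thread's second and third logs, not the full logs.
SCAN_A = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxelk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F22B79FB-1D55-C94F-4938-EAA13A2FB4ED} - C:\WINDOWS\d3yl.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winrk.exe] C:\WINDOWS\system32\winrk.exe
O4 - HKLM\..\RunOnce: [netzu.exe] C:\WINDOWS\system32\netzu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\netzu.exe
"""
SCAN_B = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlgso.dll/sp.html#44768
O2 - BHO: Class - {F6E2FCAE-1198-A1BC-63E6-EFD2567AC69A} - C:\WINDOWS\ipvm.dll
O2 - BHO: Class - {F9611D23-F7B8-A44B-E962-46EE65E5DBA4} - C:\WINDOWS\sysom32.dll
O4 - HKLM\..\Run: [ipvm.exe] C:\WINDOWS\ipvm.exe
"""

if __name__ == "__main__":
    for entry, reason in triage(SCAN_A):
        print(f"{reason}\n    {entry}")
    print("gone / re-created:", *map(sorted, regenerated(SCAN_A, SCAN_B)))
```

The diff is the point a practitioner wants: ticking entries in HijackThis removes the registry references, but while the loader process and its service survive, the next scan shows the same hijack under freshly generated names.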
  #6  
Old August 14th, 2005, 12:45 PM
JamieE
Senior Member
 
Join Date: Jun 2004
Posts: 175
Hi, new log below.

Logfile of HijackThis v1.99.0
Scan saved at 12:43:16 PM, on 8/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\ipvm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F6E2FCAE-1198-A1BC-63E6-EFD2567AC69A} - C:\WINDOWS\ipvm.dll
O2 - BHO: Class - {F9611D23-F7B8-A44B-E962-46EE65E5DBA4} - C:\WINDOWS\sysom32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [winfz32.exe] C:\WINDOWS\system32\winfz32.exe
O4 - HKLM\..\Run: [ipvm.exe] C:\WINDOWS\ipvm.exe
O4 - HKLM\..\RunOnce: [apixv.exe] C:\WINDOWS\system32\apixv.exe
O4 - HKLM\..\RunOnce: [atlxa.exe] C:\WINDOWS\system32\atlxa.exe
O4 - HKLM\..\RunOnce: [mfchr32.exe] C:\WINDOWS\mfchr32.exe
O4 - HKLM\..\RunOnce: [javapr32.exe] C:\WINDOWS\javapr32.exe
O4 - HKLM\..\RunOnce: [nettx32.exe] C:\WINDOWS\system32\nettx32.exe
O4 - HKLM\..\RunOnce: [netye.exe] C:\WINDOWS\netye.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe...nttracking.cab
O16 - DPF: {80922B68-D8DE-11D5-8D10-0050DAD09327} (Batch Processing Control) - http://www.thomsononeanalytics.com/p...tchPrintNT.cab
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\netzu.exe (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  #7  
Old August 14th, 2005, 01:00 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
It created new files.

- Start->run->type : services.msc
Verify that the service Network Security Service is really stopped and disabled.

- Keep About:Buster ready.

- Download Pocket Killbox from HERE. Only unzip it.

- ControlAltDel
End the process : ipvm.exe

Reboot in safe mode. Run HijackThis and tick :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {F6E2FCAE-1198-A1BC-63E6-EFD2567AC69A} - C:\WINDOWS\ipvm.dll
O2 - BHO: Class - {F9611D23-F7B8-A44B-E962-46EE65E5DBA4} - C:\WINDOWS\sysom32.dll

O4 - HKLM\..\Run: [winfz32.exe] C:\WINDOWS\system32\winfz32.exe
O4 - HKLM\..\Run: [ipvm.exe] C:\WINDOWS\ipvm.exe
O4 - HKLM\..\RunOnce: [apixv.exe] C:\WINDOWS\system32\apixv.exe
O4 - HKLM\..\RunOnce: [atlxa.exe] C:\WINDOWS\system32\atlxa.exe
O4 - HKLM\..\RunOnce: [mfchr32.exe] C:\WINDOWS\mfchr32.exe
O4 - HKLM\..\RunOnce: [javapr32.exe] C:\WINDOWS\javapr32.exe
O4 - HKLM\..\RunOnce: [nettx32.exe] C:\WINDOWS\system32\nettx32.exe
O4 - HKLM\..\RunOnce: [netye.exe] C:\WINDOWS\netye.exe

O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\netzu.exe (file missing)

Click "Fix checked". Close HijackThis.

- Run it again -> config->misc tools->delete an NT service
in the box, type : NSS
->ok

- Run again About:Buster TWICE.

- Run Killbox and paste the full file path of each of the below files
in the box and tick "Delete on Reboot".
Next click on the button with the red circle and an X in the middle ("Delete file").
You will get a message saying "File will be deleted on next reboot". Click "Yes",
and then another: "Files will be removed on reboot. Do you want to reboot now?". Click "No".
Click "Yes" after the last file and post a new log when you have rebooted.

C:\WINDOWS\system32\winfz32.exe
C:\WINDOWS\ipvm.exe
C:\WINDOWS\system32\apixv.exe
C:\WINDOWS\system32\atlxa.exe
C:\WINDOWS\mfchr32.exe
C:\WINDOWS\javapr32.exe
C:\WINDOWS\system32\nettx32.exe
C:\WINDOWS\netye.exe
C:\WINDOWS\xlgso.dll
C:\WINDOWS\ipvm.dll
C:\WINDOWS\sysom32.dll

Let the computer reboot and post a new log, please.
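Added example (not the thread's own tooling, nor part of HijackThis): a Python triage script that applies the tells Acrobaze is keying on in this post to a HijackThis log, and cross-checks the flagged files against the "Running processes" list, since a file that is still running has to be ended before it can be deleted. The regexes and the ctfmon.exe allowlist are assumptions fitted to the log lines shown in the thread.

```python
"""Triage a HijackThis log for CoolWebSearch-style indicators (added example)."""
import re
from collections import namedtuple

# Patterns are assumptions fitted to the HijackThis 1.99 line format in the thread.
RES_HIJACK = re.compile(r"res://(C:\\WINDOWS\\[a-z0-9]+\.dll)/sp\.html#\d+", re.I)
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A bare .exe/.dll dropped directly into C:\WINDOWS or C:\WINDOWS\system32.
WINDIR_FILE = re.compile(r"^C:\\WINDOWS\\(system32\\)?[a-z0-9]+\.(exe|dll)$", re.I)
KNOWN_GOOD = {"ctfmon.exe"}  # genuine Windows binary that is also self-named (assumption)

Finding = namedtuple("Finding", "kind artifact line")  # artifact: file the entry points at

def classify(line):
    """Map one HijackThis line to a Finding, or None if nothing stands out."""
    line = line.strip()
    if line.startswith(("R0 -", "R1 -")):
        m = RES_HIJACK.search(line)  # IE search page redirected into a local DLL
        return Finding("ie_search_hijack", m.group(1), line) if m else None
    if line.startswith("R3 -") and "URLSearchHook is missing" in line:
        return Finding("urlsearchhook_missing", "", line)
    m = O2_LINE.match(line)  # the CWS BHOs register under the bare name "Class"
    if m and m.group("name") == "Class" and WINDIR_FILE.match(m.group("path")):
        return Finding("unnamed_bho", m.group("path"), line)
    m = O4_LINE.match(line)
    if m:
        cmd = m.group("cmd").strip('"')
        exe = cmd.rsplit("\\", 1)[-1].lower()
        if exe in KNOWN_GOOD or not WINDIR_FILE.match(cmd):
            return None
        if m.group("key") == "RunOnce":
            # RunOnce values are consumed at boot; one that survives is being re-planted.
            return Finding("persistent_runonce", cmd, line)
        return Finding("selfnamed_run", cmd, line) if m.group("label").lower() == exe else None
    m = O23_LINE.match(line)
    if m and m.group("owner").lower().startswith("unknown"):
        path = m.group("path")
        kind = "unknown_service_missing_file" if "(file missing)" in path else "unknown_service"
        # Drop the '" /s' and '(file missing)' decorations seen on the service line.
        return Finding(kind, path.split('"')[0].split(" (file missing)")[0].strip(), line)
    return None

def running_processes(log_text):
    """Lower-cased paths under 'Running processes:' (the next blank line ends it)."""
    lines = [raw.strip() for raw in log_text.splitlines()] + [""]
    if "Running processes:" not in lines:
        return set()
    start = lines.index("Running processes:") + 1
    return {p.lower() for p in lines[start:lines.index("", start)]}

def triage(log_text):
    """Group findings by kind, list the files involved and flag any that are
    still running (those have to be ended before the files can be deleted)."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    by_kind = {}
    for f in findings:
        by_kind.setdefault(f.kind, []).append(f.line)
    files = sorted({f.artifact.lower() for f in findings if f.artifact})
    running = running_processes(log_text)
    return {"by_kind": by_kind, "files": files,
            "still_running": [p for p in files if p in running]}

# Constructed sample: a subset of lines from the thread's second log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\ipvm.exe
C:\WINDOWS\system32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xlgso.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F6E2FCAE-1198-A1BC-63E6-EFD2567AC69A} - C:\WINDOWS\ipvm.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ipvm.exe] C:\WINDOWS\ipvm.exe
O4 - HKLM\..\RunOnce: [apixv.exe] C:\WINDOWS\system32\apixv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\netzu.exe (file missing)"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print({k: len(v) for k, v in report["by_kind"].items()})
    print("files:", report["files"], "still running:", report["still_running"])
```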
  #8  
Old August 14th, 2005, 02:53 PM
JamieE JamieE is offline
Senior Member
 
Join Date: Jun 2004
Posts: 175
Hi, got to the stage below and can't find "delete an NT service";
have found Config > Misc Tools.


- Run it again -> config->misc tools->delete an NT service
in the box, type : NSS
->ok
  #9  
Old August 14th, 2005, 02:57 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Ha! You need the last version (1.99.1) of HijackThis:
http://www.spywareinfo.com/~merijn/
  #10  
Old August 14th, 2005, 03:50 PM
JamieE JamieE is offline
Senior Member
 
Join Date: Jun 2004
Posts: 175
Hi, ok, started again.

NSS was not started but was at Auto, so I disabled it.
Killed the ipvm.exe process.

Ran HJT in safe mode and fixed all, but the files below were not there.

O2 - BHO: Class - {F6E2FCAE-1198-A1BC-63E6-EFD2567AC69A} - C:\WINDOWS\ipvm.dll
O2 - BHO: Class - {F9611D23-F7B8-A44B-E962-46EE65E5DBA4} - C:\WINDOWS\sysom32.dll
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\netzu.exe (file missing)

Ran Buster twice; the 1st time it deleted some files, the 2nd time it found none.

Ran Killbox and did as advised.

Still got the problem.

Log below:
Logfile of HijackThis v1.99.1
Scan saved at 3:43:54 PM, on 8/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
C:\WINDOWS\system32\atljd32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {76F53757-9FEA-7D69-1396-53BBD24BD3EB} - C:\WINDOWS\system32\javail32.dll
O2 - BHO: Class - {A44A72AD-BA94-291C-E676-DC6544A2D511} - C:\WINDOWS\system32\ntdj32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [atljd32.exe] C:\WINDOWS\system32\atljd32.exe
O4 - HKLM\..\RunOnce: [iesq.exe] C:\WINDOWS\system32\iesq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe...nttracking.cab
O16 - DPF: {80922B68-D8DE-11D5-8D10-0050DAD09327} (Batch Processing Control) - http://www.thomsononeanalytics.com/p...tchPrintNT.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netzu.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  #11  
Old August 14th, 2005, 05:07 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Ok. It resists.

- Keep About:Buster and CWSServiceRemove ready
- Download CWShredder -Alone-. Only update it.
- Go here and download CleanUp!, install it but do not run it yet.
--------
ControlAltDel
End the process : atljd32.exe
---------

Reboot in safe mode.

- Start->run->services.msc
Stop and disable : Network Security Service

- Run HijackThis and tick :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gvgtw.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {76F53757-9FEA-7D69-1396-53BBD24BD3EB} - C:\WINDOWS\system32\javail32.dll
O2 - BHO: Class - {A44A72AD-BA94-291C-E676-DC6544A2D511} - C:\WINDOWS\system32\ntdj32.dll

O4 - HKLM\..\Run: [atljd32.exe] C:\WINDOWS\system32\atljd32.exe
O4 - HKLM\..\RunOnce: [iesq.exe] C:\WINDOWS\system32\iesq.exe

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netzu.exe" /s (file missing)

Click "Fix checked".

- Delete the files :
C:\WINDOWS\system32\atljd32.exe
C:\WINDOWS\system32\iesq.exe
Empty the recycle bin.

- Double-click on cwsserviceremove.reg you downloaded earlier.
When it asks you to merge the information to the registry click "Yes".

- Run again About:Buster TWICE.

- Run CWShredder (Fix->next).

- Open CleanUp! Click on Options and uncheck all preferences except for
"Scan Local Drives for Temporary Files". Click OK and click on CleanUp!
Let it work.

Reboot in normal mode.

Launch this online scan. Copy its final report.

Now, in this thread :
- post a new HijackThis log
- copy/paste the BitDefender report, please.
  #12  
Old August 15th, 2005, 01:11 AM
JamieE JamieE is offline
Senior Member
 
Join Date: Jun 2004
Posts: 175
Urgent

Hi, followed your instructions, got to reboot in normal mode, then
tried to start IE but it says iexplore.exe has been moved or changed; nearest match c:\windows\servicepackfiles\i386\iexplore.exe
  #13  
Old August 15th, 2005, 11:14 AM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
The normal path is : C:\Program Files\Internet Explorer\IEXPLORE.EXE
Is it there ?
  #14  
Old August 15th, 2005, 11:59 AM
JamieE JamieE is offline
Senior Member
 
Join Date: Jun 2004
Posts: 175
No, the only .exe file in that folder is iedw.exe.
  #15  
Old August 15th, 2005, 12:07 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Have you deleted it ?

I verified the version : 6.0.2900.2180

Go to : c:\windows\servicepackfiles\i386\
Right click : iexplore.exe and choose "Copy"

Now, go to : C:\Program Files\Internet Explorer\
right click in the folder and choose "Paste".