
inetkw.dll is popping up all over the place!

I have a window that is popping up many times. "Error loading C:\progra~1\intern~z\inetkw.dll"

Can someone please look at this file from HijackThis and suggest what I need to get rid of?

Logfile of HijackThis v1.97.7
Scan saved at 4:13:18 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\crod.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\system32\netfs.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\spkfs.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spkfs.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spkfs.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\spkfs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spkfs.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\spkfs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50140
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EAAB545-5DA5-D593-1DC7-5C6B1EC765D8} - C:\WINDOWS\system32\sdkbw.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ntax32.exe] C:\WINDOWS\system32\ntax32.exe
O4 - HKLM\..\Run: [netfs.exe] C:\WINDOWS\system32\netfs.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\RunOnce: [atllq.exe] C:\WINDOWS\system32\atllq.exe
O4 - HKLM\..\RunOnce: [netjf.exe] C:\WINDOWS\netjf.exe
O4 - HKLM\..\RunOnce: [mfcod32.exe] C:\WINDOWS\mfcod32.exe
O4 - HKLM\..\RunOnce: [ntuj32.exe] C:\WINDOWS\system32\ntuj32.exe
O4 - HKLM\..\RunOnce: [sysxm.exe] C:\WINDOWS\sysxm.exe
O4 - HKLM\..\RunOnce: [apizq.exe] C:\WINDOWS\apizq.exe
O4 - HKLM\..\RunOnce: [netpo32.exe] C:\WINDOWS\netpo32.exe
O4 - HKLM\..\RunOnce: [crwa32.exe] C:\WINDOWS\system32\crwa32.exe
O4 - HKLM\..\RunOnce: [javahf32.exe] C:\WINDOWS\javahf32.exe
O4 - HKLM\..\RunOnce: [sdkbl.exe] C:\WINDOWS\sdkbl.exe
O4 - HKLM\..\RunOnce: [syscw.exe] C:\WINDOWS\system32\syscw.exe
O4 - HKLM\..\RunOnce: [mfcwc32.exe] C:\WINDOWS\system32\mfcwc32.exe
O4 - HKLM\..\RunOnce: [winsg.exe] C:\WINDOWS\winsg.exe
O4 - HKLM\..\RunOnce: [netgp32.exe] C:\WINDOWS\system32\netgp32.exe
O4 - HKLM\..\RunOnce: [iept32.exe] C:\WINDOWS\iept32.exe
O4 - HKLM\..\RunOnce: [d3gm32.exe] C:\WINDOWS\d3gm32.exe
O4 - HKLM\..\RunOnce: [mfcwc.exe] C:\WINDOWS\system32\mfcwc.exe
O4 - HKLM\..\RunOnce: [msma.exe] C:\WINDOWS\msma.exe
O4 - HKLM\..\RunOnce: [d3ve32.exe] C:\WINDOWS\system32\d3ve32.exe
O4 - HKLM\..\RunOnce: [crdz.exe] C:\WINDOWS\system32\crdz.exe
O4 - HKLM\..\RunOnce: [apigk32.exe] C:\WINDOWS\system32\apigk32.exe
O4 - HKLM\..\RunOnce: [mfccz32.exe] C:\WINDOWS\mfccz32.exe
O4 - HKLM\..\RunOnce: [mfcyo32.exe] C:\WINDOWS\mfcyo32.exe
O4 - HKLM\..\RunOnce: [atloe.exe] C:\WINDOWS\system32\atloe.exe
O4 - HKLM\..\RunOnce: [ntfz32.exe] C:\WINDOWS\system32\ntfz32.exe
O4 - HKLM\..\RunOnce: [msnm32.exe] C:\WINDOWS\system32\msnm32.exe
O4 - HKLM\..\RunOnce: [appup32.exe] C:\WINDOWS\appup32.exe
O4 - HKLM\..\RunOnce: [d3xi.exe] C:\WINDOWS\d3xi.exe
O4 - HKLM\..\RunOnce: [d3vg.exe] C:\WINDOWS\system32\d3vg.exe
O4 - HKLM\..\RunOnce: [crhm32.exe] C:\WINDOWS\system32\crhm32.exe
O4 - HKLM\..\RunOnce: [apigm.exe] C:\WINDOWS\system32\apigm.exe
O4 - HKLM\..\RunOnce: [javadl32.exe] C:\WINDOWS\javadl32.exe
O4 - HKLM\..\RunOnce: [ntcb32.exe] C:\WINDOWS\system32\ntcb32.exe
O4 - HKLM\..\RunOnce: [msjn32.exe] C:\WINDOWS\msjn32.exe
O4 - HKLM\..\RunOnce: [ieff32.exe] C:\WINDOWS\ieff32.exe
O4 - HKLM\..\RunOnce: [ntsu32.exe] C:\WINDOWS\ntsu32.exe
O4 - HKLM\..\RunOnce: [ipoj32.exe] C:\WINDOWS\system32\ipoj32.exe
O4 - HKLM\..\RunOnce: [d3ww32.exe] C:\WINDOWS\system32\d3ww32.exe
O4 - HKLM\..\RunOnce: [javajg32.exe] C:\WINDOWS\system32\javajg32.exe
O4 - HKLM\..\RunOnce: [addwm.exe] C:\WINDOWS\system32\addwm.exe
O4 - HKLM\..\RunOnce: [netae32.exe] C:\WINDOWS\system32\netae32.exe
O4 - HKLM\..\RunOnce: [javalf32.exe] C:\WINDOWS\system32\javalf32.exe
O4 - HKLM\..\RunOnce: [sdkvd32.exe] C:\WINDOWS\sdkvd32.exe
O4 - HKLM\..\RunOnce: [atlwm32.exe] C:\WINDOWS\system32\atlwm32.exe
O4 - HKLM\..\RunOnce: [apiys32.exe] C:\WINDOWS\system32\apiys32.exe
O4 - HKLM\..\RunOnce: [winpz32.exe] C:\WINDOWS\winpz32.exe
O4 - HKLM\..\RunOnce: [ntqd32.exe] C:\WINDOWS\system32\ntqd32.exe
O4 - HKLM\..\RunOnce: [msuf32.exe] C:\WINDOWS\msuf32.exe
O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
O4 - HKLM\..\RunOnce: [addgw32.exe] C:\WINDOWS\system32\addgw32.exe
O4 - HKLM\..\RunOnce: [mstw.exe] C:\WINDOWS\mstw.exe
O4 - HKLM\..\RunOnce: [apiyp32.exe] C:\WINDOWS\apiyp32.exe
O4 - HKLM\..\RunOnce: [syspp.exe] C:\WINDOWS\syspp.exe
O4 - HKLM\..\RunOnce: [appbl32.exe] C:\WINDOWS\appbl32.exe
O4 - HKLM\..\RunOnce: [ntms.exe] C:\WINDOWS\system32\ntms.exe
O4 - HKLM\..\RunOnce: [ntxa.exe] C:\WINDOWS\ntxa.exe
O4 - HKLM\..\RunOnce: [netfu32.exe] C:\WINDOWS\netfu32.exe
O4 - HKLM\..\RunOnce: [ntxz.exe] C:\WINDOWS\system32\ntxz.exe
O4 - HKLM\..\RunOnce: [ntlq.exe] C:\WINDOWS\ntlq.exe
O4 - HKLM\..\RunOnce: [crho32.exe] C:\WINDOWS\crho32.exe
O4 - HKLM\..\RunOnce: [winpj32.exe] C:\WINDOWS\winpj32.exe
O4 - HKLM\..\RunOnce: [msfq32.exe] C:\WINDOWS\msfq32.exe
O4 - HKLM\..\RunOnce: [wintw32.exe] C:\WINDOWS\system32\wintw32.exe
O4 - HKLM\..\RunOnce: [sysds.exe] C:\WINDOWS\sysds.exe
O4 - HKLM\..\RunOnce: [atlhu.exe] C:\WINDOWS\system32\atlhu.exe
O4 - HKLM\..\RunOnce: [netyf.exe] C:\WINDOWS\system32\netyf.exe
O4 - HKLM\..\RunOnce: [syski32.exe] C:\WINDOWS\system32\syski32.exe
O4 - HKLM\..\RunOnce: [ntjc32.exe] C:\WINDOWS\system32\ntjc32.exe
O4 - HKLM\..\RunOnce: [mscz32.exe] C:\WINDOWS\mscz32.exe
O4 - HKLM\..\RunOnce: [nettg.exe] C:\WINDOWS\nettg.exe
O4 - HKLM\..\RunOnce: [mfcuy.exe] C:\WINDOWS\system32\mfcuy.exe
O4 - HKLM\..\RunOnce: [sdkbk.exe] C:\WINDOWS\system32\sdkbk.exe
O4 - HKLM\..\RunOnce: [appqi32.exe] C:\WINDOWS\appqi32.exe
O4 - HKLM\..\RunOnce: [apipo32.exe] C:\WINDOWS\system32\apipo32.exe
O4 - HKLM\..\RunOnce: [croz32.exe] C:\WINDOWS\croz32.exe
O4 - HKLM\..\RunOnce: [atlii.exe] C:\WINDOWS\system32\atlii.exe
O4 - HKLM\..\RunOnce: [msiq32.exe] C:\WINDOWS\system32\msiq32.exe
O4 - HKLM\..\RunOnce: [ipli.exe] C:\WINDOWS\system32\ipli.exe
O4 - HKLM\..\RunOnce: [ipbz.exe] C:\WINDOWS\ipbz.exe
O4 - HKLM\..\RunOnce: [crfb.exe] C:\WINDOWS\crfb.exe
O4 - HKLM\..\RunOnce: [apigk.exe] C:\WINDOWS\system32\apigk.exe
O4 - HKLM\..\RunOnce: [apicz.exe] C:\WINDOWS\apicz.exe
O4 - HKLM\..\RunOnce: [msqf.exe] C:\WINDOWS\msqf.exe
O4 - HKLM\..\RunOnce: [atlqz.exe] C:\WINDOWS\atlqz.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/content/IbmEgath.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mattscomputermedics.local
O17 - HKLM\Software\..\Telephony: DomainName = mattscomputermedics.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mattscomputermedics.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mattscomputermedics.local

Thanks

Comments

  • vanagon40 Indiana Member
    edited July 2004
    Wow!!!!!!

    Welcome to Short Media.

    First things first.

    Please move HJT out of the Temp folder and into its own folder. When HJT removes items, a backup is made that will get lost in the Temp folder.

    Next, download, update, and run AdAware and Spybot S&D. You can get them here => http://www.short-media.com/download.php?dc=69

    Then, for good measure, download, update, and run CWShredder. You can get it here => http://www.spywareinfo.com/~merijn/downloads.html

    Then post a new log. Hopefully, the above programs will remove much (maybe all) of the problems (and you've got a lot of them). We'll clean up whatever is left.
  • Dexter Vancouver, BC Canada
    edited July 2004
    Holy crap, this is a nasty one, and we are starting to see more of it.

    Here's what you need to do...

    Put HJT into its own folder, e.g. C:\HJT. That way the backups of your fixes will have a safe place to hang out. :)

    Next, click the link in my sig for our security downloads and download LSP-Fix. Put that in the same folder as HJT for simplicity.

    Disable System Restore (Start Menu -> Control Panels -> System -> System Restore). Turn off System Restore for all drives. Apply and OK.

    Reboot in SAFE MODE (tap F8 key at boot until you get the boot options menu. Choose SAFE MODE with no options.)

    Run HJT. Scan. Fix the following:



    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\spkfs.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spkfs.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spkfs.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\spkfs.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spkfs.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\spkfs.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50140
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O2 - BHO: (no name) - {3EAAB545-5DA5-D593-1DC7-5C6B1EC765D8} - C:\WINDOWS\system32\sdkbw.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [ntax32.exe] C:\WINDOWS\system32\ntax32.exe
    O4 - HKLM\..\Run: [netfs.exe] C:\WINDOWS\system32\netfs.exe
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
    O4 - HKLM\..\RunOnce: [atllq.exe] C:\WINDOWS\system32\atllq.exe
    O4 - HKLM\..\RunOnce: [netjf.exe] C:\WINDOWS\netjf.exe
    O4 - HKLM\..\RunOnce: [mfcod32.exe] C:\WINDOWS\mfcod32.exe
    O4 - HKLM\..\RunOnce: [ntuj32.exe] C:\WINDOWS\system32\ntuj32.exe
    O4 - HKLM\..\RunOnce: [sysxm.exe] C:\WINDOWS\sysxm.exe
    O4 - HKLM\..\RunOnce: [apizq.exe] C:\WINDOWS\apizq.exe
    O4 - HKLM\..\RunOnce: [netpo32.exe] C:\WINDOWS\netpo32.exe
    O4 - HKLM\..\RunOnce: [crwa32.exe] C:\WINDOWS\system32\crwa32.exe
    O4 - HKLM\..\RunOnce: [javahf32.exe] C:\WINDOWS\javahf32.exe
    O4 - HKLM\..\RunOnce: [sdkbl.exe] C:\WINDOWS\sdkbl.exe
    O4 - HKLM\..\RunOnce: [syscw.exe] C:\WINDOWS\system32\syscw.exe
    O4 - HKLM\..\RunOnce: [mfcwc32.exe] C:\WINDOWS\system32\mfcwc32.exe
    O4 - HKLM\..\RunOnce: [winsg.exe] C:\WINDOWS\winsg.exe
    O4 - HKLM\..\RunOnce: [netgp32.exe] C:\WINDOWS\system32\netgp32.exe
    O4 - HKLM\..\RunOnce: [iept32.exe] C:\WINDOWS\iept32.exe
    O4 - HKLM\..\RunOnce: [d3gm32.exe] C:\WINDOWS\d3gm32.exe
    O4 - HKLM\..\RunOnce: [mfcwc.exe] C:\WINDOWS\system32\mfcwc.exe
    O4 - HKLM\..\RunOnce: [msma.exe] C:\WINDOWS\msma.exe
    O4 - HKLM\..\RunOnce: [d3ve32.exe] C:\WINDOWS\system32\d3ve32.exe
    O4 - HKLM\..\RunOnce: [crdz.exe] C:\WINDOWS\system32\crdz.exe
    O4 - HKLM\..\RunOnce: [apigk32.exe] C:\WINDOWS\system32\apigk32.exe
    O4 - HKLM\..\RunOnce: [mfccz32.exe] C:\WINDOWS\mfccz32.exe
    O4 - HKLM\..\RunOnce: [mfcyo32.exe] C:\WINDOWS\mfcyo32.exe
    O4 - HKLM\..\RunOnce: [atloe.exe] C:\WINDOWS\system32\atloe.exe
    O4 - HKLM\..\RunOnce: [ntfz32.exe] C:\WINDOWS\system32\ntfz32.exe
    O4 - HKLM\..\RunOnce: [msnm32.exe] C:\WINDOWS\system32\msnm32.exe
    O4 - HKLM\..\RunOnce: [appup32.exe] C:\WINDOWS\appup32.exe
    O4 - HKLM\..\RunOnce: [d3xi.exe] C:\WINDOWS\d3xi.exe
    O4 - HKLM\..\RunOnce: [d3vg.exe] C:\WINDOWS\system32\d3vg.exe
    O4 - HKLM\..\RunOnce: [crhm32.exe] C:\WINDOWS\system32\crhm32.exe
    O4 - HKLM\..\RunOnce: [apigm.exe] C:\WINDOWS\system32\apigm.exe
    O4 - HKLM\..\RunOnce: [javadl32.exe] C:\WINDOWS\javadl32.exe
    O4 - HKLM\..\RunOnce: [ntcb32.exe] C:\WINDOWS\system32\ntcb32.exe
    O4 - HKLM\..\RunOnce: [msjn32.exe] C:\WINDOWS\msjn32.exe
    O4 - HKLM\..\RunOnce: [ieff32.exe] C:\WINDOWS\ieff32.exe
    O4 - HKLM\..\RunOnce: [ntsu32.exe] C:\WINDOWS\ntsu32.exe
    O4 - HKLM\..\RunOnce: [ipoj32.exe] C:\WINDOWS\system32\ipoj32.exe
    O4 - HKLM\..\RunOnce: [d3ww32.exe] C:\WINDOWS\system32\d3ww32.exe
    O4 - HKLM\..\RunOnce: [javajg32.exe] C:\WINDOWS\system32\javajg32.exe
    O4 - HKLM\..\RunOnce: [addwm.exe] C:\WINDOWS\system32\addwm.exe
    O4 - HKLM\..\RunOnce: [netae32.exe] C:\WINDOWS\system32\netae32.exe
    O4 - HKLM\..\RunOnce: [javalf32.exe] C:\WINDOWS\system32\javalf32.exe
    O4 - HKLM\..\RunOnce: [sdkvd32.exe] C:\WINDOWS\sdkvd32.exe
    O4 - HKLM\..\RunOnce: [atlwm32.exe] C:\WINDOWS\system32\atlwm32.exe
    O4 - HKLM\..\RunOnce: [apiys32.exe] C:\WINDOWS\system32\apiys32.exe
    O4 - HKLM\..\RunOnce: [winpz32.exe] C:\WINDOWS\winpz32.exe
    O4 - HKLM\..\RunOnce: [ntqd32.exe] C:\WINDOWS\system32\ntqd32.exe
    O4 - HKLM\..\RunOnce: [msuf32.exe] C:\WINDOWS\msuf32.exe
    O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
    O4 - HKLM\..\RunOnce: [addgw32.exe] C:\WINDOWS\system32\addgw32.exe
    O4 - HKLM\..\RunOnce: [mstw.exe] C:\WINDOWS\mstw.exe
    O4 - HKLM\..\RunOnce: [apiyp32.exe] C:\WINDOWS\apiyp32.exe
    O4 - HKLM\..\RunOnce: [syspp.exe] C:\WINDOWS\syspp.exe
    O4 - HKLM\..\RunOnce: [appbl32.exe] C:\WINDOWS\appbl32.exe
    O4 - HKLM\..\RunOnce: [ntms.exe] C:\WINDOWS\system32\ntms.exe
    O4 - HKLM\..\RunOnce: [ntxa.exe] C:\WINDOWS\ntxa.exe
    O4 - HKLM\..\RunOnce: [netfu32.exe] C:\WINDOWS\netfu32.exe
    O4 - HKLM\..\RunOnce: [ntxz.exe] C:\WINDOWS\system32\ntxz.exe
    O4 - HKLM\..\RunOnce: [ntlq.exe] C:\WINDOWS\ntlq.exe
    O4 - HKLM\..\RunOnce: [crho32.exe] C:\WINDOWS\crho32.exe
    O4 - HKLM\..\RunOnce: [winpj32.exe] C:\WINDOWS\winpj32.exe
    O4 - HKLM\..\RunOnce: [msfq32.exe] C:\WINDOWS\msfq32.exe
    O4 - HKLM\..\RunOnce: [wintw32.exe] C:\WINDOWS\system32\wintw32.exe
    O4 - HKLM\..\RunOnce: [sysds.exe] C:\WINDOWS\sysds.exe
    O4 - HKLM\..\RunOnce: [atlhu.exe] C:\WINDOWS\system32\atlhu.exe
    O4 - HKLM\..\RunOnce: [netyf.exe] C:\WINDOWS\system32\netyf.exe
    O4 - HKLM\..\RunOnce: [syski32.exe] C:\WINDOWS\system32\syski32.exe
    O4 - HKLM\..\RunOnce: [ntjc32.exe] C:\WINDOWS\system32\ntjc32.exe
    O4 - HKLM\..\RunOnce: [mscz32.exe] C:\WINDOWS\mscz32.exe
    O4 - HKLM\..\RunOnce: [nettg.exe] C:\WINDOWS\nettg.exe
    O4 - HKLM\..\RunOnce: [mfcuy.exe] C:\WINDOWS\system32\mfcuy.exe
    O4 - HKLM\..\RunOnce: [sdkbk.exe] C:\WINDOWS\system32\sdkbk.exe
    O4 - HKLM\..\RunOnce: [appqi32.exe] C:\WINDOWS\appqi32.exe
    O4 - HKLM\..\RunOnce: [apipo32.exe] C:\WINDOWS\system32\apipo32.exe
    O4 - HKLM\..\RunOnce: [croz32.exe] C:\WINDOWS\croz32.exe
    O4 - HKLM\..\RunOnce: [atlii.exe] C:\WINDOWS\system32\atlii.exe
    O4 - HKLM\..\RunOnce: [msiq32.exe] C:\WINDOWS\system32\msiq32.exe
    O4 - HKLM\..\RunOnce: [ipli.exe] C:\WINDOWS\system32\ipli.exe
    O4 - HKLM\..\RunOnce: [ipbz.exe] C:\WINDOWS\ipbz.exe
    O4 - HKLM\..\RunOnce: [crfb.exe] C:\WINDOWS\crfb.exe
    O4 - HKLM\..\RunOnce: [apigk.exe] C:\WINDOWS\system32\apigk.exe
    O4 - HKLM\..\RunOnce: [apicz.exe] C:\WINDOWS\apicz.exe
    O4 - HKLM\..\RunOnce: [msqf.exe] C:\WINDOWS\msqf.exe
    O4 - HKLM\..\RunOnce: [atlqz.exe] C:\WINDOWS\atlqz.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML


    Okay, that's the bulk of them. You may also want to clean up:


    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe

    (Someone has been downloading some sort of porn installer on your computer...and you never know what kind of crap you got with that.)

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

    (A generically named file. Toast it.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mattscomputermedics.local
    O17 - HKLM\Software\..\Telephony: DomainName = mattscomputermedics.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mattscomputermedics.local
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mattscomputermedics.local

    (Unless you know someone at "mattscomputermedics", I'd delete all these entries.)

    After fixing those entries, exit HJT. Stay in SAFE MODE, and manually locate every single one of those .exe files, .dll files and .html files.

    Move these to a new folder called C:\Quarantine. Rename the .dll's to .ddd, the .exe's to .xxx and the .html's to .hhhh. That way you can always replace them if it somehow turns out that I am completely wrong and these are necessary files....which is not likely, but quarantining is safer than deleting them.

    Next, run LSP-Fix, and fix any problems it finds.

    Reboot, and check things out. Scan with HJT and post a fresh log to let us know how it worked.

    Dexter...
  • Dexter Vancouver, BC Canada
    edited July 2004
    vanagon45 wrote:
    Then, for good measure, download, update, and run CWShredder. You can get it here => http://www.spywareinfo.com/~merijn/downloads.html


    Vanagon,

    This is a new variant of CWS, and the CWS Shredder program does not remove it yet. Have to go manual with this one. As you can see with the number of entries in the RunOnce reg...they are getting desperate...

    Dexter...
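
The manual review of the O4 autorun lines described in the replies above can be triaged with a short script. This is an added example, not part of the original thread or of HijackThis; the function names and the flagging heuristic (registry value name equals the file name, and the file sits directly in C:\WINDOWS or C:\WINDOWS\system32) are assumptions made for illustration.

```python
import re
from collections import Counter
from ntpath import basename, dirname

# Excerpt of the HijackThis log posted in this thread (lines copied from above).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spkfs.dll/index.html#37049
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [netfs.exe] C:\WINDOWS\system32\netfs.exe
O4 - HKLM\..\RunOnce: [atllq.exe] C:\WINDOWS\system32\atllq.exe
O4 - HKLM\..\RunOnce: [netjf.exe] C:\WINDOWS\netjf.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""

# "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# Directories where a self-named autorun file is treated as worth a closer look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_autoruns(log):
    """Return one dict (key, name, cmd) per O4 line; other sections are skipped."""
    entries = []
    for line in log.splitlines():
        match = O4_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def is_suspicious(entry):
    """Heuristic (assumption): value name is the file name itself and the
    file lives directly in the Windows or system32 directory."""
    cmd = entry["cmd"].strip('"')
    return (entry["name"].lower() == basename(cmd).lower()
            and dirname(cmd).lower() in SYSTEM_DIRS)


def triage(log):
    """Count autoruns per registry key and list the entries the heuristic flags."""
    entries = parse_autoruns(log)
    per_key = Counter(entry["key"] for entry in entries)
    flagged = [entry for entry in entries if is_suspicious(entry)]
    return per_key, flagged


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    for key, count in counts.items():
        print(f"{key}: {count} autorun entries")
    for entry in flagged:
        print(f"review: {entry['key']} [{entry['name']}] {entry['cmd']}")
```

The heuristic only narrows the list for review: entries such as [WinTools] and [TV Media], which the reply above also marks for fixing, are not flagged by it and still need a manual check.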