HELP ME PLEEEEEEEEEASE! I'm pretty new at this

I don't know where to start...

I have
1. Search Extender
2. Shopping Wizard
3. Home Search Assistant

And goodness knows what else....

I use Avast! antivirus (because I'm too broke to buy Norton) which hasn't found anything, until when I open IE...then the fun starts.

For the first coupla dozen times, it said it detected Win32:Winshow [trj] which through the forums I see is a not-so-uncommon trojan...anyway, it says that, and the file name was something like "cwxyb.dll" or something similar...I found a step-by-step on this forum, which I followed with the exception of the "aboutbuster" application, which yesterday, I couldn't find to download, and the link on the page wasn't working...anyway I have the program now, for future reference...so I used the tutorial, which said I could proceed without the Buster program. In the end, it didn't work, I still have the program, though now the file that keeps creating itself EVERY TIME I NAVIGATE TO A DIFFERENT WEBPAGE is called "xatjf.dll" and the virus name is the same, Win32:Winshow....I don't know what to do! Pleeeeease someone help me.

Some notes:
I have run hsremove, which doesn't fix the problem...nor does the online scan available at CS. I have run spybot S&D, AdAware. Neither of those work. I have "aboutbuster" and "hijack this", so if anyone gives me any help, I have those programs to use.

I don't have a printer, so I can't print the log file from Hijack this...but I guess it's ok if I copy + paste it into wordpad?

On a side note, my AIM keeps crashing, which it NEVER EVER did before this all started, so I don't know...

And finally, and I don't know if this is related...my email account URL is "email.fment.com" and now when I try to load it, it says cannot find server, and the URL is changed to "res://xatjf.dll/url_error.html" which is the same name as that stupid virus, or something...

Just in case it's relevant, this is my "hijack this" log....

Logfile of HijackThis v1.98.2
Scan saved at 8:57:59 PM, on 12/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\netcu.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\system32\apiyj.exe
C:\Program Files\Apoint\Apntex.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\justin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {249CC0A1-9ABC-B843-D795-80061B76632D} - C:\WINDOWS\system32\mfckp32.dll
O2 - BHO: (no name) - {42AF77F8-8F80-593A-6033-1F5340E12130} - C:\WINDOWS\system32\msci32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [apiyj.exe] C:\WINDOWS\system32\apiyj.exe
O4 - HKLM\..\RunOnce: [netcu.exe] C:\WINDOWS\system32\netcu.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sqlwoa] C:\WINDOWS\System32\sqlwoa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2169e9643604ab297101/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB


PLEASE SOMEONE RESPOND SOON!!! If possible...

Thanx ahead of time for any help offered!!

Comments

  • SpywareShooter
    edited December 2004
    O2 - BHO: (no name) - {249CC0A1-9ABC-B843-D795-80061B76632D} - C:\WINDOWS\system32\mfckp32.dll
    O2 - BHO: (no name) - {42AF77F8-8F80-593A-6033-1F5340E12130} - C:\WINDOWS\system32\msci32.dll
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [apiyj.exe] C:\WINDOWS\system32\apiyj.exe
    O4 - HKLM\..\RunOnce: [netcu.exe] C:\WINDOWS\system32\netcu.exe
    O4 - HKCU\..\Run: [sqlwoa] C:\WINDOWS\System32\sqlwoa.exe
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2169e96...ip/RdxIE601.cab

    Fix those entries then find and delete the files listed above, reboot and post a new log.
  • edited December 2004
    I just opened HJT and scanned, and

    O2 - BHO: (no name) - {249CC0A1-9ABC-B843-D795-80061B76632D} - C:\WINDOWS\system32\mfckp32.dll


    Isn't there....

    I found the rest of the entries you listed, and am about to fix them...

    As far as deleting the files, can I search my hard drive or do I need to go into that regedit thing? I'm really sorry for the uninformed questions, but I'm new to most of this....
  • SpywareShooter
    edited December 2004
    Search your hard drive. HJT will remove the registry entries.
  • edited December 2004
    Thanks for your help, by the way...pleeeease keep being patient, I appreciate it...there were a bunch of those files that I couldn't find...I found the right folder, looked through alphabetically, but some of them weren't there....anyway I fixed those entries, restarted, and re-ran HJT....


    Logfile of HijackThis v1.98.2
    Scan saved at 9:56:11 PM, on 12/16/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\System32\ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\Atiptaxx.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\apiyj.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\netcu.exe
    C:\WINDOWS\System32\wuauclt.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\justin\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {E16ABF8F-83C2-19DB-8289-DC73827B4EE6} - C:\WINDOWS\system32\crma.dll
    O2 - BHO: (no name) - {EBC02FBC-0AED-C6BD-89AC-B1EF230B8178} - C:\WINDOWS\system32\sysdi.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [apiyj.exe] C:\WINDOWS\system32\apiyj.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\RunOnce: [netcu.exe] C:\WINDOWS\system32\netcu.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB


    By the way,

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    I got to the P2P folder, but there was no P2PNetworking.exe....???


    THANKS soooo much for the help, pleeeease don't abandon ship on me!
  • edited December 2004
    by the way, the DLL file that keeps generating when I open new web browser windows or change pages, has changed names...it's now

    stfgq.dll
  • SpywareShooter
    edited December 2004
    Use Firefox (http://www.mozilla.org) until we fix this.

    O2 - BHO: (no name) - {E16ABF8F-83C2-19DB-8289-DC73827B4EE6} - C:\WINDOWS\system32\crma.dll
    O2 - BHO: (no name) - {EBC02FBC-0AED-C6BD-89AC-B1EF230B8178} - C:\WINDOWS\system32\sysdi.dll
    O4 - HKLM\..\Run: [apiyj.exe] C:\WINDOWS\system32\apiyj.exe

    Fix those entries then find and delete these files:
    C:\WINDOWS\system32\crma.dll
    C:\WINDOWS\system32\sysdi.dll
    C:\WINDOWS\system32\apiyj.exe
    C:\WINDOWS\system32\netcu.exe

    Then reboot and post a new log.

    Do not use Internet Explorer until this is solved.
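    The two replies above pick entries out of the HijackThis log by eye: unnamed O2 BHOs loading DLLs from system32, O4 Run values in system32 whose key name is nothing but the file name, the O15 Trusted Zone entry, and the O16 ActiveX control pulled from a local file:// path. The script below is an added example (not part of the thread, not a HijackThis feature) that encodes those same cues as a parser over log lines; the SAMPLE_LOG is constructed from entries in this thread plus one benign BHO with a placeholder GUID.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the HijackThis v1.98 log above: entries
# taken from the thread plus one benign, named BHO with a placeholder GUID.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {E16ABF8F-83C2-19DB-8289-DC73827B4EE6} - C:\WINDOWS\system32\crma.dll
O2 - BHO: Example Named Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [apiyj.exe] C:\WINDOWS\system32\apiyj.exe
O4 - HKCU\..\Run: [sqlwoa] C:\WINDOWS\System32\sqlwoa.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 body looks like: HKLM\..\Run: [key name] "optional quote"path\file.exe args
RUN_RE = re.compile(r'^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] "?(?P<exe>.*?\.exe)', re.I)


def in_system32(path):
    """True when the file sits directly in the Windows system32 folder."""
    parent = str(PureWindowsPath(path.strip().strip('"')).parent).lower()
    return parent == r"c:\windows\system32"


def suspicious_entries(log_text):
    """Return (kind, reason, line) for entries matching the cues the thread used."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body, reason = m.group("kind"), m.group("body"), None
        if kind == "O2":
            dll = body.rsplit(" - ", 1)[-1]
            if "(no name)" in body and in_system32(dll):
                reason = "unnamed BHO loading a DLL straight from system32"
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r and in_system32(r.group("exe")):
                stem = PureWindowsPath(r.group("exe")).stem.lower()
                if r.group("name").lower() in (stem, stem + ".exe"):
                    reason = "Run value in system32 whose key name is just the file name"
        elif kind == "O15":
            reason = "site added to the IE Trusted Zone"
        elif kind == "O16" and body.rsplit(" - ", 1)[-1].lower().startswith("file://"):
            reason = "ActiveX control registered from a local file:// path"
        if reason:
            hits.append((kind, reason, raw.strip()))
    return hits
```

    Calling suspicious_entries(SAMPLE_LOG) flags five of the eight sample lines and leaves the named BHO, the avast! Run value and the CA web-scan control alone; it is a triage aid over the log, not a replacement for reading it.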
  • edited December 2004
    All clear....figured it out between HJT, AboutBuster, and your instructions....thanks!!! Appreciate the help. Peace.