Options

enjoywebsurf

Unknown
edited March 2005 in Spyware & Virus Removal
PLEASE HELP
i have been taken over by enjoywebsurf,i have used AD-AWARE SE & SPY BOT
both with latest update.I am running WINDOWS ME
THANKS FOR THE HELP.Logfile of HijackThis v1.97.7
Scan saved at 22:20:34, on 11/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ATLRT32.EXE
C:\WINDOWS\SYSTEM\WINZI32.EXE
C:\WINDOWS\SYSTEM\NTKO32.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\APPLS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE ANTISPYWARE\MSSCLI.EXE
C:\WINDOWS\MFCNB32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 2.1\STIMGBROWSER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\BT BROADBAND\HELP\BIN\MAD.EXE
C:\PROGRAM FILES\BT BROADBAND\HELP\BIN\MPBTN.EXE
C:\PROGRAM FILES\MOTIVE\ASSTCOMMON\MOTIVEDIRECTORY.EXE
C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
O2 - BHO: (no name) - {2C177D9C-7181-6F49-B74B-E365FF3AC68C} - C:\WINDOWS\SYSTEM\NETZF.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-US\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\Program Files\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [EPSON Stylus C42 Serie (Copy 2)] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P31 "EPSON Stylus C42 Serie (Copy 2)" /O7 "EPUSB1:" /M "Stylus C42"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [UninstallString] "C:\Program Files\InstallShield Installation Information\{C7B39B40-52C3-11D4-AFCE-00E0B8138A4A}\setup.exe" -l0x9 REMOVE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [_AntiSpyware] C:\PROGRAM FILES\MCAFEE\MCAFEE ANTISPYWARE\MssCli.exe
O4 - HKLM\..\Run: [MFCNB32.EXE] C:\WINDOWS\MFCNB32.EXE
O4 - HKLM\..\RunServices: [NTKO32.EXE] C:\WINDOWS\SYSTEM\NTKO32.EXE
O4 - HKLM\..\RunServices: [ATLRT32.EXE] C:\WINDOWS\ATLRT32.EXE
O4 - HKLM\..\RunServices: [WINZI32.EXE] C:\WINDOWS\SYSTEM\WINZI32.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [APPLS.EXE] C:\WINDOWS\APPLS.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Startup: Digimax Viewer 2.1.lnk = C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Kangaroo (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38421.5202893519

Comments

  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited March 2005
    Hi jim crickett.


    ===============

    Download CWShredder 2 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

    ===============

    Download, unzip to your desktop About:Buster and run it, then:

    1. Click "Update".
    2. Click "Check For Update"

    (If no new version is available, skip to step #4.)

    3. Click "Download Update", and wait for it to be installed.
    4. Click "Start".

    (Wait for the initial ADS scan to complete.)

    5. Click "Yes", to shutdown any IE session currently open.

    (Wait for the about:blank scan to complete.)

    6. Click "Ok", to scan once more.
    7. Click "Yes", to shutdown any IE sessions currently open.
    8. Click "Yes", to begin the second pass.

    9. Click "Save log", and post this log back along with your new log.
    10. Click "Exit".
    11. Click "Exit".


    ===============

    Download the newest version of HiJackThis; version 1.99.1. Then repost your log, either now, or after following the steps in the solution (if provided in this post). This version has features that might be more helpful in 'cleaning' up your system.

    ===============

    Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

    regsvr32 /u NETZF.DLL

    It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

    ===============

    Run HiJackThis then:

    1. Click "Config..."
    2. Click "Misc Tools"
    3. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\WINDOWS\ATLRT32.EXE
    C:\WINDOWS\SYSTEM\WINZI32.EXE
    C:\WINDOWS\SYSTEM\NTKO32.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\APPLS.EXE
    C:\WINDOWS\MFCNB32.EXE

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
    ===============

    Run HiJackThis and click "Scan", then check(tick) the following, if present:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\zpsxr.dll/sp.html#44768

    O2 - BHO: (no name) - {2C177D9C-7181-6F49-B74B-E365FF3AC68C} - C:\WINDOWS\SYSTEM\NETZF.DLL

    O4 - HKLM\..\Run: [MFCNB32.EXE] C:\WINDOWS\MFCNB32.EXE
    O4 - HKLM\..\RunServices: [NTKO32.EXE] C:\WINDOWS\SYSTEM\NTKO32.EXE
    O4 - HKLM\..\RunServices: [ATLRT32.EXE] C:\WINDOWS\ATLRT32.EXE
    O4 - HKLM\..\RunServices: [WINZI32.EXE] C:\WINDOWS\SYSTEM\WINZI32.EXE
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [APPLS.EXE] C:\WINDOWS\APPLS.EXE

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    ...(Unless you've set these with a anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)


    Now, with all windows closed except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

    folders...

    C:\WINDOWS\SYSTEM\KB891711

    files...

    C:\WINDOWS\ATLRT32.EXE
    C:\WINDOWS\SYSTEM\WINZI32.EXE
    C:\WINDOWS\SYSTEM\NTKO32.EXE
    C:\WINDOWS\APPLS.EXE
    C:\WINDOWS\MFCNB32.EXE
    C:\WINDOWS\system\zpsxr.dll
    C:\WINDOWS\SYSTEM\NETZF.DLL

    -

    Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

    ===============

    Post back a new log after rebooting and let me know how everything goes.
Sign In or Register to comment.