Options
I have msrn.exe pop up every time IE opens a window.
Please help. had deleted a few of these .exe that kept popping up evertime i opened IE. tried to download mozilla but cannot download for some reason. Just need to get this taken care of. I really do not want to reformat. Thank you for your time.
Logfile of HijackThis v1.99.1
Scan saved at 12:19:31 PM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Don\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {928234F6-C5C4-2850-6A67-BFEE94276F48} - C:\WINDOWS\system32\sdkat.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [appqh.exe] C:\WINDOWS\appqh.exe
O4 - HKLM\..\Run: [msll.exe] C:\WINDOWS\msll.exe
O4 - HKLM\..\Run: [mfcyd.exe] C:\WINDOWS\mfcyd.exe
O4 - HKLM\..\Run: [javanu.exe] C:\WINDOWS\system32\javanu.exe
O4 - HKLM\..\Run: [netmh32.exe] C:\WINDOWS\netmh32.exe
O4 - HKLM\..\Run: [netpw32.exe] C:\WINDOWS\system32\netpw32.exe
O4 - HKLM\..\Run: [appfm.exe] C:\WINDOWS\appfm.exe
O4 - HKLM\..\Run: [croa32.exe] C:\WINDOWS\system32\croa32.exe
O4 - HKLM\..\Run: [mspg32.exe] C:\WINDOWS\mspg32.exe
O4 - HKLM\..\Run: [atlpa32.exe] C:\WINDOWS\atlpa32.exe
O4 - HKLM\..\Run: [ntni.exe] C:\WINDOWS\system32\ntni.exe
O4 - HKLM\..\Run: [ipya32.exe] C:\WINDOWS\ipya32.exe
O4 - HKLM\..\Run: [ntri32.exe] C:\WINDOWS\system32\ntri32.exe
O4 - HKLM\..\Run: [winnf.exe] C:\WINDOWS\winnf.exe
O4 - HKLM\..\Run: [msrn.exe] C:\WINDOWS\msrn.exe
O4 - HKLM\..\RunOnce: [ntbl.exe] C:\WINDOWS\system32\ntbl.exe
O4 - HKLM\..\RunOnce: [crhm32.exe] C:\WINDOWS\crhm32.exe
O4 - HKLM\..\RunOnce: [iehp.exe] C:\WINDOWS\system32\iehp.exe
O4 - HKLM\..\RunOnce: [mfchc.exe] C:\WINDOWS\mfchc.exe
O4 - HKLM\..\RunOnce: [windq.exe] C:\WINDOWS\windq.exe
O4 - HKLM\..\RunOnce: [addzn.exe] C:\WINDOWS\addzn.exe
O4 - HKLM\..\RunOnce: [javaqu32.exe] C:\WINDOWS\javaqu32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c11.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84EF7198-21AE-41A2-B4A8-49C8F45F462B}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipnm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Logfile of HijackThis v1.99.1
Scan saved at 12:19:31 PM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Don\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {928234F6-C5C4-2850-6A67-BFEE94276F48} - C:\WINDOWS\system32\sdkat.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [appqh.exe] C:\WINDOWS\appqh.exe
O4 - HKLM\..\Run: [msll.exe] C:\WINDOWS\msll.exe
O4 - HKLM\..\Run: [mfcyd.exe] C:\WINDOWS\mfcyd.exe
O4 - HKLM\..\Run: [javanu.exe] C:\WINDOWS\system32\javanu.exe
O4 - HKLM\..\Run: [netmh32.exe] C:\WINDOWS\netmh32.exe
O4 - HKLM\..\Run: [netpw32.exe] C:\WINDOWS\system32\netpw32.exe
O4 - HKLM\..\Run: [appfm.exe] C:\WINDOWS\appfm.exe
O4 - HKLM\..\Run: [croa32.exe] C:\WINDOWS\system32\croa32.exe
O4 - HKLM\..\Run: [mspg32.exe] C:\WINDOWS\mspg32.exe
O4 - HKLM\..\Run: [atlpa32.exe] C:\WINDOWS\atlpa32.exe
O4 - HKLM\..\Run: [ntni.exe] C:\WINDOWS\system32\ntni.exe
O4 - HKLM\..\Run: [ipya32.exe] C:\WINDOWS\ipya32.exe
O4 - HKLM\..\Run: [ntri32.exe] C:\WINDOWS\system32\ntri32.exe
O4 - HKLM\..\Run: [winnf.exe] C:\WINDOWS\winnf.exe
O4 - HKLM\..\Run: [msrn.exe] C:\WINDOWS\msrn.exe
O4 - HKLM\..\RunOnce: [ntbl.exe] C:\WINDOWS\system32\ntbl.exe
O4 - HKLM\..\RunOnce: [crhm32.exe] C:\WINDOWS\crhm32.exe
O4 - HKLM\..\RunOnce: [iehp.exe] C:\WINDOWS\system32\iehp.exe
O4 - HKLM\..\RunOnce: [mfchc.exe] C:\WINDOWS\mfchc.exe
O4 - HKLM\..\RunOnce: [windq.exe] C:\WINDOWS\windq.exe
O4 - HKLM\..\RunOnce: [addzn.exe] C:\WINDOWS\addzn.exe
O4 - HKLM\..\RunOnce: [javaqu32.exe] C:\WINDOWS\javaqu32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c11.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84EF7198-21AE-41A2-B4A8-49C8F45F462B}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipnm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
0
Comments
Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.
Please print out these instructions.
Step 1
Download CWShredder but don't run it yet.
Step 2
Download AboutBuster
Unzip it to your desktop but don't run it yet.
Step 3
Download Ad-aware SE 1.06
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.
Step 5
Make sure that you can VIEW ALL HIDDEN FILES.
Step 6
Reboot your computer into SAFE MODE
Step 7
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hklym.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {928234F6-C5C4-2850-6A67-BFEE94276F48} - C:\WINDOWS\system32\sdkat.dll
O4 - HKLM\..\Run: [appqh.exe] C:\WINDOWS\appqh.exe
O4 - HKLM\..\Run: [msll.exe] C:\WINDOWS\msll.exe
O4 - HKLM\..\Run: [mfcyd.exe] C:\WINDOWS\mfcyd.exe
O4 - HKLM\..\Run: [javanu.exe] C:\WINDOWS\system32\javanu.exe
O4 - HKLM\..\Run: [netmh32.exe] C:\WINDOWS\netmh32.exe
O4 - HKLM\..\Run: [netpw32.exe] C:\WINDOWS\system32\netpw32.exe
O4 - HKLM\..\Run: [appfm.exe] C:\WINDOWS\appfm.exe
O4 - HKLM\..\Run: [croa32.exe] C:\WINDOWS\system32\croa32.exe
O4 - HKLM\..\Run: [mspg32.exe] C:\WINDOWS\mspg32.exe
O4 - HKLM\..\Run: [atlpa32.exe] C:\WINDOWS\atlpa32.exe
O4 - HKLM\..\Run: [ntni.exe] C:\WINDOWS\system32\ntni.exe
O4 - HKLM\..\Run: [ipya32.exe] C:\WINDOWS\ipya32.exe
O4 - HKLM\..\Run: [ntri32.exe] C:\WINDOWS\system32\ntri32.exe
O4 - HKLM\..\Run: [winnf.exe] C:\WINDOWS\winnf.exe
O4 - HKLM\..\Run: [msrn.exe] C:\WINDOWS\msrn.exe
O4 - HKLM\..\RunOnce: [ntbl.exe] C:\WINDOWS\system32\ntbl.exe
O4 - HKLM\..\RunOnce: [crhm32.exe] C:\WINDOWS\crhm32.exe
O4 - HKLM\..\RunOnce: [iehp.exe] C:\WINDOWS\system32\iehp.exe
O4 - HKLM\..\RunOnce: [mfchc.exe] C:\WINDOWS\mfchc.exe
O4 - HKLM\..\RunOnce: [windq.exe] C:\WINDOWS\windq.exe
O4 - HKLM\..\RunOnce: [addzn.exe] C:\WINDOWS\addzn.exe
O4 - HKLM\..\RunOnce: [javaqu32.exe] C:\WINDOWS\javaqu32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/W.../bridge-c11.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipnm.exe
Step 8
Now run CWShredder, making sure to click "Fix".
Step 9
Delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\system32\hklym.dll
C:\WINDOWS\system32\sdkat.dll
C:\WINDOWS\system32\javanu.exe
C:\WINDOWS\system32\netpw32.exe
C:\WINDOWS\system32\croa32.exe
C:\WINDOWS\system32\ntni.exe
C:\WINDOWS\system32\ntri32.exe
C:\WINDOWS\system32\ntbl.exe
C:\WINDOWS\system32\iehp.exe
C:\WINDOWS\system32\ipnm.exe
C:\WINDOWS\appqh.exe
C:\WINDOWS\msll.exe
C:\WINDOWS\mfcyd.exe
C:\WINDOWS\netmh32.exe
C:\WINDOWS\appfm.exe
C:\WINDOWS\mspg32.exe
C:\WINDOWS\atlpa32.exe
C:\WINDOWS\ipya32.exe
C:\WINDOWS\winnf.exe
C:\WINDOWS\msrn.exe
C:\WINDOWS\crhm32.exe
C:\WINDOWS\mfchc.exe
C:\WINDOWS\windq.exe
C:\WINDOWS\addzn.exe
C:\WINDOWS\javaqu32.exe
Step 10
Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.
Step 11
Run a full scan with Adaware.
Reboot your computer to go back to normal mode and post a new hijackthis log and the log from About Buster.
Logfile of HijackThis v1.99.1
Scan saved at 2:42:22 PM, on 7/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\iewy.exe
C:\Documents and Settings\Don\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7ADE1326-D284-F0A5-10FF-77792B035B54} - C:\WINDOWS\mspn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E45A180C-02A8-D9D9-3A2F-A8BA2A458B2C} - C:\WINDOWS\system32\crsj32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iewy.exe] C:\WINDOWS\iewy.exe
O4 - HKLM\..\RunOnce: [javagj32.exe] C:\WINDOWS\system32\javagj32.exe
O4 - HKLM\..\RunOnce: [d3oy.exe] C:\WINDOWS\system32\d3oy.exe
O4 - HKLM\..\RunOnce: [winch.exe] C:\WINDOWS\system32\winch.exe
O4 - HKLM\..\RunOnce: [apiew32.exe] C:\WINDOWS\apiew32.exe
O4 - HKLM\..\RunOnce: [addtx.exe] C:\WINDOWS\addtx.exe
O4 - HKLM\..\RunOnce: [netwf32.exe] C:\WINDOWS\netwf32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javagj32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
AboutBuster 5.0 Short Tutorial
============================================================
Table Of Contents
I. Tutorial on how to use
II. Resetting your homepage
III. Error codes
IV. Credits
I. Tutorial on how to use
Make sure this program is run in safe mode.
1) Unzip all files to a folder.
2) Start AboutBuster 5.0 and press Update to make sure you have the latest reference file version
3) Hit BEGIN REMOVAL. Allow the program to run.
4) AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
5) Shut down AboutBuster. A log should have been created. *IF ASKED FOR*, please post that log on the forum.
II. Resetting your homepage
Due to the complaints i have been getting i will not allow AboutBuster 5.0 to set your hompage to google.com. Instead i have created a short tutorial to do it here.
1) Open Internet Explorer.
2) Go into the tools tab and press INTERNET OPTIONS.
3) In the text box on the Home page frame type in your preferred address and hit apply at the very bottom.
Your Set!
III. Error codes
~ Problem: Missing msvbvm60.dll
~ Solution: Download patch from
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=BA9D7924-4122-44AF-8AB4-7C039D9BF629
~ Problem: Error 339 Missing comctl32.ocx
~ Solution: Download file from
http://www.ascentive.com/support/new/images/lib/COMCTL32.OCX
Copy it into your system folder (Windows XP, 2000, NT = C:\Windows\System32) or (Win ME, 98, 95 = C:\Windows\System) and register it.
~ Any other bugs or errors please report them on the forum.
IV. Credits
If you need any more help please visit www.malwarebytes.biz/forums.
- Marcin (Creator of AboutBuster)
I assume no responsibility for any damage that happens to your computer while running AboutBuster 5.0. I also assure you i did not create the virus this program removes.
I couldn't have done it without the wonderful people listed below.
miekiemoes, jeff, coyote, mitch, mike, noggie, pomp, merijn, therock247uk, bubbabear, all the wonderful people in the spywareinfo chatroom, anybody mirroring AboutBuster.
Special thanks to SomeUser for creating our wonderful website.
AboutBuster 5.0 reference file 28
Scan started on [7/4/2005] at [2:17:11 PM]
Removed Stream! C:\WINDOWS\comsetup.log:khmws
Removed Stream! C:\WINDOWS\eReg.dat:uwizp
Removed Stream! C:\WINDOWS\KB885835.log:hnbil
Removed Stream! C:\WINDOWS\LUINSTALL.LOG:fcznr
Removed Stream! C:\WINDOWS\otfzt.dat:uxmaxr
Removed Stream! C:\WINDOWS\proxy.xml:zedndh
Removed Stream! C:\WINDOWS\Rhododendron.bmp:oknnu
Removed Stream! C:\WINDOWS\Sti_Trace.log:ysckf
Removed Stream! C:\WINDOWS\SYMEVENT.LOG:lrocfm
Removed Stream! C:\WINDOWS\WindowsUpdate.log:edstu
Removed Stream! C:\WINDOWS\wininit.tmp:sunlse
Removed Stream! C:\WINDOWS\WINNT32.LOG:kvfqmg
Removed Stream! C:\WINDOWS\_default.pif:apbrf
Removed Stream! C:\WINDOWS\_default.pif:bcmtf
No Files Found!
Scan was COMPLETED SUCCESSFULLY at 2:17:46 PM
Print out these directions and then reboot into Safe mode.
Fix these lines with Hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xrdrr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7ADE1326-D284-F0A5-10FF-77792B035B54} - C:\WINDOWS\mspn.dll
O2 - BHO: Class - {E45A180C-02A8-D9D9-3A2F-A8BA2A458B2C} - C:\WINDOWS\system32\crsj32.dll
O4 - HKLM\..\Run: [iewy.exe] C:\WINDOWS\iewy.exe
O4 - HKLM\..\RunOnce: [javagj32.exe] C:\WINDOWS\system32\javagj32.exe
O4 - HKLM\..\RunOnce: [d3oy.exe] C:\WINDOWS\system32\d3oy.exe
O4 - HKLM\..\RunOnce: [winch.exe] C:\WINDOWS\system32\winch.exe
O4 - HKLM\..\RunOnce: [apiew32.exe] C:\WINDOWS\apiew32.exe
O4 - HKLM\..\RunOnce: [addtx.exe] C:\WINDOWS\addtx.exe
O4 - HKLM\..\RunOnce: [netwf32.exe] C:\WINDOWS\netwf32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javagj32.exe" /s (file missing)
Delete these files:
C:\WINDOWS\system32\xrdrr.dll
C:\WINDOWS\system32\javagj32.exe
C:\WINDOWS\system32\crsj32.dll
C:\WINDOWS\system32\javagj32.exe
C:\WINDOWS\system32\d3oy.exe
C:\WINDOWS\system32\winch.exe
C:\WINDOWS\apiew32.exe
C:\WINDOWS\addtx.exe
C:\WINDOWS\netwf32.exe
C:\WINDOWS\mspn.dll
C:\WINDOWS\iewy.exe
Run CWShredder.
Run About Buster.
Delete temp files
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
Reboot back to normal mode.
Run AboutBuster once again in normal mode.
Run this online virus scan.
TrendMicro Housecall
Reboot once more and post a new hijackthis log.
Logfile of HijackThis v1.99.1
Scan saved at 7:39:39 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Documents and Settings\Don\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0CAF50AA-AF9F-61D0-F50D-41F52F032FDF} - C:\WINDOWS\system32\apist.dll
O2 - BHO: Class - {1E5865E5-FF6F-A5FA-646C-038A3C2F5165} - C:\WINDOWS\system32\winix32.dll
O2 - BHO: Class - {75DB1C5D-4338-B2DA-7E2E-486E23737320} - C:\WINDOWS\system32\crnz.dll
O2 - BHO: Class - {AB9E092A-BF8D-71DD-9AA4-6E0B78BFA0CE} - C:\WINDOWS\system32\crcx32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FEC3013D-7A0B-B9E6-A740-E5BB02853BA3} - C:\WINDOWS\system32\cruo.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iewy.exe] C:\WINDOWS\iewy.exe
O4 - HKLM\..\Run: [appnv32.exe] C:\WINDOWS\system32\appnv32.exe
O4 - HKLM\..\Run: [mfcnu.exe] C:\WINDOWS\mfcnu.exe
O4 - HKLM\..\Run: [sysjr32.exe] C:\WINDOWS\sysjr32.exe
O4 - HKLM\..\RunOnce: [javagj32.exe] C:\WINDOWS\system32\javagj32.exe
O4 - HKLM\..\RunOnce: [d3oy.exe] C:\WINDOWS\system32\d3oy.exe
O4 - HKLM\..\RunOnce: [msgj32.exe] C:\WINDOWS\msgj32.exe
O4 - HKLM\..\RunOnce: [msxi32.exe] C:\WINDOWS\msxi32.exe
O4 - HKLM\..\RunOnce: [sdkag32.exe] C:\WINDOWS\system32\sdkag32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javagj32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zwqlt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0CAF50AA-AF9F-61D0-F50D-41F52F032FDF} - C:\WINDOWS\system32\apist.dll
O2 - BHO: Class - {1E5865E5-FF6F-A5FA-646C-038A3C2F5165} - C:\WINDOWS\system32\winix32.dll
O2 - BHO: Class - {75DB1C5D-4338-B2DA-7E2E-486E23737320} - C:\WINDOWS\system32\crnz.dll
O2 - BHO: Class - {AB9E092A-BF8D-71DD-9AA4-6E0B78BFA0CE} - C:\WINDOWS\system32\crcx32.dll
O2 - BHO: Class - {FEC3013D-7A0B-B9E6-A740-E5BB02853BA3} - C:\WINDOWS\system32\cruo.dll
O4 - HKLM\..\Run: [iewy.exe] C:\WINDOWS\iewy.exe
O4 - HKLM\..\Run: [appnv32.exe] C:\WINDOWS\system32\appnv32.exe
O4 - HKLM\..\Run: [mfcnu.exe] C:\WINDOWS\mfcnu.exe
O4 - HKLM\..\Run: [sysjr32.exe] C:\WINDOWS\sysjr32.exe
O4 - HKLM\..\RunOnce: [javagj32.exe] C:\WINDOWS\system32\javagj32.exe
O4 - HKLM\..\RunOnce: [d3oy.exe] C:\WINDOWS\system32\d3oy.exe
O4 - HKLM\..\RunOnce: [msgj32.exe] C:\WINDOWS\msgj32.exe
O4 - HKLM\..\RunOnce: [msxi32.exe] C:\WINDOWS\msxi32.exe
O4 - HKLM\..\RunOnce: [sdkag32.exe] C:\WINDOWS\system32\sdkag32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javagj32.exe" /s (file missing)
============
Run CWShredder.
============
Run AboutBuster.
============
Delete these files, if present.
C:\WINDOWS\zwqlt.dll
C:\WINDOWS\system32\apist.dll
C:\WINDOWS\system32\winix32.dll
C:\WINDOWS\system32\crnz.dll
C:\WINDOWS\system32\crcx32.dll
C:\WINDOWS\system32\cruo.dll
C:\WINDOWS\iewy.exe
C:\WINDOWS\system32\appnv32.exe
C:\WINDOWS\mfcnu.exe
C:\WINDOWS\sysjr32.exe
C:\WINDOWS\system32\javagj32.exe
C:\WINDOWS\system32\d3oy.exe
C:\WINDOWS\msgj32.exe
C:\WINDOWS\msxi32.exe
C:\WINDOWS\system32\sdkag32.exe
C:\WINDOWS\system32\javagj32.exe
Reboot and post a new hijackthis log and a the log from About Buster.