User Response Needed: Think I have a trojan

I picked up CWS somewhere, and it seems to be spawning other rubbish too

I've been running Ad-Aware SE 1.05, which is picking up like 40 bugs per shot, also running XoftSpy, which again recognises bugs each time, and I've run CWS Shredder numerous times too

I'm aware there's more to it than that anyway, so here's my HijackThis log; hopefully someone can help me out

thanks

Logfile of HijackThis v1.99.1
Scan saved at 20:29:35, on 08/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\crtr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Paul\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rkved.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rkved.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rkved.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rkved.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rkved.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rkved.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rkved.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {B8E94CDC-6232-EAC7-FC61-677FDCA6C7FA} - C:\WINDOWS\system32\addpt.dll
O2 - BHO: Class - {FEB483F5-8A5D-3258-6771-68C68254E839} - C:\WINDOWS\system32\ipcj32.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [crtr32.exe] C:\WINDOWS\crtr32.exe
O4 - HKLM\..\RunOnce: [d3vt32.exe] C:\WINDOWS\system32\d3vt32.exe
O4 - HKLM\..\RunOnce: [mfcbs32.exe] C:\WINDOWS\mfcbs32.exe
O4 - HKLM\..\RunOnce: [mfcle.exe] C:\WINDOWS\system32\mfcle.exe
O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\system32\crzv32.exe
O4 - HKLM\..\RunOnce: [msjz32.exe] C:\WINDOWS\msjz32.exe
O4 - HKLM\..\RunOnce: [atlsj.exe] C:\WINDOWS\atlsj.exe
O4 - HKLM\..\RunOnce: [winir.exe] C:\WINDOWS\winir.exe
O4 - HKLM\..\RunOnce: [atlvb.exe] C:\WINDOWS\atlvb.exe
O4 - HKLM\..\RunOnce: [winrf.exe] C:\WINDOWS\system32\winrf.exe
O4 - HKLM\..\RunOnce: [apiou32.exe] C:\WINDOWS\apiou32.exe
O4 - HKLM\..\RunOnce: [sysav32.exe] C:\WINDOWS\system32\sysav32.exe
O4 - HKLM\..\RunOnce: [winhd32.exe] C:\WINDOWS\system32\winhd32.exe
O4 - HKLM\..\RunOnce: [apirw32.exe] C:\WINDOWS\apirw32.exe
O4 - HKLM\..\RunOnce: [msre.exe] C:\WINDOWS\system32\msre.exe
O4 - HKLM\..\RunOnce: [javavq.exe] C:\WINDOWS\javavq.exe
O4 - HKLM\..\RunOnce: [atlbm32.exe] C:\WINDOWS\system32\atlbm32.exe
O4 - HKLM\..\RunOnce: [netii.exe] C:\WINDOWS\netii.exe
O4 - HKLM\..\RunOnce: [sysoe32.exe] C:\WINDOWS\system32\sysoe32.exe
O4 - HKLM\..\RunOnce: [addhy32.exe] C:\WINDOWS\addhy32.exe
O4 - HKLM\..\RunOnce: [crmu32.exe] C:\WINDOWS\crmu32.exe
O4 - HKLM\..\RunOnce: [iels32.exe] C:\WINDOWS\system32\iels32.exe
O4 - HKLM\..\RunOnce: [javabz.exe] C:\WINDOWS\javabz.exe
O4 - HKLM\..\RunOnce: [apiap32.exe] C:\WINDOWS\apiap32.exe
O4 - HKLM\..\RunOnce: [addye32.exe] C:\WINDOWS\system32\addye32.exe
O4 - HKLM\..\RunOnce: [appym.exe] C:\WINDOWS\system32\appym.exe
O4 - HKLM\..\RunOnce: [winhm.exe] C:\WINDOWS\winhm.exe
O4 - HKLM\..\RunOnce: [netwk32.exe] C:\WINDOWS\system32\netwk32.exe
O4 - HKLM\..\RunOnce: [sdkmr32.exe] C:\WINDOWS\system32\sdkmr32.exe
O4 - HKLM\..\RunOnce: [ippv.exe] C:\WINDOWS\system32\ippv.exe
O4 - HKLM\..\RunOnce: [appok32.exe] C:\WINDOWS\system32\appok32.exe
O4 - HKLM\..\RunOnce: [iefa32.exe] C:\WINDOWS\iefa32.exe
O4 - HKLM\..\RunOnce: [sysei.exe] C:\WINDOWS\sysei.exe
O4 - HKLM\..\RunOnce: [msni.exe] C:\WINDOWS\system32\msni.exe
O4 - HKLM\..\RunOnce: [ieia32.exe] C:\WINDOWS\ieia32.exe
O4 - HKLM\..\RunOnce: [ntne32.exe] C:\WINDOWS\system32\ntne32.exe
O4 - HKLM\..\RunOnce: [ieqq32.exe] C:\WINDOWS\ieqq32.exe
O4 - HKLM\..\RunOnce: [javaym.exe] C:\WINDOWS\javaym.exe
O4 - HKLM\..\RunOnce: [sdkyn.exe] C:\WINDOWS\system32\sdkyn.exe
O4 - HKLM\..\RunOnce: [d3pc.exe] C:\WINDOWS\system32\d3pc.exe
O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\crqc.exe
O4 - HKLM\..\RunOnce: [netsh32.exe] C:\WINDOWS\netsh32.exe
O4 - HKLM\..\RunOnce: [iesp.exe] C:\WINDOWS\system32\iesp.exe
O4 - HKLM\..\RunOnce: [atlbk32.exe] C:\WINDOWS\system32\atlbk32.exe
O4 - HKLM\..\RunOnce: [mfcnd32.exe] C:\WINDOWS\mfcnd32.exe
O4 - HKLM\..\RunOnce: [sysrz32.exe] C:\WINDOWS\sysrz32.exe
O4 - HKLM\..\RunOnce: [apiul.exe] C:\WINDOWS\apiul.exe
O4 - HKLM\..\RunOnce: [appqx.exe] C:\WINDOWS\system32\appqx.exe
O4 - HKLM\..\RunOnce: [ntom32.exe] C:\WINDOWS\ntom32.exe
O4 - HKLM\..\RunOnce: [netjo32.exe] C:\WINDOWS\system32\netjo32.exe
O4 - HKLM\..\RunOnce: [ipdh.exe] C:\WINDOWS\system32\ipdh.exe
O4 - HKLM\..\RunOnce: [crzl.exe] C:\WINDOWS\crzl.exe
O4 - HKLM\..\RunOnce: [sysre32.exe] C:\WINDOWS\system32\sysre32.exe
O4 - HKLM\..\RunOnce: [apphl.exe] C:\WINDOWS\system32\apphl.exe
O4 - HKLM\..\RunOnce: [iplp32.exe] C:\WINDOWS\iplp32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O15 - Trusted Zone: *.line6.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{640033F0-C626-4A39-9723-8A7A657CBD7D}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3vt32.exe" /s (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Comments

  • Shadow2018, Northwest Missouri
    edited July 2005
    You may want to print these instructions for your reference.

    Download Ad-Aware SE 1.06. Save the setup file to your desktop and then run it. Update Ad-Aware SE 1.06 with the latest definitions and exit it for now.


    Place a checkmark next to these entries and click Fix Checked. Be sure to close all open windows before proceeding:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rkved.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rkved.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rkved.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rkved.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rkved.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rkved.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rkved.dll/sp.html#93256
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {B8E94CDC-6232-EAC7-FC61-677FDCA6C7FA} - C:\WINDOWS\system32\addpt.dll
    O2 - BHO: Class - {FEB483F5-8A5D-3258-6771-68C68254E839} - C:\WINDOWS\system32\ipcj32.dll
    O4 - HKLM\..\Run: [crtr32.exe] C:\WINDOWS\crtr32.exe
    O4 - HKLM\..\RunOnce: [d3vt32.exe] C:\WINDOWS\system32\d3vt32.exe
    O4 - HKLM\..\RunOnce: [mfcbs32.exe] C:\WINDOWS\mfcbs32.exe
    O4 - HKLM\..\RunOnce: [mfcle.exe] C:\WINDOWS\system32\mfcle.exe
    O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\system32\crzv32.exe
    O4 - HKLM\..\RunOnce: [msjz32.exe] C:\WINDOWS\msjz32.exe
    O4 - HKLM\..\RunOnce: [atlsj.exe] C:\WINDOWS\atlsj.exe
    O4 - HKLM\..\RunOnce: [winir.exe] C:\WINDOWS\winir.exe
    O4 - HKLM\..\RunOnce: [atlvb.exe] C:\WINDOWS\atlvb.exe
    O4 - HKLM\..\RunOnce: [winrf.exe] C:\WINDOWS\system32\winrf.exe
    O4 - HKLM\..\RunOnce: [apiou32.exe] C:\WINDOWS\apiou32.exe
    O4 - HKLM\..\RunOnce: [sysav32.exe] C:\WINDOWS\system32\sysav32.exe
    O4 - HKLM\..\RunOnce: [winhd32.exe] C:\WINDOWS\system32\winhd32.exe
    O4 - HKLM\..\RunOnce: [apirw32.exe] C:\WINDOWS\apirw32.exe
    O4 - HKLM\..\RunOnce: [msre.exe] C:\WINDOWS\system32\msre.exe
    O4 - HKLM\..\RunOnce: [javavq.exe] C:\WINDOWS\javavq.exe
    O4 - HKLM\..\RunOnce: [atlbm32.exe] C:\WINDOWS\system32\atlbm32.exe
    O4 - HKLM\..\RunOnce: [netii.exe] C:\WINDOWS\netii.exe
    O4 - HKLM\..\RunOnce: [sysoe32.exe] C:\WINDOWS\system32\sysoe32.exe
    O4 - HKLM\..\RunOnce: [addhy32.exe] C:\WINDOWS\addhy32.exe
    O4 - HKLM\..\RunOnce: [crmu32.exe] C:\WINDOWS\crmu32.exe
    O4 - HKLM\..\RunOnce: [iels32.exe] C:\WINDOWS\system32\iels32.exe
    O4 - HKLM\..\RunOnce: [javabz.exe] C:\WINDOWS\javabz.exe
    O4 - HKLM\..\RunOnce: [apiap32.exe] C:\WINDOWS\apiap32.exe
    O4 - HKLM\..\RunOnce: [addye32.exe] C:\WINDOWS\system32\addye32.exe
    O4 - HKLM\..\RunOnce: [appym.exe] C:\WINDOWS\system32\appym.exe
    O4 - HKLM\..\RunOnce: [winhm.exe] C:\WINDOWS\winhm.exe
    O4 - HKLM\..\RunOnce: [netwk32.exe] C:\WINDOWS\system32\netwk32.exe
    O4 - HKLM\..\RunOnce: [sdkmr32.exe] C:\WINDOWS\system32\sdkmr32.exe
    O4 - HKLM\..\RunOnce: [ippv.exe] C:\WINDOWS\system32\ippv.exe
    O4 - HKLM\..\RunOnce: [appok32.exe] C:\WINDOWS\system32\appok32.exe
    O4 - HKLM\..\RunOnce: [iefa32.exe] C:\WINDOWS\iefa32.exe
    O4 - HKLM\..\RunOnce: [sysei.exe] C:\WINDOWS\sysei.exe
    O4 - HKLM\..\RunOnce: [msni.exe] C:\WINDOWS\system32\msni.exe
    O4 - HKLM\..\RunOnce: [ieia32.exe] C:\WINDOWS\ieia32.exe
    O4 - HKLM\..\RunOnce: [ntne32.exe] C:\WINDOWS\system32\ntne32.exe
    O4 - HKLM\..\RunOnce: [ieqq32.exe] C:\WINDOWS\ieqq32.exe
    O4 - HKLM\..\RunOnce: [javaym.exe] C:\WINDOWS\javaym.exe
    O4 - HKLM\..\RunOnce: [sdkyn.exe] C:\WINDOWS\system32\sdkyn.exe
    O4 - HKLM\..\RunOnce: [d3pc.exe] C:\WINDOWS\system32\d3pc.exe
    O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\crqc.exe
    O4 - HKLM\..\RunOnce: [netsh32.exe] C:\WINDOWS\netsh32.exe
    O4 - HKLM\..\RunOnce: [iesp.exe] C:\WINDOWS\system32\iesp.exe
    O4 - HKLM\..\RunOnce: [atlbk32.exe] C:\WINDOWS\system32\atlbk32.exe
    O4 - HKLM\..\RunOnce: [mfcnd32.exe] C:\WINDOWS\mfcnd32.exe
    O4 - HKLM\..\RunOnce: [sysrz32.exe] C:\WINDOWS\sysrz32.exe
    O4 - HKLM\..\RunOnce: [apiul.exe] C:\WINDOWS\apiul.exe
    O4 - HKLM\..\RunOnce: [appqx.exe] C:\WINDOWS\system32\appqx.exe
    O4 - HKLM\..\RunOnce: [ntom32.exe] C:\WINDOWS\ntom32.exe
    O4 - HKLM\..\RunOnce: [netjo32.exe] C:\WINDOWS\system32\netjo32.exe
    O4 - HKLM\..\RunOnce: [ipdh.exe] C:\WINDOWS\system32\ipdh.exe
    O4 - HKLM\..\RunOnce: [crzl.exe] C:\WINDOWS\crzl.exe
    O4 - HKLM\..\RunOnce: [sysre32.exe] C:\WINDOWS\system32\sysre32.exe
    O4 - HKLM\..\RunOnce: [apphl.exe] C:\WINDOWS\system32\apphl.exe
    O4 - HKLM\..\RunOnce: [iplp32.exe] C:\WINDOWS\iplp32.exe
    O15 - Trusted Zone: *.line6.net

    Reboot into safe mode. To enter safe mode: reboot > at the start-up screen tap the F8 key > select Safe Mode from the menu.

    Now delete these files if they exist:

    C:\WINDOWS\rkved.dll
    C:\WINDOWS\system32\addpt.dll
    C:\WINDOWS\system32\ipcj32.dll
    O4 - HKLM\..\Run: [crtr32.exe] C:\WINDOWS\crtr32.exe
    O4 - HKLM\..\RunOnce: [d3vt32.exe] C:\WINDOWS\system32\d3vt32.exe
    O4 - HKLM\..\RunOnce: [mfcbs32.exe] C:\WINDOWS\mfcbs32.exe
    O4 - HKLM\..\RunOnce: [mfcle.exe] C:\WINDOWS\system32\mfcle.exe
    O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\system32\crzv32.exe
    O4 - HKLM\..\RunOnce: [msjz32.exe] C:\WINDOWS\msjz32.exe
    O4 - HKLM\..\RunOnce: [atlsj.exe] C:\WINDOWS\atlsj.exe
    O4 - HKLM\..\RunOnce: [winir.exe] C:\WINDOWS\winir.exe
    O4 - HKLM\..\RunOnce: [atlvb.exe] C:\WINDOWS\atlvb.exe
    O4 - HKLM\..\RunOnce: [winrf.exe] C:\WINDOWS\system32\winrf.exe
    O4 - HKLM\..\RunOnce: [apiou32.exe] C:\WINDOWS\apiou32.exe
    O4 - HKLM\..\RunOnce: [sysav32.exe] C:\WINDOWS\system32\sysav32.exe
    O4 - HKLM\..\RunOnce: [winhd32.exe] C:\WINDOWS\system32\winhd32.exe
    O4 - HKLM\..\RunOnce: [apirw32.exe] C:\WINDOWS\apirw32.exe
    O4 - HKLM\..\RunOnce: [msre.exe] C:\WINDOWS\system32\msre.exe
    O4 - HKLM\..\RunOnce: [javavq.exe] C:\WINDOWS\javavq.exe
    O4 - HKLM\..\RunOnce: [atlbm32.exe] C:\WINDOWS\system32\atlbm32.exe
    O4 - HKLM\..\RunOnce: [netii.exe] C:\WINDOWS\netii.exe
    O4 - HKLM\..\RunOnce: [sysoe32.exe] C:\WINDOWS\system32\sysoe32.exe
    O4 - HKLM\..\RunOnce: [addhy32.exe] C:\WINDOWS\addhy32.exe
    O4 - HKLM\..\RunOnce: [crmu32.exe] C:\WINDOWS\crmu32.exe
    O4 - HKLM\..\RunOnce: [iels32.exe] C:\WINDOWS\system32\iels32.exe
    O4 - HKLM\..\RunOnce: [javabz.exe] C:\WINDOWS\javabz.exe
    O4 - HKLM\..\RunOnce: [apiap32.exe] C:\WINDOWS\apiap32.exe
    O4 - HKLM\..\RunOnce: [addye32.exe] C:\WINDOWS\system32\addye32.exe
    O4 - HKLM\..\RunOnce: [appym.exe] C:\WINDOWS\system32\appym.exe
    O4 - HKLM\..\RunOnce: [winhm.exe] C:\WINDOWS\winhm.exe
    O4 - HKLM\..\RunOnce: [netwk32.exe] C:\WINDOWS\system32\netwk32.exe
    O4 - HKLM\..\RunOnce: [sdkmr32.exe] C:\WINDOWS\system32\sdkmr32.exe
    O4 - HKLM\..\RunOnce: [ippv.exe] C:\WINDOWS\system32\ippv.exe
    O4 - HKLM\..\RunOnce: [appok32.exe] C:\WINDOWS\system32\appok32.exe
    O4 - HKLM\..\RunOnce: [iefa32.exe] C:\WINDOWS\iefa32.exe
    O4 - HKLM\..\RunOnce: [sysei.exe] C:\WINDOWS\sysei.exe
    O4 - HKLM\..\RunOnce: [msni.exe] C:\WINDOWS\system32\msni.exe
    O4 - HKLM\..\RunOnce: [ieia32.exe] C:\WINDOWS\ieia32.exe
    O4 - HKLM\..\RunOnce: [ntne32.exe] C:\WINDOWS\system32\ntne32.exe
    O4 - HKLM\..\RunOnce: [ieqq32.exe] C:\WINDOWS\ieqq32.exe
    O4 - HKLM\..\RunOnce: [javaym.exe] C:\WINDOWS\javaym.exe
    O4 - HKLM\..\RunOnce: [sdkyn.exe] C:\WINDOWS\system32\sdkyn.exe
    O4 - HKLM\..\RunOnce: [d3pc.exe] C:\WINDOWS\system32\d3pc.exe
    O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\crqc.exe
    O4 - HKLM\..\RunOnce: [netsh32.exe] C:\WINDOWS\netsh32.exe
    O4 - HKLM\..\RunOnce: [iesp.exe] C:\WINDOWS\system32\iesp.exe
    O4 - HKLM\..\RunOnce: [atlbk32.exe] C:\WINDOWS\system32\atlbk32.exe
    O4 - HKLM\..\RunOnce: [mfcnd32.exe] C:\WINDOWS\mfcnd32.exe
    O4 - HKLM\..\RunOnce: [sysrz32.exe] C:\WINDOWS\sysrz32.exe
    O4 - HKLM\..\RunOnce: [apiul.exe] C:\WINDOWS\apiul.exe
    O4 - HKLM\..\RunOnce: [appqx.exe] C:\WINDOWS\system32\appqx.exe
    O4 - HKLM\..\RunOnce: [ntom32.exe] C:\WINDOWS\ntom32.exe
    O4 - HKLM\..\RunOnce: [netjo32.exe] C:\WINDOWS\system32\netjo32.exe
    O4 - HKLM\..\RunOnce: [ipdh.exe] C:\WINDOWS\system32\ipdh.exe
    O4 - HKLM\..\RunOnce: [crzl.exe] C:\WINDOWS\crzl.exe
    O4 - HKLM\..\RunOnce: [sysre32.exe] C:\WINDOWS\system32\sysre32.exe
    O4 - HKLM\..\RunOnce: [apphl.exe] C:\WINDOWS\system32\apphl.exe
    O4 - HKLM\..\RunOnce: [iplp32.exe] C:\WINDOWS\iplp32.exe

    While still in safe mode run a full system scan with Ad-aware se 1.06.

    Reboot into normal mode and run CWShredder.

    Run Panda Software's ActiveScan.

    If there is anything that ActiveScan does not disinfect, please include that information with a new Hijack This log in your next post. Before posting a new Hijack This log, please make sure all hidden files are viewable:

    Open my computer>click tools>click folder options>
    click view tab>check show hidden files>uncheck hide file extensions>click apply>click OK>exit
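As an added example (not code from this thread, from HijackThis, or from any of the tools named above), the following Python script parses log lines in the HijackThis format shown above and flags the entry shapes the fix list above targets: IE search settings pointing at a res:// resource inside a local DLL, BHOs named only "Class" loaded from the Windows directory, Run/RunOnce values whose name is simply the file name of a short random-looking executable in C:\WINDOWS or system32, and services registered for a file that is missing. It then compares two logs to show why a name-based fix list lags behind this kind of infection: the same categories reappear under fresh names between the first and second log posted in the thread. The two log excerpts are constructed from entries in those logs (abbreviated, with the garbled service display name shortened); the regexes and the 4-to-7-letter name heuristic are my own assumptions, not a vendor signature.

```python
import re
from collections import Counter

# Constructed excerpts in HijackThis v1.99.1 line format. File names are taken from
# the first two logs in the thread; the garbled service display name is shortened.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rkved.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rkved.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {B8E94CDC-6232-EAC7-FC61-677FDCA6C7FA} - C:\WINDOWS\system32\addpt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [crtr32.exe] C:\WINDOWS\crtr32.exe
O4 - HKLM\..\RunOnce: [d3vt32.exe] C:\WINDOWS\system32\d3vt32.exe
O4 - HKLM\..\RunOnce: [netsh32.exe] C:\WINDOWS\netsh32.exe
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\d3vt32.exe" /s (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LOG_AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {31C94FA3-13E4-1D4B-B350-6A09F9B4EDDA} - C:\WINDOWS\systz.dll
O2 - BHO: Class - {3CFD3203-DBF7-9AC2-1F16-A82557DA2F51} - C:\WINDOWS\system32\javayt.dll
O4 - HKLM\..\Run: [ntyv.exe] C:\WINDOWS\system32\ntyv.exe
O4 - HKLM\..\RunOnce: [appct.exe] C:\WINDOWS\appct.exe
O23 - Service: Network Security Service - Unknown owner - C:\WINDOWS\appct.exe" /s (file missing)
"""

LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no vendor folder).
WIN_DIR = re.compile(r"^C:\\WINDOWS(?:\\system32)?\\([a-z0-9]+\.(?:exe|dll))$", re.I)
# Heuristic (assumption): 4-7 lowercase letters/digits, optional "32" suffix. This is
# the shape of every dropped file in the thread (crtr32, d3vt32, ntyv, appct, ...).
RANDOM_NAME = re.compile(r"^[a-z0-9]{4,7}(?:32)?\.(?:exe|dll)$")


def triage(line):
    """Return (code, reason, artefact) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code in ("R0", "R1"):
        # IE search/start settings redirected into a res:// resource of a DLL that
        # lives under C:\WINDOWS: the hijack shown in the thread's R0/R1 lines.
        r = re.search(r"= res://(C:\\WINDOWS\\(?:system32\\)?[^/]+\.dll)/", body, re.I)
        if r:
            return (code, "IE setting redirected to local DLL resource", r.group(1))
    elif code == "R3" and "URLSearchHook is missing" in body:
        return (code, "default URLSearchHook removed", "")
    elif code == "O2":
        # A BHO whose only name is "Class", loaded from the Windows directory;
        # legitimate BHOs carry a descriptive name and a vendor path.
        r = re.match(r"BHO: Class - \{[0-9A-F-]+\} - (.+)$", body, re.I)
        if r and WIN_DIR.match(r.group(1)):
            return (code, "unnamed BHO loaded from Windows directory", r.group(1))
    elif code == "O4":
        # Run/RunOnce value named after its own target, which is a short
        # random-looking executable in the Windows directory.
        r = re.match(r"HKLM\\\.\.\\Run(?:Once)?: \[([^\]]+)\] (.+)$", body)
        if r:
            name, target = r.groups()
            w = WIN_DIR.match(target)
            if w and name.lower() == w.group(1).lower() and RANDOM_NAME.match(w.group(1).lower()):
                return (code, "autorun of random-named file in Windows directory", target)
    elif code == "O23" and "(file missing)" in body:
        path = body.split(" - ")[-1].split('"')[0]
        return (code, "service registered for a missing file", path)
    return None


def triage_log(text):
    """All suspicious entries of one log, in file order."""
    return [h for h in (triage(line) for line in text.splitlines()) if h]


def compare(before, after):
    """Category counts per log, plus artefacts that survived by the same name."""
    a, b = triage_log(before), triage_log(after)
    shared = ({h[2] for h in a} & {h[2] for h in b}) - {""}
    return {
        "before": Counter(h[1] for h in a),
        "after": Counter(h[1] for h in b),
        "shared_artefacts": sorted(shared),
    }


if __name__ == "__main__":
    for hit in triage_log(LOG_BEFORE):
        print("%-4s %-50s %s" % hit)
    report = compare(LOG_BEFORE, LOG_AFTER)
    print("shared artefacts between logs:", report["shared_artefacts"])
    for reason in report["before"]:
        print("%-50s before=%d after=%d" % (reason, report["before"][reason], report["after"][reason]))
```

Run stand-alone, the script lists the eight flagged entries of the first excerpt and then reports zero artefacts shared by name with the second excerpt, while the BHO, autorun and missing-service categories are all present again. That is the practical lesson of the thread: a fix list built from file names is only as current as the last log, so the check that catches a regenerated variant is the shape of the entry (location, naming pattern, missing name or file), not the name itself.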
  • edited July 2005
    thanks man

    OK, here's what we got

    Logfile of HijackThis v1.99.1
    Scan saved at 23:43:43, on 08/07/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ntyv.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Paul\My Documents\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.co.uk/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {31C94FA3-13E4-1D4B-B350-6A09F9B4EDDA} - C:\WINDOWS\systz.dll
    O2 - BHO: Class - {33BB5A1B-CCE5-35FE-1AE8-D4D6F732FF51} - C:\WINDOWS\apinw32.dll
    O2 - BHO: Class - {3CFD3203-DBF7-9AC2-1F16-A82557DA2F51} - C:\WINDOWS\system32\javayt.dll
    O2 - BHO: Class - {90920AC0-CE70-911A-27A7-D53EDA3B6DED} - C:\WINDOWS\system32\d3no.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
    O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ntyv.exe] C:\WINDOWS\system32\ntyv.exe
    O4 - HKLM\..\RunOnce: [appct.exe] C:\WINDOWS\appct.exe
    O4 - HKLM\..\RunOnce: [ntvb.exe] C:\WINDOWS\ntvb.exe
    O4 - HKLM\..\RunOnce: [sdkxc32.exe] C:\WINDOWS\sdkxc32.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O15 - Trusted Zone: *.line6.net
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appct.exe" /s (file missing)
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
  • edited July 2005
    and activescan report

    Incident Status Location
    Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Paul\Favorites\Only sex website.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Ab scissor.url
    Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
    Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\zlhve.dll
    Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\foprqp.txt
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Credit counseling.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Insurance home.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Mortgage life insurance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Help desk software.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Ab scissor.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Videos.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\What is hydrocodone.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Online gambling casino.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Refinancing my mortgage.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Debt credit card.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Fha.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Loan for debt consolidation.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Health insurance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Personal loans online.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Payroll advance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Marketing email.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Prescription Drugs Rx Online.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Credit report.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Tahoe vacation rental.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Escorts.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Order phentermine.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Mortgage insurance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Personal loans with bad credit.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Crm software.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Nevada corporations.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Unsecured bad credit loans.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Loan for people with bad credit.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Broadband comparison.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Online Betting Site.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Paul\Favorites\Sites about\Online instant loan.url
    Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Paul\Favorites\Search the web.url
    Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Paul\Favorites\Only sex website.url
    Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Paul\Favorites\Seven days of free porn.url
  • Shadow2018, Northwest Missouri
    edited July 2005
    Clean out your favorites folder. To access the favorites folder: open C: drive > open Documents and Settings > click your user > open Favorites folder > click Edit > click Select All > click File > click Delete.

    Close all open windows. Run Hijack This and place a checkmark next to these entries then click Fix Checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {31C94FA3-13E4-1D4B-B350-6A09F9B4EDDA} - C:\WINDOWS\systz.dll
    O2 - BHO: Class - {33BB5A1B-CCE5-35FE-1AE8-D4D6F732FF51} - C:\WINDOWS\apinw32.dll
    O2 - BHO: Class - {3CFD3203-DBF7-9AC2-1F16-A82557DA2F51} - C:\WINDOWS\system32\javayt.dll
    O2 - BHO: Class - {90920AC0-CE70-911A-27A7-D53EDA3B6DED} - C:\WINDOWS\system32\d3no.dll
    O4 - HKLM\..\Run: [ntyv.exe] C:\WINDOWS\system32\ntyv.exe
    O4 - HKLM\..\RunOnce: [appct.exe] C:\WINDOWS\appct.exe
    O4 - HKLM\..\RunOnce: [ntvb.exe] C:\WINDOWS\ntvb.exe
    O4 - HKLM\..\RunOnce: [sdkxc32.exe] C:\WINDOWS\sdkxc32.exe
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appct.exe" /s (file missing)

    Reboot into safe mode and delete the following files:

    C:\WINDOWS\systz.dll
    C:\WINDOWS\apinw32.dll
    C:\WINDOWS\system32\javayt.dll
    C:\WINDOWS\system32\d3no.dll
    C:\WINDOWS\system32\ntyv.exe
    C:\WINDOWS\appct.exe
    C:\WINDOWS\ntvb.exe
    C:\WINDOWS\sdkxc32.exe

    Post a new Hijack This log when finished.
  • edited July 2005
    cool cool

    here goes


    Logfile of HijackThis v1.99.1
    Scan saved at 12:19:22, on 10/07/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Paul\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
    O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O15 - Trusted Zone: *.line6.net
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{640033F0-C626-4A39-9723-8A7A657CBD7D}: NameServer = 195.92.195.94 195.92.195.95
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntvb.exe (file missing)
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
  • Shadow2018 Northwest Missouri
    edited July 2005
    You will need to print these instructions for your reference as most of this Removal process must be done in safe mode where you will not have access to the internet.
    (Skip the steps if you have already performed them)

    1. Download CWShredder. Save it to your desktop and extract the files to your desktop.
    Exit CWShredder for now.

    2. Download aboutbuster. Save it to your desktop and extract the files to your desktop.
    Exit aboutbuster for now.

    3. Download Ad-Aware SE 1.06. Save the setup file to your desktop. Run the setup file and place a shortcut on your desktop. Open Ad-Aware and click check for updates > click connect. Click download updates if updates are available.

    4. Make all hidden files viewable.

    5. Boot up into safe mode.

    6. Run HijackThis and place a checkmark next to the following entries. Click “Fix Checked”:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntvb.exe (file missing)

    7. Run CWShredder which you downloaded in step 1. Click the “Fix” button.

    8. Now delete these files or directories if they exist:

    C:\WINDOWS\system32\eohaf.dll
    C:\WINDOWS\ntvb.exe

    9. Run aboutbuster which you downloaded in step 2. Click ok>start>ok. Copy and paste the results of the aboutbuster scan to notepad. Save this as a .txt file.

    10. Run a “full system scan” with Ad-Aware SE. Remove all files found.

    11. Reboot and post a new Hijack This log with the results of the aboutbuster scan.
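The entries the instructions above single out (IE search pages served from a `res://` DLL, and a service whose binary is missing) can be picked out of a HijackThis log mechanically. This triage script is an added example, not part of the thread; its sample log is constructed from the entries posted above, with the garbled service name replaced by a placeholder.

```python
import re

# Constructed sample log: entries copied from the HijackThis log in this
# thread, with the unprintable service name replaced by PLACEHOLDER.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eohaf.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O15 - Trusted Zone: *.line6.net
O23 - Service: Workstation NetLogon Service (PLACEHOLDER) - Unknown owner - C:\WINDOWS\ntvb.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# res://<drive>:\...\something.dll/ : IE pages rendered out of a DLL resource
RES_DLL_RE = re.compile(r"res://(?P<dll>[A-Za-z]:\\[^/]+\.dll)/", re.IGNORECASE)
# "- C:\path\file.exe (file missing)" at the end of an O23 line
MISSING_RE = re.compile(r"- (?P<path>[A-Za-z]:\\[^()]+?) \(file missing\)$")


def triage(log_text):
    """Return (severity, section, reason, path_or_None) for each suspicious entry."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            r = RES_DLL_RE.search(body)
            if r:  # start/search page hijacked into a local DLL resource
                findings.append(("high", section, "IE page served from DLL resource (about:blank-style hijack)", r.group("dll")))
        elif section == "O23":
            mm = MISSING_RE.search(body)
            clean_name = body.isascii() and body.isprintable()
            if mm or not clean_name:  # binary gone, or service name is junk bytes
                findings.append(("high", section, "service binary missing or name not printable ASCII", mm.group("path") if mm else None))
        elif section == "O15":
            findings.append(("review", section, "domain in IE Trusted Zone; confirm the user added it", None))
    return findings


def files_to_remove(findings):
    """File paths behind the high-severity findings (what step 8 above deletes by hand)."""
    return sorted({p for sev, _, _, p in findings if sev == "high" and p})
```

Running `files_to_remove(triage(SAMPLE_LOG))` yields exactly the two files step 8 lists; the O15 entry is only marked for review, matching the user's later remark that the Line 6 entry was theirs.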
  • edited July 2005
    OK, here goes.

    Logfile of HijackThis v1.99.1
    Scan saved at 18:38:48, on 10/07/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Paul\My Documents\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
    O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O15 - Trusted Zone: *.line6.net
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    I ran aboutbuster and it removed quite a lot, but before I could copy the list it crashed... I ran it again and it found nothing next time round.
  • Shadow2018 Northwest Missouri
    edited July 2005
    After removing this last entry your log will be clean.

    Close all open windows. Run HijackThis and place a checkmark next to this entry. Click Fix Checked:

    O15 - Trusted Zone: *.line6.net

    I highly recommend getting SpywareBlaster. This will help keep out unwanted spyware/malware.

    Also make sure you keep updated with the Microsoft security patches as they are released.

    Keep your temporary folder emptied on a regular basis.

    Let me know if you are having any more problems.
  • edited July 2005
    Excellent, I'm clean already then.

    That Line 6 entry is safe anyway.

    Thank you very much for your help! You guys rock :D