
HijackThis log, help!!!!

Hi all!

I have been having a horrible time trying to get my computer clear of any bugs it may have. I think I've been infected with spyware, adware, and anything else you could think of. I've been using Spybot Search & Destroy but to no avail. I downloaded HijackThis and I don't know what to do from here. This is the log from today:


Logfile of HijackThis v1.99.1
Scan saved at 8:10:11 PM, on 10/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CDProxyServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\d3ay32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tony\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwccu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pwccu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pwccu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwccu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pwccu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pwccu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pwccu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.hotmail.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {309B0370-9499-BD83-5B63-522A8DC7EFD4} - C:\WINDOWS\system32\ntmi.dll
O2 - BHO: Class - {3F4A50AD-904E-7E61-9D73-3F174291F4B2} - C:\WINDOWS\system32\netjz.dll
O2 - BHO: Class - {546EB25A-6A5D-99EF-7458-F82F8D257E62} - C:\WINDOWS\system32\ievr.dll
O2 - BHO: Class - {7D84605B-257F-35AC-B82F-7E711C985FBD} - C:\WINDOWS\system32\winup32.dll
O2 - BHO: Class - {8A3A1428-A50F-394F-7CFB-789596227CC4} - C:\WINDOWS\sdknl32.dll
O2 - BHO: Class - {8EF1A0D7-1F28-169C-CDC6-204EFF24D24A} - C:\WINDOWS\netga32.dll
O2 - BHO: Class - {B249DC94-2E17-7065-F181-A8A240375B89} - C:\WINDOWS\system32\netth32.dll
O2 - BHO: Class - {B9087056-572E-C46F-41EA-766D3370ABEF} - C:\WINDOWS\ieqc32.dll
O2 - BHO: Class - {D8044D91-A88E-8AF1-9321-849D547AAE8C} - C:\WINDOWS\system32\ntkv.dll
O2 - BHO: Class - {DB41F021-5AC5-A9B7-B3CF-8039B91DD632} - C:\WINDOWS\system32\addwy.dll
O2 - BHO: Class - {EF3DA427-88BA-69AC-D4EE-CE669ADD36B2} - C:\WINDOWS\system32\ntwk.dll
O2 - BHO: Class - {F99061EE-BCEC-AA3C-EDD1-FD4D490410FD} - C:\WINDOWS\system32\wincn.dll
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [crvn32.exe] C:\WINDOWS\system32\crvn32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [d3ay32.exe] C:\WINDOWS\system32\d3ay32.exe
O4 - HKLM\..\Run: [mfckj32.exe] C:\WINDOWS\system32\mfckj32.exe
O4 - HKLM\..\Run: [addnh.exe] C:\WINDOWS\system32\addnh.exe
O4 - HKLM\..\Run: [netda32.exe] C:\WINDOWS\system32\netda32.exe
O4 - HKLM\..\Run: [winye32.exe] C:\WINDOWS\system32\winye32.exe
O4 - HKLM\..\Run: [crgy32.exe] C:\WINDOWS\system32\crgy32.exe
O4 - HKLM\..\Run: [javalz32.exe] C:\WINDOWS\system32\javalz32.exe
O4 - HKLM\..\Run: [atlpg.exe] C:\WINDOWS\system32\atlpg.exe
O4 - HKLM\..\Run: [apivx32.exe] C:\WINDOWS\system32\apivx32.exe
O4 - HKLM\..\Run: [appjg.exe] C:\WINDOWS\system32\appjg.exe
O4 - HKLM\..\Run: [d3hz.exe] C:\WINDOWS\system32\d3hz.exe
O4 - HKLM\..\Run: [ntff.exe] C:\WINDOWS\system32\ntff.exe
O4 - HKLM\..\Run: [mstb32.exe] C:\WINDOWS\system32\mstb32.exe
O4 - HKLM\..\Run: [ntez.exe] C:\WINDOWS\system32\ntez.exe
O4 - HKLM\..\Run: [atlse32.exe] C:\WINDOWS\system32\atlse32.exe
O4 - HKLM\..\Run: [netlt.exe] C:\WINDOWS\system32\netlt.exe
O4 - HKLM\..\RunOnce: [sysry32.exe] C:\WINDOWS\sysry32.exe
O4 - HKLM\..\RunOnce: [apput32.exe] C:\WINDOWS\system32\apput32.exe
O4 - HKLM\..\RunOnce: [ntmy.exe] C:\WINDOWS\ntmy.exe
O4 - HKLM\..\RunOnce: [atlul32.exe] C:\WINDOWS\atlul32.exe
O4 - HKLM\..\RunOnce: [iezw.exe] C:\WINDOWS\iezw.exe
O4 - HKLM\..\RunOnce: [javafw.exe] C:\WINDOWS\javafw.exe
O4 - HKLM\..\RunOnce: [windy.exe] C:\WINDOWS\system32\windy.exe
O4 - HKLM\..\RunOnce: [javabi.exe] C:\WINDOWS\javabi.exe
O4 - HKLM\..\RunOnce: [msux.exe] C:\WINDOWS\system32\msux.exe
O4 - HKLM\..\RunOnce: [apipx.exe] C:\WINDOWS\system32\apipx.exe
O4 - HKLM\..\RunOnce: [sysaq32.exe] C:\WINDOWS\sysaq32.exe
O4 - HKLM\..\RunOnce: [atlft.exe] C:\WINDOWS\atlft.exe
O4 - HKLM\..\RunOnce: [msgf32.exe] C:\WINDOWS\system32\msgf32.exe
O4 - HKLM\..\RunOnce: [ntco32.exe] C:\WINDOWS\system32\ntco32.exe
O4 - HKLM\..\RunOnce: [apicf32.exe] C:\WINDOWS\apicf32.exe
O4 - HKLM\..\RunOnce: [winkw.exe] C:\WINDOWS\winkw.exe
O4 - HKLM\..\RunOnce: [mssl.exe] C:\WINDOWS\mssl.exe
O4 - HKLM\..\RunOnce: [ntge32.exe] C:\WINDOWS\system32\ntge32.exe
O4 - HKLM\..\RunOnce: [ntko32.exe] C:\WINDOWS\system32\ntko32.exe
O4 - HKLM\..\RunOnce: [ipyl32.exe] C:\WINDOWS\ipyl32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apput32.exe" /s (file missing)
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Any help would be greatly appreciated.

-VenChick02

Comments

  • Crunchie (Mandurah, Western Australia), Member
    edited October 2005
    Download CWShredder 2.15 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

    ===============

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    ===============

    Download AboutBuster 5:

    http://www.besttechie.net/tools/AboutBuster5.zip
    http://www.malwarebytes.biz/AboutBuster5.zip

    Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.

    Click Update. This will start updating AboutBuster with the latest definition database.

    Once it's done updating and you see that dialog, click Ok.

    Close AboutBuster.

    Reboot into safe mode following the instructions here.

    Start AboutBuster and click Begin Removal.

    When the scan is done, click Ok.


    Run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

    Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • edited October 2005
    Thank you for your help. I ran into some trouble though. I made it all the way down to clicking on the update option once I downloaded AboutBuster. After clicking on "update" I got an error that said "run-time error '5', invalid procedure call or argument". It wouldn't let me go any further. What should I do now?


    thanks,
    venchick02
  • Crunchie (Mandurah, Western Australia), Member
    edited October 2005
    The host site for the update is down so you will have to forego the update and just follow the rest of the instructions :).
  • edited October 2005
    This is my most recent log...


    Logfile of HijackThis v1.99.1
    Scan saved at 5:00:59 PM, on 10/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\sysry32.exe
    C:\WINDOWS\CDProxyServ.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\sysry32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ipkd.exe
    C:\Documents and Settings\Tony\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.hotmail.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {2CE5CDE3-CDE1-DC80-2907-A183C22ABB18} - C:\WINDOWS\system32\apikd32.dll
    O2 - BHO: Class - {E28302FE-B381-7680-D448-064B3F4763EE} - C:\WINDOWS\sdkbi32.dll
    O4 - HKLM\..\Run: [crvn32.exe] C:\WINDOWS\system32\crvn32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winye32.exe] C:\WINDOWS\system32\winye32.exe
    O4 - HKLM\..\Run: [ipkd.exe] C:\WINDOWS\system32\ipkd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysry32.exe" /s (file missing)
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
    O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Tony\Desktop\cwshredder.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • edited October 2005
    The second log.....

    The second log is over a million characters long and I can't post it. Do you have a plan B?
  • Crunchie (Mandurah, Western Australia), Member
    edited October 2005
    I take it that was the Ewido log? We will leave that one alone if it's that long :).

    ==

    Can you please do the following.

    ===============

    Now, let's open a command prompt by going to the start menu and then select 'Run'.

    In the box that pops up type in 'cmd'. The command prompt will open.

    OR

    You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

    regsvr32 /u apikd32.dll
    regsvr32 /u sdkbi32.dll

    It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

    ===============

    Open a command prompt again and enter "services.msc" (without the quotes).

    -

    Now, locate and 'stop' the following services, if present:

    Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) owner ... (C:\WINDOWS\sysry32.exe)

    Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

    ===============

    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\WINDOWS\sysry32.exe
    C:\WINDOWS\system32\ipkd.exe

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

    ===============

    Still in HiJackThis, click "Scan", then check(tick) the following, if present:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kurtx.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {2CE5CDE3-CDE1-DC80-2907-A183C22ABB18} - C:\WINDOWS\system32\apikd32.dll
    O2 - BHO: Class - {E28302FE-B381-7680-D448-064B3F4763EE} - C:\WINDOWS\sdkbi32.dll

    O4 - HKLM\..\Run: [crvn32.exe] C:\WINDOWS\system32\crvn32.exe
    O4 - HKLM\..\Run: [winye32.exe] C:\WINDOWS\system32\winye32.exe
    O4 - HKLM\..\Run: [ipkd.exe] C:\WINDOWS\system32\ipkd.exe

    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149

    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysry32.exe


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    files...

    C:\WINDOWS\sysry32.exe
    C:\WINDOWS\system32\ipkd.exe
    C:\WINDOWS\kurtx.dll
    C:\WINDOWS\system32\apikd32.dll
    C:\WINDOWS\sdkbi32.dll
    C:\WINDOWS\system32\crvn32.exe
    C:\WINDOWS\system32\winye32.exe

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    Run Ewido again and let it clean what it finds.

    ==

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
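    One way to mechanise the triage Crunchie did by hand in the post above, as an added example that is not part of the thread and not code from HijackThis: a Python script that reads a HijackThis 1.99 log, flags the kinds of entry the helper targeted (search pages served from a res:// DLL, BHOs registered only as "Class", Run values named after their own executable, Trusted-zone additions, services with a missing image or unknown owner) and emits the same checklist of lines to tick in HijackThis, DLLs to unregister, services to stop and files to delete. The embedded sample is a constructed excerpt of the first log posted in this thread; the rules for what counts as suspicious are assumptions, stated in the comments, and every hit still needs a human look before anything is removed.

```python
"""Triage a HijackThis v1.99 log for CoolWebSearch-style hijacker entries.

Added example, not code from this thread or from HijackThis. The heuristics are
assumptions about what separates the hijacker's entries from legitimate ones;
treat the output as a checklist to review, not a verdict."""
import re
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(r"^(?P<code>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# R0/R1: search/start page served from an HTML resource inside a local DLL.
RES_DLL_RE = re.compile(r"res://(?P<dll>[A-Za-z]:\\[^/]+\.dll)/", re.I)
# O2: "BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# O4: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23: "Service: <display name> - <owner> - <image path>[ (file missing)]"
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<rest>.+)$")
# First drive-letter path ending in .exe within a command line (quotes/switches ignored).
EXE_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.I)

# Constructed excerpt of the first log posted in the thread, a few entries of each kind.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwccu.dll/sp.html#37049
O2 - BHO: Class - {309B0370-9499-BD83-5B63-522A8DC7EFD4} - C:\WINDOWS\system32\ntmi.dll
O2 - BHO: Class - {8A3A1428-A50F-394F-7CFB-789596227CC4} - C:\WINDOWS\sdknl32.dll
O4 - HKLM\..\Run: [crvn32.exe] C:\WINDOWS\system32\crvn32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [sysry32.exe] C:\WINDOWS\sysry32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apput32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

@dataclass(frozen=True)
class Finding:
    code: str             # HijackThis section (R1, O2, O4, O15, O23)
    reason: str           # why the entry is suspicious
    path: Optional[str]   # file to delete, when the entry names one that still exists
    name: Optional[str]   # Run value name or service display name, if any
    raw: str              # entry body, to tick in HijackThis and "Fix checked"

def classify(code: str, body: str) -> Optional[Finding]:
    """Return a Finding if the entry matches one of the hijacker patterns, else None."""
    if code in ("R0", "R1"):
        m = RES_DLL_RE.search(body)
        if m:
            return Finding(code, "IE search page redirected into a res:// DLL", m["dll"], None, body)
    elif code == "O2":
        m = BHO_RE.match(body)
        # Assumption: real BHOs carry a product name; the hijacker registers each as "Class".
        if m and m["name"] == "Class":
            return Finding(code, "BHO with placeholder name 'Class'",
                           None if m["missing"] else m["path"], None, body)
    elif code == "O4":
        m = RUN_RE.match(body)
        exe = EXE_RE.search(m["cmd"]) if m else None
        # Assumption: legitimate autostarts use a product name as the value name
        # (QuickTime Task, vptray); the hijacker names the value after the .exe itself.
        if exe and m["name"].lower() == exe["path"].rsplit("\\", 1)[-1].lower():
            return Finding(code, "Run value named after its own executable", exe["path"], m["name"], body)
    elif code == "O15":
        return Finding(code, "site or IP silently added to the IE Trusted zone", None, None, body)
    elif code == "O23":
        m = SERVICE_RE.match(body)
        if m and ("(file missing)" in m["rest"] or m["owner"] == "Unknown owner"):
            # No path: the service is stopped and disabled rather than deleted, as in the post.
            return Finding(code, "service with missing image or unknown owner", None, m["display"], body)
    return None

def triage(log_text: str) -> list:
    """Parse a whole log and return the suspicious entries in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            f = classify(m["code"], m["body"])
            if f:
                findings.append(f)
    return findings

def cleanup_plan(findings: list) -> dict:
    """Turn findings into the same checklist the helper wrote by hand in the thread."""
    return {
        "fix_in_hijackthis": [f"{f.code} - {f.raw}" for f in findings],
        "unregister": [f'regsvr32 /u "{f.path}"' for f in findings if f.code == "O2" and f.path],
        "stop_and_disable_services": [f.name for f in findings if f.code == "O23"],
        "delete": sorted({f.path for f in findings if f.path}, key=str.lower),
    }

if __name__ == "__main__":
    for step, items in cleanup_plan(triage(SAMPLE_LOG)).items():
        print(f"== {step} ==\n" + "\n".join("  " + item for item in items))
```

    Run it with no arguments to see the plan for the embedded sample, or replace SAMPLE_LOG with the contents of a saved hijackthis.log. The script only prints; the regsvr32, service and deletion steps are still carried out by hand (in safe mode if a file is in use), exactly as the post describes.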
  • edited October 2005
    Now, locate and 'stop' the following services, if present:

    Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) owner ... (C:\WINDOWS\sysry32.exe)

    I'm confused. Do I stop the above service if it is listed exactly like above? I see some in the registry that start off with Remote Procedure Call Helper but it doesn't end with those funky characters.
  • Crunchie (Mandurah, Western Australia), Member
    edited October 2005
    No need to enter the registry. Just go to services and locate the above and stop the service, then disable it. It must be the Remote Procedure Call (RPC) Helper service.
  • edited October 2005
    This is the most recent log......


    C:\WINDOWS\CDProxyServ.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\netpe.exe
    C:\WINDOWS\system32\apidt32.exe
    C:\Documents and Settings\Tony\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tfewz.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tfewz.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tfewz.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tfewz.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tfewz.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tfewz.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tfewz.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.hotmail.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {0F70277D-289E-55DF-CC2E-2ED795705AF8} - C:\WINDOWS\atlnw32.dll (file missing)
    O2 - BHO: Class - {6CA0DD23-29FF-7BA9-BCDE-21BA40065FF7} - C:\WINDOWS\system32\mfchw32.dll
    O2 - BHO: Class - {9E57DB01-8D19-85F2-6848-874E14539906} - C:\WINDOWS\d3ed32.dll
    O2 - BHO: Class - {E6B5BD9E-F3FF-E5A3-4B37-210B4F9B2CFF} - C:\WINDOWS\apprd32.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [apidt32.exe] C:\WINDOWS\system32\apidt32.exe
    O4 - HKLM\..\RunOnce: [netpe.exe] C:\WINDOWS\system32\netpe.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysry32.exe" /s (file missing)
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
    O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Tony\Desktop\cwshredder.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


    Computer still runs weird. I can't access Media Player, half of my web pages still won't load properly, and if I click on a hyperlink, it takes me to a search assistant type deal.

    -venchick02
  • Crunchie (Mandurah, Western Australia), Member
    edited October 2005
    Download 'SpSeHjfix' to the desktop and then
    right click a blank part of the desktop and select new folder, call it spfix
    unzip the file into that folder.

    Disconnect from the net and Close ALL OPEN PROGRAMS.
    Run 'SpSeHjfix' and click on "Start Disinfection".
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder.

    If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

    Run CWShredder and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

    Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.
  • edited October 2005
    Here are the recent logs......



    (10/17/05 7:38:18 PM) SPSeHjFix started v1.1.2
    (10/17/05 7:38:19 PM) OS: WinXP Service Pack 2 (5.1.2600)
    (10/17/05 7:38:19 PM) Language: english
    (10/17/05 7:38:19 PM) Win-Path: C:\WINDOWS
    (10/17/05 7:38:19 PM) System-Path: C:\WINDOWS\system32
    (10/17/05 7:38:19 PM) Temp-Path: C:\DOCUME~1\Tony\LOCALS~1\Temp\
    (10/17/05 7:39:41 PM) Disinfection started
    (10/17/05 7:39:41 PM) Bad-Dll(IEP): c:\windows\tfewz.dll
    (10/17/05 7:39:42 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 7:39:42 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 7:39:42 PM) Bad IE-pages:
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
    deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\tfewz.dll/sp.html#37049
    (10/17/05 7:39:42 PM) Stealth-String not found
    (10/17/05 7:39:42 PM) No locked Files to delete. End without Reboot
    (10/17/05 7:39:50 PM) Disinfection started
    (10/17/05 7:39:50 PM) Bad-Dll(IEP): c:\windows\tfewz.dll
    (10/17/05 7:39:50 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 7:39:50 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 7:39:50 PM) Bad IE-pages: (none)
    (10/17/05 7:39:50 PM) Stealth-String not found
    (10/17/05 7:39:50 PM) No locked Files to delete. End without Reboot
    (10/17/05 7:40:15 PM) Disinfection started
    (10/17/05 7:40:15 PM) Bad-Dll(IEP): c:\windows\tfewz.dll
    (10/17/05 7:40:15 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 7:40:15 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 7:40:15 PM) Bad IE-pages: (none)
    (10/17/05 7:40:15 PM) Stealth-String not found
    (10/17/05 7:40:15 PM) No locked Files to delete. End without Reboot


    (10/17/05 7:43:37 PM) SPSeHjFix started v1.1.2
    (10/17/05 7:43:37 PM) OS: WinXP Service Pack 2 (5.1.2600)
    (10/17/05 7:43:37 PM) Language: english
    (10/17/05 7:43:37 PM) Win-Path: C:\WINDOWS
    (10/17/05 7:43:37 PM) System-Path: C:\WINDOWS\system32
    (10/17/05 7:43:37 PM) Temp-Path: C:\DOCUME~1\Tony\LOCALS~1\Temp\
    (10/17/05 7:43:38 PM) Disinfection started
    (10/17/05 7:43:38 PM) Bad-Dll(IEP): (not found)
    (10/17/05 7:43:38 PM) Bad-Dll(IEP) in BHO: (not found)
    (10/17/05 7:43:38 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 7:43:38 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 7:43:38 PM) Bad IE-pages: (none)
    (10/17/05 7:43:38 PM) Stealth-String not found
    (10/17/05 7:43:38 PM) Not infected->END


    (10/17/05 8:16:12 PM) SPSeHjFix started v1.1.2
    (10/17/05 8:16:12 PM) OS: WinXP Service Pack 2 (5.1.2600)
    (10/17/05 8:16:12 PM) Language: english
    (10/17/05 8:16:12 PM) Win-Path: C:\WINDOWS
    (10/17/05 8:16:12 PM) System-Path: C:\WINDOWS\system32
    (10/17/05 8:16:12 PM) Temp-Path: C:\DOCUME~1\Tony\LOCALS~1\Temp\
    (10/17/05 8:16:13 PM) Disinfection started
    (10/17/05 8:16:13 PM) Bad-Dll(IEP): c:\windows\tfewz.dll
    (10/17/05 8:16:13 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 8:16:13 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 8:16:13 PM) Bad IE-pages:
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
    deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\tfewz.dll/sp.html#37049
    deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\tfewz.dll/sp.html#37049
    (10/17/05 8:16:13 PM) Stealth-String not found
    (10/17/05 8:16:13 PM) No locked Files to delete. End without Reboot
    (10/17/05 8:16:16 PM) Disinfection started
    (10/17/05 8:16:16 PM) Bad-Dll(IEP): c:\windows\tfewz.dll
    (10/17/05 8:16:16 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 8:16:16 PM) UBF: 4 - UBB: 11 - UBR: 3
    (10/17/05 8:16:16 PM) Bad IE-pages: (none)
    (10/17/05 8:16:16 PM) Stealth-String not found
    (10/17/05 8:16:16 PM) No locked Files to delete. End without Reboot


    Logfile of HijackThis v1.99.1
    Scan saved at 9:07:00 PM, on 10/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\CDProxyServ.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\javayw32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Tony\Desktop\New Folder\HijackThis.exe
    C:\Documents and Settings\Tony\Desktop\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.hotmail.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {385AA24F-32B3-1899-6F78-97FEADD3DD88} - C:\WINDOWS\system32\addsd.dll
    O2 - BHO: Class - {D0D46A3D-77D7-A7FC-0D99-4C0E4E3C686F} - C:\WINDOWS\system32\ipvi32.dll
    O2 - BHO: Class - {DCAC4288-4597-CC9C-88ED-6AFF6D21C6A6} - C:\WINDOWS\ntfk.dll
    O2 - BHO: Class - {F3CE29D7-1F3D-C3AE-8BFA-949DD938C336} - C:\WINDOWS\system32\mfckv32.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [javayw32.exe] C:\WINDOWS\javayw32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javayw32.exe" /s (file missing)
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
    O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Tony\Desktop\cwshredder.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • Crunchie (Mandurah, Western Australia), Member
    edited October 2005
    Download the latest version of about:buster from http://www.majorgeeks.com/download4289.html and then follow all the instructions from my first post.
    You had more than one version of this infection present. You may want to use a different browser until we get this cleaned up.