Empty dlls
Recently my web browser was hijacked, and I cured the problem immediately.
I found so many empty DLLs and EXEs in the Windows directory ...
such as: mssy32.dll, netlm.dll, jpgs.dll ...
almost 700 of them .... What are these empty DLLs and EXEs?
Is it safe to remove them?
I would appreciate an answer from anyone.
I am new to fighting spyware problems.
Thank you
This discussion has been closed.
Can you post a HijackThis log please:
Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
- Double click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
- Copy and paste the log here
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
I removed ipir.exe and some other files ....
but there are empty DLLs .... remove all or not?
I removed about 20 of them to test ....
Now my system is stable!
***************************
Logfile of HijackThis v1.99.1
Scan saved at 15:12:14, on 2006-07-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\Program\Scansoft\PaperPort\pptd40nt.exe
C:\Program\Creative\ShareDLL\CtNotify.exe
C:\Program\Creative\ShareDLL\Mediadet.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\crev32.exe
C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\PANICW~1\POP-UP~1\PSFree.exe
C:\Program\Internet Explorer\iexplore.exe
c:\program\intern~1\iexplore.exe
C:\Program\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\Program\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\Program\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\Program\Dangerous\browser.exe
C:\Program\TABROTEX OFFICE\TABROTEX.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {DCA47654-4A8F-4E15-3395-EB24B27E676B} - C:\WINDOWS\system32\sysmu32.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\system32\syswp.exe
O4 - HKLM\..\Run: [winib.exe] C:\WINDOWS\system32\winib.exe
O4 - HKLM\..\Run: [msnp.exe] C:\WINDOWS\msnp.exe
O4 - HKLM\..\Run: [apiyr32.exe] C:\WINDOWS\system32\apiyr32.exe
O4 - HKLM\..\Run: [mszk32.exe] C:\WINDOWS\system32\mszk32.exe
O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [winhv32.exe] C:\WINDOWS\system32\winhv32.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program\Delade filer\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [d3xl.exe] C:\WINDOWS\system32\d3xl.exe
O4 - HKLM\..\Run: [winyg.exe] C:\WINDOWS\system32\winyg.exe
O4 - HKLM\..\Run: [atlgb32.exe] C:\WINDOWS\atlgb32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [addkx.exe] C:\WINDOWS\system32\addkx.exe
O4 - HKLM\..\Run: [bits title okay funk] C:\Documents and Settings\All Users\Application Data\Meet defy bits title\shim poll.exe
O4 - HKLM\..\Run: [crev32.exe] C:\WINDOWS\system32\crev32.exe
O4 - HKLM\..\RunOnce: [d3tf.exe] C:\WINDOWS\system32\d3tf.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: SmartUI.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ladda ner Alla med NetXfer - C:\Program\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Ladda ner med NetXfer - C:\Program\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - http://www.cult3d.com/newuser/index.html
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_se.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} - http://advnt01.com/dialer/internazionale_ver15.CAB
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_se.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://F:\CDVIEWER\CdViewer.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3tf.exe" /s (file missing)
O23 - Service: Client de licence CA (CA_LIC_CLNT) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Serveur de licence CA (CA_LIC_SRVR) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
********************end
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Reader 6.0.1 - Svenska
ATI Control Panel
ATI Display Driver
avsSuitePack Millenium 1.0
Brother MFC Software Suite
Burn My Files
CDMenuPro V4
Clean My Registry v2.1
C-Media WDM Audio Driver
Creative Jukebox Driver
Disk Washer
elitemediagroup
eTrust Antivirus Registration
HighMAT-tillägg till Microsoft Windows XP-guiden Skriv till CD-skiva
HijackThis 1.99.1
Home Search Assistent
Home Cinema
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2
Macromedia Flash Player 8
Magic ISO Maker v5.3 (build 0199)
Medion Flash XL 2.0
Microsoft Office XP Professional med FrontPage
Microsoft Windows Media Video 9 VCM
Microsoft Works 7.0
MSN Messenger 6.2
MUSICMATCH® Jukebox
Nero Media Player
Nero OEM
NeroVision Express 2
Netscape Navigator
NetXfer 2.01.305
New.net Domains 7.22
NOMAD Jukebox Zen (USB2.0)
PaperPort 8.0 SE
PC Suite for P800 1.1.0
Pic Cutter 3.0
Pop-Up Stopper Free Edition
PowerDVD
PowerProducer
RealPlayer
SciTE4Autoit3 6/26/2006
Search Extender
Smart Manager
SP2 Connection Patcher
TABROTEX OFFICE 1.02
The Off By One Web Browser
USB Wireless Keyboard Driver
W83L518D
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Säkerhetskopiering
Windows XP Service Pack 2
WinRAR archiver
WordAndWeb
XoftSpy
Yahoo! Toolbar
Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:
elitemediagroup
Java 2 Runtime Environment, SE v1.4.2
New.net Domains 7.22
The Off By One Web Browser
Reboot and post a new HijackThis log.
Scan saved at 16:42:54, on 2006-07-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\appzy32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\Program\Scansoft\PaperPort\pptd40nt.exe
C:\Program\Creative\ShareDLL\CtNotify.exe
C:\Program\Creative\ShareDLL\Mediadet.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\PANICW~1\POP-UP~1\PSFree.exe
c:\program\intern~1\iexplore.exe
C:\Program\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\Program\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\Program\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\Program\Dangerous\browser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {DCA47654-4A8F-4E15-3395-EB24B27E676B} - C:\WINDOWS\system32\sysmu32.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\system32\syswp.exe
O4 - HKLM\..\Run: [winib.exe] C:\WINDOWS\system32\winib.exe
O4 - HKLM\..\Run: [msnp.exe] C:\WINDOWS\msnp.exe
O4 - HKLM\..\Run: [apiyr32.exe] C:\WINDOWS\system32\apiyr32.exe
O4 - HKLM\..\Run: [mszk32.exe] C:\WINDOWS\system32\mszk32.exe
O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [winhv32.exe] C:\WINDOWS\system32\winhv32.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program\Delade filer\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [d3xl.exe] C:\WINDOWS\system32\d3xl.exe
O4 - HKLM\..\Run: [winyg.exe] C:\WINDOWS\system32\winyg.exe
O4 - HKLM\..\Run: [atlgb32.exe] C:\WINDOWS\atlgb32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [addkx.exe] C:\WINDOWS\system32\addkx.exe
O4 - HKLM\..\Run: [bits title okay funk] C:\Documents and Settings\All Users\Application Data\Meet defy bits title\shim poll.exe
O4 - HKLM\..\Run: [appzy32.exe] C:\WINDOWS\appzy32.exe
O4 - HKLM\..\RunOnce: [d3tf.exe] C:\WINDOWS\system32\d3tf.exe
O4 - HKLM\..\RunOnce: [addno.exe] C:\WINDOWS\system32\addno.exe
O4 - HKLM\..\RunOnce: [javaja32.exe] C:\WINDOWS\system32\javaja32.exe
O4 - HKLM\..\RunOnce: [appvo.exe] C:\WINDOWS\appvo.exe
O4 - HKLM\..\RunOnce: [atlde32.exe] C:\WINDOWS\system32\atlde32.exe
O4 - HKLM\..\RunOnce: [mfcdu32.exe] C:\WINDOWS\system32\mfcdu32.exe
O4 - HKLM\..\RunOnce: [sdkmn32.exe] C:\WINDOWS\sdkmn32.exe
O4 - HKLM\..\RunOnce: [addmv.exe] C:\WINDOWS\system32\addmv.exe
O4 - HKLM\..\RunOnce: [ieqz.exe] C:\WINDOWS\ieqz.exe
O4 - HKLM\..\RunOnce: [mfcgw32.exe] C:\WINDOWS\system32\mfcgw32.exe
O4 - HKLM\..\RunOnce: [iped.exe] C:\WINDOWS\system32\iped.exe
O4 - HKLM\..\RunOnce: [crah32.exe] C:\WINDOWS\crah32.exe
O4 - HKLM\..\RunOnce: [sdkeb32.exe] C:\WINDOWS\system32\sdkeb32.exe
O4 - HKLM\..\RunOnce: [javalj32.exe] C:\WINDOWS\system32\javalj32.exe
O4 - HKLM\..\RunOnce: [apiqv.exe] C:\WINDOWS\system32\apiqv.exe
O4 - HKLM\..\RunOnce: [appuz32.exe] C:\WINDOWS\appuz32.exe
O4 - HKLM\..\RunOnce: [msif.exe] C:\WINDOWS\msif.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [PLATFORMBORE] C:\DOCUME~1\ahmed\APPLIC~1\INTERN~1\trans logo.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: SmartUI.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ladda ner Alla med NetXfer - C:\Program\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Ladda ner med NetXfer - C:\Program\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - http://www.cult3d.com/newuser/index.html
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_se.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} - http://advnt01.com/dialer/internazionale_ver15.CAB
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_se.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://F:\CDVIEWER\CdViewer.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3tf.exe" /s (file missing)
O23 - Service: Client de licence CA (CA_LIC_CLNT) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Serveur de licence CA (CA_LIC_SRVR) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
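The two logs above were taken about ninety minutes apart, and the interesting change is in the O4 (autorun) entries: New.net and crev32.exe are gone, while appzy32.exe and a run of new RunOnce entries have appeared. Comparing logs mechanically makes that kind of churn obvious. The script below is an added example, not part of the thread, of HijackThis, or of any tool the helper names: it parses the O4 lines of two HijackThis logs and reports which entries were added or removed, marking targets that sit directly in C:\WINDOWS or system32 as a coarse "look at these first" hint (legitimate files live there too, so it is a triage aid, not a verdict). The sample lines are constructed from the two logs in this thread; the function names `Get-HjtAutoruns` and `Compare-HjtAutoruns` are my own.

```powershell
# Added example (not from the thread or from HijackThis): diff the O4 autorun
# lines of two HijackThis logs. Sample input below is constructed from lines of
# the two logs posted above; for real use, read the saved logs with Get-Content.

function Get-HjtAutoruns {
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        # O4 lines look like: O4 - HKLM\..\Run: [name] <command line>
        if ($line -match '^O4 - (?<where>[^:]+): \[(?<name>[^\]]*)\] (?<target>.+)$') {
            $target = $Matches.target.Trim('"')
            [pscustomobject]@{
                Where  = $Matches.where
                Name   = $Matches.name
                Target = $target
                # Image dropped straight into C:\WINDOWS or system32 rather than a
                # vendor folder. Only a triage hint: NeroCheck.exe lives there too.
                InWindowsDir = $target -match '^c:\\windows\\(system32\\)?[^\\]+\.exe$'
                # Location + target, lower-cased, so reordering is not reported.
                Key = ('{0}|{1}' -f $Matches.where, $target).ToLowerInvariant()
            }
        }
    }
}

function Compare-HjtAutoruns {
    param([string[]]$Before, [string[]]$After)
    $old = @{}; Get-HjtAutoruns $Before | ForEach-Object { $old[$_.Key] = $_ }
    $new = @{}; Get-HjtAutoruns $After  | ForEach-Object { $new[$_.Key] = $_ }
    [pscustomobject]@{
        Added   = @($new.Keys | Where-Object { -not $old.ContainsKey($_) } | ForEach-Object { $new[$_] })
        Removed = @($old.Keys | Where-Object { -not $new.ContainsKey($_) } | ForEach-Object { $old[$_] })
    }
}

# Constructed sample: a handful of O4 lines from the 15:12 and 16:42 logs.
$before = @(
    'O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe',
    'O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s',
    'O4 - HKLM\..\Run: [crev32.exe] C:\WINDOWS\system32\crev32.exe',
    'O4 - HKLM\..\RunOnce: [d3tf.exe] C:\WINDOWS\system32\d3tf.exe'
)
$after = @(
    'O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe',
    'O4 - HKLM\..\Run: [appzy32.exe] C:\WINDOWS\appzy32.exe',
    'O4 - HKLM\..\RunOnce: [d3tf.exe] C:\WINDOWS\system32\d3tf.exe',
    'O4 - HKLM\..\RunOnce: [addno.exe] C:\WINDOWS\system32\addno.exe'
)

$diff = Compare-HjtAutoruns -Before $before -After $after
"== Autorun entries that appeared in the second log =="
$diff.Added   | Format-Table Where, Name, Target, InWindowsDir -AutoSize
"== Autorun entries that disappeared =="
$diff.Removed | Format-Table Where, Name, Target -AutoSize
```

With the constructed sample, Added lists appzy32.exe and addno.exe (both flagged InWindowsDir) and Removed lists New.net Startup and crev32.exe. For a real comparison replace the two arrays with `Get-Content` of the saved logs; entries that keep reappearing under fresh random names after a cleanup pass are the ones to trace back to whatever re-creates them.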
Let's begin!
First of all I need you to download some programs for use later.
Download this file and unzip it to your desktop
Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet
Download CWShredder from here, install it, check for updates but again, don't use it yet.
Download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install Ewido by double clicking the installer.
- Follow the prompts. Make sure that Launch Ewido is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Click on Update on the toolbar.
- Under Manual update, click on the Start Update button.
- Wait until you see the Update successful message.
- Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update Ewido. Note: If the Update now option is grayed out, follow the steps below.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.
Ensure hidden files and folders are set to show;
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK. Scroll down and find the service called Network Security Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.
Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE!
While in safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.
Then Open CWShredder that you downloaded in the first step. Close all browser windows and click on the Fix button.
Bring up Task Manager (Ctrl-Alt-Del) and end these processes if they are present
appzy32.exe
apiyr32.exe
syswp.exe
winib.exe
msnp.exe
mszk32.exe
sdkkv.exe
mfcel32.exe
winhv32.exe
d3xl.exe
winyg.exe
atlgb32.exe
susp.exe
addkx.exe
appzy32.exe
d3tf.exe
addno.exe
javaja32.exe
appvo.exe
atlde32.exe
mfcdu32.exe
sdkmn32.exe
addmv.exe
ieqz.exe
mfcgw32.exe
iped.exe
crah32.exe
sdkeb32.exe
javalj32.exe
apiqv.exe
appuz32.exe
msif.exe
Now find and delete these files, if you can't find one then don't worry.. just move on to the next one.
C:\WINDOWS\system32\rjphf.dll
C:\WINDOWS\system32\sysmu32.dll
C:\WINDOWS\system32\syswp.exe
C:\WINDOWS\system32\winib.exe
C:\WINDOWS\system32\apiyr32.exe
C:\WINDOWS\system32\mszk32.exe
C:\WINDOWS\system32\mfcel32.exe
C:\WINDOWS\system32\winhv32.exe
C:\WINDOWS\system32\d3xl.exe
C:\WINDOWS\system32\winyg.exe
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\system32\addkx.exe
C:\WINDOWS\system32\d3tf.exe
C:\WINDOWS\system32\addno.exe
C:\WINDOWS\system32\javaja32.exe
C:\WINDOWS\system32\atlde32.exe
C:\WINDOWS\system32\mfcdu32.exe
C:\WINDOWS\system32\addmv.exe
C:\WINDOWS\system32\mfcgw32.exe
C:\WINDOWS\system32\iped.exe
C:\WINDOWS\system32\sdkeb32.exe
C:\WINDOWS\system32\javalj32.exe
C:\WINDOWS\system32\apiqv.exe
C:\WINDOWS\msnp.exe
C:\WINDOWS\sdkkv.exe
C:\WINDOWS\atlgb32.exe
C:\WINDOWS\appzy32.exe
C:\WINDOWS\appvo.exe
C:\WINDOWS\sdkmn32.exe
C:\WINDOWS\ieqz.exe
C:\WINDOWS\crah32.exe
C:\WINDOWS\appuz32.exe
C:\WINDOWS\msif.exe
Now run hijackthis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked'
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DCA47654-4A8F-4E15-3395-EB24B27E676B} - C:\WINDOWS\system32\sysmu32.dll
O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\system32\syswp.exe
O4 - HKLM\..\Run: [winib.exe] C:\WINDOWS\system32\winib.exe
O4 - HKLM\..\Run: [msnp.exe] C:\WINDOWS\msnp.exe
O4 - HKLM\..\Run: [apiyr32.exe] C:\WINDOWS\system32\apiyr32.exe
O4 - HKLM\..\Run: [mszk32.exe] C:\WINDOWS\system32\mszk32.exe
O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
O4 - HKLM\..\Run: [winhv32.exe] C:\WINDOWS\system32\winhv32.exe
O4 - HKLM\..\Run: [d3xl.exe] C:\WINDOWS\system32\d3xl.exe
O4 - HKLM\..\Run: [winyg.exe] C:\WINDOWS\system32\winyg.exe
O4 - HKLM\..\Run: [atlgb32.exe] C:\WINDOWS\atlgb32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [addkx.exe] C:\WINDOWS\system32\addkx.exe
O4 - HKLM\..\Run: [appzy32.exe] C:\WINDOWS\appzy32.exe
O4 - HKLM\..\RunOnce: [d3tf.exe] C:\WINDOWS\system32\d3tf.exe
O4 - HKLM\..\RunOnce: [addno.exe] C:\WINDOWS\system32\addno.exe
O4 - HKLM\..\RunOnce: [javaja32.exe] C:\WINDOWS\system32\javaja32.exe
O4 - HKLM\..\RunOnce: [appvo.exe] C:\WINDOWS\appvo.exe
O4 - HKLM\..\RunOnce: [atlde32.exe] C:\WINDOWS\system32\atlde32.exe
O4 - HKLM\..\RunOnce: [mfcdu32.exe] C:\WINDOWS\system32\mfcdu32.exe
O4 - HKLM\..\RunOnce: [sdkmn32.exe] C:\WINDOWS\sdkmn32.exe
O4 - HKLM\..\RunOnce: [addmv.exe] C:\WINDOWS\system32\addmv.exe
O4 - HKLM\..\RunOnce: [ieqz.exe] C:\WINDOWS\ieqz.exe
O4 - HKLM\..\RunOnce: [mfcgw32.exe] C:\WINDOWS\system32\mfcgw32.exe
O4 - HKLM\..\RunOnce: [iped.exe] C:\WINDOWS\system32\iped.exe
O4 - HKLM\..\RunOnce: [crah32.exe] C:\WINDOWS\crah32.exe
O4 - HKLM\..\RunOnce: [sdkeb32.exe] C:\WINDOWS\system32\sdkeb32.exe
O4 - HKLM\..\RunOnce: [javalj32.exe] C:\WINDOWS\system32\javalj32.exe
O4 - HKLM\..\RunOnce: [apiqv.exe] C:\WINDOWS\system32\apiqv.exe
O4 - HKLM\..\RunOnce: [appuz32.exe] C:\WINDOWS\appuz32.exe
O4 - HKLM\..\RunOnce: [msif.exe] C:\WINDOWS\msif.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...Install_se.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} - http://advnt01.com/dialer/internazionale_ver15.CAB
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager...etOpPlugin.ocx
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/si...Install_se.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3tf.exe" /s (file missing)
The following step is important as you may have several malware files in your temp directories.
Browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files and folders in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files; make sure you get all offline content as well.
Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.
Run Ewido
Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Now reboot, run HijackThis again and post a fresh log along with the AboutBuster log and the Ewido log.
Result
Files attached:
exe files and dll files with a size of 0 KB are still remaining in the system,
as I mentioned earlier.
You need to disable Ewido as mentioned in the Ewido instructions I posted.
=====
Could you go to Start > Control Panel > Add/Remove Programs and uninstall 'Window Search', 'Window Searching', 'Window Active' 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done.
If none of the above are listed, run the Lop Remover from:
http://66.220.17.157/help.html
=====
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!
=====
Please post the following:
C:\rapport.txt
New HijackThis log
Scan done at 8:53:46,51, 2006-08-01
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\luke\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\luke\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of HijackThis v1.99.1
Scan saved at 08:40:06, on 2006-08-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program\ewido anti-spyware 4.0\guard.exe
C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\Program\Scansoft\PaperPort\pptd40nt.exe
C:\Program\Creative\ShareDLL\CtNotify.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\PANICW~1\POP-UP~1\PSFree.exe
C:\Program\Creative\ShareDLL\Mediadet.exe
C:\Program\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\Program\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\Program\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program\ewido anti-spyware 4.0\ewido.exe
C:\hijackthis_199\HijackThis.exe
O2 - BHO: Class - {F247658E-481B-CA46-2F1D-F487A19A8EF1} - C:\WINDOWS\system32\nethu.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program\Delade filer\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: SmartUI.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ladda ner Alla med NetXfer - C:\Program\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Ladda ner med NetXfer - C:\Program\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - http://www.cult3d.com/newuser/index.html
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://F:\CDVIEWER\CdViewer.cab
O23 - Service: Client de licence CA (CA_LIC_CLNT) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Serveur de licence CA (CA_LIC_SRVR) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
You need to get an Anti-Virus & Firewall. Choose one from below - they are Free!
AV
Nod32
AVG Free Edition
AntiVir
avast! 4 Home Edition
Firewall
Zone Alarm << I recommend this
Sunbelt Kerio PF
Outpost Firewall
=====
Did you turn Ewido inactive as asked before? If so, please try closing Ewido from the system tray, by right-clicking and selecting Exit.
This needs to be done so Ewido does not interfere with the fix.
=====
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O2 - BHO: Class - {F247658E-481B-CA46-2F1D-F487A19A8EF1} - C:\WINDOWS\system32\nethu.dll (file missing)
O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
- Close ALL open windows (especially Internet Explorer!)
Click Fix Checked
=====
Now, we need to view hidden files and folders:
Next, find and delete the following, if present:
C:\WINDOWS\sdkkv.exe << this file
C:\WINDOWS\system32\mfcel32.exe << this file
C:\Program\MyWebSearch << this folder
C:\Program Files\SpySheriff << this folder
=====
Download ATF (Atribune Temp File) Cleaner© by Atribune to your Desktop.
Double-click ATF Cleaner.exe
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu
=====
Please run this online scan:
Panda ActiveScan
- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log
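The entries the helper picks out above (a BHO marked "(file missing)", Run values such as [sdkkv.exe] that are named after their own executable, and a service with no publisher) can be pulled out of a HijackThis log automatically. The following Python script is an added example written for this page; it is not HijackThis code and not part of the thread. It parses O2, O4 and O23 lines into records and returns a review list. The heuristics are assumptions modelled on what the helper chose to fix, and they only produce a list for a person to look at: ctfmon.exe, a normal Windows component, matches the "named after its own executable" rule too, and the MyWebSearch startup entry is not caught at all. The sample log is constructed from lines quoted in this thread, with the service display name "(NSS)" standing in as a placeholder for the garbled name in the original log.

```python
"""Triage helper for HijackThis log lines (added example; not HijackThis code).

Parses O2 (BHO), O4 (autostart) and O23 (service) lines into records and
returns a review list based on simple heuristics. The heuristics are the
editor's assumptions, modelled on the entries the helper chose to fix in
this thread; they yield a list for a human to review, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on lines quoted in this thread. The service
# display name "(NSS)" is a placeholder for the garbled name in the real log.
SAMPLE_LOG = r"""
O2 - BHO: Class - {F247658E-481B-CA46-2F1D-F487A19A8EF1} - C:\WINDOWS\system32\nethu.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
O4 - HKLM\..\RunOnce: [appuz32.exe] C:\WINDOWS\appuz32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\d3tf.exe" /s (file missing)
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
"""

MISSING = "(file missing)"  # suffix HijackThis appends when the file is not on disk


@dataclass
class HjtEntry:
    section: str                 # "O2", "O4" or "O23"
    key: str                     # e.g. "HKLM\..\Run", "Global Startup", "BHO", "Service"
    name: str                    # value name, shortcut name, BHO name or service display name
    target: str                  # command line / path as HijackThis printed it
    file_missing: bool           # True when "(file missing)" was present
    owner: Optional[str] = None  # O23 only: publisher column


O4_VALUE_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<target>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<key>[^:]*Startup): (?P<name>.+?) = (?P<target>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$")
# First executable in a command line: a quoted path, or text up to the first
# executable-looking extension (best effort, enough for the lines above).
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|cpl|ocx|scr)))', re.IGNORECASE)
# A file directly under the Windows directory, not in a subfolder such as system32.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def _strip_missing(target: str) -> Tuple[str, bool]:
    target = target.strip()
    if target.endswith(MISSING):
        return target[: -len(MISSING)].strip(), True
    return target, False


def parse_hjt(log: str) -> List[HjtEntry]:
    """Turn O2/O4/O23 lines into records; other lines are ignored."""
    entries: List[HjtEntry] = []
    for line in log.splitlines():
        line = line.strip()
        if m := O4_VALUE_RE.match(line) or O4_STARTUP_RE.match(line):
            target, missing = _strip_missing(m.group("target"))
            entries.append(HjtEntry("O4", m.group("key"), m.group("name"), target, missing))
        elif m := O2_RE.match(line):
            target, missing = _strip_missing(m.group("target"))
            entries.append(HjtEntry("O2", "BHO", m.group("name"), target, missing))
        elif m := O23_RE.match(line):
            target, missing = _strip_missing(m.group("target"))
            entries.append(HjtEntry("O23", "Service", m.group("name"), target, missing,
                                    owner=m.group("owner").strip()))
    return entries


def exe_path(target: str) -> str:
    """Best-effort extraction of the executable path from a command line."""
    m = EXE_RE.match(target)
    if not m:
        return target
    return m.group("q") or m.group("u")


def review(entries: List[HjtEntry]) -> List[Tuple[str, HjtEntry]]:
    """Apply the (assumed) heuristics; an entry may be listed under several reasons."""
    findings: List[Tuple[str, HjtEntry]] = []
    for e in entries:
        path = exe_path(e.target)
        base = path.rsplit("\\", 1)[-1]
        if e.file_missing:
            findings.append(("registered file is missing from disk", e))
        if e.section == "O23" and (e.owner or "").lower() == "unknown owner":
            findings.append(("service has no publisher", e))
        if e.section == "O4" and e.name.lower() == base.lower():
            findings.append(("run value named after its own executable", e))
        if e.section == "O4" and WINDOWS_ROOT_RE.match(path):
            findings.append(("executable sits directly in the Windows directory", e))
    return findings


def summarize(log: str) -> Dict[str, List[str]]:
    """Map each review reason to the sorted names of the entries it hit."""
    out: Dict[str, List[str]] = {}
    for reason, e in review(parse_hjt(log)):
        out.setdefault(reason, []).append(e.name)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for reason, e in review(parse_hjt(SAMPLE_LOG)):
        print(f"[{e.section}] {reason}: {e.name} -> {e.target}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents. The output is a starting point for the kind of manual selection shown above, not a fix list: the name-based rule also hits ctfmon.exe, and adware identified by its name rather than its placement, such as the MyWebSearch shortcut, needs a human reader.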
Thank You so Much !
We have eliminated a lot of files, including some empty files.
From the beginning of this thread, I mentioned a lot of EMPTY FILES.
These files still exist, although some are gone.
Please, would you explain in short how these are created and whether I should eliminate all of them? For the time being, I have isolated a bunch of them, and the system is stable.
I used ZONE ALARM before, even purchased it! But it pops up every second
if you move a file, even locally!
I learned your birthday was yesterday, which I did not see in time.
In any way, Happy Birthday! NEVER TOO LATE! And thank you, I learnt
a lot!
Scan saved at 14:35:04, on 2006-08-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\Program\Scansoft\PaperPort\pptd40nt.exe
C:\Program\Creative\ShareDLL\CtNotify.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
C:\Program\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\PANICW~1\POP-UP~1\PSFree.exe
C:\Program\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\Program\ewido anti-spyware 4.0\guard.exe
C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\TABROTEX OFFICE\TABROTEX.exe
C:\hijackthis_199\HijackThis.exe
O2 - BHO: Class - {F247658E-481B-CA46-2F1D-F487A19A8EF1} - C:\WINDOWS\system32\nethu.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program\Delade filer\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: SmartUI.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ladda ner Alla med NetXfer - C:\Program\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Ladda ner med NetXfer - C:\Program\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - http://www.cult3d.com/newuser/index.html
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://F:\CDVIEWER\CdViewer.cab
O23 - Service: Client de licence CA (CA_LIC_CLNT) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Serveur de licence CA (CA_LIC_SRVR) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
You got infected because you didn't have any protection i.e. no Anti-Virus or Firewall, and you still don't. Please download one of each as mentioned in my previous post. You can try Zone Alarm again to see if you still have the same problem, otherwise choose another Firewall.
If you could list the files that are remaining and post them here, that would be great.
Please run the Panda ActiveScan, posting the log and a new HijackThis log please.
Ok ... we will wait for the correct date!
Since the beginning, I learned a lot and got acquainted with software ..
But I did not get my answer about "Empty dlls".
I hope I may get it this time ...
Attached is a bunch of empty files which I generated from the Windows directory,
Panda's report and the HijackThis log.
Please rename HijackThis.exe to HJT.exe and post a new log.
I'm going away now for a week. I will be unable to help you until I get back. I hope you can wait.