Empty dlls

edited August 2006 in Spyware & Virus Removal
Recently my web browser was jacked, and I cured the problem immediately.

I found so many empty DLLs and EXEs in the Windows directory ...

such as: mssy32.dll, netlm.dll, jpgs.dll ...

almost 700 of them .... What are these empty DLLs and EXEs?

Is it safe to remove them?

I would appreciate an answer from anyone.

I am new to fighting spyware problems.

Thank you.
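The question above, which the thread never quite answers, is how to find the empty DLLs and EXEs and what to do with them. The Python script below is an added example (not posted in the thread and not part of HijackThis or any other tool mentioned here) that walks a directory tree, reports every zero-byte .dll/.exe, and moves them to a quarantine folder rather than deleting them, so the step is reversible if one of them turns out to be a legitimate placeholder. It builds a throwaway sample tree in a temporary directory with the file names from the post so it runs anywhere; on a real machine you would point `find_empty_binaries` at the Windows directory. The file names and tree layout are constructed for the example.

```python
"""Find zero-byte .dll/.exe files under a directory and quarantine them.

Added example. The sample tree and its file names are constructed; point
find_empty_binaries() at a real Windows directory to use it for real.
"""
import shutil
import tempfile
from pathlib import Path

BINARY_SUFFIXES = {".dll", ".exe"}


def find_empty_binaries(root):
    """Return a sorted list of zero-byte .dll/.exe paths under root."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if (path.is_file()
                    and path.suffix.lower() in BINARY_SUFFIXES
                    and path.stat().st_size == 0):
                hits.append(path)
        except OSError:
            continue  # unreadable entry: skip it rather than abort the walk
    return sorted(hits)


def quarantine(paths, quarantine_dir):
    """Move files into quarantine_dir instead of deleting them.

    Names are flattened and made collision-safe. Returns a dict mapping the
    original path to the new one, so the move can be undone.
    """
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    moved = {}
    for src in paths:
        dest = qdir / src.name
        n = 1
        while dest.exists():
            dest = qdir / f"{src.name}.{n}"
            n += 1
        shutil.move(str(src), str(dest))
        moved[str(src)] = str(dest)
    return moved


def build_sample_tree(base):
    """Constructed sample: a fake WINDOWS tree with empty and non-empty binaries."""
    base = Path(base)
    sys32 = base / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    for name in ("mssy32.dll", "netlm.dll", "jpgs.dll"):  # names from the post
        (sys32 / name).touch()                            # zero bytes
    (base / "WINDOWS" / "sdkkv.exe").touch()              # zero bytes, one level up
    (sys32 / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 62)  # non-empty: keep
    (sys32 / "readme.txt").touch()                        # empty but not a binary
    return base


def demo():
    """Run the scan and quarantine on the constructed tree.

    Returns (names found, number moved, what is left after quarantine).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        hits = find_empty_binaries(root / "WINDOWS")
        names = [p.name for p in hits]
        moved = quarantine(hits, root / "quarantine")
        remaining = find_empty_binaries(root / "WINDOWS")
        return names, len(moved), remaining


if __name__ == "__main__":
    found, count, left = demo()
    print(f"empty binaries: {found}; quarantined: {count}; remaining: {left}")
```

Quarantining rather than deleting follows the caution Trogan gives later in the thread about not letting a tool fix things blindly: an empty file in system32 may be harmless, and moving it lets you restore it if something breaks.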

Comments

  • Necropolis, Hawarden, Wales, Icrontian
    edited July 2006
    Moved to SVT
  • Trogan, London, UK
    edited July 2006
    Hi luket,

    Can you post a HijackThis log please:

    Click here to download HJTsetup.exe
    Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    • Copy and paste the log here
    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
  • edited July 2006
    Below is the log generated by HijackThis .....
    I removed ipir.exe and some other files ....

    But there are empty DLLs .... remove all or not?
    I removed about 20 of them to test ....

    Now my system is stable!

    ***************************

    Logfile of HijackThis v1.99.1
    Scan saved at 15:12:14, on 2006-07-31
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\CNYHKey.exe
    C:\WINDOWS\Dit.exe
    C:\Program\Scansoft\PaperPort\pptd40nt.exe
    C:\Program\Creative\ShareDLL\CtNotify.exe
    C:\Program\Creative\ShareDLL\Mediadet.exe
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\crev32.exe
    C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program\Internet Explorer\iexplore.exe
    c:\program\intern~1\iexplore.exe
    C:\Program\Sony Ericsson\Mobile\audevicemgr.exe
    C:\Program\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
    C:\Program\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\CapMan.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
    C:\Program\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
    C:\Program\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
    C:\Program\Dangerous\browser.exe
    C:\Program\TABROTEX OFFICE\TABROTEX.exe
    C:\WINDOWS\system32\notepad.exe
    C:\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {DCA47654-4A8F-4E15-3395-EB24B27E676B} - C:\WINDOWS\system32\sysmu32.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] "C:\Program\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\system32\syswp.exe
    O4 - HKLM\..\Run: [winib.exe] C:\WINDOWS\system32\winib.exe
    O4 - HKLM\..\Run: [msnp.exe] C:\WINDOWS\msnp.exe
    O4 - HKLM\..\Run: [apiyr32.exe] C:\WINDOWS\system32\apiyr32.exe
    O4 - HKLM\..\Run: [mszk32.exe] C:\WINDOWS\system32\mszk32.exe
    O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
    O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [winhv32.exe] C:\WINDOWS\system32\winhv32.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program\Delade filer\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [d3xl.exe] C:\WINDOWS\system32\d3xl.exe
    O4 - HKLM\..\Run: [winyg.exe] C:\WINDOWS\system32\winyg.exe
    O4 - HKLM\..\Run: [atlgb32.exe] C:\WINDOWS\atlgb32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - HKLM\..\Run: [addkx.exe] C:\WINDOWS\system32\addkx.exe
    O4 - HKLM\..\Run: [bits title okay funk] C:\Documents and Settings\All Users\Application Data\Meet defy bits title\shim poll.exe
    O4 - HKLM\..\Run: [crev32.exe] C:\WINDOWS\system32\crev32.exe
    O4 - HKLM\..\RunOnce: [d3tf.exe] C:\WINDOWS\system32\d3tf.exe
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program\Free Download Manager\fdm.exe -autorun
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: Phone Connection Monitor.lnk = ?
    O4 - Global Startup: SmartUI.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Ladda ner Alla med NetXfer - C:\Program\Xi\NetXfer\NXAddList.html
    O8 - Extra context menu item: Ladda ner med NetXfer - C:\Program\Xi\NetXfer\NXAddLink.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - (no file)
    O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - http://www.cult3d.com/newuser/index.html
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_se.cab
    O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
    O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} - http://advnt01.com/dialer/internazionale_ver15.CAB
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_se.cab
    O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://F:\CDVIEWER\CdViewer.cab
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3tf.exe" /s (file missing)
    O23 - Service: Client de licence CA (CA_LIC_CLNT) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: Serveur de licence CA (CA_LIC_SRVR) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe

    ********************end
  • Trogan, London, UK
    edited July 2006
    You have a nasty CWS infection, but before we fix that, can you post one more log for me please.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button. It will open a Notepad file.
    • Copy & paste the entire contents of that file in your next post.
  • edited July 2006
    Ad-Aware SE Personal
    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Acrobat and Reader 6.0.3 Update
    Adobe Acrobat and Reader 6.0.4 Update
    Adobe Acrobat and Reader 6.0.5 Update
    Adobe Reader 6.0.1 - Svenska
    ATI Control Panel
    ATI Display Driver
    avsSuitePack Millenium 1.0
    Brother MFC Software Suite
    Burn My Files
    CDMenuPro V4
    Clean My Registry v2.1
    C-Media WDM Audio Driver
    Creative Jukebox Driver
    Disk Washer
    elitemediagroup
    eTrust Antivirus Registration
    HighMAT-tillägg till Microsoft Windows XP-guiden Skriv till CD-skiva
    HijackThis 1.99.1
    Home Search Assistent
    Home Cinema
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2
    Macromedia Flash Player 8
    Magic ISO Maker v5.3 (build 0199)
    Medion Flash XL 2.0
    Microsoft Office XP Professional med FrontPage
    Microsoft Windows Media Video 9 VCM
    Microsoft Works 7.0
    MSN Messenger 6.2
    MUSICMATCH® Jukebox
    Nero Media Player
    Nero OEM
    NeroVision Express 2
    Netscape Navigator
    NetXfer 2.01.305
    New.net Domains 7.22
    NOMAD Jukebox Zen (USB2.0)
    PaperPort 8.0 SE
    PC Suite for P800 1.1.0
    Pic Cutter 3.0
    Pop-Up Stopper Free Edition
    PowerDVD
    PowerProducer
    RealPlayer
    SciTE4Autoit3 6/26/2006
    Search Extender
    Smart Manager
    SP2 Connection Patcher
    TABROTEX OFFICE 1.02
    The Off By One Web Browser
    USB Wireless Keyboard Driver
    W83L518D
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Säkerhetskopiering
    Windows XP Service Pack 2
    WinRAR archiver
    WordAndWeb
    XoftSpy
    Yahoo! Toolbar
  • Trogan, London, UK
    edited July 2006
    OK...

    Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

    elitemediagroup
    Java 2 Runtime Environment, SE v1.4.2
    New.net Domains 7.22
    The Off By One Web Browser


    Reboot and post a new HijackThis log.
  • edited July 2006
    Logfile of HijackThis v1.99.1
    Scan saved at 16:42:54, on 2006-07-31
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\appzy32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\CNYHKey.exe
    C:\WINDOWS\Dit.exe
    C:\Program\Scansoft\PaperPort\pptd40nt.exe
    C:\Program\Creative\ShareDLL\CtNotify.exe
    C:\Program\Creative\ShareDLL\Mediadet.exe
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\PANICW~1\POP-UP~1\PSFree.exe
    c:\program\intern~1\iexplore.exe
    C:\Program\Sony Ericsson\Mobile\audevicemgr.exe
    C:\Program\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
    C:\Program\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\CapMan.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
    C:\Program\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
    C:\Program\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
    C:\Program\Dangerous\browser.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {DCA47654-4A8F-4E15-3395-EB24B27E676B} - C:\WINDOWS\system32\sysmu32.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] "C:\Program\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\system32\syswp.exe
    O4 - HKLM\..\Run: [winib.exe] C:\WINDOWS\system32\winib.exe
    O4 - HKLM\..\Run: [msnp.exe] C:\WINDOWS\msnp.exe
    O4 - HKLM\..\Run: [apiyr32.exe] C:\WINDOWS\system32\apiyr32.exe
    O4 - HKLM\..\Run: [mszk32.exe] C:\WINDOWS\system32\mszk32.exe
    O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
    O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [winhv32.exe] C:\WINDOWS\system32\winhv32.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program\Delade filer\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [d3xl.exe] C:\WINDOWS\system32\d3xl.exe
    O4 - HKLM\..\Run: [winyg.exe] C:\WINDOWS\system32\winyg.exe
    O4 - HKLM\..\Run: [atlgb32.exe] C:\WINDOWS\atlgb32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - HKLM\..\Run: [addkx.exe] C:\WINDOWS\system32\addkx.exe
    O4 - HKLM\..\Run: [bits title okay funk] C:\Documents and Settings\All Users\Application Data\Meet defy bits title\shim poll.exe
    O4 - HKLM\..\Run: [appzy32.exe] C:\WINDOWS\appzy32.exe
    O4 - HKLM\..\RunOnce: [d3tf.exe] C:\WINDOWS\system32\d3tf.exe
    O4 - HKLM\..\RunOnce: [addno.exe] C:\WINDOWS\system32\addno.exe
    O4 - HKLM\..\RunOnce: [javaja32.exe] C:\WINDOWS\system32\javaja32.exe
    O4 - HKLM\..\RunOnce: [appvo.exe] C:\WINDOWS\appvo.exe
    O4 - HKLM\..\RunOnce: [atlde32.exe] C:\WINDOWS\system32\atlde32.exe
    O4 - HKLM\..\RunOnce: [mfcdu32.exe] C:\WINDOWS\system32\mfcdu32.exe
    O4 - HKLM\..\RunOnce: [sdkmn32.exe] C:\WINDOWS\sdkmn32.exe
    O4 - HKLM\..\RunOnce: [addmv.exe] C:\WINDOWS\system32\addmv.exe
    O4 - HKLM\..\RunOnce: [ieqz.exe] C:\WINDOWS\ieqz.exe
    O4 - HKLM\..\RunOnce: [mfcgw32.exe] C:\WINDOWS\system32\mfcgw32.exe
    O4 - HKLM\..\RunOnce: [iped.exe] C:\WINDOWS\system32\iped.exe
    O4 - HKLM\..\RunOnce: [crah32.exe] C:\WINDOWS\crah32.exe
    O4 - HKLM\..\RunOnce: [sdkeb32.exe] C:\WINDOWS\system32\sdkeb32.exe
    O4 - HKLM\..\RunOnce: [javalj32.exe] C:\WINDOWS\system32\javalj32.exe
    O4 - HKLM\..\RunOnce: [apiqv.exe] C:\WINDOWS\system32\apiqv.exe
    O4 - HKLM\..\RunOnce: [appuz32.exe] C:\WINDOWS\appuz32.exe
    O4 - HKLM\..\RunOnce: [msif.exe] C:\WINDOWS\msif.exe
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
    O4 - HKCU\..\Run: [PLATFORMBORE] C:\DOCUME~1\ahmed\APPLIC~1\INTERN~1\trans logo.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program\Free Download Manager\fdm.exe -autorun
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: Phone Connection Monitor.lnk = ?
    O4 - Global Startup: SmartUI.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Ladda ner Alla med NetXfer - C:\Program\Xi\NetXfer\NXAddList.html
    O8 - Extra context menu item: Ladda ner med NetXfer - C:\Program\Xi\NetXfer\NXAddLink.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - http://www.cult3d.com/newuser/index.html
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_se.cab
    O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
    O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} - http://advnt01.com/dialer/internazionale_ver15.CAB
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_se.cab
    O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://F:\CDVIEWER\CdViewer.cab
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3tf.exe" /s (file missing)
    O23 - Service: Client de licence CA (CA_LIC_CLNT) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: Serveur de licence CA (CA_LIC_SRVR) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
  • Trogan, London, UK
    edited July 2006
    You may want to print out these instructions for easy reference, as the internet will not be available for most parts!

    Let's begin!

    First of all I need you to download some programs for use later.

    Download this file and unzip it to your desktop

    Download About:Buster from here. Once it is downloaded, extract it to c:\aboutbuster and check for updates. Do NOT use it yet.

    Download CWShredder from here, install it, check for updates but again, don't use it yet.

    Download Ewido to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install Ewido by double clicking the installer.
    • Follow the prompts. Make sure that Launch Ewido is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
        Note: If the Update now option is grayed out, follow the steps below.
        • Click on Update on the toolbar.
        • Under Manual update, click on the Start Update button.
        • Wait until you see the Update successful message.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

    Ensure hidden files and folders are set to show;
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
    Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK

    Scroll down and find the service called Network Security Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

    Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.

    Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE!

    While in safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

    Then Open CWShredder that you downloaded in the first step. Close all browser windows and click on the Fix button.

    Bring up Task Manager (Ctrl-Alt-Del) and end these processes if they are present:

    appzy32.exe
    apiyr32.exe
    syswp.exe
    winib.exe
    msnp.exe
    mszk32.exe
    sdkkv.exe
    mfcel32.exe
    winhv32.exe
    d3xl.exe
    winyg.exe
    atlgb32.exe
    susp.exe
    addkx.exe
    appzy32.exe
    d3tf.exe
    addno.exe
    javaja32.exe
    appvo.exe
    atlde32.exe
    mfcdu32.exe
    sdkmn32.exe
    addmv.exe
    ieqz.exe
    mfcgw32.exe
    iped.exe
    crah32.exe
    sdkeb32.exe
    javalj32.exe
    apiqv.exe
    appuz32.exe
    msif.exe


    Now find and delete these files. If you can't find one, don't worry, just move on to the next one.

    C:\WINDOWS\system32\rjphf.dll
    C:\WINDOWS\system32\sysmu32.dll
    C:\WINDOWS\system32\syswp.exe
    C:\WINDOWS\system32\winib.exe
    C:\WINDOWS\system32\apiyr32.exe
    C:\WINDOWS\system32\mszk32.exe
    C:\WINDOWS\system32\mfcel32.exe
    C:\WINDOWS\system32\winhv32.exe
    C:\WINDOWS\system32\d3xl.exe
    C:\WINDOWS\system32\winyg.exe
    C:\WINDOWS\system32\susp.exe
    C:\WINDOWS\system32\addkx.exe
    C:\WINDOWS\system32\d3tf.exe
    C:\WINDOWS\system32\addno.exe
    C:\WINDOWS\system32\javaja32.exe
    C:\WINDOWS\system32\atlde32.exe
    C:\WINDOWS\system32\mfcdu32.exe
    C:\WINDOWS\system32\addmv.exe
    C:\WINDOWS\system32\mfcgw32.exe
    C:\WINDOWS\system32\iped.exe
    C:\WINDOWS\system32\sdkeb32.exe
    C:\WINDOWS\system32\javalj32.exe
    C:\WINDOWS\system32\apiqv.exe
    C:\WINDOWS\msnp.exe
    C:\WINDOWS\sdkkv.exe
    C:\WINDOWS\atlgb32.exe
    C:\WINDOWS\appzy32.exe
    C:\WINDOWS\appvo.exe
    C:\WINDOWS\sdkmn32.exe
    C:\WINDOWS\ieqz.exe
    C:\WINDOWS\crah32.exe
    C:\WINDOWS\appuz32.exe
    C:\WINDOWS\msif.exe


    Now run HijackThis and click the Scan button. When it has finished scanning, put a check against the following and click 'Fix checked':

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {DCA47654-4A8F-4E15-3395-EB24B27E676B} - C:\WINDOWS\system32\sysmu32.dll

    O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\system32\syswp.exe
    O4 - HKLM\..\Run: [winib.exe] C:\WINDOWS\system32\winib.exe
    O4 - HKLM\..\Run: [msnp.exe] C:\WINDOWS\msnp.exe
    O4 - HKLM\..\Run: [apiyr32.exe] C:\WINDOWS\system32\apiyr32.exe
    O4 - HKLM\..\Run: [mszk32.exe] C:\WINDOWS\system32\mszk32.exe
    O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
    O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
    O4 - HKLM\..\Run: [winhv32.exe] C:\WINDOWS\system32\winhv32.exe
    O4 - HKLM\..\Run: [d3xl.exe] C:\WINDOWS\system32\d3xl.exe
    O4 - HKLM\..\Run: [winyg.exe] C:\WINDOWS\system32\winyg.exe
    O4 - HKLM\..\Run: [atlgb32.exe] C:\WINDOWS\atlgb32.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - HKLM\..\Run: [addkx.exe] C:\WINDOWS\system32\addkx.exe
    O4 - HKLM\..\Run: [appzy32.exe] C:\WINDOWS\appzy32.exe
    O4 - HKLM\..\RunOnce: [d3tf.exe] C:\WINDOWS\system32\d3tf.exe
    O4 - HKLM\..\RunOnce: [addno.exe] C:\WINDOWS\system32\addno.exe
    O4 - HKLM\..\RunOnce: [javaja32.exe] C:\WINDOWS\system32\javaja32.exe
    O4 - HKLM\..\RunOnce: [appvo.exe] C:\WINDOWS\appvo.exe
    O4 - HKLM\..\RunOnce: [atlde32.exe] C:\WINDOWS\system32\atlde32.exe
    O4 - HKLM\..\RunOnce: [mfcdu32.exe] C:\WINDOWS\system32\mfcdu32.exe
    O4 - HKLM\..\RunOnce: [sdkmn32.exe] C:\WINDOWS\sdkmn32.exe
    O4 - HKLM\..\RunOnce: [addmv.exe] C:\WINDOWS\system32\addmv.exe
    O4 - HKLM\..\RunOnce: [ieqz.exe] C:\WINDOWS\ieqz.exe
    O4 - HKLM\..\RunOnce: [mfcgw32.exe] C:\WINDOWS\system32\mfcgw32.exe
    O4 - HKLM\..\RunOnce: [iped.exe] C:\WINDOWS\system32\iped.exe
    O4 - HKLM\..\RunOnce: [crah32.exe] C:\WINDOWS\crah32.exe
    O4 - HKLM\..\RunOnce: [sdkeb32.exe] C:\WINDOWS\system32\sdkeb32.exe
    O4 - HKLM\..\RunOnce: [javalj32.exe] C:\WINDOWS\system32\javalj32.exe
    O4 - HKLM\..\RunOnce: [apiqv.exe] C:\WINDOWS\system32\apiqv.exe
    O4 - HKLM\..\RunOnce: [appuz32.exe] C:\WINDOWS\appuz32.exe
    O4 - HKLM\..\RunOnce: [msif.exe] C:\WINDOWS\msif.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE

    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...Install_se.cab
    O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
    O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} - http://advnt01.com/dialer/internazionale_ver15.CAB
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager...etOpPlugin.ocx
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/si...Install_se.cab

    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3tf.exe" /s (file missing)


    The following step is important as you may have several malware files in your temp directories.

    Browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it.

    Then browse to the C:\Window\Temp folder and delete all files and folders in it.

    Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

    Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

    Run Ewido
    Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
      • Click on the Scan tab.
      • Click on Complete System Scan to start the scan process.
      • Let the program scan the machine.
      • When the scan has finished, follow the instructions below.
      IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
      • When done, click the Save Scan Report button.
        • Click the Save Report as button.
        • Save the report to your Desktop.
      • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.


      Now reboot, run HijackThis again and post a fresh log along with the About:Buster log and the Ewido log. :)
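    Added here as a defender's aid, not part of the thread or of HijackThis: the script below parses the R0/R1, O2, O4, O16 and O23 line formats shown in the log above and flags the patterns this fix acted on (res:// search-page hijack, BHO or service whose file is missing, Run keys named after a bare executable in C:\WINDOWS or system32, ActiveX controls from dialer sites). The heuristics, the KNOWN_WINDOWS_AUTORUNS allowlist and the sample lines are this example's own assumptions; it only reads log text and lists entries for review.

```python
"""Triage of HijackThis v1.99 log lines (example code, not a HijackThis feature).

Flags the patterns the fix above acted on: IE search pages redirected to a res://
resource in a local DLL, BHOs/services with a missing file or a generic name, Run
keys named after a bare executable in the Windows or system32 directory, and
ActiveX (O16) controls pulled from dialer sites.
"""
import re
from dataclasses import dataclass

HIGH, REVIEW = "HIGH", "REVIEW"
# Windows' own system32 autoruns; a short allowlist assumed by this example, extend from a trusted list.
KNOWN_WINDOWS_AUTORUNS = {"ctfmon.exe"}
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\win(?:dows|nt)(?:\\system32)?$")

# One regex per log section we care about; the format is that of the log above.
RE_R = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>.+)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$", re.I)
RE_O4 = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-F-]+)\}"
                    r"(?: \((?P<friendly>[^)]*)\))? - (?P<url>\S+)$", re.I)
RE_O23 = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - "
                    r"(?P<cmd>.+?)(?P<missing> \(file missing\))?$")

# Constructed sample: the hijacked lines are copied from the thread's logs, the
# benign ones are made up, and the garbled service name is shortened to ASCII.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjphf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DCA47654-4A8F-4E15-3395-EB24B27E676B} - C:\WINDOWS\system32\sysmu32.dll
O2 - BHO: Class - {F247658E-481B-CA46-2F1D-F487A19A8EF1} - C:\WINDOWS\system32\nethu.dll (file missing)
O4 - HKLM\..\Run: [syswp.exe] C:\WINDOWS\system32\syswp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunOnce: [msif.exe] C:\WINDOWS\msif.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
O23 - Service: Network Security Service (garbled name) - Unknown owner - C:\WINDOWS\system32\d3tf.exe" /s (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
"""


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def _first_exe(cmd: str) -> str:
    cmd = cmd.strip()  # quoted path, else the first whitespace-separated token
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _check_autorun(m, line):
    folder, _, fname = _first_exe(m["cmd"]).lower().rpartition("\\")
    if not WINDOWS_DIR_RE.match(folder) or fname in KNOWN_WINDOWS_AUTORUNS:
        return None
    if m["name"].lower() == fname:  # shape of every O4 entry the fix removed
        return Finding("O4", HIGH, f"{m['key']} key named after a bare executable in {folder}", line)
    return Finding("O4", REVIEW, f"autorun launched directly from {folder}", line)


def _check_line(line):
    if line.startswith("R3 - ") and "is missing" in line:
        return Finding("R3", REVIEW, "default URLSearchHook has been removed", line)
    if m := RE_R.match(line):
        if m["url"].lower().startswith("res://"):
            return Finding("R", HIGH, f"{m['value']} redirected into a local DLL resource", line)
    elif m := RE_O2.match(line):
        if m["missing"]:
            return Finding("O2", REVIEW, "BHO registered but its file is missing", line)
        if m["name"].strip().lower() in {"", "class", "(no name)"}:
            return Finding("O2", REVIEW, f"BHO with a generic name loads {m['path']}", line)
    elif m := RE_O4.match(line):
        return _check_autorun(m, line)
    elif m := RE_O16.match(line):
        severity = HIGH if "dialer" in m["url"].lower() else REVIEW
        return Finding("O16", severity, f"downloaded ActiveX control from {m['url']}", line)
    elif m := RE_O23.match(line):
        if m["missing"]:
            return Finding("O23", HIGH, f"service {m['svc']!r} points at a missing file", line)
        if m["owner"] == "Unknown owner":
            return Finding("O23", REVIEW, f"service {m['svc']!r} has no known owner", line)
    return None


def triage(log_text: str) -> list:
    """One Finding per suspicious line, in log order; clean lines are skipped."""
    return [f for f in (_check_line(raw.strip()) for raw in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```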
  • edited July 2006
    Result
    Files attached:

    exe files and dll files with a size of 0 KB are still remaining in the system,
    as I mentioned earlier.
  • TroganTrogan London, UK
    edited July 2006
    There is still some work to do, but it's looking better.

    You need to disable Ewido as mentioned in the Ewido instructions I posted.
    • Open Ewido and on the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Close Ewido

    =====

    Could you go to Start > Control Panel > Add/Remove Programs and uninstall 'Window Search', 'Window Searching', 'Window Active' 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done.

    If none of the above are listed, run the Lop Remover from:
    http://66.220.17.157/help.html

    =====

    Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    IMPORTANT: Do NOT run any other options until you are asked to do so!

    =====

    Please post the following:

    C:\rapport.txt
    New HijackThis log
  • edited August 2006
    SmitFraudFix v2.76

    Scan done at 8:53:46,51, 2006-08-01
    Run from C:\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\luke\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\luke\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End






    Logfile of HijackThis v1.99.1
    Scan saved at 08:40:06, on 2006-08-01
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program\ewido anti-spyware 4.0\guard.exe
    C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\CNYHKey.exe
    C:\WINDOWS\Dit.exe
    C:\Program\Scansoft\PaperPort\pptd40nt.exe
    C:\Program\Creative\ShareDLL\CtNotify.exe
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program\Creative\ShareDLL\Mediadet.exe
    C:\Program\Sony Ericsson\Mobile\audevicemgr.exe
    C:\Program\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
    C:\Program\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\CapMan.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
    C:\Program\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
    C:\Program\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program\ewido anti-spyware 4.0\ewido.exe
    C:\hijackthis_199\HijackThis.exe

    O2 - BHO: Class - {F247658E-481B-CA46-2F1D-F487A19A8EF1} - C:\WINDOWS\system32\nethu.dll (file missing)
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] "C:\Program\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
    O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program\Delade filer\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program\Free Download Manager\fdm.exe -autorun
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: Phone Connection Monitor.lnk = ?
    O4 - Global Startup: SmartUI.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Ladda ner Alla med NetXfer - C:\Program\Xi\NetXfer\NXAddList.html
    O8 - Extra context menu item: Ladda ner med NetXfer - C:\Program\Xi\NetXfer\NXAddLink.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - http://www.cult3d.com/newuser/index.html
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
    O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://F:\CDVIEWER\CdViewer.cab
    O23 - Service: Client de licence CA (CA_LIC_CLNT) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: Serveur de licence CA (CA_LIC_SRVR) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
  • TroganTrogan London, UK
    edited August 2006
    Good Job!

    You need to get an Anti-Virus & Firewall. Choose one from below - they are Free!

    AV
    Nod32
    AVG Free Edition
    AntiVir
    avast! 4 Home Edition

    Firewall
    Zone Alarm << I recommend this
    Sunbelt Kerio PF
    Outpost Firewall

    =====

    Did you turn Ewido inactive as asked before? If so, please try closing Ewido from the system tray, by right-clicking and selecting Exit.

    This needs to be done so Ewido does not interfere with the fix.

    =====

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: Class - {F247658E-481B-CA46-2F1D-F487A19A8EF1} - C:\WINDOWS\system32\nethu.dll (file missing)

    O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
    O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE


    - Close ALL open windows (especially Internet Explorer!)
    Click Fix Checked

    =====

    Now, we need to view hidden files and folders:
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Next, find and delete the following, if present:

    C:\WINDOWS\sdkkv.exe << this file
    C:\WINDOWS\system32\mfcel32.exe << this file
    C:\Program\MyWebSearch << this folder
    C:\Program Files\SpySheriff << this folder


    =====

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your Desktop.

    Double-click ATF Cleaner.exe
    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Double-click ATF Cleaner.exe
    Under Main choose: Select All
    Click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu

    =====

    Please run this online scan:

    Panda ActiveScan

    - Once you are on the Panda site, click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report, along with a new HijackThis Log
  • edited August 2006
    Thank you so much!
    We have eliminated a lot of files.
  • TroganTrogan London, UK
    edited August 2006
    Will you be following my instructions? You still need to remove those bad HijackThis entries...
  • edited August 2006

    =====

    Please run this online scan:

    Panda ActiveScan

    - Once you are on the Panda site, click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report, along with a new HijackThis Log




    Thank you so much!
    We have eliminated a lot of files, including some empty files.

    From the beginning of this thread, I mentioned a lot of EMPTY FILES.
    These files still exist, although some are gone.

    Please, would you explain in short how these are created and whether I can eliminate all of them? For the time being, I have isolated a bunch of them, and the system is stable.

    I used ZONE ALARM before, even purchased it! But it pops up every second
    if you move a file, even locally!

    I learned your birthday was yesterday, which I did not see in time.

    In any way: Happy Birthday! NEVER TOO LATE! And thank you, I learnt
    a lot!




    Scan saved at 14:35:04, on 2006-08-01
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\CNYHKey.exe
    C:\WINDOWS\Dit.exe
    C:\Program\Scansoft\PaperPort\pptd40nt.exe
    C:\Program\Creative\ShareDLL\CtNotify.exe
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
    C:\Program\Creative\ShareDLL\Mediadet.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program\Sony Ericsson\Mobile\audevicemgr.exe
    C:\Program\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
    C:\Program\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\CapMan.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
    C:\Program\ewido anti-spyware 4.0\guard.exe
    C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program\TABROTEX OFFICE\TABROTEX.exe
    C:\hijackthis_199\HijackThis.exe

    O2 - BHO: Class - {F247658E-481B-CA46-2F1D-F487A19A8EF1} - C:\WINDOWS\system32\nethu.dll (file missing)
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] "C:\Program\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program\Delade filer\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program\Free Download Manager\fdm.exe -autorun
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Phone Connection Monitor.lnk = ?
    O4 - Global Startup: SmartUI.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Ladda ner Alla med NetXfer - C:\Program\Xi\NetXfer\NXAddList.html
    O8 - Extra context menu item: Ladda ner med NetXfer - C:\Program\Xi\NetXfer\NXAddLink.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - http://www.cult3d.com/newuser/index.html
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
    O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://F:\CDVIEWER\CdViewer.cab
    O23 - Service: Client de licence CA (CA_LIC_CLNT) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: Serveur de licence CA (CA_LIC_SRVR) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program\CA\SharedComponents\CA_LIC\LogWatNT.exe
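    The helper's procedure above (check the O2/O4 entries in HijackThis, then find and delete the files they point to) and luket's question about the zero-byte DLLs can both be checked with a script. The following is an added example, not code from this thread or from HijackThis: it parses the O2/O4 lines quoted from the logs posted here, reports whether each autostart target is missing, zero bytes, or present, and separately lists every zero-byte .dll/.exe under a directory tree. Because it runs offline, build_sandbox, to_local, the constructed_empty.dll file and the fake NeroCheck.exe contents are assumptions that stand in for the C: drive; on the real machine you would pass the drive root instead and point find_empty_binaries at C:\WINDOWS.

```python
"""Cross-check HijackThis O2/O4 autostart entries against the files they point to,
and list zero-byte .dll/.exe files (the 'empty DLL' question in this thread).

Added example, not part of the thread. Runs offline against a constructed sandbox
that stands in for the C: drive.
"""
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample log: O2/O4 lines copied from the logs in this thread, plus the
# NeroFilterCheck entry from the last log as a known-good control.
SAMPLE_LOG = r"""
O2 - BHO: Class - {F247658E-481B-CA46-2F1D-F487A19A8EF1} - C:\WINDOWS\system32\nethu.dll (file missing)
O4 - HKLM\..\Run: [sdkkv.exe] C:\WINDOWS\sdkkv.exe
O4 - HKLM\..\Run: [mfcel32.exe] C:\WINDOWS\system32\mfcel32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
"""

# A drive-letter path inside an O2/O4 line: either quoted (may contain spaces),
# or an unquoted run of non-space characters ending in .exe/.dll.
PATH_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+?\.(?:exe|dll))(?=\s|$)', re.IGNORECASE)


def parse_hjt(log_text):
    """Return (section, label, path, flagged_missing) for every O2/O4 line."""
    entries = []
    for line in log_text.splitlines():
        m_sec = re.match(r'(O2|O4) - (.*)', line.strip())
        if not m_sec:
            continue
        section, rest = m_sec.groups()
        m_path = PATH_RE.search(rest)
        if not m_path:
            continue  # entries like '[CHotkey] mHotkey.exe' carry no directory
        path = m_path.group(1) or m_path.group(2)
        if section == 'O4':
            m_label = re.search(r'\[([^\]]+)\]|: ([^=]+\.lnk) =', rest)
            label = (m_label.group(1) or m_label.group(2)).strip() if m_label else rest
        else:
            label = rest.split(' - ')[0]  # 'BHO: Class'
        entries.append((section, label, path, '(file missing)' in rest))
    return entries


def to_local(win_path, root):
    """Map 'C:\\WINDOWS\\x.dll' onto <root>/WINDOWS/x.dll so the check runs anywhere."""
    return Path(root).joinpath(*PureWindowsPath(win_path).parts[1:])


def classify(win_path, root):
    """'missing', 'empty' (0 bytes: cannot be loaded as a PE image) or 'present'."""
    p = to_local(win_path, root)
    if not p.is_file():
        return 'missing'
    return 'empty' if p.stat().st_size == 0 else 'present'


def triage(log_text, root):
    """Path -> status for every autostart target named in the log."""
    return {path: classify(path, root) for _, _, path, _ in parse_hjt(log_text)}


def find_empty_binaries(root):
    """Relative paths of all zero-byte .dll/.exe files under root, sorted."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob('*')
        if p.is_file() and p.suffix.lower() in ('.dll', '.exe') and p.stat().st_size == 0)


def build_sandbox():
    """Constructed fake Windows tree (an assumption for the demo, not a real system)."""
    root = Path(tempfile.mkdtemp(prefix='hjt_demo_'))
    sys32 = root / 'WINDOWS' / 'system32'
    sys32.mkdir(parents=True)
    (root / 'WINDOWS' / 'sdkkv.exe').write_bytes(b'')        # 0-byte autostart target
    (sys32 / 'mfcel32.exe').write_bytes(b'')                   # 0-byte autostart target
    (sys32 / 'constructed_empty.dll').write_bytes(b'')         # 0-byte, no autostart entry
    (sys32 / 'NeroCheck.exe').write_bytes(b'MZ' + b'\0' * 62)  # stands in for a real binary
    # nethu.dll, realsched.exe and MWSOEMON.EXE are deliberately absent.
    return root


def report(log_text, root):
    """Human-readable lines: one per autostart entry, then every zero-byte binary on disk."""
    lines = []
    for section, label, path, flagged in parse_hjt(log_text):
        note = ' [HJT already says file missing]' if flagged else ''
        lines.append(f'{section} [{label}] {path} -> {classify(path, root)}{note}')
    for rel in find_empty_binaries(root):
        lines.append(f'zero-byte binary on disk: {rel}')
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOG, build_sandbox())))
```

A zero-byte target that still has a Run key or BHO entry is the combination worth acting on: the file cannot be loaded, so the only thing it still does is keep the registry pointer alive, which is exactly what the "Fix Checked" step above removes. Zero-byte files with no autostart entry at all (constructed_empty.dll here) are what luket is asking about, and this listing gives a concrete set of paths to post rather than a count.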
  • TroganTrogan London, UK
    edited August 2006
    My birthday was on the 22nd, but thank you! :)

    You got infected because you didn't have any protection i.e. no Anti-Virus or Firewall, and you still don't. Please download one of each as mentioned in my previous post. You can try Zone Alarm again to see if you still have the same problem, otherwise choose another Firewall.

    If you could list the files that are remaining and post them here, that would be great.

    Please run the Panda ActiveScan, posting the log and a new HijackThis log please. :)
  • edited August 2006
    I saw a congratulation somewhere. Maybe the same name...

    OK... we will wait for the correct date!

    Since the beginning, I learned a lot and got acquainted with software.

    But I did not get my answer about "Empty dlls".

    I hope I may get it this time...

    Attached: a bunch of empty files which I generated from the Windows directory,

    Panda's report and the HijackThis log.
  • TroganTrogan London, UK
    edited August 2006
    What do you mean by "Empty DLL's"?

    Please rename HijackThis.exe to HJT.exe and post a new log.
  • TroganTrogan London, UK
    edited August 2006
    Hi luket,

    I'm going away now for a week. I will be unable to help you until I get back. I hope you can wait. :)
This discussion has been closed.