JAVA & TROJ pests

I visited the Trend site for a virus scan which uncovered some pests:

JAVA...
BYTEVER.A
BYTEVER.A-1

TROJAN...
STILEN.A

I then ran AdAware, followed by Spybot S & D, followed by SpywareBlaster, followed by running AVG anti-virus, then returned to the Trend site only to find the pests still there. I then ran a Belarc audit so you guys'll know ALL there is to know about my machine. What follows is the Belarc audit, then the HiJackThis log.


This is a Belarc Advisor audit of my system:




--------------------------------------------------------------------------------

The license associated with the Belarc Advisor product allows for free personal use only. Use on multiple PCs in a corporate, educational, military or government installation is prohibited. See the license agreement for details. The information on this page was created locally on your PC by the Belarc Advisor. Your computer profile was not sent to a web server. Click here for more info.

--------------------------------------------------------------------------------


About Belarc

PC Management Products

Your Privacy



In page Links:

Installed Hotfixes

Software Licenses

Software Versions



Computer Profile Summary
Computer Name: Na-lfcwddk1htv9 (in WORKGROUP)
Profile Date: Wednesday, June 16, 2004 10:26:52 PM
Advisor Version: 6.1
Windows Logon: na


Click here for Belarc's PC Management products, for large and small companies.

Operating System System Model
Windows 2000 Professional Service Pack 4 (build 2195) Intel Corporation Whitney System CR Board Revision A0
Processor a Main Circuit Board b
567 megahertz Intel Celeron
32 kilobyte primary memory cache
128 kilobyte secondary memory cache Board: Intel Corporation Whitney System CR Platform
BIOS: Phoenix Technologies LTD 6.00 08/29/2001
Drives Memory Modules c,d
6.49 Gigabytes Usable Hard Drive Capacity
3.06 Gigabytes Hard Drive Free Space

ATAPI COMBO48XMAX [CD-ROM drive]
3.5" format removeable media [Floppy drive]

QUANTUM BIGFOOT_CY6480A [Hard drive] (6.50 GB) -- drive 0, s/n 166764921676, rev A03.0800, SMART Status: Healthy 128 Megabytes Installed Memory

Slot 'M1' has 128 MB
Slot 'M2' is Empty
Local Drive Volumes

c: (on drive 0) 6.49 GB 3.06 GB free

Network Drives


Users Printers
local user accounts last logon
na 6/16/2004 5:34:50 PM (admin)
local system accounts
admin1 never (admin)
Administrator 5/17/2004 9:19:58 PM (admin)
Guest never


Marks a disabled account; Marks a locked account CAPTURE FAX BVRP on NUL:
HP DeskJet 722C on LPT1:
Lexmark X1100 Series on USB001

Controllers Display
Standard floppy disk controller
Intel(r) 82801AA Bus Master IDE Controller
Primary IDE Channel [Controller]
Secondary IDE Channel [Controller] Intel Corporation 810 Graphics Controller Hub [Display adapter]
GATEWAY EV700 [Monitor] (16.1"vis, October 1997)
Bus Adapters Multimedia
Intel(r) 82801AA USB Universal Host Controller AC'97 Driver for Intel(r) 82801AA Controller
MPU-401 Compatible MIDI Device
Standard Game Port
Communications Other Devices
ADMtek AN983 10/100Mbps Fast Ethernet Adapter
Network Card MAC Address: 00:00:E8:12:BC:CD
Network IP Address: 64.254.216.134 / 24 Dual-Mode DSC(2770)
Lexmark X1100 Series
Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Microsoft PS/2 Port Mouse (IntelliPoint)
Generic USB Hub
Generic USB Hub
USB Printing Support
USB Root Hub
Virus Protection
No AntiVirus details available
Installed Microsoft Hotfixes [Back to Top]
DataAccess
Q329414-25 on 3/20/2004 (details...)
Q832483 on 3/20/2004 (details...)
Internet Explorer
Q330994 (details...)
Q832894 (details...)
SP1 (SP1)
Windows 2000
SP2
KB833330 on 3/20/2004 (details...)
SP4
Q327194[SP] on 3/20/2004 (details...)
SP5
KB329115 on 3/20/2004 (details...)
KB820888 on 3/20/2004 (details...)
KB822831 on 3/20/2004 (details...)
KB823182 on 3/20/2004 (details...)
Windows 2000
SP5 (continued)
KB823559 on 3/20/2004 (details...)
KB824105 on 3/20/2004 (details...)
KB824141 on 3/20/2004 (details...)
KB824146 on 3/20/2004 (details...)
KB825119 on 3/20/2004 (details...)
KB826232 on 3/20/2004 (details...)
KB828028 on 3/20/2004 (details...)
KB828035 on 3/20/2004 (details...)
KB828749 on 3/20/2004 (details...)
KB829558 on 3/20/2004 (details...)
Q818043 on 3/20/2004 (details...)
Windows Media Player
WM819639 (details...)
SP0
Q828026 on 3/20/2004 (details...) Reinstall!



Click here to see all available Microsoft security hotfixes for this computer.

Marks a HotFix that verifies correctly
Marks a HotFix that fails verification
(note that failing hotfixes need to be reinstalled)
Unmarked HotFixes lack the data to allow verification

Software Licenses [Back to Top]

Microsoft - IntelliPoint 11111-111-1111111-11111
Microsoft - Internet Explorer 55736-355-7993545-04348 (Key: R2D43-3DHG9-DQ79W-W3DXQ-929DY)
Microsoft - MediaPlayer 69808-520-8044282-04673
Microsoft - WebFldrs 12345-111-1111111-18200
Microsoft - Windows 2000 Professional 51873-270-7738296-09607 (Key: HB9CF-JTKJF-722HV-VPBRF-9VKVM)

Software Versions [Back to Top]
ABBYY (BIT Software) - FineReader Version 5.0.0.482 (private) *
Adobe Acrobat Version 4.05 *
Agnitum - Outpost Firewall Version 1.0 *
Ahead Software AG Karlsbad Germany Phone: +49-7248-911-800 Fax: +49-7248-911-888 e-mail: info@nero.com - LANGUAGE_English2 Version 5, 5, 10, 45 *
Ahead Software AG - InCD Version 4, 0, 1, 18 *
Ahead Software AG - InfoTool Application Version 1, 0, 3, 3 *
Ahead Software AG - Nero CD Speed Application Version 1, 0, 2, 1 *
Ahead Software Gmbh NeroCheck Version 1, 0, 0, 2 *
ahead software gmbh, karlsbad - Cover Designer Version 2, 2, 1, 11 *
AHEAD Software incdsrv Version 4, 0, 1, 18 *
ArcSoft Inc. - Multimedia Email Version 3.0.0.29 *
ArcSoft Inc. - PhotoPrinter 2000Pro Version 3, 0, 100, 5 *
ArcSoft PhotoStudio Version 4, 1, 0, 0 *
ArcSoft PhotoStudio Version 4,3,0,24 *
AvatarSoft - Back2zip Version 1.0.0.0 *
AvatarSoft - JustZIPit Version 1.0.0.0 *
Belarc, Inc. - BelManage Client Version 6.1 *
BVRP Software - FaxTools Version 1.00 *
Caere Corporation - OmniPage Pro Version 9.0 *
CANON INC. - ScanGear Toolbox CS Application Version 2.2.0 *
Cinematronics - 3D Pinball Version 5.00.2134.1 *
crwl.exe *
CyberLink Corp. - CLDMA Version 1, 0, 0, 2502 *
CyberLink Corp. - PowerDVD Version 5.00.0711 *
d3ux.exe *
Decoder Configuration Utility *
DivX Player *
dvdplay Application Version 1, 0, 0, 1 *
Eastman Software, Inc., A Kodak Business - Imaging for Windows® Version 5.00.2138.1 *
Erik Deppe - DriveSpeed Version 1, 6, 1, 0 *
Gabest - Media Player Classic Version 6, 4, 8, 2 *
GRISOFT s.r.o - AVG6 Version 6.0.1.696 *
GRISOFT s.r.o. - AVG Anti-Virus System Version 6, 0, 0, 0 *
GRISOFT(c) SOFTWARE - AVG Anti-Virus System Version 6, 0, 0, 0 *
GRISOFT, s.r.o. - AVG Anti-Virus System Version 6, 0, 0, 0 *
Inkjet Printer Version 1.0.0.0 *
Inno Setup *
Java Web Start *
javaw.exe *
Lavasoft Ad-aware Plus Version 6.0.0.0 *
Lexmark International Inc. - AIO exe Version 2.0.2.2 *
Lexmark International, Inc. - Button Manager Executable Version 0.1.1.1 *
Lexmark International, Inc. - MarkVision for Windows (32 bit) Version 8.29 * Lexmark Photo Editor Version 0.1.1.1 *
Logitech QuickCam Version 5.2.0.2099 *
mfckt.exe *
Microsoft (r) Windows Script Host Version 5.6.0.6626 *
Microsoft Corporation - Internet Explorer Version 6.00.2800.1106 *
Microsoft Corporation - Messenger Version 6.1 *
Microsoft Corporation - Windows Installer - Unicode Version 2.0.2600.1183 *
Microsoft Corporation - Windows Journal Viewer Version 1.5.2315.3 *
Microsoft Corporation - Windows® NetMeeting® Version 3.01 *
Microsoft Data Access Components Version 3.525.1022.0 *
Microsoft Pointing Device Software Version 3.10.0393 *
Microsoft PowerPoint Viewer for Windows Version 8.0 *
Microsoft Windows Media Player Version 6.4.09.1125 *
Microsoft® NetShow Version 2.0.0.912 *
Mozilla - Firefox Personal *
Mozilla.org - Thunderbird Version 1.7: 2004050210 *
NEATO - MediaFACE Version 3, 0, 0, 0 *
Network Security Service *
PCCam *
PepiMK Software - Spybot - Search & Destroy Version 1, 3, 0, 12 *
PhotoBase 2.0 *
Remove the DivX Bundle *
Remove the DivX Codec *
Remove the DivX Player *
Safer Networking Limited - SpyBot-S&D Version 1, 3, 0, 12 *
Script Defender *
Shoot The Messenger, by Steve Gibson Version 1.0 *
Shortcut to hjsplit.exe Version 1.0.0.0 *
Shortcut to sdefendi.exe *
Soeperman Enterprises Ltd. - HijackThis Version 1.97.0007 *
SpywareBlaster AutoUpdate Version 3.01 *
SpywareBlaster Version 3.01 *
Stop StartupMonitor *
SunJavaUpdateSched *
Symantec Corporation - LiveUpdate Version 1.62.17.0 *
Symantec Corporation - Norton Utilities for Windows Version 14.00.0.28 *
Symantec Corporation - Norton Utilities Version 14.00.0.28 *
UpdateIPR.exe *
USB DSC Version 1, 7, 2, 8 *
Viewer.exe *
Virtos GmbH - WaveEdit DLL Version 1, 0, 5, 0 *
wmplayer.exe *
Yahoo! Messenger Version 5, 6, 0, 1358 *

--------------------------------------------------------------------------------

* Click to see where software is installed.
a. Megahertz measurement may be inaccurate if other programs were busy during last analysis.
b. Data may be transferred on the bus at one, two, or four times the Bus Clock rate.
c. Memory slot contents may not add up to Installed Memory if some memory is not recognized by Windows.
d. Memory slot contents is reported by the motherboard BIOS. Contact system vendor if slot contents are wrong.
e. This may be the manufacturer's factory installed product key rather than yours.
Copyright 2000-4, Belarc, Inc. All rights reserved.
Legal notice. U.S. Patents 6085229, 5665951 and Patents pending.

--------------------------------------------------------------------------------




Logfile of HijackThis v1.97.7
Scan saved at 10:12:23 PM, on 6/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\StartupMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\d3ux.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\ieua.exe
C:\WINNT\netmk.exe
C:\Documents and Settings\na\My Documents\Flix\HijackThis.exe

O2 - BHO: (no name) - {3E68846A-B6CA-BDA8-E434-82EC1BEE2FC5} - C:\WINNT\system32\netlw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [crwl.exe] C:\WINNT\system32\crwl.exe
O4 - HKLM\..\Run: [mfckt.exe] C:\WINNT\system32\mfckt.exe
O4 - HKLM\..\Run: [d3ux.exe] C:\WINNT\system32\d3ux.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17c72f8587c4d72b0e23/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.3549768519
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

You guys are ! And I'm you're available to those of us who are \strike{computer dumbasses} technically challenged . Thanks

 

Hi jimmj43,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {3E68846A-B6CA-BDA8-E434-82EC1BEE2FC5} - C:\WINNT\system32\netlw32.dll

O4 - HKLM\..\Run: [crwl.exe] C:\WINNT\system32\crwl.exe
O4 - HKLM\..\Run: [mfckt.exe] C:\WINNT\system32\mfckt.exe
O4 - HKLM\..\Run: [d3ux.exe] C:\WINNT\system32\d3ux.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17c72f8587c4d72b0e23/netzip/RdxIE601.cab

Then reboot into safe mode and delete:
C:\WINNT\system32\crwl.exe
C:\WINNT\system32\mfckt.exe
C:\WINNT\system32\d3ux.exe

Post a new log when you are done, so we can see if everything worked out as planned.

Regards,

Pieter

 

My apologies.... I neglected to mention that I am a \strike{certifiable} certified Computer Dumbass.

After following the HijackThis instructions I was able to reboot into safe mode.
Unfortunately, I was faced with 2 options to proceed - one said something about command prompts so I selected that one. Tsk, tsk,.... I had NO idea what do do from there!

Accordingly, I'm back for more detailed instructions. Please include the specifics with respect to HOW one goes about deleting stuff in safe mode.

Thanks.

Again, sorry I failed to alert you to my level of ignorance.

 

Maybe it's not necessary to do that.
Can you post a new HijackThis log?

Regards,

Pieter

 

It's necessary.

My homepage got re-hijacked and I continue getting a popup window asking me if I want a certain file to execute. If images can be posted here, I'll do a printscreen save the next time it pops up, then convert it to a jpg with a civilized filesize.

It just poped up, courtesy of my Startup Monitor program. I doubt you'll need the image.

"The program crwl.exe has registered the executable C:\WINNT\System32\crwl.exe to run at startup. Do you wish to allow this change?"

I click "no", but that same popup will return again and again.

 

I will need to see a fresh HijackThis log in order to help you.

Regards,

Pieter

 

Here's the latest HijackThis log - mere minutes old:

Logfile of HijackThis v1.97.7
Scan saved at 10:12:23 PM, on 6/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\StartupMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\d3ux.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\ieua.exe
C:\WINNT\netmk.exe
C:\Documents and Settings\na\My Documents\Flix\HijackThis.exe

O2 - BHO: (no name) - {3E68846A-B6CA-BDA8-E434-82EC1BEE2FC5} - C:\WINNT\system32\netlw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [crwl.exe] C:\WINNT\system32\crwl.exe
O4 - HKLM\..\Run: [mfckt.exe] C:\WINNT\system32\mfckt.exe
O4 - HKLM\..\Run: [d3ux.exe] C:\WINNT\system32\d3ux.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17c72f8587c4d72b0e23/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.3549768519
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

 

Hi jimmj43,

Bring up TaskManager (Ctrl-Alt-Del) and stop these processes:
C:\WINNT\system32\d3ux.exe
C:\WINNT\ieua.exe
C:\WINNT\netmk.exe

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
O2 - BHO: (no name) - {3E68846A-B6CA-BDA8-E434-82EC1BEE2FC5} - C:\WINNT\system32\netlw32.dll

O4 - HKLM\..\Run: [crwl.exe] C:\WINNT\system32\crwl.exe
O4 - HKLM\..\Run: [mfckt.exe] C:\WINNT\system32\mfckt.exe
O4 - HKLM\..\Run: [d3ux.exe] C:\WINNT\system32\d3ux.exe

Then surf to http://www.kaspersky.com/scanforvirus
and have C:\WINNT\system32\d3ux.exe checked there. Let me know the results.

Regards,

Pieter

 

Upon bringing up the Task Manager, only the irau.exe was shown. After twice attempting to shut it down, the results were the same: "The opera could not be completed. Access denied."

The HijackThis scan did not display the [mfckt.exe] or the [3dux.exe].

The visit to the virus scan site appears to have been unproductive. I entered:
C:\WINNT\system32\d3ux.exe
into the browse window twice with the same result --> a new, blank browse window.

 

"opera" = operation

That lousy popup interrupted my typing and I couldn't figure out how to get in and edit/correct.

 

Either the file is hiding:
To "unhide" hidden files and folders:
Launch My Computer from the Desktop Icon.
Select View, Details.
Select the Folders button.
Select Tools, Folder Options. Then select the View Tab. Select the Show hidden files and folders radio button is selected
and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
Like Current Folder (located near the top of the Folder Options box). Then select OK.

Or it is name changing: Post a new HijackThis log.

Regards,

Pieter

 

Following your instructions with respect to opening "My Computer", no changes were necessary since the existing settings complies with your instructions.

Here's the latest HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:18:54 AM, on 6/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\ieua.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\StartupMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Documents and Settings\na\My Documents\regprot\regprot.exe
C:\WINNT\System32\crwl.exe
C:\Documents and Settings\na\My Documents\Flix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epuxp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://epuxp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://epuxp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
O2 - BHO: (no name) - {938F6D91-A9B6-716B-ADA4-3BD801E94290} - C:\WINNT\system32\ntkt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.3549768519
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

 

OK This is my last attempt for today.
If it does not work I posted general instructions here:
https://www.wilderssecurity.com/showthread.php?p=198412#post198412

Click Start > Run > Services.msc > OK
In the services window find Network Security Service.
Rightclick and stop it. Put the Startup type to disabled under Properties > General tab

Then open TaskManager and stop these two processes:
C:\WINNT\ieua.exe
C:\WINNT\System32\crwl.exe

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epuxp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://epuxp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://epuxp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\epuxp.dll/sp.html#37049
O2 - BHO: (no name) - {938F6D91-A9B6-716B-ADA4-3BD801E94290} - C:\WINNT\system32\ntkt.dll

Then reboot into safe mode and delete:
C:\WINNT\ieua.exe
C:\WINNT\System32\crwl.exe
C:\WINNT\system32\ntkt.dat
C:\WINNT\system32\epuxp.dll

Regards,

Pieter

 

Pieter, I sincerely appreciate your patience. Thank you!

I'll do as you suggested and report back...

Thanks again,

Jim