Browser being hijack. Log attached.

Discussion in 'adware, spyware & hijack cleaning' started by Advam, Jun 15, 2004.

Thread Status:
Not open for further replies.
  1. Advam

    Advam Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    5
    I've done Ad-aware, Spy Bot, and CWShredder and this thing will not go away. Please advise how to get this thing off my computer. Thanks in advance.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:49:49 PM, on 6/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\d3as32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\crie.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ziogs.dll/sp.html#795634017
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ziogs.dll/sp.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ziogs.dll/index.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ziogs.dll/sp.html#795634017
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {8C5CCFEB-D80B-9087-AE97-C7343DA6EFDD} - C:\WINDOWS\system32\crux32.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [d3as32.exe] C:\WINDOWS\d3as32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.kdscomputers.com
    O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29f254f00836d319a019/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38150.4411111111
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{198E2EAC-5E84-419D-8A89-3A4822302CB7}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{198E2EAC-5E84-419D-8A89-3A4822302CB7}: NameServer = 66.82.4.8
     
    Advam, Jun 15, 2004
    #1
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Advam,

    Bring up TaskManager and kill these processes:
    C:\WINDOWS\d3as32.exe
    C:\WINDOWS\crie.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ziogs.dll/sp.html#795634017

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ziogs.dll/sp.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ziogs.dll/index.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ziogs.dll/sp.html#795634017

    O2 - BHO: (no name) - {8C5CCFEB-D80B-9087-AE97-C7343DA6EFDD} - C:\WINDOWS\system32\crux32.dll

    O4 - HKLM\..\Run: [d3as32.exe] C:\WINDOWS\d3as32.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29f254f00836d319a019/netzip/RdxIE601.cab

    Then reboot into safe mode and rename:
    C:\WINDOWS\d3as32.exe to d3as32.bak
    C:\WINDOWS\crie.exe to crie.bak and check the date it was created.
    Do a Find Files for anything that was created around the same time.
    Let me know if you find something interesting

    And delete C:\WINDOWS\ziogs.dll

    Regards,

    Pieter
     
    Pieter_Arntz, Jun 16, 2004
    #2
  3. Advam

    Advam Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    5
    I think I messed up. When I changed the file names in safe mode, I did not "view" the entire file name with the extension before renaming. I rebooted and still have the bug....only with a different name....tunnv.dll

    I renamed the file names as first suggested, but seems to be too late.

    Also found efckbm.exe that was created on the same date as crie.exe

    New hijack log...

    Logfile of HijackThis v1.97.7
    Scan saved at 7:12:17 AM, on 6/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ippe.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\netak32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tunnv.dll/sp.html#795634017
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tunnv.dll/sp.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tunnv.dll/index.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tunnv.dll/sp.html#795634017
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D8786BEA-9AC4-2630-C771-3AF0D8E83958} - C:\WINDOWS\system32\addwn32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [netak32.exe] C:\WINDOWS\netak32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.kdscomputers.com
    O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38150.4411111111
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{198E2EAC-5E84-419D-8A89-3A4822302CB7}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{198E2EAC-5E84-419D-8A89-3A4822302CB7}: NameServer = 66.82.4.8

    Thank you for your help and patience.
     
    Advam, Jun 16, 2004
    #3
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Advam,

    What patience? LOL
    This one is pretty new, so I am still trying out a bit to find the easiest way to get rid of it.
    Can you mail that efckbm.exe to the address in my profile (preferably zipped up)

    Close all IE windows and stop these processes:
    C:\WINDOWS\system32\ippe.exe
    C:\WINDOWS\netak32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tunnv.dll/sp.html#795634017

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tunnv.dll/sp.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tunnv.dll/index.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tunnv.dll/sp.html#795634017

    O2 - BHO: (no name) - {D8786BEA-9AC4-2630-C771-3AF0D8E83958} - C:\WINDOWS\system32\addwn32.dll

    O4 - HKLM\..\Run: [netak32.exe] C:\WINDOWS\netak32.exe

    Then reboot into safe mode into safe mode and delete:
    C:\WINDOWS\netak32.exe
    C:\WINDOWS\system32\ippe.exe
    C:\WINDOWS\system32\tunnv.dll

    Regards,

    Pieter
     
    Pieter_Arntz, Jun 16, 2004
    #4
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Thanks for the file.

    efckbm.exe - packed with UPX
    efckbm.exe - infected by TrojanDownloader.Win32.Agent.z
     
    Pieter_Arntz, Jun 16, 2004
    #5
  6. Advam

    Advam Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    5
    My head is spinning. Did what you advised, but did not see c:\windows\system32\ippe.exe in task manager. However, I still got the bug but with a different name. Imagine what these people who created these bugs could accomplish if they put their knowledge to something more useful.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:30:40 PM, on 6/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\ieax.exe
    C:\WINDOWS\msrn32.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mqzbr.dll/sp.html#795634017
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mqzbr.dll/sp.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mqzbr.dll/index.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mqzbr.dll/sp.html#795634017
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {46E12037-4A39-43D9-3B76-14AD3F253732} - C:\WINDOWS\system32\wingj32.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wingj32.exe] C:\WINDOWS\system32\wingj32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKLM\..\RunOnce: [ieax.exe] C:\WINDOWS\ieax.exe
    O4 - HKLM\..\RunOnce: [addhl32.exe] C:\WINDOWS\addhl32.exe
    O4 - HKLM\..\RunOnce: [mfcul32.exe] C:\WINDOWS\mfcul32.exe
    O4 - HKLM\..\RunOnce: [sdkpo32.exe] C:\WINDOWS\sdkpo32.exe
    O4 - HKLM\..\RunOnce: [msdw.exe] C:\WINDOWS\system32\msdw.exe
    O4 - HKLM\..\RunOnce: [ntmd32.exe] C:\WINDOWS\system32\ntmd32.exe
    O4 - HKLM\..\RunOnce: [mfclo.exe] C:\WINDOWS\mfclo.exe
    O4 - HKLM\..\RunOnce: [ipbi32.exe] C:\WINDOWS\ipbi32.exe
    O4 - HKLM\..\RunOnce: [mfcjh32.exe] C:\WINDOWS\mfcjh32.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\8.00.0017\PKTray.exe
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.kdscomputers.com
    O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38150.4411111111
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{198E2EAC-5E84-419D-8A89-3A4822302CB7}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{198E2EAC-5E84-419D-8A89-3A4822302CB7}: NameServer = 66.82.4.8

    Our family has separate user accounts. Is this keeping us infected?

    Thanks.
     
    Advam, Jun 16, 2004
    #6
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Advam,

    [rant mode on]
    I think that from his point of view he is doing something useful with his skills.
    He used to write trojans for fun, now he writes spyware and gets paid for making other peoples live miserable. [/calmed down a bit]

    I will need a current HijackThis log from you. So please post one when you are back on. I will make sure I get notified when you post back.

    Regards,

    Pieter
     
    Pieter_Arntz, Jun 17, 2004
    #7
  8. Advam

    Advam Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    5
    Current log as requested....

    Logfile of HijackThis v1.97.7
    Scan saved at 5:50:05 AM, on 6/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\ieax.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\DIRECWAY\bin\DPCNAV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HijackThis.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\wingj32.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhtzy.dll/sp.html#795634017
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zwddd.dll/index.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zwddd.dll/sp.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zwddd.dll/index.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zwddd.dll/sp.html#795634017
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {8CA0C19A-072F-E5BB-47B2-C2B1F0E69C3B} - C:\WINDOWS\system32\apiun.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wingj32.exe] C:\WINDOWS\system32\wingj32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKLM\..\RunOnce: [ieax.exe] C:\WINDOWS\ieax.exe
    O4 - HKLM\..\RunOnce: [addhl32.exe] C:\WINDOWS\addhl32.exe
    O4 - HKLM\..\RunOnce: [mfcul32.exe] C:\WINDOWS\mfcul32.exe
    O4 - HKLM\..\RunOnce: [sdkpo32.exe] C:\WINDOWS\sdkpo32.exe
    O4 - HKLM\..\RunOnce: [msdw.exe] C:\WINDOWS\system32\msdw.exe
    O4 - HKLM\..\RunOnce: [ntmd32.exe] C:\WINDOWS\system32\ntmd32.exe
    O4 - HKLM\..\RunOnce: [mfclo.exe] C:\WINDOWS\mfclo.exe
    O4 - HKLM\..\RunOnce: [ipbi32.exe] C:\WINDOWS\ipbi32.exe
    O4 - HKLM\..\RunOnce: [mfcjh32.exe] C:\WINDOWS\mfcjh32.exe
    O4 - HKLM\..\RunOnce: [ntff32.exe] C:\WINDOWS\ntff32.exe
    O4 - HKLM\..\RunOnce: [ntzj32.exe] C:\WINDOWS\ntzj32.exe
    O4 - HKLM\..\RunOnce: [d3uj32.exe] C:\WINDOWS\system32\d3uj32.exe
    O4 - HKLM\..\RunOnce: [winbp.exe] C:\WINDOWS\system32\winbp.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.kdscomputers.com
    O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38150.4411111111
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{198E2EAC-5E84-419D-8A89-3A4822302CB7}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{198E2EAC-5E84-419D-8A89-3A4822302CB7}: NameServer = 66.82.4.8

    Advam
     
    Advam, Jun 17, 2004
    #8
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Advam,

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Rightclick and stop it. Put the Startup type to disabled under Properties > General tab

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\ieax.exe
    C:\WINDOWS\system32\wingj32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhtzy.dll/sp.html#795634017

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zwddd.dll/index.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zwddd.dll/sp.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zwddd.dll/index.html#795634017
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zwddd.dll/sp.html#795634017

    O2 - BHO: (no name) - {8CA0C19A-072F-E5BB-47B2-C2B1F0E69C3B} - C:\WINDOWS\system32\apiun.dll

    O4 - HKLM\..\Run: [wingj32.exe] C:\WINDOWS\system32\wingj32.exe
    O4 - HKLM\..\RunOnce: [ieax.exe] C:\WINDOWS\ieax.exe
    O4 - HKLM\..\RunOnce: [addhl32.exe] C:\WINDOWS\addhl32.exe
    O4 - HKLM\..\RunOnce: [mfcul32.exe] C:\WINDOWS\mfcul32.exe
    O4 - HKLM\..\RunOnce: [sdkpo32.exe] C:\WINDOWS\sdkpo32.exe
    O4 - HKLM\..\RunOnce: [msdw.exe] C:\WINDOWS\system32\msdw.exe
    O4 - HKLM\..\RunOnce: [ntmd32.exe] C:\WINDOWS\system32\ntmd32.exe
    O4 - HKLM\..\RunOnce: [mfclo.exe] C:\WINDOWS\mfclo.exe
    O4 - HKLM\..\RunOnce: [ipbi32.exe] C:\WINDOWS\ipbi32.exe
    O4 - HKLM\..\RunOnce: [mfcjh32.exe] C:\WINDOWS\mfcjh32.exe
    O4 - HKLM\..\RunOnce: [ntff32.exe] C:\WINDOWS\ntff32.exe
    O4 - HKLM\..\RunOnce: [ntzj32.exe] C:\WINDOWS\ntzj32.exe
    O4 - HKLM\..\RunOnce: [d3uj32.exe] C:\WINDOWS\system32\d3uj32.exe
    O4 - HKLM\..\RunOnce: [winbp.exe] C:\WINDOWS\system32\winbp.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\ieax.exe
    C:\WINDOWS\system32\wingj32.exe
    C:\WINDOWS\system32\apiun.dat
    C:\WINDOWS\zwddd.dll

    Regards,

    Pieter
     
    Pieter_Arntz, Jun 17, 2004
    #9
  10. Advam

    Advam Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    5
    :D :D :D
    Looks like I'm disfected. Thanks from our whole family. My kids can down safely surf.....for a little while at least.

    Your help was greatly appreciated.

    Advam
     
    Advam, Jun 18, 2004
    #10
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Pieter_Arntz, Jun 18, 2004
    #11
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...