Unsolved

799

October 2nd, 2005 17:00

Aboutblank infection: New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:56:01 PM, on 10/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\mfcnr.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\system32\sdkko.exe
C:\Documents and Settings\Eric\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1676763F-15C3-F5F2-9C0B-0631705661ED} - C:\WINDOWS\ntng32.dll
O2 - BHO: Class - {18F184D5-EC0A-4A95-FF5D-65F11A013D1B} - C:\WINDOWS\sysar.dll (file missing)
O2 - BHO: Class - {28A5E86A-BEB3-2A6B-44A8-08239C13BA8E} - C:\WINDOWS\nethi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {8D4D6EDD-3BE2-C07E-77E5-EE66F53997FC} - C:\WINDOWS\system32\d3sz.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {B2790597-DA3D-CB0A-4509-7597E0896D28} - C:\WINDOWS\javazz32.dll
O2 - BHO: Class - {B4B127D9-941C-DF50-6E09-19E9881B830A} - C:\WINDOWS\system32\winva32.dll
O2 - BHO: Class - {F509D80A-8460-C897-E7E2-CDE2D55C3BD9} - C:\WINDOWS\system32\ipoi32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [awqrtodw] C:\WINDOWS\system32\ptfabujb.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msqr.exe] C:\WINDOWS\system32\msqr.exe
O4 - HKLM\..\Run: [apijd32.exe] C:\WINDOWS\system32\apijd32.exe
O4 - HKLM\..\Run: [ntvx32.exe] C:\WINDOWS\ntvx32.exe
O4 - HKLM\..\Run: [addrm.exe] C:\WINDOWS\addrm.exe
O4 - HKLM\..\Run: [appzk.exe] C:\WINDOWS\appzk.exe
O4 - HKLM\..\Run: [mfcnr.exe] C:\WINDOWS\system32\mfcnr.exe
O4 - HKLM\..\Run: [netsk.exe] C:\WINDOWS\netsk.exe
O4 - HKLM\..\Run: [crfi32.exe] C:\WINDOWS\system32\crfi32.exe
O4 - HKLM\..\Run: [mssz.exe] C:\WINDOWS\mssz.exe
O4 - HKLM\..\Run: [mfcyp32.exe] C:\WINDOWS\system32\mfcyp32.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [ipww.exe] C:\WINDOWS\system32\ipww.exe
O4 - HKLM\..\Run: [apivu.exe] C:\WINDOWS\system32\apivu.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\F80T2XU9\MSCONFIG[1].EXE /auto
O4 - HKLM\..\RunOnce: [sdkko.exe] C:\WINDOWS\system32\sdkko.exe
O4 - HKLM\..\RunOnce: [sdkph32.exe] C:\WINDOWS\system32\sdkph32.exe
O4 - HKLM\..\RunOnce: [javacj.exe] C:\WINDOWS\system32\javacj.exe
O4 - HKLM\..\RunOnce: [mfcql32.exe] C:\WINDOWS\system32\mfcql32.exe
O4 - HKLM\..\RunOnce: [appfi32.exe] C:\WINDOWS\system32\appfi32.exe
O4 - HKLM\..\RunOnce: [mskc.exe] C:\WINDOWS\mskc.exe
O4 - HKLM\..\RunOnce: [ievx.exe] C:\WINDOWS\ievx.exe
O4 - HKLM\..\RunOnce: [sdkir32.exe] C:\WINDOWS\system32\sdkir32.exe
O4 - HKLM\..\RunOnce: [d3zz.exe] C:\WINDOWS\system32\d3zz.exe
O4 - HKLM\..\RunOnce: [ipeb32.exe] C:\WINDOWS\system32\ipeb32.exe
O4 - HKLM\..\RunOnce: [winsw32.exe] C:\WINDOWS\winsw32.exe
O4 - HKLM\..\RunOnce: [crxy.exe] C:\WINDOWS\system32\crxy.exe
O4 - HKLM\..\RunOnce: [winnn.exe] C:\WINDOWS\winnn.exe
O4 - HKLM\..\RunOnce: [crah32.exe] C:\WINDOWS\crah32.exe
O4 - HKLM\..\RunOnce: [apifl32.exe] C:\WINDOWS\system32\apifl32.exe
O4 - HKLM\..\RunOnce: [d3ax32.exe] C:\WINDOWS\d3ax32.exe
O4 - HKLM\..\RunOnce: [sysfb.exe] C:\WINDOWS\system32\sysfb.exe
O4 - HKLM\..\RunOnce: [msnc32.exe] C:\WINDOWS\msnc32.exe
O4 - HKLM\..\RunOnce: [mscy32.exe] C:\WINDOWS\system32\mscy32.exe
O4 - HKLM\..\RunOnce: [iphv32.exe] C:\WINDOWS\iphv32.exe
O4 - HKLM\..\RunOnce: [iecg32.exe] C:\WINDOWS\system32\iecg32.exe
O4 - HKLM\..\RunOnce: [wingl.exe] C:\WINDOWS\wingl.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093992369201
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkko.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

5.9K Posts

October 6th, 2005 00:00


Download the Hoster from:

http://www.funkytoad.com/

Unpack to your desktop and run it. If you have green print at the top then just press Restore Original Hosts then OK.
If you have red print then press Make Hosts Writeable first.

Get DelDomains.inf from:

http://www.mvps.org/winhelp2002/DelDomains.inf and then right click on it and Install.

Start then right click on My Computer and press Manage. In the new window
Services and Applications then Services. In the right pane scroll down and find
the Remote Procedure Call (RPC) Helper. (Make sure you get the right one. There are two others with similar names.)
Double click on it and then set the Start Type
to Disabled. Then Apply then STOP the service.

 

Download and install ccleaner.exe from http://www.ccleaner.com. Don't let
it clean anything yet.

Download AboutBuster  and check for updates but don't run it yet.

 http://www.besttechie.net/forums/index.php?showtopic=1488

Download the killbox:

http://www.bleepingcomputer.com/files/killbox.php

Unzip it to your desktop and run it.


Where it says Full Path of File to Delete you need to type or copy (Highlight and Ctrl + C)
and Paste (move to the killbox and place the cursor in the box and Ctrl + V):

C:\WINDOWS\system32\sdkko.exe

Then check the Delete on Reboot box, then the red button.
Agree you want to remove the file and let it reboot.


Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.

 

Run HijackThis and just do a Scan only. Check (if any returned) then Fix Checked the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1676763F-15C3-F5F2-9C0B-0631705661ED} - C:\WINDOWS\ntng32.dll
O2 - BHO: Class - {18F184D5-EC0A-4A95-FF5D-65F11A013D1B} - C:\WINDOWS\sysar.dll (file missing)
O2 - BHO: Class - {28A5E86A-BEB3-2A6B-44A8-08239C13BA8E} - C:\WINDOWS\nethi.dll
O2 - BHO: Class - {8D4D6EDD-3BE2-C07E-77E5-EE66F53997FC} - C:\WINDOWS\system32\d3sz.dll
O2 - BHO: Class - {B2790597-DA3D-CB0A-4509-7597E0896D28} - C:\WINDOWS\javazz32.dll
O2 - BHO: Class - {B4B127D9-941C-DF50-6E09-19E9881B830A} - C:\WINDOWS\system32\winva32.dll
O2 - BHO: Class - {F509D80A-8460-C897-E7E2-CDE2D55C3BD9} - C:\WINDOWS\system32\ipoi32.dll
O4 - HKLM\..\Run: [awqrtodw] C:\WINDOWS\system32\ptfabujb.exe
O4 - HKLM\..\Run: [msqr.exe] C:\WINDOWS\system32\msqr.exe
O4 - HKLM\..\Run: [apijd32.exe] C:\WINDOWS\system32\apijd32.exe
O4 - HKLM\..\Run: [ntvx32.exe] C:\WINDOWS\ntvx32.exe
O4 - HKLM\..\Run: [addrm.exe] C:\WINDOWS\addrm.exe
O4 - HKLM\..\Run: [appzk.exe] C:\WINDOWS\appzk.exe
O4 - HKLM\..\Run: [mfcnr.exe] C:\WINDOWS\system32\mfcnr.exe
O4 - HKLM\..\Run: [netsk.exe] C:\WINDOWS\netsk.exe
O4 - HKLM\..\Run: [crfi32.exe] C:\WINDOWS\system32\crfi32.exe
O4 - HKLM\..\Run: [mssz.exe] C:\WINDOWS\mssz.exe
O4 - HKLM\..\Run: [mfcyp32.exe] C:\WINDOWS\system32\mfcyp32.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [ipww.exe] C:\WINDOWS\system32\ipww.exe
O4 - HKLM\..\Run: [apivu.exe] C:\WINDOWS\system32\apivu.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\F80T2XU9\MSCONFIG[1].EXE /auto
O4 - HKLM\..\RunOnce: [sdkko.exe] C:\WINDOWS\system32\sdkko.exe
O4 - HKLM\..\RunOnce: [sdkph32.exe] C:\WINDOWS\system32\sdkph32.exe
O4 - HKLM\..\RunOnce: [javacj.exe] C:\WINDOWS\system32\javacj.exe
O4 - HKLM\..\RunOnce: [mfcql32.exe] C:\WINDOWS\system32\mfcql32.exe
O4 - HKLM\..\RunOnce: [appfi32.exe] C:\WINDOWS\system32\appfi32.exe
O4 - HKLM\..\RunOnce: [mskc.exe] C:\WINDOWS\mskc.exe
O4 - HKLM\..\RunOnce: [ievx.exe] C:\WINDOWS\ievx.exe
O4 - HKLM\..\RunOnce: [sdkir32.exe] C:\WINDOWS\system32\sdkir32.exe
O4 - HKLM\..\RunOnce: [d3zz.exe] C:\WINDOWS\system32\d3zz.exe
O4 - HKLM\..\RunOnce: [ipeb32.exe] C:\WINDOWS\system32\ipeb32.exe
O4 - HKLM\..\RunOnce: [winsw32.exe] C:\WINDOWS\winsw32.exe
O4 - HKLM\..\RunOnce: [crxy.exe] C:\WINDOWS\system32\crxy.exe
O4 - HKLM\..\RunOnce: [winnn.exe] C:\WINDOWS\winnn.exe
O4 - HKLM\..\RunOnce: [crah32.exe] C:\WINDOWS\crah32.exe
O4 - HKLM\..\RunOnce: [apifl32.exe] C:\WINDOWS\system32\apifl32.exe
O4 - HKLM\..\RunOnce: [d3ax32.exe] C:\WINDOWS\d3ax32.exe
O4 - HKLM\..\RunOnce: [sysfb.exe] C:\WINDOWS\system32\sysfb.exe
O4 - HKLM\..\RunOnce: [msnc32.exe] C:\WINDOWS\msnc32.exe
O4 - HKLM\..\RunOnce: [mscy32.exe] C:\WINDOWS\system32\mscy32.exe
O4 - HKLM\..\RunOnce: [iphv32.exe] C:\WINDOWS\iphv32.exe
O4 - HKLM\..\RunOnce: [iecg32.exe] C:\WINDOWS\system32\iecg32.exe
O4 - HKLM\..\RunOnce: [wingl.exe] C:\WINDOWS\wingl.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkko.exe


Run AboutBuster twice.

Run ccleaner.exe, uncheck everything on the first page except the two entries
with Temporary and then Run Cleaner.

Reboot into regular mode and run AboutBuster one more time.


Run another HijackThis log and post it as a reply. Let's
see how we did.

Ron

7 Posts

October 7th, 2005 18:00

Logfile of HijackThis v1.99.1
Scan saved at 3:03:54 PM, on 10/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\mssz.exe
C:\WINDOWS\systd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3B092820-33F4-D1C6-2308-63513EC22B4F} - C:\WINDOWS\winqu32.dll
O2 - BHO: Class - {7B30C370-FA75-1822-2540-7558BEE71EA1} - C:\WINDOWS\msuh.dll
O2 - BHO: Class - {88C96295-FCAE-0B3D-8F00-3F0E0A009428} - C:\WINDOWS\system32\wingl32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {E8ED8F6E-64FB-63F3-7FD3-E369AB822AAB} - C:\WINDOWS\winqo32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntbo.exe] C:\WINDOWS\system32\ntbo.exe
O4 - HKLM\..\Run: [netak.exe] C:\WINDOWS\netak.exe
O4 - HKLM\..\Run: [ieqz.exe] C:\WINDOWS\ieqz.exe
O4 - HKLM\..\Run: [mfciy.exe] C:\WINDOWS\mfciy.exe
O4 - HKLM\..\Run: [winaa32.exe] C:\WINDOWS\system32\winaa32.exe
O4 - HKLM\..\Run: [mssz.exe] C:\WINDOWS\mssz.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [netyw.exe] C:\WINDOWS\system32\netyw.exe
O4 - HKLM\..\RunOnce: [systd32.exe] C:\WINDOWS\systd32.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093992369201
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Ron, my AboutBuster will not remove the CoolWebSearch; that is the problem.

7 Posts

October 7th, 2005 21:00

Ron, I had trouble following your directions because I was unable to perform some of the operations as directed. I could not locate the RPC Helper; I only have an RPC and RPC Locator. Those are the only services available to change. Next, when I started in Safe Mode to do the HJT, I had none of those options to do. It only has my Recycle Bin, My Computer, and network services on the desktop. I guess I don't have any access to any of those problems. AboutBuster can not remove 14 files dealing with a program called WWWCOOLWEBSEARCH. This is what infected my computer, I believe. I followed all the steps to the best of my ability and everything you told me to check comes right back. If there are any other ways I can go about this it would be a great help. TY

5.9K Posts

October 8th, 2005 11:00

The Service is gone anyway so AboutBuster must have at least gotten rid of it. Try again. If you do not have a desktop in Safe Mode you can Ctrl + Alt + Del and select Task Manager then File, New Task (Run), C:\Program Files\HijackThis\HijackThis.exe, OK
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tqapr.dll/sp.html#87649
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tqapr.dll/sp.html#87649
O2 - BHO: Class - {3B092820-33F4-D1C6-2308-63513EC22B4F} - C:\WINDOWS\winqu32.dll
O2 - BHO: Class - {7B30C370-FA75-1822-2540-7558BEE71EA1} - C:\WINDOWS\msuh.dll
O2 - BHO: Class - {88C96295-FCAE-0B3D-8F00-3F0E0A009428} - C:\WINDOWS\system32\wingl32.dll
O2 - BHO: Class - {E8ED8F6E-64FB-63F3-7FD3-E369AB822AAB} - C:\WINDOWS\winqo32.dll
O4 - HKLM\..\Run: [ntbo.exe] C:\WINDOWS\system32\ntbo.exe
O4 - HKLM\..\Run: [netak.exe] C:\WINDOWS\netak.exe
O4 - HKLM\..\Run: [ieqz.exe] C:\WINDOWS\ieqz.exe
O4 - HKLM\..\Run: [mfciy.exe] C:\WINDOWS\mfciy.exe
O4 - HKLM\..\Run: [winaa32.exe] C:\WINDOWS\system32\winaa32.exe
O4 - HKLM\..\Run: [mssz.exe] C:\WINDOWS\mssz.exe
O4 - HKLM\..\RunOnce: [netyw.exe] C:\WINDOWS\system32\netyw.exe
O4 - HKLM\..\RunOnce: [systd32.exe] C:\WINDOWS\systd32.exe
 
Some of these may change their names so look for any random named entries that were not in your last log and check them.
 
I don't know where you put aboutbuster but if you Save or move it to C:\ then you should be able to run it the same way just use:  C:\aboutbuster.exe
 
Ron
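Ron's two pieces of advice in this thread, the "Fix Checked" list in his first reply and the note above that the dropped files change their names so you should look for random-named entries that were not in the last log, can both be automated against the HijackThis output. The script below is an added example, not a tool from the thread and not part of HijackThis, AboutBuster or Killbox. The indicators it uses (res:// search pages inside a DLL, BHOs with no name, autoruns of short lowercase-named executables dropped straight into C:\WINDOWS or system32, an autorun from the browser cache, an O16 download from a non-Microsoft host, an O23 service with unknown owner) are heuristics I fitted to the logs posted above, not a vendor signature set; the sample logs are trimmed excerpts of the 10/1 and 10/7 logs from this thread.

```python
"""Triage helper for HijackThis v1.99.1 logs.

Added example: not a tool from this thread, nor part of HijackThis, AboutBuster
or Killbox. It automates two things Ron does by eye: picking out the entries
that look like the about:blank / CoolWebSearch hijack (the "Fix Checked" list),
and comparing a fresh log with the previous one, because the dropped files are
renamed between reboots. The indicators are heuristics fitted to the logs in
this thread, not a vendor signature set.
"""
import re

# Entries look like "O4 - HKLM\..\Run: [msqr.exe] C:\WINDOWS\system32\msqr.exe".
ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# O4 autoruns: an executable dropped straight into C:\WINDOWS or system32.
AUTORUN_PATH = re.compile(r'\]\s+"?(c:\\windows\\(?:system32\\)?)([^\\\s"]+\.exe)', re.I)

# Dropper names in the thread are 4-8 lowercase letters with an optional "32"
# (msqr.exe, apijd32.exe, ptfabujb.exe). Vendor binaries in the same directory
# (UpdReg.EXE, CTHELPER.EXE) are mixed or upper case, so this stays case-sensitive.
RANDOM_NAME = re.compile(r"^[a-z]{4,8}(?:32)?\.exe$")


def parse(log_text):
    """Return the (code, body) entries of a log, skipping header and process list."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def reason(code, body):
    """Return why an entry is suspicious, or None if it looks ordinary."""
    low = body.lower()
    if code in ("R0", "R1") and "res://" in low and "sp.html" in low:
        return "IE search setting redirected to a res:// page inside a DLL"
    if code == "R3" and "missing" in low:
        return "default URLSearchHook removed"
    if code == "O2" and low.startswith("bho: class -"):
        return "BHO with no name, only a CLSID"
    if code == "O4":
        if "temporary internet files" in low:
            return "autorun pointing into the browser cache"
        m = AUTORUN_PATH.search(body)
        if m and RANDOM_NAME.match(m.group(2)):
            return "autorun of random-named executable in " + m.group(1)
    if code == "O16" and "microsoft.com" not in low:
        # Crude host check; good enough for the logs in this thread.
        return "ActiveX download from a non-Microsoft host"
    if code == "O23" and "- unknown owner -" in low:
        return "service with unknown owner"
    return None


def triage(log_text):
    """Return [(code, body, reason)] for every suspicious entry in a log."""
    hits = []
    for code, body in parse(log_text):
        why = reason(code, body)
        if why:
            hits.append((code, body, why))
    return hits


def new_entries(previous_log, current_log):
    """Entries in current_log absent from previous_log; renamed droppers land here."""
    seen = set(parse(previous_log))
    return [entry for entry in parse(current_log) if entry not in seen]


# Trimmed excerpts of the 10/1 and 10/7 logs posted in the thread, used as sample input.
LOG_OCT1 = r"""
Running processes:
C:\WINDOWS\system32\sdkko.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddcfc.dll/sp.html#87649
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1676763F-15C3-F5F2-9C0B-0631705661ED} - C:\WINDOWS\ntng32.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [awqrtodw] C:\WINDOWS\system32\ptfabujb.exe
O4 - HKLM\..\Run: [msqr.exe] C:\WINDOWS\system32\msqr.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\F80T2XU9\MSCONFIG[1].EXE /auto
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkko.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LOG_OCT7 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tqapr.dll/sp.html#87649
O2 - BHO: Class - {3B092820-33F4-D1C6-2308-63513EC22B4F} - C:\WINDOWS\winqu32.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [mssz.exe] C:\WINDOWS\mssz.exe
O4 - HKLM\..\RunOnce: [systd32.exe] C:\WINDOWS\systd32.exe
"""

if __name__ == "__main__":
    for code, body, why in triage(LOG_OCT1):
        print(f"{code:<4} {why}: {body}")
    print("--- entries new since the previous log ---")
    for code, body in new_entries(LOG_OCT1, LOG_OCT7):
        print(f"{code:<4} {body}")
```

Run it as-is to see the eight flagged entries from the first log and the four entries that appeared between the two logs (the renamed tqapr.dll search page, a new nameless BHO, mssz.exe and systd32.exe); legitimate entries in the same directories, such as UpdReg.EXE, pass because their file names do not fit the lowercase dropper pattern. For a real log, feed the whole file to triage() and the previous log plus the new one to new_entries().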

7 Posts

October 10th, 2005 15:00

Ron, I was able to boot in Safe Mode and run HJT and remove all the items you told me to. I also ran AboutBuster, CCleaner, and Ad-Aware before this log was sent. There are still 14 problems I can not fix in AboutBuster related to the file WWWCOOLWEBSEARCH. Here is the most recent log.

Scan saved at 12:42:06 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\netak.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\systd32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9B02CB83-DCD2-2DB6-02DC-2D81D1BE1FE7} - C:\WINDOWS\d3of32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [netak.exe] C:\WINDOWS\netak.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093992369201
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\systd32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

5.9K Posts

October 10th, 2005 18:00

The HijackThis log is down to two entries so we are making some progress.
 

 
See if the Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) service is there now then Stop it and Disable it.
Then run HijackThis and check then Fix Checked.
 
O4 - HKLM\..\Run: [netak.exe] C:\WINDOWS\netak.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\systd32.exe
then run Killbox and Delete on Reboot both of these:
 
C:\WINDOWS\netak.exe
C:\WINDOWS\systd32.exe
then reboot.
 
If that doesn't help then try:
 
Download cwshredder from http://housecall.trendmicro.com/
 
I  haven't run it in a while but it would probably benefit from being run in Safe Mode.
 
 
Also there is the Silent Runners fix:
 
 
Ron
 