culinfl

Please Help!

Recommended Posts

I keep getting this about.blank web page when I open IE. I also get pop ups advertising spyware removers!!!!

I ran Hijackthis and here is the log:

Logfile of HijackThis v1.99.1

Scan saved at 10:02:17 AM, on 4/28/2005

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

c:\insight\tools\AICLIENT.EXE

C:\WINNT\System32\Ati2evxx.exe

c:\interSOC\ids\blackd.exe

C:\WINNT\system32\CRYPSERV.EXE

C:\PROGRA~1\NavNT\DefWatch.exe

C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe

C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe

C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe

C:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe

C:\Program Files\JavaSoft\JRE\1.3.0_01\bin\javaw.exe

C:\WINNT\system32\LxrJD31s.exe

C:\Program Files\Panasonic\MeiWDS\MeiWds.exe

C:\PROGRA~1\NavNT\rtvscan.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\WINNT\system32\regsvc.exe

C:\PROGRA~1\NavNT\savroam.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\fpapli.exe

C:\WINNT\System32\hkeyman.exe

C:\WINNT\system32\Tprbtn.exe

C:\WINNT\system32\atiptaxx.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\NavNT\vptray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINNT\system32\winsn.exe

C:\WINNT\system32\syssg32.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Entropia\Entropia Client\bin\entropia.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\Panasonic\MEISKB\MeiSKB.exe

C:\PROGRA~1\Webshots\webshots.scr

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINNT\System32\wisptis.exe

C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE

C:\PROGRA~1\WinZip\winzip32.exe

C:\DOCUME~1\peraleju\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http-proxy.geps.ge.com:3128;gopher=http-proxy.geps.ge.com:3128;http=http-proxy.geps.ge.com:3128;https=https-proxy.geps.ge.com:3128;socks=http-proxy.geps.ge.com:3128

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {402791F6-FBDB-0DE4-9CCF-B2B6F4AD32B2} - C:\WINNT\iplq.dll

O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINNT\gpl.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [scroller] fpapli.exe

O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [RUNCIS] C:\Program Files\1E\CIS\\RUNCIS.EXE

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Entropia Client] C:\Program Files\Entropia\Entropia Client\bin\Launcher.exe -Startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [winsn.exe] C:\WINNT\system32\winsn.exe

O4 - HKLM\..\RunOnce: [syssg32.exe] C:\WINNT\system32\syssg32.exe

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O4 - Global Startup: Software Keyboard.lnk = C:\Program Files\Panasonic\MEISKB\MeiSKB.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15b531c1828480...ip/RdxIE601.cab

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwg32.exe (file missing)

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: Asset Insight Client (AICLIENT) - Tangram® Enterprise Solutions, Inc - c:\insight\tools\AICLIENT.EXE

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\interSOC\ids\blackd.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\CRYPSERV.EXE

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe

O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe

O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe

O23 - Service: LogServerShell - Unknown owner - C:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe

O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe

O23 - Service: WDS Server (meiwds) - Unknown owner - C:\Program Files\Panasonic\MeiWDS\MeiWds.exe" -service (file missing)

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

O23 - Service: SAVRoam - symantec - C:\PROGRA~1\NavNT\savroam.exe

O23 - Service: TaskManagerShell - Unknown owner - C:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe

Please advise...any help will be greatly appreciated!

J.

Share this post


Link to post
Share on other sites

culinfl,

Hello! and welcome to our forums.

===============

Go to add/remove programs and uninstall AWS..aka Weatherbug. We'll get you a safer alternative when were done cleaning up your computer.

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".

2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.

2. Check(tick) "Auto Clean".

3. Click "Scan".

When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when your done with the following fix.

===============

We'll need to download these program(s) to help us deal with the "About:Blank" infection:

-

Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".

3. When the new version has been downloaded, click "Save".

4. Exit the program.

-

Download, unzip to your desktop About:Buster and run it, then:

1. Click "Update".

2. Click "Check For Update"

(If no new version is available, skip to step #4.)

3. Click "Download Update", and wait for it to be installed.

4. Exit the program.

===============

Reboot your computer into "Safe Mode"

===============

Next, locate CWShredder that you downloaded earlier and run it, then:

1. Click "Fix ->"

===============

Next, locate About:Buster that you downloaded earlier and run it, then:

1. Click "Start".

(Wait for the initial ADS scan to complete.)

2. Click "Yes", to shutdown any IE session currently open.

(Wait for the about:blank scan to complete.)

3. Click "Ok", to scan once more.

4. Click "Yes", to shutdown any IE sessions currently open.

5. Click "Yes", to begin the second pass.

6. Click "Save log", and post this log back along with your new log.

7. Click "Exit".

8. Click "Exit".

===============

Reboot your computer normally.

===============

Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.

===============

Go to Start->Run and type "Services.msc" (without quotes) then hit OK

Scroll down and find the service called.

Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)

Make sure it is selected in color. Right click on the service and click on stop. Right click on it again and go to Properties. In the Properties screen and under the General Tab, change the Startup Type to Disabled in the dropdown box. Click on Apply. Then OK. If the service isn't listed go ahead with the rest of these instructions anyway.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {402791F6-FBDB-0DE4-9CCF-B2B6F4AD32B2} - C:\WINNT\iplq.dll

O4 - HKLM\..\Run: [winsn.exe] C:\WINNT\system32\winsn.exe

O4 - HKLM\..\RunOnce: [syssg32.exe] C:\WINNT\system32\syssg32.exe

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15b531c1828480...ip/RdxIE601.cab

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwg32.exe (file missing)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to"view system and hidden files/folders":

folders...

C:\PROGRAM FILES\AWS

files...

C:\WINNT\system32\winsn.exe

C:\WINNT\system32\syssg32.exe

C:\WINNT\system32\gqkrs.dll

C:\WINNT\iplq.dll

C:\WINNT\system32\winwg32.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Reboot your computer.

Post back a new log, report any problems and let me know how everything goes.

IMPORTANT! PLEASE do not restart your computer unless asked, restarting can reinfect your computer resulting in us starting the cleaning up process all over!

-

~Njustice~

Share this post


Link to post
Share on other sites

I did as you suggested and found a few problems. I found gqkrs.dll and deleted it. I also cleaned the machine using HJT. How ever I still have the "about" home page problem. Here is the new log:

Logfile of HijackThis v1.99.1

Scan saved at 3:01:24 PM, on 5/4/2005

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\addvq32.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

c:\insight\tools\AICLIENT.EXE

C:\WINNT\System32\Ati2evxx.exe

c:\interSOC\ids\blackd.exe

C:\WINNT\system32\CRYPSERV.EXE

C:\PROGRA~1\NavNT\DefWatch.exe

C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe

C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe

C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe

C:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe

C:\Program Files\JavaSoft\JRE\1.3.0_01\bin\javaw.exe

C:\WINNT\system32\LxrJD31s.exe

C:\Program Files\Panasonic\MeiWDS\MeiWds.exe

C:\PROGRA~1\NavNT\rtvscan.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\WINNT\system32\regsvc.exe

C:\PROGRA~1\NavNT\savroam.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\fpapli.exe

C:\WINNT\System32\hkeyman.exe

C:\WINNT\system32\Tprbtn.exe

C:\WINNT\system32\atiptaxx.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\NavNT\vptray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINNT\system32\addfy.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\Panasonic\MEISKB\MeiSKB.exe

C:\PROGRA~1\Webshots\webshots.scr

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http-proxy.geps.ge.com:3128;gopher=http-proxy.geps.ge.com:3128;http=http-proxy.geps.ge.com:3128;https=https-proxy.geps.ge.com:3128;socks=http-proxy.geps.ge.com:3128

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5F15F26C-81EE-4FFA-8B9A-39913016CD37} - C:\WINNT\system32\netra.dll

O2 - BHO: (no name) - {D287B913-740E-605C-9967-D4EEFBA2E464} - C:\WINNT\system32\ntgw.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [scroller] fpapli.exe

O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [addfy.exe] C:\WINNT\system32\addfy.exe

O4 - HKLM\..\Run: [sdkpn.exe] C:\WINNT\system32\sdkpn.exe

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O4 - Global Startup: Software Keyboard.lnk = C:\Program Files\Panasonic\MEISKB\MeiSKB.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\addvq32.exe

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: Asset Insight Client (AICLIENT) - Tangram® Enterprise Solutions, Inc - c:\insight\tools\AICLIENT.EXE

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\interSOC\ids\blackd.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\CRYPSERV.EXE

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe

O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe

O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe

O23 - Service: LogServerShell - Unknown owner - C:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe

O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe

O23 - Service: WDS Server (meiwds) - Unknown owner - C:\Program Files\Panasonic\MeiWDS\MeiWds.exe" -service (file missing)

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

O23 - Service: SAVRoam - symantec - C:\PROGRA~1\NavNT\savroam.exe

O23 - Service: TaskManagerShell - Unknown owner - C:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe

Again thanks for your help.

Share this post


Link to post
Share on other sites

culinfi,

===============

Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

fpapli.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Next, Open a command prompt by:

1. Clicking "Start", then "Run...".

2. Enter "cmd" (without the quotes).

3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) owner ... (C:\WINNT\system32\addvq32.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.

===============

Run HiJackThis then:

1. Click "Config..."

2. Click "Misc Tools"

3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINNT\system32\addvq32.exe

C:\WINNT\system32\fpapli.exe

C:\WINNT\system32\addfy.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u netra.dll

regsvr32 /u ntgw.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5F15F26C-81EE-4FFA-8B9A-39913016CD37} - C:\WINNT\system32\netra.dll

O2 - BHO: (no name) - {D287B913-740E-605C-9967-D4EEFBA2E464} - C:\WINNT\system32\ntgw.dll

O4 - HKLM\..\Run: [addfy.exe] C:\WINNT\system32\addfy.exe

O4 - HKLM\..\Run: [sdkpn.exe] C:\WINNT\system32\sdkpn.exe

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\addvq32.exe

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to"view system and hidden files/folders":

folders...

C:\Program Files\NZSearch

files...

C:\WINNT\system32\addvq32.exe

C:\WINNT\system32\fpapli.exe

C:\WINNT\system32\addfy.exe

C:\WINNT\system32\netra.dll

C:\WINNT\system32\ntgw.dll

C:\WINNT\system32\sdkpn.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Reboot your computer.

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".

2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.

2. Check(tick) "Auto Clean".

3. Click "Scan".

When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when your done with the following fix.

Post back a new log, report any problems and let me know how everything goes.

IMPORTANT! PLEASE do not restart your computer unless asked, restarting can reinfect your computer resulting in us starting the cleaning up process all over!

-

~Njustice~

Edited by njustice

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.