re: Spyware problems
Friday, May 27, 2005 at 11:49 am Windows XP Annoyances Discussion Forum
Posted by MrCharlie
(4472 messages posted)
You have a nasty CoolWebSearch infection; it may take several steps to nail it, so
don't get discouraged.
First please move HJT into its own permanent folder so backups can be made.
example: C:\MyHJT\HJT.exe or C:\MyDocuments\MyHJT\HJT.exe
Please read through the instructions before you start (you may want to print this
out).
Please download and install these programs - don't run them yet!!
Please download and unzip AboutBuster to a folder. Inside the folder is a readme file
that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the
side and hit download updates, close the box. Don't run it yet.
AboutBuster Tutorial
Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe
Download and unzip cwsserviceremove to your desktop. Use the link below:
http://lineofire.geekstogo.com/cwsserviceremove.zip
Copy the text below into notepad, call it fix.reg, save as all files
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11Fßä#·ºÄÖ`I]
Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make
sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "Hide extensions
for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".
How To Reboot into Safe Mode <---Make sure you know how to do this!!
+++++++++++++++++++++++++++++++++++++++++++++++++
Here's the fix:
Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Workstation NetLogon Service
When you find it, double-click on it. In the next window that opens, click the Stop
button, then click on properties and under the General Tab, change the Startup Type
to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find
this service listed, go ahead with the next steps.
2. Reboot into Safe Mode.
3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab =>
Double-click the Image Name column header to alphabetically sort the processes =>
Scroll through the list and look for:
cruy.exe
If you find it, click on it, and then click End Process => Exit the Task
Manager.
4. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all
the following, then click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E421BB4D-509A-1CBB-3BFF-5B9036A6C8B9} - C:\WINDOWS\system32\netia32.dll
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [creb.exe] C:\WINDOWS\creb.exe
O4 - HKLM\..\Run: [nethf.exe] C:\WINDOWS\nethf.exe
O4 - HKLM\..\Run: [cruy.exe] C:\WINDOWS\system32\cruy.exe
O4 - HKLM\..\Run: [sdkpc.exe] C:\WINDOWS\system32\sdkpc.exe
O4 - HKLM\..\RunOnce: [d3rl32.exe] C:\WINDOWS\system32\d3rl32.exe
O4 - HKLM\..\RunOnce: [winxb32.exe] C:\WINDOWS\system32\winxb32.exe
O4 - HKLM\..\RunOnce: [mspg32.exe] C:\WINDOWS\system32\mspg32.exe
O4 - HKLM\..\RunOnce: [netkx.exe] C:\WINDOWS\system32\netkx.exe
O4 - HKLM\..\RunOnce: [applc.exe] C:\WINDOWS\applc.exe
O4 - HKLM\..\RunOnce: [javavg32.exe] C:\WINDOWS\system32\javavg32.exe
O4 - HKLM\..\RunOnce: [apiyb.exe] C:\WINDOWS\system32\apiyb.exe
O4 - HKLM\..\RunOnce: [winmj32.exe] C:\WINDOWS\system32\winmj32.exe
O4 - HKLM\..\RunOnce: [crpm32.exe] C:\WINDOWS\system32\crpm32.exe
O4 - HKLM\..\RunOnce: [mfcmv32.exe] C:\WINDOWS\system32\mfcmv32.exe
O4 - HKLM\..\RunOnce: [apijv.exe] C:\WINDOWS\system32\apijv.exe
O4 - HKLM\..\RunOnce: [sdkxm.exe] C:\WINDOWS\system32\sdkxm.exe
O4 - HKLM\..\RunOnce: [ipav.exe] C:\WINDOWS\system32\ipav.exe
O4 - HKLM\..\RunOnce: [apijt.exe] C:\WINDOWS\apijt.exe
O4 - HKLM\..\RunOnce: [crod32.exe] C:\WINDOWS\crod32.exe
O4 - HKLM\..\RunOnce: [msti.exe] C:\WINDOWS\msti.exe
O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiht32.exe" /s (file missing)
5. Delete the following files if present:
C:\WINDOWS\system32\apiht32.exe <---Typical
C:\WINDOWS\system32\netia32.dll
C:\WINDOWS\system32\cruy.exe
C:\WINDOWS\system32\sdkpc.exe
C:\WINDOWS\system32\d3rl32.exe
C:\WINDOWS\system32\winxb32.exe
C:\WINDOWS\system32\mspg32.exe
C:\WINDOWS\system32\netkx.exe
C:\WINDOWS\system32\javavg32.exe
C:\WINDOWS\system32\apiyb.exe
C:\WINDOWS\system32\winmj32.exe
C:\WINDOWS\system32\crpm32.exe
C:\WINDOWS\system32\mfcmv32.exe
C:\WINDOWS\system32\apijv.exe
C:\WINDOWS\system32\sdkxm.exe
C:\WINDOWS\system32\ipav.exe
C:\WINDOWS\apijt.exe
C:\WINDOWS\crod32.exe
C:\WINDOWS\msti.exe
C:\WINDOWS\jfunf.dll
C:\WINDOWS\creb.exe
C:\WINDOWS\nethf.exe
C:\WINDOWS\applc.exe
(and any other files with the same name that end in .dll, .exe or .dat, you may
find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)
If you get an error when deleting a file, right-click on the file and check to see
if the read-only attribute is checked. If it is, uncheck it and try again.
6. Run AboutBuster. This will scan your computer for the bad files and delete them.
It will ask to scan the system again, let it. Save the report (copy and paste into
notepad or wordpad and save as a .txt file) and post a copy back here when you are
done with all the steps.
7. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr.
Let it scan your system for files to remove. Make sure these 3 are checked and then
press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
8. Double click on the cwsserviceremove and when asked to merge say yes.
Do the same for FIX.REG
9. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.
10. Reboot into normal mode.
11. Download and run this online virus scan: <---Important
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean"
12. Reboot and post a fresh HJT log back here and let's see how we did, MrC
- Written in response to:
- re: Spyware problems (Vincent: Friday, May 27, 2005 at 11:22 am)
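A small triage script, added here as an example and not part of MrCharlie's post, that parses HijackThis lines like the ones in the fix list and flags the patterns the list relies on: res:// start-page hijacks, nameless BHOs, Run/RunOnce entries for short random-looking executables dropped straight into WINDOWS or system32, and services with garbled short names or missing binaries. The sample log and the tiny allowlist are constructed, and the heuristics are assumptions of this example, not HijackThis's own logic.

```python
import re

# Constructed sample: a few HijackThis lines of the kind quoted in the post.
# The ctfmon.exe line is a benign control that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {E421BB4D-509A-1CBB-3BFF-5B9036A6C8B9} - C:\WINDOWS\system32\netia32.dll
O4 - HKLM\..\Run: [cruy.exe] C:\WINDOWS\system32\cruy.exe
O4 - HKLM\..\RunOnce: [d3rl32.exe] C:\WINDOWS\system32\d3rl32.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiht32.exe" /s (file missing)
"""

# R0/R1: IE start or search page redirected into an HTML resource inside a local DLL.
RES_HIJACK = re.compile(r"^R[01] - .* = res://.*\.dll/.*\.html", re.I)
# O2: BHO that carries no real display name (HJT prints "Class" or "(no name)").
GENERIC_BHO = re.compile(r"^O2 - BHO: (Class|\(no name\)) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
# O4: autorun entry; label in [] and the command that follows it.
RUN_ENTRY = re.compile(r"^O4 - HK(LM|CU)\\\.\.\\Run(Once)?: \[(?P<label>[^\]]+)\] (?P<path>\S.*)$", re.I)
# O23: display name, short name in (), then owner/path/status.
SERVICE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>.*?)\) - (?P<rest>.+)$")
# Heuristic (assumption): short lowercase name, optional "32", dropped directly into
# C:\WINDOWS or system32. A real allowlist would be far larger than this one.
DROPPED_EXE = re.compile(r"^C:\\WINDOWS(\\system32)?\\(?P<name>[a-z][a-z0-9]{1,7}(32)?\.exe)$", re.I)
KNOWN_GOOD = {"ctfmon.exe"}


def triage_line(line):
    """Return a reason string if the line matches one of the CWS patterns above, else None."""
    line = line.strip()
    if RES_HIJACK.match(line):
        return "IE start/search page points into a local DLL resource (res://...html)"
    m = GENERIC_BHO.match(line)
    if m:
        return "BHO with no real name loading " + m.group("path")
    m = RUN_ENTRY.match(line)
    if m:
        d = DROPPED_EXE.match(m.group("path"))
        if d and d.group("name").lower() not in KNOWN_GOOD:
            return "Run/RunOnce entry for short random-looking executable " + d.group("name")
        return None
    m = SERVICE.match(line)
    if m:
        short = m.group("short").strip()
        # A service short name should be plain ASCII word characters; garbage or
        # a missing binary is what the post's O23 line shows.
        if "(file missing)" in m.group("rest") or not re.fullmatch(r"[\w.\-]+", short, re.ASCII):
            return "service with garbled short name or missing binary: " + m.group("display")
    return None


def triage(log_text):
    """Run triage_line over every line; return a list of (line, reason) for flagged entries."""
    hits = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits
```

Entries such as the [IEXPLORE.EXE] Run line, where the label looks legitimate but the entry itself should not exist, are not caught by these heuristics; the HJT log still has to be read by a person.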