Spyware problems
Showing all messages in thread #1117215590, Windows XP Annoyances Discussion Forum (15 messages in all, shown in chronological order).
Spyware problems
Friday, May 27, 2005 at 10:39 am Posted by Vincent
(14 messages posted)
Hi guys,
Have been very busy trying to get all the spyware off my laptop, but there is still some left that I can't get rid of. I have done Falcon's clean machine routine but had some problems with this:
- during most of these scans I get an explorer error message and the program closes; almost like the spyware (this name even disappears when I post it: I mean SP Y WARE) knows that I am running a check.
- I have Spybot on my machine, but every time the same search page hook keeps coming back
- if I run HijackThis I keep on getting all the browser changers in the R0 and R1 lines: I delete them every time but they keep on coming back.
What to do? Can anybody help me with this one? I probably have to kill some processes in the Hijack scan but I don't know which ones....
re: Spyware problems
Friday, May 27, 2005 at 10:56 am Posted by David
(45 messages posted)
Do you know the name of the spyware that you're trying to remove?
If you have a variant of CoolWebSearch, you'll need to download and run CWShredder.
Have you tried using AdAware?
d.
re: Spyware problems
Friday, May 27, 2005 at 11:06 am Posted by MrCharlie
(4474 messages posted)
Post the HJT log and let's see what's on the system....
Can you please post a HijackThis scan of your system? Download HJT into its own folder, double-click on HJT.exe, scan and save the log; Notepad or WordPad will open and the log will be saved. Copy and paste that log into your reply.
Please make sure you check the "preserve spacing" button at the bottom of the posting page.
Download HJT.exe
MrC
re: Spyware problems
Friday, May 27, 2005 at 11:22 am Posted by Vincent
(14 messages posted)
I will try and download Shredder on a different computer and then put it on my laptop.
For now, here's my log:
Logfile of HijackThis v1.99.1
Scan saved at 20:15:32, on 27-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\cruy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Jaap\LOCALS~1\Temp\Tijdelijke map 2 voor hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.paragliding.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.paragliding.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {E421BB4D-509A-1CBB-3BFF-5B9036A6C8B9} - C:\WINDOWS\system32\netia32.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [creb.exe] C:\WINDOWS\creb.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nethf.exe] C:\WINDOWS\nethf.exe
O4 - HKLM\..\Run: [cruy.exe] C:\WINDOWS\system32\cruy.exe
O4 - HKLM\..\Run: [sdkpc.exe] C:\WINDOWS\system32\sdkpc.exe
O4 - HKLM\..\RunOnce: [d3rl32.exe] C:\WINDOWS\system32\d3rl32.exe
O4 - HKLM\..\RunOnce: [winxb32.exe] C:\WINDOWS\system32\winxb32.exe
O4 - HKLM\..\RunOnce: [mspg32.exe] C:\WINDOWS\system32\mspg32.exe
O4 - HKLM\..\RunOnce: [netkx.exe] C:\WINDOWS\system32\netkx.exe
O4 - HKLM\..\RunOnce: [applc.exe] C:\WINDOWS\applc.exe
O4 - HKLM\..\RunOnce: [javavg32.exe] C:\WINDOWS\system32\javavg32.exe
O4 - HKLM\..\RunOnce: [apiyb.exe] C:\WINDOWS\system32\apiyb.exe
O4 - HKLM\..\RunOnce: [winmj32.exe] C:\WINDOWS\system32\winmj32.exe
O4 - HKLM\..\RunOnce: [crpm32.exe] C:\WINDOWS\system32\crpm32.exe
O4 - HKLM\..\RunOnce: [mfcmv32.exe] C:\WINDOWS\system32\mfcmv32.exe
O4 - HKLM\..\RunOnce: [apijv.exe] C:\WINDOWS\system32\apijv.exe
O4 - HKLM\..\RunOnce: [sdkxm.exe] C:\WINDOWS\system32\sdkxm.exe
O4 - HKLM\..\RunOnce: [ipav.exe] C:\WINDOWS\system32\ipav.exe
O4 - HKLM\..\RunOnce: [apijt.exe] C:\WINDOWS\apijt.exe
O4 - HKLM\..\RunOnce: [crod32.exe] C:\WINDOWS\crod32.exe
O4 - HKLM\..\RunOnce: [msti.exe] C:\WINDOWS\msti.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiht32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
re: Spyware problems
Friday, May 27, 2005 at 11:49 am Posted by MrCharlie
(4474 messages posted)
You have a nasty CoolWebSearch infection; it may take several steps to nail it, so don't get discouraged.
First please move HJT into its own permanent folder so backups can be made.
example: C:\MyHJT\HJT.exe or C:\MyDocuments\MyHJT\HJT.exe
Please read through the instructions before you start (you may want to print this out).
Please download and install these programs - don't run them yet!!
Please download and unzip AboutBuster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, then close the box. Don't run it yet.
AboutBuster Tutorial
Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe
Download and unzip cwsserviceremove to your desktop. Use the link below:
http://lineofire.geekstogo.com/cwsserviceremove.zip
Copy the text below into Notepad, call it fix.reg, and save it with "All Files" as the file type:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11Fßä#·ºÄÖ`I]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11Fßä#·ºÄÖ`I]
Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".
How To Reboot into Safe Mode <---Make sure you know how to do this!!
+++++++++++++++++++++++++++++++++++++++++++++++++
Here's the fix:
Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called:
Workstation NetLogon Service
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.
2. Reboot into Safe Mode.
3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:
cruy.exe
If you find the file, click on it, and then click End Process => Exit the Task Manager.
4. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E421BB4D-509A-1CBB-3BFF-5B9036A6C8B9} - C:\WINDOWS\system32\netia32.dll
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [creb.exe] C:\WINDOWS\creb.exe
O4 - HKLM\..\Run: [nethf.exe] C:\WINDOWS\nethf.exe
O4 - HKLM\..\Run: [cruy.exe] C:\WINDOWS\system32\cruy.exe
O4 - HKLM\..\Run: [sdkpc.exe] C:\WINDOWS\system32\sdkpc.exe
O4 - HKLM\..\RunOnce: [d3rl32.exe] C:\WINDOWS\system32\d3rl32.exe
O4 - HKLM\..\RunOnce: [winxb32.exe] C:\WINDOWS\system32\winxb32.exe
O4 - HKLM\..\RunOnce: [mspg32.exe] C:\WINDOWS\system32\mspg32.exe
O4 - HKLM\..\RunOnce: [netkx.exe] C:\WINDOWS\system32\netkx.exe
O4 - HKLM\..\RunOnce: [applc.exe] C:\WINDOWS\applc.exe
O4 - HKLM\..\RunOnce: [javavg32.exe] C:\WINDOWS\system32\javavg32.exe
O4 - HKLM\..\RunOnce: [apiyb.exe] C:\WINDOWS\system32\apiyb.exe
O4 - HKLM\..\RunOnce: [winmj32.exe] C:\WINDOWS\system32\winmj32.exe
O4 - HKLM\..\RunOnce: [crpm32.exe] C:\WINDOWS\system32\crpm32.exe
O4 - HKLM\..\RunOnce: [mfcmv32.exe] C:\WINDOWS\system32\mfcmv32.exe
O4 - HKLM\..\RunOnce: [apijv.exe] C:\WINDOWS\system32\apijv.exe
O4 - HKLM\..\RunOnce: [sdkxm.exe] C:\WINDOWS\system32\sdkxm.exe
O4 - HKLM\..\RunOnce: [ipav.exe] C:\WINDOWS\system32\ipav.exe
O4 - HKLM\..\RunOnce: [apijt.exe] C:\WINDOWS\apijt.exe
O4 - HKLM\..\RunOnce: [crod32.exe] C:\WINDOWS\crod32.exe
O4 - HKLM\..\RunOnce: [msti.exe] C:\WINDOWS\msti.exe
O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiht32.exe" /s (file missing)
5. Delete the following files if present:
C:\WINDOWS\system32\apiht32.exe <---Typical
C:\WINDOWS\system32\netia32.dll
C:\WINDOWS\system32\cruy.exe
C:\WINDOWS\system32\sdkpc.exe
C:\WINDOWS\system32\d3rl32.exe
C:\WINDOWS\system32\winxb32.exe
C:\WINDOWS\system32\mspg32.exe
C:\WINDOWS\system32\netkx.exe
C:\WINDOWS\system32\javavg32.exe
C:\WINDOWS\system32\apiyb.exe
C:\WINDOWS\system32\winmj32.exe
C:\WINDOWS\system32\crpm32.exe
C:\WINDOWS\system32\mfcmv32.exe
C:\WINDOWS\system32\apijv.exe
C:\WINDOWS\system32\sdkxm.exe
C:\WINDOWS\system32\ipav.exe
C:\WINDOWS\apijt.exe
C:\WINDOWS\crod32.exe
C:\WINDOWS\msti.exe
C:\WINDOWS\jfunf.dll
C:\WINDOWS\creb.exe
C:\WINDOWS\nethf.exe
C:\WINDOWS\applc.exe
(and any other files with the same name that end in .dll, .exe or .dat; you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.
6. Run AboutBuster. This will scan your computer for the bad files and delete them. It will ask to scan the system again; let it. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.
7. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
8. Double-click on cwsserviceremove and when asked to merge, say yes.
Do the same for FIX.REG.
9. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.
10. Reboot into normal mode.
11. Download and run this online virus scan: <---Important
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean"
12. Reboot and post a fresh HJT log back here and let's see how we did, MrC
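A small triage script, added here as an illustration and not part of this thread, of HijackThis or of any tool named in it: it parses HJT log lines in the format posted above (a constructed sample reusing entries from Vincent's log), flags the kinds of entries MrCharlie singled out (res:// search hooks, nameless BHOs and random-named autoruns in the Windows directory, a service with a garbled name whose file is missing) and writes out a fix.reg in the same shape as the one above. The random-name heuristic, the one-entry allowlist and the section regexes are my assumptions for this example, not published signatures.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 format. The entries are taken from the
# log posted in this thread (paths, CLSIDs and the garbled service name as posted).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfunf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jfunf.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {E421BB4D-509A-1CBB-3BFF-5B9036A6C8B9} - C:\WINDOWS\system32\netia32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [cruy.exe] C:\WINDOWS\system32\cruy.exe
O4 - HKLM\..\RunOnce: [d3rl32.exe] C:\WINDOWS\system32\d3rl32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiht32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

RE_R = re.compile(r"^(?P<sec>R[01]) - (?P<key>[^=]+?) = (?P<value>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")

# Heuristic assumed for this example, from the names in this thread's log: CWS dropped short
# lowercase files (cruy.exe, apiht32.exe, d3rl32.exe) into C:\WINDOWS or system32.
RE_RANDOM_STEM = re.compile(r"^[a-z][a-z0-9]{3,7}$")
KNOWN_GOOD = {"ctfmon.exe"}  # minimal allowlist for this example; build yours from a clean baseline
WINDIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
CONTROL_SETS = ("CurrentControlSet", "ControlSet001", "ControlSet002", "ControlSet003")


@dataclass(frozen=True)
class Finding:
    section: str       # HJT section tag: R0, R1, O2, O4 or O23
    reason: str
    target: str        # file the entry loads or points at
    service: str = ""  # short service name, only set for O23 findings


def in_windows_dir(path: str) -> bool:
    """True if the file sits directly in the Windows directory or its system32 folder."""
    head, _, tail = path.strip('"').lower().rpartition("\\")
    return tail != "" and head + "\\" in WINDIRS


def exe_from_cmd(cmd: str) -> str:
    """Strip quoting and arguments from an autorun or service command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def analyze(log_text: str) -> list[Finding]:
    """Flag the kinds of entries the cleanup in this thread targeted."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RE_R.match(line)) and m["value"].lower().startswith("res://"):
            # Start/search page redirected into an HTML resource inside a local DLL
            dll = m["value"][len("res://"):].split("/")[0]
            if dll.lower().endswith(".dll"):
                findings.append(Finding(m["sec"], "IE page points into a local DLL (res://)", dll))
        elif (m := RE_O2.match(line)) and m["name"].strip().lower() in ("class", "(no name)", ""):
            if in_windows_dir(m["path"]):
                findings.append(Finding("O2", "nameless BHO loaded from the Windows dir", m["path"]))
        elif m := RE_O4.match(line):
            exe = exe_from_cmd(m["cmd"])
            fname = exe.rpartition("\\")[2].lower()
            stem = fname.rsplit(".", 1)[0]
            if (fname not in KNOWN_GOOD and in_windows_dir(exe)
                    and m["name"].lower() == fname and RE_RANDOM_STEM.match(stem)):
                findings.append(Finding("O4", f"{m['key']} entry for a random-named file", exe))
        elif m := RE_O23.match(line):
            short = (m["short"] or "").strip()
            garbled = bool(short) and not re.fullmatch(r"[\w .\-]*", short, re.ASCII)
            if garbled or "(file missing)" in m["path"]:
                findings.append(Finding("O23", "unknown service, garbled name or file missing",
                                        exe_from_cmd(m["path"]), short))
    return findings


def files_to_delete(findings: list[Finding]) -> list[str]:
    """Deduplicated list of files to look for in Safe Mode (step 5 above)."""
    return sorted({f.target for f in findings})


def fix_reg(findings: list[Finding]) -> str:
    """fix.reg as posted above: a leading '-' on a key header makes regedit delete that key."""
    lines = ["Windows Registry Editor Version 5.00", ""]  # the blank line after the header is required
    for f in findings:
        if f.section == "O23" and f.service:
            for cs in CONTROL_SETS:
                lines.append(f"[-HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Services\\{f.service}]")
                lines.append("")
    return "\n".join(lines)
```

Run `analyze(SAMPLE_LOG)`, then `files_to_delete(...)` for the step-5 checklist and `fix_reg(...)` for the registry file; every flagged path still needs a human look before anything is deleted, since the random-name rule is only a heuristic.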
re: Spyware problems
Friday, May 27, 2005 at 1:19 pm Posted by Vincent
(14 messages posted)
Hello MrCharlie,
Thanks a lot for your advice. It has helped somewhat. Here are some things that happened:
*I did not have a Workstation NetLogon Service, only a Workstation, which was stopped already (but not disabled)
*I did not have cruy.exe (perhaps CWShredder deleted it already)
*I still can't run the internet scan because as soon as I open the page Internet Explorer closes due to an error
I still have the virus because extra hyperlinks appear on my screen and all sorts of pop-ups appear as well. Here is my current logfile:
Logfile of HijackThis v1.99.1
Scan saved at 22:20:24, on 27-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\windn32.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\MyHJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.paragliding.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.paragliding.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {172A767E-22AD-09EE-8C96-720970A7FA45} - C:\WINDOWS\system32\crqw32.dll
O2 - BHO: Class - {CAEBAB9D-5B6A-D04D-3DF1-1992B30E11BB} - C:\WINDOWS\system32\appnh.dll
O2 - BHO: Class - {FCBEFCA2-4337-C522-B757-2FED10040650} - C:\WINDOWS\apivy.dll
O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\RunOnce: [mfcta.exe] C:\WINDOWS\mfcta.exe
O4 - HKLM\..\RunOnce: [ietk.exe] C:\WINDOWS\system32\ietk.exe
O4 - HKLM\..\RunOnce: [ipib.exe] C:\WINDOWS\ipib.exe
O4 - HKLM\..\RunOnce: [d3rt.exe] C:\WINDOWS\d3rt.exe
O4 - HKLM\..\RunOnce: [apihv.exe] C:\WINDOWS\apihv.exe
O4 - HKLM\..\RunOnce: [netgv.exe] C:\WINDOWS\netgv.exe
O4 - HKLM\..\RunOnce: [mssb32.exe] C:\WINDOWS\system32\mssb32.exe
O4 - HKLM\..\RunOnce: [winbs32.exe] C:\WINDOWS\winbs32.exe
O4 - HKLM\..\RunOnce: [ntjy.exe] C:\WINDOWS\system32\ntjy.exe
O4 - HKLM\..\RunOnce: [netzn.exe] C:\WINDOWS\system32\netzn.exe
O4 - HKLM\..\RunOnce: [sdkep.exe] C:\WINDOWS\sdkep.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
As you can see the R0 and R1 files are still there....what to do now?!
On Friday, May 27, 2005 at 11:49 am, MrCharlie wrote:
>
>You have a nasty CoolWebSearch infection, it may take several steps to nail it so
>don't get discouraged.
>
>First please move HJT into its own permanent folder so backups can be made.
>example: C:\MyHJT\HJT.exe or C:\MyDocuments\MyHJT\HJT.exe
>
>Please read through the instructions before you start (you may want to print this
>out).
>
>Please download and install these programs - don't run them yet!!
>
>Please download and unzip
>AboutBuster to a folder. Inside
>the folder is a readme file that has instructions on the use of the program.
>AboutBuster MUST be updated before you use it.
>Start AboutBuster, click the update button, check for update, drag the box to the
>side and hit download updates, close the box . Don't run it yet.
>AboutBuster
Tutorial
>
>
>Download CW-Shredder at the link below:
>http://cwshredder.net/bin/CWShredder.exe
>
>Download and unzip cwsserviceremove to your desktop. use link below:
>http://lineofire.geekstogo.com/cwsserviceremove.zip
>
>Copy the text below into notepad, call it fix.reg, save as all files
>
>Windows Registry Editor Version 5.00
>
>[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11Fßä#·ºÄÖ`I]
>
>[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11Fßä#·ºÄÖ`I]
>
>[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11Fßä#·ºÄÖ`I]
>
>[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11Fßä#·ºÄÖ`I]
>
>
>Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and
make
>sure that "Show hidden files and folders" is checked.
>Also uncheck "Hide protected operating system files" and untick "hide extensions
>for known file types" . Now click "Apply to all folders"
>Click "Apply" then "OK"
>
> How
>To Reboot into Safe Mode <---Make sure you know how to do this!!
>
>
>+++++++++++++++++++++++++++++++++++++++++++++++++
>
>Here's the fix:
>
> Important Step
>1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
>Scroll down and find the service called:
>
>Workstation NetLogon Service
>
>
>When you find it, double-click on it. In the next window that opens, click the Stop
>button, then click on properties and under the General Tab, change the Startup Type
>to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t
find
>this service listed go ahead with the next steps.
>
>2. Reboot into Safe Mode.
>
>3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab =>
>Double-click the Image Name column header to alphabetically sort the processes =>
>Scroll through the list and look for:
>
>cruy.exe
>
>If you find the files, click on them, and then click End Process => Exit the Task
>Manager.
>
>
>4. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all
>the following, then click "Fix Checked"
>
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfunf.dll/sp.html#37049
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfunf.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jfunf.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfunf.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfunf.dll/sp.html#37049
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jfunf.dll/sp.html#37049
>R3 - Default URLSearchHook is missing
>O2 - BHO: Class - {E421BB4D-509A-1CBB-3BFF-5B9036A6C8B9} - C:\WINDOWS\system32\netia32.dll
>O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
>O4 - HKLM\..\Run: [creb.exe] C:\WINDOWS\creb.exe
>O4 - HKLM\..\Run: [nethf.exe] C:\WINDOWS\nethf.exe
>O4 - HKLM\..\Run: [cruy.exe] C:\WINDOWS\system32\cruy.exe
>O4 - HKLM\..\Run: [sdkpc.exe] C:\WINDOWS\system32\sdkpc.exe
>O4 - HKLM\..\RunOnce: [d3rl32.exe] C:\WINDOWS\system32\d3rl32.exe
>O4 - HKLM\..\RunOnce: [winxb32.exe] C:\WINDOWS\system32\winxb32.exe
>O4 - HKLM\..\RunOnce: [mspg32.exe] C:\WINDOWS\system32\mspg32.exe
>O4 - HKLM\..\RunOnce: [netkx.exe] C:\WINDOWS\system32\netkx.exe
>O4 - HKLM\..\RunOnce: [applc.exe] C:\WINDOWS\applc.exe
>O4 - HKLM\..\RunOnce: [javavg32.exe] C:\WINDOWS\system32\javavg32.exe
>O4 - HKLM\..\RunOnce: [apiyb.exe] C:\WINDOWS\system32\apiyb.exe
>O4 - HKLM\..\RunOnce: [winmj32.exe] C:\WINDOWS\system32\winmj32.exe
>O4 - HKLM\..\RunOnce: [crpm32.exe] C:\WINDOWS\system32\crpm32.exe
>O4 - HKLM\..\RunOnce: [mfcmv32.exe] C:\WINDOWS\system32\mfcmv32.exe
>O4 - HKLM\..\RunOnce: [apijv.exe] C:\WINDOWS\system32\apijv.exe
>O4 - HKLM\..\RunOnce: [sdkxm.exe] C:\WINDOWS\system32\sdkxm.exe
>O4 - HKLM\..\RunOnce: [ipav.exe] C:\WINDOWS\system32\ipav.exe
>O4 - HKLM\..\RunOnce: [apijt.exe] C:\WINDOWS\apijt.exe
>O4 - HKLM\..\RunOnce: [crod32.exe] C:\WINDOWS\crod32.exe
>O4 - HKLM\..\RunOnce: [msti.exe] C:\WINDOWS\msti.exe
>O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
>O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiht32.exe" /s (file missing)
>
>
>5. Delete the following files if present:
>
>C:\WINDOWS\system32\apiht32.exe <---Typical
>C:\WINDOWS\system32\netia32.dll
>C:\WINDOWS\system32\cruy.exe
>C:\WINDOWS\system32\sdkpc.exe
> C:\WINDOWS\system32\d3rl32.exe
>C:\WINDOWS\system32\winxb32.exe
> C:\WINDOWS\system32\mspg32.exe
> C:\WINDOWS\system32\netkx.exe
>C:\WINDOWS\system32\javavg32.exe
> C:\WINDOWS\system32\apiyb.exe
> C:\WINDOWS\system32\winmj32.exe
> C:\WINDOWS\system32\crpm32.exe
>C:\WINDOWS\system32\mfcmv32.exe
>C:\WINDOWS\system32\apijv.exe
>C:\WINDOWS\system32\sdkxm.exe
>C:\WINDOWS\system32\ipav.exe
> C:\WINDOWS\apijt.exe
> C:\WINDOWS\crod32.exe
> C:\WINDOWS\msti.exe
>C:\WINDOWS\jfunf.dll
> C:\WINDOWS\creb.exe
>C:\WINDOWS\nethf.exe
>C:\WINDOWS\applc.exe
>
> (and any other files with the same name that end in .dll, .exe or .dat, you may
>find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)
>
>If you get an error when deleting a file, right-click on the file and check whether
>the read-only attribute is checked. If it is, uncheck it and try again.
>
>
>6. Run AboutBuster. This will scan your computer for the bad files and delete them.
>It will ask to scan the system again, let it. Save the report (copy and paste into
>notepad or wordpad and save as a .txt file) and post a copy back here when you are
>done with all the steps.
>
>
>7. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr.
>Let it scan your system for files to remove. Make sure these 3 are checked and then
>press *ok* to remove:
>
>Temporary Files
>Temporary Internet Files
>Recycle Bin
>
>8. Double click on the cwsserviceremove and when asked to merge say yes.
>Do the same for FIX.REG
>
>9. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.
>
>10. Reboot into normal mode.
>
>
>11. Download and run this online virus scan: <---Important
>http://housecall.trendmicro.com/housecall/start_corp.asp
>Make sure you check "AutoClean"
>
>12. Reboot and post a fresh HJT log back here and let's see how we did, MrC
re: Spyware problems
Friday, May 27, 2005 at 1:56 pm Posted by MrCharlie
(4474 messages posted)
Like I said it's going to take several steps to nail this hijacker.
Try this in regular mode
Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click
the Image Name column header to alphabetically sort the processes => Scroll through
the list and look for:
windn32.exe
If you find the files, click on them, and then click End Process => Exit the Task
Manager.
CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all
the following, then click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {172A767E-22AD-09EE-8C96-720970A7FA45} - C:\WINDOWS\system32\crqw32.dll
O2 - BHO: Class - {CAEBAB9D-5B6A-D04D-3DF1-1992B30E11BB} - C:\WINDOWS\system32\appnh.dll
O2 - BHO: Class - {FCBEFCA2-4337-C522-B757-2FED10040650} - C:\WINDOWS\apivy.dll
O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
O4 - HKLM\..\RunOnce: [mfcta.exe] C:\WINDOWS\mfcta.exe
O4 - HKLM\..\RunOnce: [ietk.exe] C:\WINDOWS\system32\ietk.exe
O4 - HKLM\..\RunOnce: [ipib.exe] C:\WINDOWS\ipib.exe
O4 - HKLM\..\RunOnce: [d3rt.exe] C:\WINDOWS\d3rt.exe
O4 - HKLM\..\RunOnce: [apihv.exe] C:\WINDOWS\apihv.exe
O4 - HKLM\..\RunOnce: [netgv.exe] C:\WINDOWS\netgv.exe
O4 - HKLM\..\RunOnce: [mssb32.exe] C:\WINDOWS\system32\mssb32.exe
O4 - HKLM\..\RunOnce: [winbs32.exe] C:\WINDOWS\winbs32.exe
O4 - HKLM\..\RunOnce: [ntjy.exe] C:\WINDOWS\system32\ntjy.exe
O4 - HKLM\..\RunOnce: [netzn.exe] C:\WINDOWS\system32\netzn.exe
O4 - HKLM\..\RunOnce: [sdkep.exe] C:\WINDOWS\sdkep.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
Delete the following files if present:
C:\WINDOWS\system32\windn32.exe <----Typical
C:\WINDOWS\system32\crqw32.dll
C:\WINDOWS\system32\appnh.dll
C:\WINDOWS\system32\mfcue32.dll
C:\WINDOWS\system32\ietk.exe
C:\WINDOWS\system32\mssb32.exe
C:\WINDOWS\system32\ntjy.exe
C:\WINDOWS\system32\netzn.exe
C:\WINDOWS\system32\d3rl32.exe
C:\WINDOWS\mrtqm.dll
C:\WINDOWS\apivy.dll
C:\WINDOWS\mfcta.exe
C:\WINDOWS\ipib.exe
C:\WINDOWS\d3rt.exe
C:\WINDOWS\apihv.exe
C:\WINDOWS\netgv.exe
C:\WINDOWS\sdkep.exe
C:\WINDOWS\winbs32.exe
(and any other files with the same name that end in .dll, .exe or .dat, you may
find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)
If you get an error when deleting a file, right-click on the file and check whether
the read-only attribute is checked. If it is, uncheck it and try again.
Run AboutBuster. This will scan your computer for the bad files and delete them.
It will ask to scan the system again, let it. Save the report (copy and paste into
notepad or wordpad and save as a .txt file) and post a copy back here when you are
done with all the steps.
Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.
Reboot and post a fresh HJT log back here and let's see how we did, MrC
re: Spyware problems
Friday, May 27, 2005 at 2:51 pm Posted by Vincent
(14 messages posted)
Think we're back to square one...everything still there:
Logfile of HijackThis v1.99.1
Scan saved at 23:44:33, on 27-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\MyBuster\AboutBuster.exe
C:\WINDOWS\system32\appap32.exe
C:\MyHJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [appap32.exe] C:\WINDOWS\system32\appap32.exe
O4 - HKLM\..\RunOnce: [apihv.exe] C:\WINDOWS\apihv.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
and this is from AboutBuster:
Scanned at: 21:42:14 on: 27-5-2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
Scanned at: 23:31:05 on: 27-05-2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\system32\mtgbt.dat
Removed! : C:\WINDOWS\system32\zimxj.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
Scanned at: 23:41:17 on: 27-05-2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
What's our next move...
On Friday, May 27, 2005 at 1:56 pm, MrCharlie wrote:
>
>Like I said it's going to take several steps to nail this hijacker.
>
>Try this in regular mode
>
>Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click
>the Image Name column header to alphabetically sort the processes => Scroll through
>the list and look for:
>
>windn32.exe
>
>If you find the files, click on them, and then click End Process => Exit the Task
>Manager.
>
>
> CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all
>the following, then click "Fix Checked"
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrtqm.dll/sp.html#37049
>R3 - Default URLSearchHook is missing
>O2 - BHO: Class - {172A767E-22AD-09EE-8C96-720970A7FA45} - C:\WINDOWS\system32\crqw32.dll
>O2 - BHO: Class - {CAEBAB9D-5B6A-D04D-3DF1-1992B30E11BB} - C:\WINDOWS\system32\appnh.dll
>O2 - BHO: Class - {FCBEFCA2-4337-C522-B757-2FED10040650} - C:\WINDOWS\apivy.dll
>O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
>O4 - HKLM\..\RunOnce: [mfcta.exe] C:\WINDOWS\mfcta.exe
>O4 - HKLM\..\RunOnce: [ietk.exe] C:\WINDOWS\system32\ietk.exe
>O4 - HKLM\..\RunOnce: [ipib.exe] C:\WINDOWS\ipib.exe
>O4 - HKLM\..\RunOnce: [d3rt.exe] C:\WINDOWS\d3rt.exe
>O4 - HKLM\..\RunOnce: [apihv.exe] C:\WINDOWS\apihv.exe
>O4 - HKLM\..\RunOnce: [netgv.exe] C:\WINDOWS\netgv.exe
>O4 - HKLM\..\RunOnce: [mssb32.exe] C:\WINDOWS\system32\mssb32.exe
>O4 - HKLM\..\RunOnce: [winbs32.exe] C:\WINDOWS\winbs32.exe
>O4 - HKLM\..\RunOnce: [ntjy.exe] C:\WINDOWS\system32\ntjy.exe
>O4 - HKLM\..\RunOnce: [netzn.exe] C:\WINDOWS\system32\netzn.exe
>O4 - HKLM\..\RunOnce: [sdkep.exe] C:\WINDOWS\sdkep.exe
>O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
>
>
> Delete the following files if present:
>
>C:\WINDOWS\system32\windn32.exe <----Typical
>C:\WINDOWS\system32\crqw32.dll
> C:\WINDOWS\system32\appnh.dll
> C:\WINDOWS\system32\mfcue32.dll
>C:\WINDOWS\system32\ietk.exe
> C:\WINDOWS\system32\mssb32.exe
>C:\WINDOWS\system32\ntjy.exe
> C:\WINDOWS\system32\netzn.exe
>C:\WINDOWS\system32\d3rl32.exe
>C:\WINDOWS\mrtqm.dll
>C:\WINDOWS\apivy.dll
>C:\WINDOWS\mfcta.exe
> C:\WINDOWS\ipib.exe
> C:\WINDOWS\d3rt.exe
>C:\WINDOWS\apihv.exe
>C:\WINDOWS\netgv.exe
> C:\WINDOWS\sdkep.exe
>C:\WINDOWS\winbs32.exe
>
> (and any other files with the same name that end in .dll, .exe or .dat, you may
>find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)
>
>If you get an error when deleting a file, right-click on the file and check whether
>the read-only attribute is checked. If it is, uncheck it and try again.
>
>
>Run AboutBuster. This will scan your computer for the bad files and delete them.
>It will ask to scan the system again, let it. Save the report (copy and paste into
>notepad or wordpad and save as a .txt file) and post a copy back here when you are
>done with all the steps.
>
> Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.
>
>Reboot and post a fresh HJT log back here and let's see how we did, MrC
re: Spyware problems
Friday, May 27, 2005 at 3:10 pm Posted by MrCharlie
(4474 messages posted)
We are making good progress.
Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes if listed:
appap32.exe
Exit the Task Manager when finished
Close ALL programs down, leaving ONLY HijackThis running.
Place a check against the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
O4 - HKLM\..\Run: [appap32.exe] C:\WINDOWS\system32\appap32.exe
O4 - HKLM\..\RunOnce: [apihv.exe] C:\WINDOWS\apihv.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
Click on Fix Checked and exit HijackThis.
Delete these files:
C:\WINDOWS\system32\appap32.exe
C:\WINDOWS\system32\qyztn.dll
C:\WINDOWS\system32\d3rl32.exe
C:\WINDOWS\system32\mfcue32.dll
C:\WINDOWS\apihv.exe
Run AboutBuster.
Reboot and post a fresh HijackThis log and we'll take another look. MrC
----------------------------------------------------------------------------------
Just so you'll know why I'm saying that it will take several steps to get this hijacker.
You can take a look at ThisPost; he has the same variant as you, which is a new variant of this hijacker.
You can see the amount of files he had to delete and the number of steps it took.
AboutBuster usually does a great job on deleting the files installed by the hijacker,
but because it's so new, AboutBuster hasn't been updated yet to take care of this
variant.
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)
MrC
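The triage MrCharlie does by eye in the posts above (pick out the R0/R1 entries redirected into a res:// DLL, the nameless "Class" BHO, the Run/RunOnce values named after their own executable, and the orphaned service with an unknown owner and a missing binary, then turn those into a delete list) can be scripted. The following is an added Python example, not code from this thread or from HijackThis; the detection rules are my own heuristics, and the log lines are constructed from entries quoted in the thread, with the Adobe BHO, the Synaptics and Skype Run values and the ATI service left in as benign controls.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.99.1 log format, modelled on entries
# quoted in this thread. The Adobe BHO, the Synaptics and Skype Run values
# and the ATI service are benign controls and must not be flagged.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [appap32.exe] C:\WINDOWS\system32\appap32.exe
O4 - HKLM\..\RunOnce: [apihv.exe] C:\WINDOWS\apihv.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown owner - C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass
class Finding:
    tag: str              # HJT section, e.g. "R1", "O4", "O23"
    reason: str           # which heuristic fired
    path: Optional[str]   # file the entry points at, if one could be extracted
    line: str             # the original log line


# The patterns below are assumptions of this example, not HijackThis's own logic.
RES_DLL = re.compile(r"res://(?P<path>[A-Za-z]:\\[^/]+?\.dll)/", re.IGNORECASE)
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.exe', re.IGNORECASE)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if a single HJT log line matches one of the heuristics."""
    line = line.strip()
    if not line:
        return None
    tag = line.split(" - ", 1)[0]

    if tag in ("R0", "R1"):
        # A start/search page served from a res:// resource inside a DLL is the
        # about:blank / sp.html hijack signature seen throughout this thread.
        m = RES_DLL.search(line)
        if m:
            return Finding(tag, "IE start/search page redirected into a res:// DLL", m.group("path"), line)
        return None

    if tag == "O2":
        # Legitimate BHOs carry a class name; the hijacker's show up as bare "Class".
        m = O2_BHO.match(line)
        if m and m.group("name").strip() in ("Class", "(no name)"):
            return Finding(tag, "nameless Browser Helper Object", m.group("path").strip(), line)
        return None

    if tag == "O4":
        # Run/RunOnce values whose registry name is just the exe's own file name.
        m = O4_RUN.match(line)
        if m:
            exe = EXE_PATH.search(m.group("cmd"))
            if exe and m.group("name").lower() == exe.group(0).rsplit("\\", 1)[-1].lower():
                return Finding(tag, "Run/RunOnce value named after its own executable", exe.group(0), line)
        return None

    if tag == "O23":
        # A service with no vendor whose binary is gone is left over from the hijacker.
        m = O23_SVC.match(line)
        if m and "Unknown owner" in m.group("owner") and "(file missing)" in m.group("cmd"):
            exe = EXE_PATH.search(m.group("cmd"))
            return Finding(tag, "service with unknown owner whose binary is missing",
                           exe.group(0) if exe else None, line)
        return None

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    hits = (triage_line(line) for line in text.splitlines())
    return [h for h in hits if h is not None]


def files_to_delete(findings: List[Finding]) -> List[str]:
    """Unique file paths behind the flagged entries, i.e. the 'delete if present' list."""
    return sorted({f.path for f in findings if f.path}, key=str.lower)


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.tag:<4} {f.reason}: {f.line}")
    print("\nDelete if present:")
    for p in files_to_delete(found):
        print("  " + p)
```

Run as-is, it flags six entries and produces the same five files as MrCharlie's "Delete these files" list for this log, while the Adobe BHO, the Skype and Synaptics Run values and the ATI service pass. The rules match the pattern rather than the file name, which is the point with this hijacker: every reboot it reappears under a freshly generated name (jfunf.dll, mrtqm.dll, qyztn.dll, addgq32.dll across the logs in this thread), so a name-based blocklist is always one step behind.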
re: Spyware problems
Friday, May 27, 2005 at 3:31 pm Posted by Vincent
(14 messages posted)
It is getting better indeed. I am getting the hang of it and had already stopped appap32.exe
and deleted it, this made things much better. All the R1 and R0 lines are now gone.
Here's my log now:
Logfile of HijackThis v1.99.1
Scan saved at 0:24:42, on 28-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\netrm.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\MyHJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0AEDCEB7-DB98-2AC8-C751-7602FC73372C} - C:\WINDOWS\addgq32.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [netrm.exe] C:\WINDOWS\system32\netrm.exe
O4 - HKLM\..\RunOnce: [d3wd.exe] C:\WINDOWS\system32\d3wd.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
And from AboutBuster:
Scanned at: 21:42:14 on: 27-5-2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
Scanned at: 23:31:05 on: 27-05-2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\system32\mtgbt.dat
Removed! : C:\WINDOWS\system32\zimxj.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
Scanned at: 23:41:17 on: 27-05-2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
I have never found the apihv.exe and the d3rl32.exe files. You mention them every
time but I can't find them in the folder....
Almost there?
On Friday, May 27, 2005 at 3:10 pm, MrCharlie wrote:
>
>We are making good progress.
>
>Press Control-Alt-Del to enter the Task Manager.
>Click on the Processes tab and end the following processes if listed:
>
>appap32.exe
>
>Exit the Task Manager when finished
>
>Close ALL programs down, leaving ONLY HijackThis running.
>Place a check against the following items:
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
>R3 - Default URLSearchHook is missing
>O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
>O4 - HKLM\..\Run: [appap32.exe] C:\WINDOWS\system32\appap32.exe
>O4 - HKLM\..\RunOnce: [apihv.exe] C:\WINDOWS\apihv.exe
>O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
>
>Click on Fix Checked and exit HijackThis.
>
>
>Delete these files:
>
>C:\WINDOWS\system32\appap32.exe
>C:\WINDOWS\system32\qyztn.dll
> C:\WINDOWS\system32\d3rl32.exe
> C:\WINDOWS\system32\mfcue32.dll
>C:\WINDOWS\apihv.exe
>
>Run AboutBuster.
>
>Reboot and post a fresh HijackThis log and we'll take another look. MrC
>
>----------------------------------------------------------------------------------
>
>Just so you'll know why I'm saying that it will take several steps to get this hijacker.
>You can take a look at ThisPost, he has the same variant as you, which is a new variant of this hijacker.
>You can see the amount of files he had to delete and the number of steps it took.
>AboutBuster usually does a great job on deleting the files installed by the hijacker,
>but because it's so new, AboutBuster hasn't been updated yet to take care of this
>variant.
>O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)
>MrC
>
>
>
[Reply or follow-up to this message]
|
re: Spyware problems
Friday, May 27, 2005 at 3:59 pm Posted by MrCharlie
(4474 messages posted)
Hang in there, we'll get it.
Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes if listed:
netrm.exe
Exit the Task Manager when finished
Close ALL programs down, leaving ONLY HijackThis running.
Place a check against the following items:
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0AEDCEB7-DB98-2AC8-C751-7602FC73372C} - C:\WINDOWS\addgq32.dll
O4 - HKLM\..\Run: [netrm.exe] C:\WINDOWS\system32\netrm.exe
O4 - HKLM\..\RunOnce: [d3wd.exe] C:\WINDOWS\system32\d3wd.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner
- C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
Click on Fix Checked and exit HijackThis.
Delete these files if found:
C:\WINDOWS\addgq32.dll
C:\WINDOWS\system32\netrm.exe
C:\WINDOWS\system32\d3wd.exe
C:\WINDOWS\system32\d3rl32.exe <--this one may not be there
Run AboutBuster
Reboot and post a fresh HijackThis log and we'll take another look. MrC
[Reply or follow-up to this message]
|
re: Spyware problems
Friday, May 27, 2005 at 4:18 pm Posted by Vincent
(14 messages posted)
Looking better again, just the remote procedure call that doesn't want to disappear...
Logfile of HijackThis v1.99.1
Scan saved at 1:11:38, on 28-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\MyHJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe
/s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
-startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
-start
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch
USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner
- C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard -
C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook
Utilities\HPWirelessMgr.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony
Shared\AVLib\Pacsptisvr.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation
- C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common
Files\Sony Shared\AVLib\Sptisrv.exe
And in my internet browser I have two web links under my favourites to sex sites that
I didn't put there and that are impossible to delete; they keep coming back....
On Friday, May 27, 2005 at 3:59 pm, MrCharlie wrote:
>
>Hang in there, we'll get it.
>
>Press Control-Alt-Del to enter the Task Manager.
>Click on the Processes tab and end the following processes if listed:
>
>netrm.exe
>
>Exit the Task Manager when finished
>
>Close ALL programs down, leaving ONLY HijackThis running.
>Place a check against the following items:
>
>R3 - Default URLSearchHook is missing
>O2 - BHO: Class - {0AEDCEB7-DB98-2AC8-C751-7602FC73372C} - C:\WINDOWS\addgq32.dll
>O4 - HKLM\..\Run: [netrm.exe] C:\WINDOWS\system32\netrm.exe
>O4 - HKLM\..\RunOnce: [d3wd.exe] C:\WINDOWS\system32\d3wd.exe
>O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner
>- C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
>
>Click on Fix Checked and exit HijackThis.
>
>Delete these files if found:
>
>C:\WINDOWS\addgq32.dll
>C:\WINDOWS\system32\netrm.exe
>C:\WINDOWS\system32\d3wd.exe
> C:\WINDOWS\system32\d3rl32.exe <--this one may not be there
>
>Run AboutBuster
>
>Reboot and post a fresh HijackThis log and we'll take another look. MrC
>
[Reply or follow-up to this message]
|
re: Spyware problems
Friday, May 27, 2005 at 4:43 pm Posted by MrCharlie
(4474 messages posted)
Download this version of Cwsserviceremove.reg.
http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=220
Double click on it and allow it to merge into the registry.
Then run HJT and fix this one:
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner
- C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
Reboot and see if it's gone in the log.
MrC
[Reply or follow-up to this message]
|
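As an added example for the log Vincent posted above and the steps MrCharlie is walking him through, here is a small Python triage script; it is not HijackThis code and not anything from the thread. It rejoins log entries that the forum wrapped onto a second line, then flags the patterns picked out by hand in this thread: R0/R1 entries redirected to a res:// DLL resource, a missing default URLSearchHook, an O2 BHO with no descriptive name, O4 Run/RunOnce entries named after their own executable under C:\WINDOWS, and O23 services whose image file is missing or whose service name is not printable ASCII. It also builds the kind of .reg file MrCharlie's last step relies on, deleting the Services key of a flagged O23 entry; the actual Cwsserviceremove.reg is not shown in the thread, so the .reg body is an assumption about the general mechanism, not that file's contents. The sample log lines are constructed from entries quoted in the thread (the garbled service name is copied as posted), and the rules are heuristics, not HijackThis's own logic.

```python
"""Triage a HijackThis 1.99 log for CoolWebSearch-style hijack indicators.

Added example for this thread, not HijackThis code. The rules are heuristics
distilled from the entries MrCharlie picked out; the sample log below is
constructed from lines quoted in the thread.
"""
import re

# Constructed sample, wrapped at the forum's line width like the posted logs.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qyztn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0AEDCEB7-DB98-2AC8-C751-7602FC73372C} - C:\WINDOWS\addgq32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [netrm.exe] C:\WINDOWS\system32\netrm.exe
O4 - HKLM\..\RunOnce: [d3wd.exe] C:\WINDOWS\system32\d3wd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner
- C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")            # R0, O4, O23, ... section prefix
RES_HIJACK_RE = re.compile(r"=\s*res://.+\.dll/", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
SERVICE_NAME_RE = re.compile(r"\(([^()]*)\)\s*$")  # HJT prints "Display (ServiceName)"


def join_wrapped_lines(text):
    """Rejoin entries that the forum wrapped onto continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A line without a section prefix continues the previous entry.
        if entries and ENTRY_RE.match(entries[-1]) and not ENTRY_RE.match(line):
            entries[-1] += " " + line
        else:
            entries.append(line)
    return entries


def is_printable_ascii(s):
    return all(0x20 <= ord(c) <= 0x7E for c in s)


def service_name(display):
    """Registry service name from an O23 display field, or None if absent."""
    m = SERVICE_NAME_RE.search(display)
    return m.group(1) if m else None


def classify(entry):
    """Reason string if the entry matches a hijack heuristic, else None."""
    if entry.startswith(("R0 - ", "R1 - ")) and RES_HIJACK_RE.search(entry):
        return "IE start/search setting points at a res:// DLL resource"
    if entry == "R3 - Default URLSearchHook is missing":
        return "default URLSearchHook removed"
    m = O2_RE.match(entry)
    if m and m.group("name").strip() == "Class":
        return "BHO registered without a descriptive class name"
    m = O4_RE.match(entry)
    if m and m.group("name").lower().endswith(".exe") \
            and m.group("cmd").lower().startswith("c:\\windows\\"):
        return f"{m.group('key')} entry named after its own executable under C:\\WINDOWS"
    m = O23_RE.match(entry)
    if m:
        reasons = []
        if "(file missing)" in m.group("cmd"):
            reasons.append("service image file missing")
        name = service_name(m.group("display"))
        if name is not None and not is_printable_ascii(name):
            reasons.append("service name is not printable ASCII")
        if reasons:
            return "; ".join(reasons)
    return None


def triage(text):
    """(entry, reason) pairs for every entry a heuristic flags."""
    findings = []
    for entry in join_wrapped_lines(text):
        reason = classify(entry)
        if reason:
            findings.append((entry, reason))
    return findings


def removal_reg_for_missing_services(text):
    """Build a .reg deleting the Services key of each O23 entry whose file is missing.

    Assumption: the thread's Cwsserviceremove.reg is not shown; this is only the
    generic mechanism such a file uses (a leading '-' on the key deletes it).
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for entry, reason in triage(text):
        m = O23_RE.match(entry)
        if m and "service image file missing" in reason:
            name = service_name(m.group("display"))
            if name:
                lines.append(f"[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\{name}]")
                lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
    print(removal_reg_for_missing_services(SAMPLE_LOG))
```

Run it as a script to print the findings and the generated .reg. Each flag is a lead for a person to check, not a verdict: a service left behind by a clean uninstall also shows `(file missing)`, and a service name that renders as garbage in a log may not match its registry key byte for byte, so confirm the key name in the Services branch before merging a deletion.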
re: Spyware problems
Friday, May 27, 2005 at 4:53 pm Posted by Vincent
(14 messages posted)
It worked!!!!! Gone it is, thank god. It was gone immediately after adding that file
to the registry, didn't even have to fix it with HJT.
I ran the Housecall online scan as well and it looks all is back to normal now.
Thank you VERY much for your help. If you're ever in Holland I owe you a free tandem
paragliding flight, look us up on www.paragliding.nl (sorry, all in Dutch)!
Vincent
On Friday, May 27, 2005 at 4:43 pm, MrCharlie wrote:
>
>Download this version of Cwsserviceremove.reg.
>http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=220
>
>
>Double click on it and allow it to merge into the registry.
>
>Then run HJT and fix this one:
>
>O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner
>- C:\WINDOWS\system32\d3rl32.exe" /s (file missing)
>
>Reboot and see if it's gone in the log.
>
>MrC
>
[Reply or follow-up to this message]
|
re: Spyware problems
Friday, May 27, 2005 at 5:41 pm Posted by MrCharlie
(4474 messages posted)
Well Done!
Please look at My Preventive Maintenance to avoid being reinfected.
Thanks, MrC
[Reply or follow-up to this message]