culinfl Posted April 28, 2005

I keep getting this about:blank web page when I open IE. I also get pop ups advertising spyware removers!!!! I ran HijackThis and here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:02:17 AM, on 4/28/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
c:\insight\tools\AICLIENT.EXE
C:\WINNT\System32\Ati2evxx.exe
c:\interSOC\ids\blackd.exe
C:\WINNT\system32\CRYPSERV.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe
C:\Program Files\JavaSoft\JRE\1.3.0_01\bin\javaw.exe
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Panasonic\MeiWDS\MeiWds.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\NavNT\savroam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\fpapli.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\Tprbtn.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\winsn.exe
C:\WINNT\system32\syssg32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Entropia\Entropia Client\bin\entropia.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Panasonic\MEISKB\MeiSKB.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\wisptis.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\peraleju\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http-proxy.geps.ge.com:3128;gopher=http-proxy.geps.ge.com:3128;http=http-proxy.geps.ge.com:3128;https=https-proxy.geps.ge.com:3128;socks=http-proxy.geps.ge.com:3128
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {402791F6-FBDB-0DE4-9CCF-B2B6F4AD32B2} - C:\WINNT\iplq.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINNT\gpl.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RUNCIS] C:\Program Files\1E\CIS\\RUNCIS.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Entropia Client] C:\Program Files\Entropia\Entropia Client\bin\Launcher.exe -Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsn.exe] C:\WINNT\system32\winsn.exe
O4 - HKLM\..\RunOnce: [syssg32.exe] C:\WINNT\system32\syssg32.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Software Keyboard.lnk = C:\Program Files\Panasonic\MEISKB\MeiSKB.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15b531c1828480...ip/RdxIE601.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwg32.exe (file missing)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Asset Insight Client (AICLIENT) - Tangram® Enterprise Solutions, Inc - c:\insight\tools\AICLIENT.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\interSOC\ids\blackd.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\CRYPSERV.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: LogServerShell - Unknown owner - C:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: WDS Server (meiwds) - Unknown owner - C:\Program Files\Panasonic\MeiWDS\MeiWds.exe" -service (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\NavNT\savroam.exe
O23 - Service: TaskManagerShell - Unknown owner - C:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe

Please advise... any help will be greatly appreciated!
J.
njustice Posted April 28, 2005

culinfl,
Hello! and welcome to our forums.
===============
Go to Add/Remove Programs and uninstall AWS, aka WeatherBug. We'll get you a safer alternative when we're done cleaning up your computer.
===============
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:
1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".
When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when you're done with the following fix.
===============
We'll need to download these program(s) to help us deal with the "About:Blank" infection:
- Download CWShredder, unzip it to your desktop and run it, then:
1. Click "Check For Update" (If an update isn't available, skip to step #4.)
2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Exit the program.
- Download About:Buster, unzip it to your desktop and run it, then:
1. Click "Update".
2. Click "Check For Update" (If no new version is available, skip to step #4.)
3. Click "Download Update", and wait for it to be installed.
4. Exit the program.
===============
Reboot your computer into "Safe Mode".
===============
Next, locate CWShredder that you downloaded earlier and run it, then:
1. Click "Fix ->"
===============
Next, locate About:Buster that you downloaded earlier and run it, then:
1. Click "Start". (Wait for the initial ADS scan to complete.)
2. Click "Yes", to shut down any IE session currently open. (Wait for the about:blank scan to complete.)
3. Click "Ok", to scan once more.
4. Click "Yes", to shut down any IE sessions currently open.
5. Click "Yes", to begin the second pass.
6. Click "Save log", and post this log back along with your new log.
7. Click "Exit".
8. Click "Exit".
===============
Reboot your computer normally.
===============
Before we begin, let's move HiJackThis to its own folder, like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, which, with HiJackThis in its current location, would lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.
Also move the "Backups" folder for HiJackThis, if present.
===============
Go to Start -> Run and type "Services.msc" (without quotes), then hit OK.
Scroll down and find the service called Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I). Make sure it is selected in color. Right click on the service and click on Stop. Right click on it again and go to Properties. In the Properties screen, under the General tab, change the Startup Type to Disabled in the dropdown box. Click on Apply, then OK. If the service isn't listed, go ahead with the rest of these instructions anyway.
===============
Run HiJackThis and click "Scan", then check (tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {402791F6-FBDB-0DE4-9CCF-B2B6F4AD32B2} - C:\WINNT\iplq.dll
O4 - HKLM\..\Run: [winsn.exe] C:\WINNT\system32\winsn.exe
O4 - HKLM\..\RunOnce: [syssg32.exe] C:\WINNT\system32\syssg32.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15b531c1828480...ip/RdxIE601.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwg32.exe (file missing)

Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":
folders...
C:\PROGRAM FILES\AWS
files...
C:\WINNT\system32\winsn.exe
C:\WINNT\system32\syssg32.exe
C:\WINNT\system32\gqkrs.dll
C:\WINNT\iplq.dll
C:\WINNT\system32\winwg32.exe
- Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
===============
Reboot your computer.
Post back a new log, report any problems and let me know how everything goes.
IMPORTANT! PLEASE do not restart your computer unless asked; restarting can reinfect your computer, resulting in us starting the cleaning-up process all over!
-~Njustice~
culinfl Posted May 3, 2005

I will be doing all this tonight. Thanks for the help. I'll post results.
C.
culinfl Posted May 4, 2005

I did as you suggested and found a few problems. I found gqkrs.dll and deleted it. I also cleaned the machine using HJT. However, I still have the "about" home page problem. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 3:01:24 PM, on 5/4/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\addvq32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
c:\insight\tools\AICLIENT.EXE
C:\WINNT\System32\Ati2evxx.exe
c:\interSOC\ids\blackd.exe
C:\WINNT\system32\CRYPSERV.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe
C:\Program Files\JavaSoft\JRE\1.3.0_01\bin\javaw.exe
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Panasonic\MeiWDS\MeiWds.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\NavNT\savroam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\fpapli.exe
C:\WINNT\System32\hkeyman.exe
C:\WINNT\system32\Tprbtn.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\addfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Panasonic\MEISKB\MeiSKB.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http-proxy.geps.ge.com:3128;gopher=http-proxy.geps.ge.com:3128;http=http-proxy.geps.ge.com:3128;https=https-proxy.geps.ge.com:3128;socks=http-proxy.geps.ge.com:3128
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F15F26C-81EE-4FFA-8B9A-39913016CD37} - C:\WINNT\system32\netra.dll
O2 - BHO: (no name) - {D287B913-740E-605C-9967-D4EEFBA2E464} - C:\WINNT\system32\ntgw.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [Hotkey] C:\WINNT\System32\hkeyman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [addfy.exe] C:\WINNT\system32\addfy.exe
O4 - HKLM\..\Run: [sdkpn.exe] C:\WINNT\system32\sdkpn.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Software Keyboard.lnk = C:\Program Files\Panasonic\MEISKB\MeiSKB.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\addvq32.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Asset Insight Client (AICLIENT) - Tangram® Enterprise Solutions, Inc - c:\insight\tools\AICLIENT.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\interSOC\ids\blackd.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\CRYPSERV.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: LogServerShell - Unknown owner - C:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: WDS Server (meiwds) - Unknown owner - C:\Program Files\Panasonic\MeiWDS\MeiWds.exe" -service (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\NavNT\savroam.exe
O23 - Service: TaskManagerShell - Unknown owner - C:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe

Again, thanks for your help.
culinfl Posted May 4, 2005

Also, whenever I try to run the virus scan at www.trendmicro.com, IE crashes; see attached.
njustice Posted May 5, 2005 (edited)

culinfl,
===============
Let's look for, and delete, any program segments (prefetches) that might be present and are associated with the 'problems' we're trying to remove from this system. To do this, let's:
1) Click "Start | Search", then search for each of these programs' base name(s), in all files and folders:
fpapli.exe*
2) Then, if any are found in the 'prefetch' folder, delete them. Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.
===============
Next, open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).
- Now, locate and 'stop' the following services, if present:
Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) owner ... (C:\WINNT\system32\addvq32.exe)
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.
===============
Run HiJackThis, then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
- Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINNT\system32\addvq32.exe
C:\WINNT\system32\fpapli.exe
C:\WINNT\system32\addfy.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u netra.dll
regsvr32 /u ntgw.dll
It's ok if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
===============
Run HiJackThis and click "Scan", then check (tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5F15F26C-81EE-4FFA-8B9A-39913016CD37} - C:\WINNT\system32\netra.dll
O2 - BHO: (no name) - {D287B913-740E-605C-9967-D4EEFBA2E464} - C:\WINNT\system32\ntgw.dll
O4 - HKLM\..\Run: [addfy.exe] C:\WINNT\system32\addfy.exe
O4 - HKLM\..\Run: [sdkpn.exe] C:\WINNT\system32\sdkpn.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\addvq32.exe

Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":
folders...
C:\Program Files\NZSearch
files...
C:\WINNT\system32\addvq32.exe
C:\WINNT\system32\fpapli.exe
C:\WINNT\system32\addfy.exe
C:\WINNT\system32\netra.dll
C:\WINNT\system32\ntgw.dll
C:\WINNT\system32\sdkpn.exe
- Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
===============
Reboot your computer.
===============
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:
1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".
When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when you're done with the following fix.
Post back a new log, report any problems and let me know how everything goes.
IMPORTANT! PLEASE do not restart your computer unless asked; restarting can reinfect your computer, resulting in us starting the cleaning-up process all over!
-~Njustice~
Edited May 5, 2005 by njustice
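Both of njustice's replies pick the hijacker's entries out of the HijackThis logs by eye: IE search settings redirected into a res:// page inside a DLL, unnamed BHOs dropped into the Windows directory, Run/RunOnce values named after a stray executable in system32, and a service whose key name is unprintable garbage. As an added example (my own code, not code from this thread or from the HijackThis project), the Python below encodes those judgements as rules and runs them over a constructed subset of the two posted logs. It also compares the O23 service entries of the two logs, because the garbled service key is the same in both while its display name and binary changed between 28 April and 4 May. The sample lines are copied from the posts; the rules are my heuristics, not HijackThis features, and they do not catch everything njustice flagged by other means (fpapli.exe, the NZSearch Run entry).

```python
import re

# Constructed sample input: a subset of the entry lines from the two HijackThis
# logs posted in this thread (28 April and 4 May), reproduced as posted.
LOG_APR_28 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {402791F6-FBDB-0DE4-9CCF-B2B6F4AD32B2} - C:\WINNT\iplq.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [winsn.exe] C:\WINNT\system32\winsn.exe
O4 - HKLM\..\RunOnce: [syssg32.exe] C:\WINNT\system32\syssg32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwg32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
"""

LOG_MAY_4 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: (no name) - {5F15F26C-81EE-4FFA-8B9A-39913016CD37} - C:\WINNT\system32\netra.dll
O4 - HKLM\..\Run: [addfy.exe] C:\WINNT\system32\addfy.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\addvq32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SHORT_NAME_RE = re.compile(r"^(?P<display>.*?)\s*\((?P<short>[^()]*)\)$")
# Real service key names are plain ASCII (spaces allowed, e.g. "Norton AntiVirus Server").
PLAIN_IDENT_RE = re.compile(r"^[A-Za-z0-9_. \-]+$")
# Files dropped straight into %SystemRoot% or %SystemRoot%\system32 on Windows 2000.
WINDOWS_DIR_RE = re.compile(r"^[A-Za-z]:\\WINNT\\(system32\\)?[^\\]+$", re.IGNORECASE)
RES_REASON = "IE search/start setting points at an HTML page inside a local DLL (res://...sp.html)"


def parse(log_text):
    """Yield (kind, body, raw_line) for each 'Rn - ...' / 'On - ...' entry line."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body"), raw.strip()


def executable_of(command):
    """First token of a Run value: the quoted path, or the text up to the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_service(body):
    # 'Service: display (short) - owner - path'.  The short name is the key under
    # HKLM\SYSTEM\CurrentControlSet\Services; it is what survives a reinfection that
    # only swaps the display name and the binary.
    parts = body[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name_part, owner, path = parts
    m = SHORT_NAME_RE.match(name_part)
    display, short = (m.group("display"), m.group("short")) if m else (name_part, name_part)
    return {"display": display, "short": short, "owner": owner, "path": path}


def check_ie_page(body):
    value = body.partition(" = ")[2].lower()
    return RES_REASON if value.startswith("res://") and "/sp.html" in value else None


def check_bho(body):
    parts = body[len("BHO: "):].split(" - ", 2)
    if len(parts) == 3 and parts[0] == "(no name)" and WINDOWS_DIR_RE.match(parts[2]):
        return "unnamed BHO loaded from the Windows directory"
    return None


def check_run(body):
    m = RUN_RE.match(body)
    if not m:
        return None
    exe_path = executable_of(m.group("cmd"))
    basename = exe_path.rsplit("\\", 1)[-1]
    if m.group("name").lower() == basename.lower() and WINDOWS_DIR_RE.match(exe_path):
        return "Run/RunOnce value named after its own executable in the Windows directory"
    return None


def check_service(body):
    svc = parse_service(body)
    if svc is None:
        return None
    if not PLAIN_IDENT_RE.match(svc["short"]):
        return "service key name is not a plain identifier: %r" % svc["short"]
    binary = svc["path"].replace(" (file missing)", "")
    if svc["owner"] == "Unknown owner" and binary != svc["path"] and WINDOWS_DIR_RE.match(binary):
        return "service with no vendor string in the Windows directory whose binary is missing"
    return None


def triage(log_text):
    """Return [(raw_line, reason)] for every entry that matches a hijack heuristic."""
    checks = {"R0": check_ie_page, "R1": check_ie_page, "O2": check_bho,
              "O4": check_run, "O23": check_service}
    findings, about_blank = [], []
    for kind, body, raw in parse(log_text):
        reason = checks[kind](body) if kind in checks else None
        if reason:
            findings.append((raw, reason))
        elif kind in ("R0", "R1") and body.endswith("= about:blank"):
            about_blank.append(raw)
    # about:blank is a legitimate start page on its own; count it as part of the
    # hijack only when the same log also carries res:// redirects.
    if any(reason == RES_REASON for _, reason in findings):
        findings += [(raw, "start page forced to about:blank alongside res:// redirects") for raw in about_blank]
    return findings


def service_key_reuse(old_log, new_log):
    """Service keys present in both logs whose display name or binary changed."""
    def services(log):
        out = {}
        for kind, body, _ in parse(log):
            svc = parse_service(body) if kind == "O23" else None
            if svc:
                out[svc["short"]] = svc
        return out
    old, new = services(old_log), services(new_log)
    return {k: (old[k], new[k]) for k in old.keys() & new.keys()
            if (old[k]["display"], old[k]["path"]) != (new[k]["display"], new[k]["path"])}


if __name__ == "__main__":
    for raw, reason in triage(LOG_APR_28) + triage(LOG_MAY_4):
        print("FLAG:", reason, "|", raw)
    for key, (old, new) in service_key_reuse(LOG_APR_28, LOG_MAY_4).items():
        print("REUSED SERVICE KEY %r: %s -> %s" % (key, old["path"], new["path"]))
```

Run as a script it prints the flagged lines from each log and then the one service key that appears in both logs with a different display name and binary. That reuse check is the part worth keeping: the April log's "Workstation NetLogon Service" and the May log's "Remote Procedure Call (RPC) Helper" share the same unprintable key, so the service survived the first clean-up even though its first binary (winwg32.exe) was already missing.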