New Hijack This Log

billrod33 · #1 (**permalink**) 25-05-2005, 12:06 AM

I did what you asked, here is the new hijack this log.

Here is the new log

Logfile of HijackThis v1.99.1
Scan saved at 8:00:15 PM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINDOWS\crsw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Billy j Rodriguez\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ynmic.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ynmic.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ynmic.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = sas.r3.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = sas.r3.attbi.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {B878818F-2279-A2FE-62AA-5B8166B041ED} - C:\WINDOWS\javama32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F2059101-A0B5-E7E4-66E2-7F036D7A0E72} - C:\WINDOWS\winho.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [crsw32.exe] C:\WINDOWS\crsw32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [ippm.exe] C:\WINDOWS\ippm.exe
O4 - HKLM\..\RunOnce: [d3ht32.exe] C:\WINDOWS\d3ht32.exe
O4 - HKLM\..\RunOnce: [sdkar.exe] C:\WINDOWS\system32\sdkar.exe
O4 - HKLM\..\RunOnce: [iepp32.exe] C:\WINDOWS\iepp32.exe
O4 - HKLM\..\RunOnce: [appfw32.exe] C:\WINDOWS\appfw32.exe
O4 - HKLM\..\RunOnce: [winaa.exe] C:\WINDOWS\system32\winaa.exe
O4 - HKLM\..\RunOnce: [ieej32.exe] C:\WINDOWS\system32\ieej32.exe
O4 - HKLM\..\RunOnce: [atlwa.exe] C:\WINDOWS\atlwa.exe
O4 - HKLM\..\RunOnce: [atlai32.exe] C:\WINDOWS\system32\atlai32.exe
O4 - HKLM\..\RunOnce: [msfk32.exe] C:\WINDOWS\system32\msfk32.exe
O4 - HKLM\..\RunOnce: [sdksu.exe] C:\WINDOWS\sdksu.exe
O4 - HKLM\..\RunOnce: [nthp32.exe] C:\WINDOWS\system32\nthp32.exe
O4 - HKLM\..\RunOnce: [javawp.exe] C:\WINDOWS\system32\javawp.exe
O4 - HKLM\..\RunOnce: [ipow.exe] C:\WINDOWS\system32\ipow.exe
O4 - HKLM\..\RunOnce: [netmo32.exe] C:\WINDOWS\system32\netmo32.exe
O4 - HKLM\..\RunOnce: [winrj.exe] C:\WINDOWS\system32\winrj.exe
O4 - HKLM\..\RunOnce: [syssr32.exe] C:\WINDOWS\syssr32.exe
O4 - HKLM\..\RunOnce: [iehg32.exe] C:\WINDOWS\system32\iehg32.exe
O4 - HKLM\..\RunOnce: [addgt.exe] C:\WINDOWS\addgt.exe
O4 - HKLM\..\RunOnce: [iewb.exe] C:\WINDOWS\iewb.exe
O4 - HKLM\..\RunOnce: [atlox.exe] C:\WINDOWS\system32\atlox.exe
O4 - HKLM\..\RunOnce: [addjl.exe] C:\WINDOWS\addjl.exe
O4 - HKLM\..\RunOnce: [crof32.exe] C:\WINDOWS\crof32.exe
O4 - HKLM\..\RunOnce: [apihy32.exe] C:\WINDOWS\apihy32.exe
O4 - HKLM\..\RunOnce: [winna.exe] C:\WINDOWS\winna.exe
O4 - HKLM\..\RunOnce: [javama32.exe] C:\WINDOWS\javama32.exe
O4 - HKLM\..\RunOnce: [mfcrc.exe] C:\WINDOWS\mfcrc.exe
O4 - HKLM\..\RunOnce: [addsp.exe] C:\WINDOWS\addsp.exe
O4 - HKLM\..\RunOnce: [crgr32.exe] C:\WINDOWS\system32\crgr32.exe
O4 - HKLM\..\RunOnce: [d3gx32.exe] C:\WINDOWS\d3gx32.exe
O4 - HKLM\..\RunOnce: [ipok32.exe] C:\WINDOWS\ipok32.exe
O4 - HKLM\..\RunOnce: [iemr.exe] C:\WINDOWS\system32\iemr.exe
O4 - HKLM\..\RunOnce: [atlhp32.exe] C:\WINDOWS\system32\atlhp32.exe
O4 - HKLM\..\RunOnce: [ipsy.exe] C:\WINDOWS\system32\ipsy.exe
O4 - HKLM\..\RunOnce: [addxs32.exe] C:\WINDOWS\addxs32.exe
O4 - HKLM\..\RunOnce: [apiqr32.exe] C:\WINDOWS\system32\apiqr32.exe
O4 - HKLM\..\RunOnce: [atldf32.exe] C:\WINDOWS\atldf32.exe
O4 - HKLM\..\RunOnce: [msqz.exe] C:\WINDOWS\msqz.exe
O4 - HKLM\..\RunOnce: [addvy32.exe] C:\WINDOWS\system32\addvy32.exe
O4 - HKLM\..\RunOnce: [addba.exe] C:\WINDOWS\addba.exe
O4 - HKLM\..\RunOnce: [d3gu.exe] C:\WINDOWS\d3gu.exe
O4 - HKLM\..\RunOnce: [ntja.exe] C:\WINDOWS\system32\ntja.exe
O4 - HKLM\..\RunOnce: [atlpc32.exe] C:\WINDOWS\atlpc32.exe
O4 - HKLM\..\RunOnce: [windl.exe] C:\WINDOWS\windl.exe
O4 - HKLM\..\RunOnce: [ntyd32.exe] C:\WINDOWS\system32\ntyd32.exe
O4 - HKLM\..\RunOnce: [winyd.exe] C:\WINDOWS\system32\winyd.exe
O4 - HKLM\..\RunOnce: [mscp.exe] C:\WINDOWS\system32\mscp.exe
O4 - HKLM\..\RunOnce: [appre32.exe] C:\WINDOWS\appre32.exe
O4 - HKLM\..\RunOnce: [netil32.exe] C:\WINDOWS\netil32.exe
O4 - HKLM\..\RunOnce: [mfclx.exe] C:\WINDOWS\system32\mfclx.exe
O4 - HKLM\..\RunOnce: [iekf32.exe] C:\WINDOWS\iekf32.exe
O4 - HKLM\..\RunOnce: [javaau32.exe] C:\WINDOWS\system32\javaau32.exe
O4 - HKLM\..\RunOnce: [crik.exe] C:\WINDOWS\system32\crik.exe
O4 - HKLM\..\RunOnce: [javajk.exe] C:\WINDOWS\javajk.exe
O4 - HKLM\..\RunOnce: [sysya32.exe] C:\WINDOWS\system32\sysya32.exe
O4 - HKLM\..\RunOnce: [mfcqy32.exe] C:\WINDOWS\mfcqy32.exe
O4 - HKLM\..\RunOnce: [crlk32.exe] C:\WINDOWS\system32\crlk32.exe
O4 - HKLM\..\RunOnce: [ieqo.exe] C:\WINDOWS\system32\ieqo.exe
O4 - HKLM\..\RunOnce: [d3zo32.exe] C:\WINDOWS\system32\d3zo32.exe
O4 - HKLM\..\RunOnce: [d3fl32.exe] C:\WINDOWS\system32\d3fl32.exe
O4 - HKLM\..\RunOnce: [netkh.exe] C:\WINDOWS\system32\netkh.exe
O4 - HKLM\..\RunOnce: [mfcid.exe] C:\WINDOWS\system32\mfcid.exe
O4 - HKLM\..\RunOnce: [mfccw32.exe] C:\WINDOWS\mfccw32.exe
O4 - HKLM\..\RunOnce: [ievp32.exe] C:\WINDOWS\ievp32.exe
O4 - HKLM\..\RunOnce: [sysvx32.exe] C:\WINDOWS\sysvx32.exe
O4 - HKLM\..\RunOnce: [mfcfy32.exe] C:\WINDOWS\system32\mfcfy32.exe
O4 - HKLM\..\RunOnce: [mfchp.exe] C:\WINDOWS\mfchp.exe
O4 - HKLM\..\RunOnce: [appxw.exe] C:\WINDOWS\appxw.exe
O4 - HKLM\..\RunOnce: [mshp32.exe] C:\WINDOWS\system32\mshp32.exe
O4 - HKLM\..\RunOnce: [iesi32.exe] C:\WINDOWS\iesi32.exe
O4 - HKLM\..\RunOnce: [mfcps32.exe] C:\WINDOWS\mfcps32.exe
O4 - HKLM\..\RunOnce: [sdkxe32.exe] C:\WINDOWS\sdkxe32.exe
O4 - HKLM\..\RunOnce: [sysaq.exe] C:\WINDOWS\system32\sysaq.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.quotit.net/viewer/activeXViewer/activexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coc.com
O17 - HKLM\Software\..\Telephony: DomainName = coc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = coc.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntgl32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

HJThis · #2 (**permalink**) 25-05-2005, 01:58 AM

Hi,billrod33

First

Please change the location of HijackThis.exe.
Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong

First make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Copy all my instructions into wordpad and save to your desktop. You can't have any open browser windows.

Go to Start->Run and type "Services.msc" (without quotes) then hit OK
Scroll down and find the service called.

Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)

Make sure it is selected in color. Right click on the service and click on stop. Right click on it again and go to Properties. In the Properties screen and under the General Tab, change the Startup Type to Disabled in the dropdown box. Click on Apply. Then OK. If the service isn't listed go ahead with the rest of these instructions anyway.

Now Download the following Cleanup! About:Buster, CWshredder,Ad-aware, & Spy-Bot.

* Updating Ad-aware:
Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
* Updating Spybot:
Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'

Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log

Now rebooot into safe mode (press f8 during reboot, select safe mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank Bug on your system.

Run Hijackthis and place a check next to the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ynmic.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ynmic.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ynmic.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {B878818F-2279-A2FE-62AA-5B8166B041ED} - C:\WINDOWS\javama32.dll
O2 - BHO: Class - {F2059101-A0B5-E7E4-66E2-7F036D7A0E72} - C:\WINDOWS\winho.dll

O4 - HKLM\..\Run: [crsw32.exe] C:\WINDOWS\crsw32.exe
O4 - HKLM\..\RunOnce: [ippm.exe] C:\WINDOWS\ippm.exe
O4 - HKLM\..\RunOnce: [d3ht32.exe] C:\WINDOWS\d3ht32.exe
O4 - HKLM\..\RunOnce: [sdkar.exe] C:\WINDOWS\system32\sdkar.exe
O4 - HKLM\..\RunOnce: [iepp32.exe] C:\WINDOWS\iepp32.exe
O4 - HKLM\..\RunOnce: [appfw32.exe] C:\WINDOWS\appfw32.exe
O4 - HKLM\..\RunOnce: [winaa.exe] C:\WINDOWS\system32\winaa.exe
O4 - HKLM\..\RunOnce: [ieej32.exe] C:\WINDOWS\system32\ieej32.exe
O4 - HKLM\..\RunOnce: [atlwa.exe] C:\WINDOWS\atlwa.exe
O4 - HKLM\..\RunOnce: [atlai32.exe] C:\WINDOWS\system32\atlai32.exe
O4 - HKLM\..\RunOnce: [msfk32.exe] C:\WINDOWS\system32\msfk32.exe
O4 - HKLM\..\RunOnce: [sdksu.exe] C:\WINDOWS\sdksu.exe
O4 - HKLM\..\RunOnce: [nthp32.exe] C:\WINDOWS\system32\nthp32.exe
O4 - HKLM\..\RunOnce: [javawp.exe] C:\WINDOWS\system32\javawp.exe
O4 - HKLM\..\RunOnce: [ipow.exe] C:\WINDOWS\system32\ipow.exe
O4 - HKLM\..\RunOnce: [netmo32.exe] C:\WINDOWS\system32\netmo32.exe
O4 - HKLM\..\RunOnce: [winrj.exe] C:\WINDOWS\system32\winrj.exe
O4 - HKLM\..\RunOnce: [syssr32.exe] C:\WINDOWS\syssr32.exe
O4 - HKLM\..\RunOnce: [iehg32.exe] C:\WINDOWS\system32\iehg32.exe
O4 - HKLM\..\RunOnce: [addgt.exe] C:\WINDOWS\addgt.exe
O4 - HKLM\..\RunOnce: [iewb.exe] C:\WINDOWS\iewb.exe
O4 - HKLM\..\RunOnce: [atlox.exe] C:\WINDOWS\system32\atlox.exe
O4 - HKLM\..\RunOnce: [addjl.exe] C:\WINDOWS\addjl.exe
O4 - HKLM\..\RunOnce: [crof32.exe] C:\WINDOWS\crof32.exe
O4 - HKLM\..\RunOnce: [apihy32.exe] C:\WINDOWS\apihy32.exe
O4 - HKLM\..\RunOnce: [winna.exe] C:\WINDOWS\winna.exe
O4 - HKLM\..\RunOnce: [javama32.exe] C:\WINDOWS\javama32.exe
O4 - HKLM\..\RunOnce: [mfcrc.exe] C:\WINDOWS\mfcrc.exe
O4 - HKLM\..\RunOnce: [addsp.exe] C:\WINDOWS\addsp.exe
O4 - HKLM\..\RunOnce: [crgr32.exe] C:\WINDOWS\system32\crgr32.exe
O4 - HKLM\..\RunOnce: [d3gx32.exe] C:\WINDOWS\d3gx32.exe
O4 - HKLM\..\RunOnce: [ipok32.exe] C:\WINDOWS\ipok32.exe
O4 - HKLM\..\RunOnce: [iemr.exe] C:\WINDOWS\system32\iemr.exe
O4 - HKLM\..\RunOnce: [atlhp32.exe] C:\WINDOWS\system32\atlhp32.exe
O4 - HKLM\..\RunOnce: [ipsy.exe] C:\WINDOWS\system32\ipsy.exe
O4 - HKLM\..\RunOnce: [addxs32.exe] C:\WINDOWS\addxs32.exe
O4 - HKLM\..\RunOnce: [apiqr32.exe] C:\WINDOWS\system32\apiqr32.exe
O4 - HKLM\..\RunOnce: [atldf32.exe] C:\WINDOWS\atldf32.exe
O4 - HKLM\..\RunOnce: [msqz.exe] C:\WINDOWS\msqz.exe
O4 - HKLM\..\RunOnce: [addvy32.exe] C:\WINDOWS\system32\addvy32.exe
O4 - HKLM\..\RunOnce: [addba.exe] C:\WINDOWS\addba.exe
O4 - HKLM\..\RunOnce: [d3gu.exe] C:\WINDOWS\d3gu.exe
O4 - HKLM\..\RunOnce: [ntja.exe] C:\WINDOWS\system32\ntja.exe
O4 - HKLM\..\RunOnce: [atlpc32.exe] C:\WINDOWS\atlpc32.exe
O4 - HKLM\..\RunOnce: [windl.exe] C:\WINDOWS\windl.exe
O4 - HKLM\..\RunOnce: [ntyd32.exe] C:\WINDOWS\system32\ntyd32.exe
O4 - HKLM\..\RunOnce: [winyd.exe] C:\WINDOWS\system32\winyd.exe
O4 - HKLM\..\RunOnce: [mscp.exe] C:\WINDOWS\system32\mscp.exe
O4 - HKLM\..\RunOnce: [appre32.exe] C:\WINDOWS\appre32.exe
O4 - HKLM\..\RunOnce: [netil32.exe] C:\WINDOWS\netil32.exe
O4 - HKLM\..\RunOnce: [mfclx.exe] C:\WINDOWS\system32\mfclx.exe
O4 - HKLM\..\RunOnce: [iekf32.exe] C:\WINDOWS\iekf32.exe
O4 - HKLM\..\RunOnce: [javaau32.exe] C:\WINDOWS\system32\javaau32.exe
O4 - HKLM\..\RunOnce: [crik.exe] C:\WINDOWS\system32\crik.exe
O4 - HKLM\..\RunOnce: [javajk.exe] C:\WINDOWS\javajk.exe
O4 - HKLM\..\RunOnce: [sysya32.exe] C:\WINDOWS\system32\sysya32.exe
O4 - HKLM\..\RunOnce: [mfcqy32.exe] C:\WINDOWS\mfcqy32.exe
O4 - HKLM\..\RunOnce: [crlk32.exe] C:\WINDOWS\system32\crlk32.exe
O4 - HKLM\..\RunOnce: [ieqo.exe] C:\WINDOWS\system32\ieqo.exe
O4 - HKLM\..\RunOnce: [d3zo32.exe] C:\WINDOWS\system32\d3zo32.exe
O4 - HKLM\..\RunOnce: [d3fl32.exe] C:\WINDOWS\system32\d3fl32.exe
O4 - HKLM\..\RunOnce: [netkh.exe] C:\WINDOWS\system32\netkh.exe
O4 - HKLM\..\RunOnce: [mfcid.exe] C:\WINDOWS\system32\mfcid.exe
O4 - HKLM\..\RunOnce: [mfccw32.exe] C:\WINDOWS\mfccw32.exe
O4 - HKLM\..\RunOnce: [ievp32.exe] C:\WINDOWS\ievp32.exe
O4 - HKLM\..\RunOnce: [sysvx32.exe] C:\WINDOWS\sysvx32.exe
O4 - HKLM\..\RunOnce: [mfcfy32.exe] C:\WINDOWS\system32\mfcfy32.exe
O4 - HKLM\..\RunOnce: [mfchp.exe] C:\WINDOWS\mfchp.exe
O4 - HKLM\..\RunOnce: [appxw.exe] C:\WINDOWS\appxw.exe
O4 - HKLM\..\RunOnce: [mshp32.exe] C:\WINDOWS\system32\mshp32.exe
O4 - HKLM\..\RunOnce: [iesi32.exe] C:\WINDOWS\iesi32.exe
O4 - HKLM\..\RunOnce: [mfcps32.exe] C:\WINDOWS\mfcps32.exe
O4 - HKLM\..\RunOnce: [sdkxe32.exe] C:\WINDOWS\sdkxe32.exe
O4 - HKLM\..\RunOnce: [sysaq.exe] C:\WINDOWS\system32\sysaq.exe

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntgl32.exe" /s (file missing)

and click fix.

Remain in safe mode for the next part of the removal.

- First Run the Cleanit! Program

- Next, Unzip the About:Buster Program to your desktop > Double-Click the Folder > Double-Click About:Buster > Click 'OK' > Click 'Start' >

now the program will start to run, it will take a few minutes, once the program is complete go ahead and run the program again.

- Double-Click CWShredder and click 'Fix'

* Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
check: "Unload recognized processes during scanning."
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
Check: "Let Windows remove files in use at next reboot."

Press 'Proceed'

Press 'Start'

* Select option 'Use Custom scanning options'
* Click 'Activate in-depth scan'
* Press 'Select drives\folders to scan' Select the active partition which is usually C:

Click 'Customize'

* Make sure the following are all are Checked:
o 'Scan Within Archives'
o 'Scan Active Processes'
o 'Scan Registry'
o 'Deep Scan Registry'
o 'Scan My IE Favorites For Banned URL'S
o 'Scan My Hosts File'

Click 'Proceed'

* Now press "Next" to let Ad-aware scan your drives.
* Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
* Now Click 'Next' and Finally Click 'OK'

Close Out Ad-aware

Open Spybot.

* Click 'Search & Destroy'
* Click 'Check for problems' (the program will now search your HDD)
* Make sure all finding are checked and click 'Fix Selected Problems'

Close SpyBot!

Reboot back into normal mode
Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Once complete post a fresh Hijackthis log in your thread.

HGD