CWS problem!? [CLOSED]



#1
Greven

Hi!

I would really appreciate your help on this. My computer seems to be hijacked by something (CWS?) and I can't get rid of it using conventional methods.

The symptoms are: hijacked desktop page, some weird search page as start-up in Explorer, some svhost and dll processes taking up a lot of CPU capacity, and Norton Antivirus, which I bought after the infection, can't be installed. I can't start the ZoneAlarm firewall, etc. When I close Windows down I get a Win Min End program error.

I have tried the steps you outlined in your instructions, i.e. running Spybot, CWShredder 2.15, etc., but the problem does not seem to go away.

Please find below, in order of appearance, the CWShredder log, the HijackThis log I ran before I used SpySubtract, and the HijackThis log I ran after using SpySubtract.

I would appreciate any help I can get from you guys. I don't know what else to do.

Thanks!

CWShredder log


**** Run Keys ****

RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
RUN: [nwiz] nwiz.exe /install
RUN: [AGRSMMSG] AGRSMMSG.exe
RUN: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
RUN: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
RUN: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
RUN: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
RUN: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
RUN: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
RUN: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
RUN: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
RUN: [1C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1C.tmp.exe 0 10001
RUN: [1A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
RUN: [addpf.exe] C:\WINDOWS\system32\addpf.exe
RUN: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
RUN: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
RUN: [Service Host] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
RUN: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
RUN: [crka.exe] C:\WINDOWS\crka.exe
RUN: [Disk Keeper] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SECURITY.EXE
RUN: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
RUN: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
RUN: [Abatwv] C:\WINDOWS\System32\n?tdde.exe
RUN: [jfqjhsi] c:\windows\apmkynw.exe
RUN: [ssikvdm] c:\windows\jlobmuh.exe
RUN: [gikvpdp] c:\windows\jlobmuh.exe
RUN: [pwfgaie] c:\windows\jlobmuh.exe
RUN: [issnhro] c:\windows\skdjkho.exe
RUN: [qkbbcfv] c:\windows\xxlmoth.exe
RUN: [vepnqoi] c:\windows\xxlmoth.exe
RUN: [ujpbnbc] c:\windows\xxlmoth.exe
RUN: [ocyxwyu] c:\windows\xxlmoth.exe
RUN: [fbmhegr] c:\windows\xxlmoth.exe
RUN: [ggigbei] c:\windows\xxlmoth.exe
RUN: [pnxkvnt] c:\windows\ldhdmvb.exe
RUN: [omxgrti] c:\windows\ldhdmvb.exe
RUN: [epvnqve] c:\windows\ldhdmvb.exe
RUN: [xwcfpgi] c:\windows\ldhdmvb.exe
RUN: [dijhuaq] c:\windows\uvxglyj.exe
RUN: [kdsnppe] c:\windows\mnnnmmx.exe
RUN: [vhmxabk] c:\windows\uvxglyj.exe
RUN: [oilomco] c:\windows\mnnnmmx.exe
RUN: [bmbdatt] c:\windows\uvxglyj.exe
RUN: [ntdtffj] c:\windows\mnnnmmx.exe
RUN: [uxurmqd] c:\windows\uvxglyj.exe
RUN: [qnifgim] c:\windows\mnnnmmx.exe
RUN: [pomttsq] c:\windows\uvxglyj.exe
RUN: [evedqrr] c:\windows\mnnnmmx.exe
RUN: [wdvsvgj] c:\windows\uiqxpur.exe
RUN: [lpjrkwe] c:\windows\uiqxpur.exe
RUN: [nrnvdhb] c:\windows\uiqxpur.exe
RUN: [aplqemu] c:\windows\uiqxpur.exe
RUN: [tkqjepy] c:\windows\pwxillq.exe
RUN: [fsywojx] c:\windows\fmsslkn.exe
RUN: [mohdjal] c:\windows\xfialxc.exe
RUN: [qxhmswi] c:\windows\pwxillq.exe
RUN: [xglhdmw] c:\windows\pwxillq.exe
RUN: [hnmtxrv] c:\windows\phlojmc.exe
RUN: [hmlrunv] c:\windows\cerlmqk.exe
RUN: [aqclaxi] c:\windows\kldemcv.exe
RUN: [susffhu] c:\windows\stnwlog.exe
RUN: [lwcvrok] c:\windows\kldemcv.exe
RUN: [rwdfeog] c:\windows\stnwlog.exe
RUN: [bpmpgin] c:\windows\hbnrnbf.exe
RUN: [dkcxrxm] c:\windows\hbnrnbf.exe
RUN: [tqjolyp] c:\windows\hbnrnbf.exe
RUN: [txmxoti] c:\windows\hbnrnbf.exe
RUN: [ldsjdob] c:\windows\hbnrnbf.exe
RUN: [ougyudl] c:\windows\ilbkgmk.exe
RUN: [hywsanx] c:\windows\qslcgxv.exe
RUN: [qpfgyny] c:\windows\ilbkgmk.exe
RUN: [wogpmmu] c:\windows\qslcgxv.exe
RUN: [beflsoj] c:\windows\ilbkgmk.exe
RUN: [owdtncu] c:\windows\qslcgxv.exe
RUN: [nxcovyf] c:\windows\ilbkgmk.exe
RUN: [rjobchv] c:\windows\qslcgxv.exe
RUN: [metqsfr] c:\windows\ilbkgmk.exe
RUN: [xwchugr] c:\windows\qslcgxv.exe
RUN: [graubct] c:\windows\ilbkgmk.exe
RUN: [kjnjfmg] c:\windows\qslcgxv.exe
RUN: [fdyogpo] c:\windows\ilbkgmk.exe
RUN: [yjjohru] c:\windows\qslcgxv.exe
RUN: [qnvhmbk] c:\windows\trrkter.exe
RUN: [dvmlgpe] c:\windows\gievmjb.exe
RUN: [hprfybi] c:\windows\gievmjb.exe
RUN: [xnsuasa] c:\windows\gievmjb.exe
RUN: [ycengcm] c:\windows\murfrqy.exe
RUN: [vttobpl] c:\windows\saibqnr.exe
RUN: [kklbqvl] c:\windows\dknqqov.exe
RUN: [dpcuvfy] c:\windows\ksxiqbg.exe
RUN: [otvawim] c:\windows\vgvurrd.exe
RUN: [cxisqwf] c:\windows\saibqnr.exe
RUN: [vbgmits] c:\windows\saibqnr.exe
RUN: [dwgykjv] c:\windows\saibqnr.exe
RUN: [lupkuox] c:\windows\saibqnr.exe
RUN: [bdjvokd] c:\windows\saibqnr.exe
RUN: [gnedqun] c:\windows\saibqnr.exe
RUN: [rrusxym] c:\windows\saibqnr.exe
RUN: [epwyexv] c:\windows\thvslio.exe
RUN: [eujvuyf] c:\windows\thvslio.exe
RUN: [ahqxwqq] c:\windows\thvslio.exe
RUN: [rhdkfmn] c:\windows\thvslio.exe
RUN: [vjcnwhq] c:\windows\krojmfh.exe
RUN: [ytrxrfp] c:\windows\krojmfh.exe
RUN: [vhlxfwi] c:\windows\krojmfh.exe
RUN: [emtwjgy] c:\windows\krojmfh.exe
RUN: [bmmdskt] c:\windows\krojmfh.exe
RUN: [xokcxql] c:\windows\krojmfh.exe
RUN: [siawdpx] c:\windows\krojmfh.exe
RUN: [hyxndqq] c:\windows\krojmfh.exe
RUN: [coccpvw] c:\windows\krojmfh.exe
RUN: [xwtjyag] c:\windows\krojmfh.exe
RUN: [fwsqbgf] c:\windows\krojmfh.exe
RUN: [sbbupif] c:\windows\krojmfh.exe
RUN: [ocrbkpt] c:\windows\krojmfh.exe
RUN: [abqymms] c:\windows\krojmfh.exe
RUN: [udixscd] c:\windows\krojmfh.exe
RUN: [hdqigrj] c:\windows\krojmfh.exe
RUN: [rdlgsvj] c:\windows\krojmfh.exe
RUN: [rctndnl] c:\windows\krojmfh.exe
RUN: [uwhidhs] c:\windows\krojmfh.exe
RUN: [vuydrqf] c:\windows\krojmfh.exe
RUN: [meymxqj] c:\windows\eonhxmb.exe
RUN: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
RUN: [Lrrc] C:\Program Files\omsp\iatu.exe
RUN: [mejxwbu] c:\windows\agdqyqi.exe
RUN: [ofpoeda] c:\windows\agdqyqi.exe
RUN: [owgniif] c:\windows\xgaqyid.exe
RUN: [uvpvleo] c:\windows\xgaqyid.exe


**** Browser Helper Objects ****

BHO: [] C:\WINDOWS\system32\mscl32.dll
BHO: [CNavExtBho Class] C:\Program Files\Norton AntiVirus\NavShExt.dll


**** IE Toolbars ****

TOOLBAR: []
TOOLBAR: [Norton AntiVirus] C:\Program Files\Norton AntiVirus\NavShExt.dll


**** IE Extensions ****



**** Hosts File Entries ****



**** IE Settings ****

Default Page: about:blank
Default Search:
Local Page: C:\WINDOWS\System32\blank.htm
Search Bar: http://w-find.com/sp.htm
Search Page: http://w-find.com/index.htm


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: Microsoft security monitor over [MSAFD Tcpip [TCP/IP]]
LSP: Microsoft security monitor over [MSAFD Tcpip [UDP/IP]]
LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D4DC1531-AB21-4CFB-AAF7-F9E85526F25A}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D4DC1531-AB21-4CFB-AAF7-F9E85526F25A}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DD068F39-13C3-42CD-BAAF-2AE9046F7321}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DD068F39-13C3-42CD-BAAF-2AE9046F7321}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{889C1CB3-8E7D-407D-9795-977D226D60CB}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{889C1CB3-8E7D-407D-9795-977D226D60CB}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{562CF38E-E0BF-4DD0-A979-596E0EAC0825}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{562CF38E-E0BF-4DD0-A979-596E0EAC0825}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{642AB177-2C7E-47AC-BF82-BB66900B61B1}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{642AB177-2C7E-47AC-BF82-BB66900B61B1}] DATAGRAM 2


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

{0000000A-9980-0010-8000-00AA00389B71} [http://download.micr...2/wmsp9dmo.cab]
{2517F764-6F60-4ADD-8FCF-137E5B220FF6} [http://www.globalpho...emsat_ver4.CAB] C:\WINDOWS\System32\objsafe.tlb C:\WINDOWS\Downloaded Program Files\emsat_ver4.ocx
{33564D57-9980-0010-8000-00AA00389B71} [http://codecs.micros...86/wmv9dmo.cab]
{79849612-A98F-45B8-95E9-4D13C7B6B35C} [http://iframedollars...tb/loader2.ocx]


**** Windows Services ****

[ 11F#`I] C:\WINDOWS\system32\sdkyx.exe /s
[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
[ccPwdSvc] "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
[ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[ImapiService] C:\WINDOWS\System32\imapi.exe
[iPodService] C:\Program Files\iPod\bin\iPodService.exe
[KDE] C:\WINDOWS\System32\cmdtel.exe
[LAGOS] C:\WINDOWS\System32\ahtun.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\System32\msiexec.exe /V
[navapsvc] "C:\Program Files\Norton AntiVirus\navapsvc.exe"
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NPFMntor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\System32\nvsvc32.exe
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RegSrvc] C:\WINDOWS\System32\RegSrvc.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[S24EventMonitor] C:\WINDOWS\System32\S24EvMon.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SAVScan] C:\Program Files\Norton AntiVirus\SAVScan.exe
[SBService] C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[SNDSrvc] C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
[SPBBCSvc] C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{516BC737-A351-4FDE-821A-7CCA97E6C390}
[Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[vsmon] C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSp] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant]
SEARCH: [SearchAssistant] http://w-find.com/sp.htm
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\System32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://ipassist.biz/index.php?id=11258
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://w-find.com/index.htm
IEOPT: [SmoothScroll]
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Check_Associations] No
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [NotifyDownloadComplete] no
IEOPT: [Use FormSuggest] no
IEOPT: [Toolbars_Placement]
IEOPT: [Search Bar] http://w-find.com/sp.htm
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]
IEOPT: [conc]
IEOPT: [Friendly http errors] yes
IEOPT: [AutoSearch]
IEOPT: [Default_Page_URL]
IEOPT: [Default_Page_URL] about:blank
IEOPT: [Default_Search_URL]
IEOPT: [Search Page]
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\System32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] about:blank
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Search Bar]
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]
IEOPT: []

HijackThis log before SpySubtract

Logfile of HijackThis v1.99.1
Scan saved at 09:10:04, on 10/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sdkyx.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\ahtun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
C:\WINDOWS\crka.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\n?tdde.exe
C:\windows\uiqxpur.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\omsp\iatu.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {52CB9176-0942-9A96-3BC7-AA2295EA037F} - C:\WINDOWS\system32\mscl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [1C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1C.tmp.exe 0 10001
O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [addpf.exe] C:\WINDOWS\system32\addpf.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
O4 - HKLM\..\Run: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
O4 - HKLM\..\Run: [crka.exe] C:\WINDOWS\crka.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SECURITY.EXE
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Abatwv] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [jfqjhsi] c:\windows\apmkynw.exe
O4 - HKCU\..\Run: [ssikvdm] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [gikvpdp] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [pwfgaie] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [issnhro] c:\windows\skdjkho.exe
O4 - HKCU\..\Run: [qkbbcfv] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [vepnqoi] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ujpbnbc] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ocyxwyu] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [fbmhegr] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ggigbei] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [pnxkvnt] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [omxgrti] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [epvnqve] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [xwcfpgi] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [dijhuaq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [kdsnppe] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [vhmxabk] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [oilomco] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [bmbdatt] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [ntdtffj] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [uxurmqd] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [qnifgim] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [pomttsq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [evedqrr] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [wdvsvgj] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [lpjrkwe] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [nrnvdhb] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [aplqemu] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [tkqjepy] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [fsywojx] c:\windows\fmsslkn.exe
O4 - HKCU\..\Run: [mohdjal] c:\windows\xfialxc.exe
O4 - HKCU\..\Run: [qxhmswi] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [xglhdmw] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [hnmtxrv] c:\windows\phlojmc.exe
O4 - HKCU\..\Run: [hmlrunv] c:\windows\cerlmqk.exe
O4 - HKCU\..\Run: [aqclaxi] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [susffhu] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [lwcvrok] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [rwdfeog] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [bpmpgin] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [dkcxrxm] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [tqjolyp] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [txmxoti] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ldsjdob] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ougyudl] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [hywsanx] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qpfgyny] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [wogpmmu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [beflsoj] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [owdtncu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [nxcovyf] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [rjobchv] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [metqsfr] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [xwchugr] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [graubct] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [kjnjfmg] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [fdyogpo] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [yjjohru] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qnvhmbk] c:\windows\trrkter.exe
O4 - HKCU\..\Run: [dvmlgpe] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [hprfybi] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [xnsuasa] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [ycengcm] c:\windows\murfrqy.exe
O4 - HKCU\..\Run: [vttobpl] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [kklbqvl] c:\windows\dknqqov.exe
O4 - HKCU\..\Run: [dpcuvfy] c:\windows\ksxiqbg.exe
O4 - HKCU\..\Run: [otvawim] c:\windows\vgvurrd.exe
O4 - HKCU\..\Run: [cxisqwf] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [vbgmits] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [dwgykjv] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [lupkuox] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [bdjvokd] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [gnedqun] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [rrusxym] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [epwyexv] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [eujvuyf] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [ahqxwqq] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [rhdkfmn] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [vjcnwhq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ytrxrfp] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vhlxfwi] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [emtwjgy] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [bmmdskt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xokcxql] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [siawdpx] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hyxndqq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [coccpvw] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xwtjyag] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [fwsqbgf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [sbbupif] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ocrbkpt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [abqymms] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [udixscd] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hdqigrj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rdlgsvj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rctndnl] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [uwhidhs] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vuydrqf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [meymxqj] c:\windows\eonhxmb.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Lrrc] C:\Program Files\omsp\iatu.exe
O4 - HKCU\..\Run: [mejxwbu] c:\windows\agdqyqi.exe
O4 - HKCU\..\Run: [ofpoeda] c:\windows\agdqyqi.exe
O4 - HKCU\..\Run: [owgniif] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [uvpvleo] c:\windows\xgaqyid.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {2517F764-6F60-4ADD-8FCF-137E5B220FF6} (VacPro.emsat_ver4) - http://www.globalpho.../emsat_ver4.CAB
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.../tb/loader2.ocx
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sdkyx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)


HijackThis log after running the programs mentioned above

Logfile of HijackThis v1.99.1
Scan saved at 09:49:14, on 10/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sdkyx.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\ahtun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
C:\WINDOWS\crka.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\n?tdde.exe
C:\windows\uiqxpur.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\omsp\iatu.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {52CB9176-0942-9A96-3BC7-AA2295EA037F} - C:\WINDOWS\system32\mscl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [1C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1C.tmp.exe 0 10001
O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [addpf.exe] C:\WINDOWS\system32\addpf.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
O4 - HKLM\..\Run: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
O4 - HKLM\..\Run: [crka.exe] C:\WINDOWS\crka.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SECURITY.EXE
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Abatwv] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [jfqjhsi] c:\windows\apmkynw.exe
O4 - HKCU\..\Run: [ssikvdm] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [gikvpdp] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [pwfgaie] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [issnhro] c:\windows\skdjkho.exe
O4 - HKCU\..\Run: [qkbbcfv] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [vepnqoi] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ujpbnbc] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ocyxwyu] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [fbmhegr] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ggigbei] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [pnxkvnt] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [omxgrti] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [epvnqve] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [xwcfpgi] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [dijhuaq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [kdsnppe] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [vhmxabk] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [oilomco] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [bmbdatt] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [ntdtffj] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [uxurmqd] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [qnifgim] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [pomttsq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [evedqrr] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [wdvsvgj] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [lpjrkwe] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [nrnvdhb] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [aplqemu] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [tkqjepy] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [fsywojx] c:\windows\fmsslkn.exe
O4 - HKCU\..\Run: [mohdjal] c:\windows\xfialxc.exe
O4 - HKCU\..\Run: [qxhmswi] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [xglhdmw] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [hnmtxrv] c:\windows\phlojmc.exe
O4 - HKCU\..\Run: [hmlrunv] c:\windows\cerlmqk.exe
O4 - HKCU\..\Run: [aqclaxi] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [susffhu] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [lwcvrok] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [rwdfeog] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [bpmpgin] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [dkcxrxm] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [tqjolyp] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [txmxoti] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ldsjdob] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ougyudl] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [hywsanx] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qpfgyny] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [wogpmmu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [beflsoj] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [owdtncu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [nxcovyf] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [rjobchv] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [metqsfr] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [xwchugr] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [graubct] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [kjnjfmg] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [fdyogpo] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [yjjohru] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qnvhmbk] c:\windows\trrkter.exe
O4 - HKCU\..\Run: [dvmlgpe] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [hprfybi] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [xnsuasa] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [ycengcm] c:\windows\murfrqy.exe
O4 - HKCU\..\Run: [vttobpl] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [kklbqvl] c:\windows\dknqqov.exe
O4 - HKCU\..\Run: [dpcuvfy] c:\windows\ksxiqbg.exe
O4 - HKCU\..\Run: [otvawim] c:\windows\vgvurrd.exe
O4 - HKCU\..\Run: [cxisqwf] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [vbgmits] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [dwgykjv] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [lupkuox] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [bdjvokd] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [gnedqun] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [rrusxym] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [epwyexv] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [eujvuyf] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [ahqxwqq] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [rhdkfmn] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [vjcnwhq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ytrxrfp] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vhlxfwi] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [emtwjgy] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [bmmdskt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xokcxql] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [siawdpx] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hyxndqq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [coccpvw] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xwtjyag] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [fwsqbgf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [sbbupif] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ocrbkpt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [abqymms] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [udixscd] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hdqigrj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rdlgsvj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rctndnl] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [uwhidhs] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vuydrqf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [meymxqj] c:\windows\eonhxmb.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Lrrc] C:\Program Files\omsp\iatu.exe
O4 - HKCU\..\Run: [mejxwbu] c:\windows\agdqyqi.exe
O4 - HKCU\..\Run: [ofpoeda] c:\windows\agdqyqi.exe
O4 - HKCU\..\Run: [owgniif] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [uvpvleo] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [yrkgnpr] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [rodeikj] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [dwhavvg] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [smiyxam] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [yuqrvop] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [ydbamub] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [oigjcqo] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [qavwylc] c:\windows\xgaqyid.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {2517F764-6F60-4ADD-8FCF-137E5B220FF6} (VacPro.emsat_ver4) - http://www.globalpho.../emsat_ver4.CAB
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sdkyx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)


#2
loophole


    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello ;)

Sorry for the delayed response, it has been very busy lately.

If you still require help please post a new Hijack log in this
thread and I will help you. (Please just post one hijack log :tazz: )

Thanks

Edited by loophole, 17 June 2005 - 03:27 PM.


#3
Greven


    New Member

  • Topic Starter
  • Member
  • 5 posts
Hi Loophole,

Thanks for getting back to me! Unfortunately I have not got rid of the problems (hijacked desktop, explorer, Win Min program running when I'm closing down Windows, etc.) so please find below the latest hijack log.

I greatly appreciate your help on this!

Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 09:49:14, on 10/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sdkyx.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\ahtun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
C:\WINDOWS\crka.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\n?tdde.exe
C:\windows\uiqxpur.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\omsp\iatu.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {52CB9176-0942-9A96-3BC7-AA2295EA037F} - C:\WINDOWS\system32\mscl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [1C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1C.tmp.exe 0 10001
O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [addpf.exe] C:\WINDOWS\system32\addpf.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
O4 - HKLM\..\Run: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
O4 - HKLM\..\Run: [crka.exe] C:\WINDOWS\crka.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SECURITY.EXE
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Abatwv] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [jfqjhsi] c:\windows\apmkynw.exe
O4 - HKCU\..\Run: [ssikvdm] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [gikvpdp] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [pwfgaie] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [issnhro] c:\windows\skdjkho.exe
O4 - HKCU\..\Run: [qkbbcfv] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [vepnqoi] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ujpbnbc] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ocyxwyu] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [fbmhegr] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ggigbei] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [pnxkvnt] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [omxgrti] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [epvnqve] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [xwcfpgi] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [dijhuaq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [kdsnppe] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [vhmxabk] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [oilomco] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [bmbdatt] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [ntdtffj] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [uxurmqd] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [qnifgim] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [pomttsq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [evedqrr] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [wdvsvgj] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [lpjrkwe] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [nrnvdhb] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [aplqemu] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [tkqjepy] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [fsywojx] c:\windows\fmsslkn.exe
O4 - HKCU\..\Run: [mohdjal] c:\windows\xfialxc.exe
O4 - HKCU\..\Run: [qxhmswi] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [xglhdmw] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [hnmtxrv] c:\windows\phlojmc.exe
O4 - HKCU\..\Run: [hmlrunv] c:\windows\cerlmqk.exe
O4 - HKCU\..\Run: [aqclaxi] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [susffhu] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [lwcvrok] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [rwdfeog] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [bpmpgin] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [dkcxrxm] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [tqjolyp] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [txmxoti] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ldsjdob] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ougyudl] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [hywsanx] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qpfgyny] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [wogpmmu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [beflsoj] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [owdtncu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [nxcovyf] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [rjobchv] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [metqsfr] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [xwchugr] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [graubct] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [kjnjfmg] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [fdyogpo] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [yjjohru] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qnvhmbk] c:\windows\trrkter.exe
O4 - HKCU\..\Run: [dvmlgpe] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [hprfybi] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [xnsuasa] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [ycengcm] c:\windows\murfrqy.exe
O4 - HKCU\..\Run: [vttobpl] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [kklbqvl] c:\windows\dknqqov.exe
O4 - HKCU\..\Run: [dpcuvfy] c:\windows\ksxiqbg.exe
O4 - HKCU\..\Run: [otvawim] c:\windows\vgvurrd.exe
O4 - HKCU\..\Run: [cxisqwf] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [vbgmits] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [dwgykjv] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [lupkuox] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [bdjvokd] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [gnedqun] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [rrusxym] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [epwyexv] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [eujvuyf] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [ahqxwqq] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [rhdkfmn] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [vjcnwhq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ytrxrfp] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vhlxfwi] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [emtwjgy] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [bmmdskt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xokcxql] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [siawdpx] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hyxndqq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [coccpvw] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xwtjyag] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [fwsqbgf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [sbbupif] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ocrbkpt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [abqymms] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [udixscd] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hdqigrj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rdlgsvj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rctndnl] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [uwhidhs] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vuydrqf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [meymxqj] c:\windows\eonhxmb.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Lrrc] C:\Program Files\omsp\iatu.exe
O4 - HKCU\..\Run: [mejxwbu] c:\windows\agdqyqi.exe
O4 - HKCU\..\Run: [ofpoeda] c:\windows\agdqyqi.exe
O4 - HKCU\..\Run: [owgniif] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [uvpvleo] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [yrkgnpr] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [rodeikj] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [dwhavvg] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [smiyxam] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [yuqrvop] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [ydbamub] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [oigjcqo] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [qavwylc] c:\windows\xgaqyid.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {2517F764-6F60-4ADD-8FCF-137E5B220FF6} (VacPro.emsat_ver4) - http://www.globalpho.../emsat_ver4.CAB
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sdkyx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

#4
loophole


    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello Greven ;)

Unfortunately it appears you have a nasty one. :tazz:

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

1. Please download LSPFix from here.
2. Run the LSPFix.exe that you have just finished downloading.
3. Check the I know what I'm doing box.
4. In the Keep box you should see one or more instances of flsmngr.dll.
5. Select every instance of flsmngr.dll and move each one to the Remove box by clicking the >> button.
6. When you are done click Finish>>.

Now go here http://castlecops.com/postt106277.html and follow the steps.
Then post a new Hijack log in this thread and we will clean out the rest.

Thanks
  • 0
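The entries this reply keys on (an unknown DLL in the Winsock LSP chain, plus the surrounding autostart and service lines) can be pulled out of a HijackThis log mechanically. The Python triage script below is an added example, not part of the thread and not code from HijackThis or LSPFix; the sample lines are copied from the log posted above, and the function names, the Temp-path check and the three-name threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Sample input: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKCU\..\Run: [vjcnwhq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ytrxrfp] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vhlxfwi] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"""

ENTRY = re.compile(r"^([RO]\d{1,2}) - (.*)$")            # "O4 - ...", "R1 - ..."
RUN = re.compile(r"^(HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
EXE = re.compile(r'^"([^"]+)"|^(.*?\.exe)\b', re.IGNORECASE)

# Assumption: three or more differently named Run values that all launch the
# same binary are worth a reviewer's attention. This is not a HijackThis rule.
MIN_ALIASES = 3


def target_of(command):
    """Return the lower-cased executable path from a Run value's command line."""
    m = EXE.match(command)
    path = (m.group(1) or m.group(2)) if m else command
    return path.lower()


def triage(log_text):
    """Group the lines of a HijackThis log that a reviewer would look at first."""
    lsp = defaultdict(int)       # unknown LSP DLL -> number of chain entries
    aliases = defaultdict(set)   # autostart binary -> Run value names using it
    temp_autoruns = []           # autostart entries launching from a Temp folder
    unknown_services = []        # O23 services with no owner information

    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue                      # headers, process list, blank lines
        code, body = m.groups()

        if code == "O10" and body.startswith("Unknown file in Winsock LSP: "):
            lsp[body.split(": ", 1)[1].lower()] += 1

        elif code == "O4":
            run = RUN.match(body)
            if not run:
                continue                  # e.g. "Global Startup" shortcuts
            hive, key, name, command = run.groups()
            exe = target_of(command)
            aliases[exe].add(name)
            if "\\temp\\" in exe:
                temp_autoruns.append((f"{hive}\\{key}", name, exe))

        elif code == "O23" and body.startswith("Service: "):
            # Layout: Service: <display name> - <owner> - <path>
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                missing = parts[2].endswith("(file missing)")
                path = parts[2].replace("(file missing)", "").strip().lower()
                unknown_services.append((parts[0], path, missing))

    fanout = {exe: sorted(names) for exe, names in aliases.items()
              if len(names) >= MIN_ALIASES}
    return {"lsp": dict(lsp), "fanout": fanout,
            "temp_autoruns": temp_autoruns,
            "unknown_services": unknown_services}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dll, count in report["lsp"].items():
        print(f"LSP chain: {dll} appears {count} time(s)")
    for exe, names in report["fanout"].items():
        print(f"Autostart: {len(names)} Run values launch {exe}")
    for key, name, exe in report["temp_autoruns"]:
        print(f"Autostart from Temp: {key} [{name}] -> {exe}")
    for name, path, missing in report["unknown_services"]:
        note = " (file missing)" if missing else ""
        print(f"Service without owner: {name} -> {path}{note}")
```

A hit is only a prompt for review: in the log above the ZoneAlarm service also shows "Unknown owner", because its file is missing rather than because it is malicious.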

#5
Greven


    New Member

  • Topic Starter
  • Member
  • 5 posts
Hi Loophole,

I installed KAV as per your instructions. Unfortunately I was unable to uninstall Norton AV since something is stopping me from running it...

Please find attached the new hijack log.

Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 09:14:16, on 20/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\n?tdde.exe
C:\Program Files\omsp\iatu.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {52CB9176-0942-9A96-3BC7-AA2295EA037F} - C:\WINDOWS\system32\mscl32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [1C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1C.tmp.exe 0 10001
O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [addpf.exe] C:\WINDOWS\system32\addpf.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
O4 - HKLM\..\Run: [crka.exe] C:\WINDOWS\crka.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Abatwv] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [jfqjhsi] c:\windows\apmkynw.exe
O4 - HKCU\..\Run: [ssikvdm] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [gikvpdp] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [pwfgaie] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [issnhro] c:\windows\skdjkho.exe
O4 - HKCU\..\Run: [qkbbcfv] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [vepnqoi] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ujpbnbc] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ocyxwyu] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [fbmhegr] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ggigbei] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [pnxkvnt] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [omxgrti] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [epvnqve] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [xwcfpgi] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [dijhuaq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [kdsnppe] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [vhmxabk] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [oilomco] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [bmbdatt] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [ntdtffj] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [uxurmqd] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [qnifgim] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [pomttsq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [evedqrr] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [wdvsvgj] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [lpjrkwe] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [nrnvdhb] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [aplqemu] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [tkqjepy] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [fsywojx] c:\windows\fmsslkn.exe
O4 - HKCU\..\Run: [mohdjal] c:\windows\xfialxc.exe
O4 - HKCU\..\Run: [qxhmswi] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [xglhdmw] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [hnmtxrv] c:\windows\phlojmc.exe
O4 - HKCU\..\Run: [hmlrunv] c:\windows\cerlmqk.exe
O4 - HKCU\..\Run: [aqclaxi] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [susffhu] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [lwcvrok] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [rwdfeog] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [bpmpgin] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [dkcxrxm] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [tqjolyp] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [txmxoti] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ldsjdob] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ougyudl] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [hywsanx] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qpfgyny] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [wogpmmu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [beflsoj] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [owdtncu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [nxcovyf] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [rjobchv] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [metqsfr] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [xwchugr] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [graubct] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [kjnjfmg] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [fdyogpo] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [yjjohru] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qnvhmbk] c:\windows\trrkter.exe
O4 - HKCU\..\Run: [dvmlgpe] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [hprfybi] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [xnsuasa] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [ycengcm] c:\windows\murfrqy.exe
O4 - HKCU\..\Run: [vttobpl] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [kklbqvl] c:\windows\dknqqov.exe
O4 - HKCU\..\Run: [dpcuvfy] c:\windows\ksxiqbg.exe
O4 - HKCU\..\Run: [otvawim] c:\windows\vgvurrd.exe
O4 - HKCU\..\Run: [cxisqwf] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [vbgmits] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [dwgykjv] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [lupkuox] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [bdjvokd] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [gnedqun] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [rrusxym] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [epwyexv] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [eujvuyf] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [ahqxwqq] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [rhdkfmn] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [vjcnwhq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ytrxrfp] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vhlxfwi] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [emtwjgy] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [bmmdskt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xokcxql] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [siawdpx] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hyxndqq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [coccpvw] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xwtjyag] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [fwsqbgf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [sbbupif] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ocrbkpt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [abqymms] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [udixscd] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hdqigrj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rdlgsvj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rctndnl] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [uwhidhs] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vuydrqf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [meymxqj] c:\windows\eonhxmb.exe
O4 - HKCU\..\Run: [Lrrc] C:\Program Files\omsp\iatu.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {2517F764-6F60-4ADD-8FCF-137E5B220FF6} (VacPro.emsat_ver4) - http://www.globalpho.../emsat_ver4.CAB
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
  • 0

#6
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hey Greven :tazz:

Don't worry about uninstalling Norton yet; you can just disable it. Did you run the KAV scan yet according to the instructions Calamity Jane provided? (Your post said you just installed it.)

Oh, and please save HijackThis in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please advise

Edited by loophole, 20 June 2005 - 11:56 AM.

  • 0

#7
Greven

    New Member

  • Topic Starter
  • Member
  • 5 posts
Hi Loophole,

Sorry for not being entirely clear. The Hijack log I posted last was run after I installed and used KAV. It found and removed 106(!) viruses, but quite a few it was unable to disinfect due to some conflict with the system resources(?). I ran Spybot and CWShredder (2.15) again afterwards. According to the former I still have some CWS thing, but neither one of them could remove it...

Thanks!
  • 0

#8
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
OK Greven, post a new Hijack log and we will continue. :tazz:
  • 0

#9
Greven

    New Member

  • Topic Starter
  • Member
  • 5 posts
Ok, here we go...

Logfile of HijackThis v1.99.1
Scan saved at 09:14:16, on 20/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\n?tdde.exe
C:\Program Files\omsp\iatu.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {52CB9176-0942-9A96-3BC7-AA2295EA037F} - C:\WINDOWS\system32\mscl32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [1C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1C.tmp.exe 0 10001
O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [addpf.exe] C:\WINDOWS\system32\addpf.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
O4 - HKLM\..\Run: [crka.exe] C:\WINDOWS\crka.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Abatwv] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [jfqjhsi] c:\windows\apmkynw.exe
O4 - HKCU\..\Run: [ssikvdm] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [gikvpdp] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [pwfgaie] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [issnhro] c:\windows\skdjkho.exe
O4 - HKCU\..\Run: [qkbbcfv] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [vepnqoi] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ujpbnbc] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ocyxwyu] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [fbmhegr] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ggigbei] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [pnxkvnt] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [omxgrti] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [epvnqve] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [xwcfpgi] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [dijhuaq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [kdsnppe] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [vhmxabk] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [oilomco] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [bmbdatt] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [ntdtffj] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [uxurmqd] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [qnifgim] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [pomttsq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [evedqrr] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [wdvsvgj] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [lpjrkwe] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [nrnvdhb] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [aplqemu] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [tkqjepy] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [fsywojx] c:\windows\fmsslkn.exe
O4 - HKCU\..\Run: [mohdjal] c:\windows\xfialxc.exe
O4 - HKCU\..\Run: [qxhmswi] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [xglhdmw] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [hnmtxrv] c:\windows\phlojmc.exe
O4 - HKCU\..\Run: [hmlrunv] c:\windows\cerlmqk.exe
O4 - HKCU\..\Run: [aqclaxi] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [susffhu] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [lwcvrok] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [rwdfeog] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [bpmpgin] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [dkcxrxm] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [tqjolyp] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [txmxoti] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ldsjdob] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ougyudl] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [hywsanx] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qpfgyny] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [wogpmmu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [beflsoj] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [owdtncu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [nxcovyf] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [rjobchv] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [metqsfr] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [xwchugr] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [graubct] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [kjnjfmg] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [fdyogpo] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [yjjohru] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qnvhmbk] c:\windows\trrkter.exe
O4 - HKCU\..\Run: [dvmlgpe] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [hprfybi] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [xnsuasa] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [ycengcm] c:\windows\murfrqy.exe
O4 - HKCU\..\Run: [vttobpl] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [kklbqvl] c:\windows\dknqqov.exe
O4 - HKCU\..\Run: [dpcuvfy] c:\windows\ksxiqbg.exe
O4 - HKCU\..\Run: [otvawim] c:\windows\vgvurrd.exe
O4 - HKCU\..\Run: [cxisqwf] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [vbgmits] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [dwgykjv] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [lupkuox] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [bdjvokd] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [gnedqun] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [rrusxym] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [epwyexv] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [eujvuyf] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [ahqxwqq] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [rhdkfmn] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [vjcnwhq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ytrxrfp] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vhlxfwi] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [emtwjgy] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [bmmdskt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xokcxql] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [siawdpx] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hyxndqq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [coccpvw] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xwtjyag] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [fwsqbgf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [sbbupif] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ocrbkpt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [abqymms] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [udixscd] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hdqigrj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rdlgsvj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rctndnl] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [uwhidhs] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vuydrqf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [meymxqj] c:\windows\eonhxmb.exe
O4 - HKCU\..\Run: [Lrrc] C:\Program Files\omsp\iatu.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {2517F764-6F60-4ADD-8FCF-137E5B220FF6} (VacPro.emsat_ver4) - http://www.globalpho.../emsat_ver4.CAB
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
  • 0
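An added example, not part of any post in this thread and not HijackThis's own logic: the Python below triages the O4 autostart lines of the log above and lists which HKCU Run values are absent from the three-value keep list in the fix.reg posted later in the thread. The sample lines are copied from the log; the heuristics, function names and reason strings are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Excerpt of O4 (autostart) lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Abatwv] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [jfqjhsi] c:\windows\apmkynw.exe
O4 - HKCU\..\Run: [ssikvdm] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [gikvpdp] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [pwfgaie] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [Lrrc] C:\Program Files\omsp\iatu.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
"""

# Value names that the thread's fix.reg writes back into HKCU\...\Run.
FIX_REG_KEEP = {"CTFMON.EXE", "MSMSGS", "SpySweeper"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)
# Assumed heuristic: seven lowercase letters directly under c:\windows.
RANDOM_RE = re.compile(r"^c:\\windows\\[a-z]{7}\.exe$")


def parse_o4(log_text):
    """Return (hive, key, value_name, command) for each registry O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def target_path(command):
    """Best-effort executable path, lower-cased, with arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path: everything up to the closing quote.
        return command[1:].split('"', 1)[0].lower()
    # Unquoted path: shortest prefix ending in .exe before a space or end.
    m = EXE_RE.match(command)
    return (m.group(1) if m else command).lower()


def triage(entries):
    """Map (hive, key, value_name) to the reasons the entry deserves review."""
    fan_in = defaultdict(set)
    for _, _, name, cmd in entries:
        fan_in[target_path(cmd)].add(name)

    findings = {}
    for hive, key, name, cmd in entries:
        path = target_path(cmd)
        reasons = []
        if "?" in path:
            # '?' is not legal in a Windows file name, so the real name
            # differs from what the log shows.
            reasons.append("illegal '?' in file name")
        if "\\temp\\" in path:
            reasons.append("runs from a Temp directory")
        if RANDOM_RE.match(path) and re.fullmatch(r"[a-z]{7}", name):
            reasons.append("random-looking name pair")
        if len(fan_in[path]) > 1:
            reasons.append("%d values share this target" % len(fan_in[path]))
        if reasons:
            findings[(hive, key, name)] = reasons
    return findings


def dropped_by_run_reset(entries, keep):
    """HKCU Run value names that disappear when the key is deleted and
    recreated with only the values in `keep`, as the thread's fix.reg does."""
    return [name for hive, key, name, _ in entries
            if hive == "HKCU" and key == "Run" and name not in keep]


if __name__ == "__main__":
    parsed = parse_o4(SAMPLE_LOG)
    for ident, why in triage(parsed).items():
        print("\\".join(ident), "->", "; ".join(why))
    print("Not on keep list:", dropped_by_run_reset(parsed, FIX_REG_KEEP))
```

On this excerpt the pattern heuristics never flag the `Lrrc` value, yet it is not on the keep list, which shows why the helper rebuilds the key from known-good values instead of deleting entries one by one.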

#10
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hey Greven, this is quite a large fix as you are infected pretty badly. I will try to have a fix up tonight or in the morning.
  • 0

#11
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hello, I'm taking over your thread, because it needs a special 'treatment'.

It's better to print out the next instructions or save them in Notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important that you don't miss a step and that you perform everything in the right order!!

* HijackThis is still in your temp folder and you haven't unzipped it, so I strongly advise you to unzip it, create a permanent folder and move hijackthis.exe into it. The reason is that HijackThis creates backups, and when it's in your temp folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

Download AboutBuster.
Unzip AboutBuster into its own folder such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close AboutBuster now, because you may not run it yet; that's for later.
If you are getting an error when updating, please let me know first before you proceed with the next steps.

* Download and install CCleaner
Do not use it yet.

* Download CWShredder. Don't let it run yet!

* Download this regfix: HSfix
Unzip it and place it on your desktop, don't use it yet!

* Please set your system to show all files; please see here if you're unsure how to do this.

* Open Notepad and copy and paste the following bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /0"


Save this as fix.reg. Choose to save as *all files and place it on your desktop.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {52CB9176-0942-9A96-3BC7-AA2295EA037F} - C:\WINDOWS\system32\mscl32.dll (file missing)
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [1C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1C.tmp.exe 0 10001
O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [addpf.exe] C:\WINDOWS\system32\addpf.exe
O4 - HKLM\..\Run: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
O4 - HKLM\..\Run: [crka.exe] C:\WINDOWS\crka.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {2517F764-6F60-4ADD-8FCF-137E5B220FF6} (VacPro.emsat_ver4) - http://www.globalpho.../emsat_ver4.CAB


* Click on Fix Checked when finished and exit HijackThis.


* Reboot into Safe Mode (without networking support!):
To get into Safe Mode, press and hold your "F8" key as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

Double-click on the fix.reg I had you make before, and when it asks you if you want to merge the contents into the registry, click yes/ok.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\omsp <== folder
C:\WINDOWS\System32\wldr.dll
C:\WINDOWS\system32\addpf.exe
C:\WINDOWS\system32\sysii32.exe
C:\WINDOWS\crka.exe
c:\windows\apmkynw.exe
c:\windows\jlobmuh.exe
c:\windows\skdjkho.exe
c:\windows\xxlmoth.exe
c:\windows\ldhdmvb.exe
c:\windows\uvxglyj.exe
c:\windows\mnnnmmx.exe
c:\windows\uiqxpur.exe
c:\windows\fmsslkn.exe
c:\windows\xfialxc.exe
c:\windows\pwxillq.exe
c:\windows\phlojmc.exe
c:\windows\cerlmqk.exe
c:\windows\kldemcv.exe
c:\windows\stnwlog.exe
c:\windows\hbnrnbf.exe
c:\windows\ilbkgmk.exe
c:\windows\qslcgxv.exe
c:\windows\trrkter.exe
c:\windows\gievmjb.exe
c:\windows\murfrqy.exe
c:\windows\dknqqov.exe
c:\windows\ksxiqbg.exe
c:\windows\vgvurrd.exe
c:\windows\saibqnr.exe
c:\windows\thvslio.exe
c:\windows\krojmfh.exe
c:\windows\eonhxmb.exe
C:\Program Files\Security iGuard <== folder
C:\WINDOWS\System32\logon.exe (please don't delete winlogon.exe!!)

* Start Aboutbuster and let it scan. When the scan is done and you choose exit, it will automatically create a log in the same folder that Aboutbuster is in.

* Start CWShredder and click FIX.

* Double-click on the HSfix you downloaded earlier, which is on your desktop, and when it asks you if you want to add the contents to the registry, click yes/ok.

* Still in Safe Mode, run CCleaner and click Run Cleaner (bottom right).

* Go to Start > Control Panel > Internet Options > tab Programs and click restore web settings.

* Reboot your PC back to normal.

* Download DelDomains.inf and save it to your desktop.
Right-click on it and choose 'install'.

Open Notepad, then copy and paste the following content (bold) into it:

dir C:\WINDOWS\System32\n?tdde.exe /a h > files.txt
notepad files.txt


Save this as look.bat, choose to save as *all files, and save it to your desktop.
Double-click on it and Notepad will open with some text in it.
Copy and paste this in your next reply, together with a new HijackThis log and the Aboutbuster log, which you'll find in the Aboutbuster folder.
  • 0
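A triage sketch for the kinds of HijackThis entries listed in the post above, added here as an example; it is not part of the original thread and not HijackThis's own logic. The rule set and the function name `triage` are assumptions, and the sample lines are a constructed subset in the same entry formats.

```python
import re

# Constructed sample in the entry formats shown in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
O2 - BHO: (no name) - {52CB9176-0942-9A96-3BC7-AA2295EA037F} - C:\WINDOWS\system32\mscl32.dll (file missing)
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [...] ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# A browser page value that points at a bare IPv4 address instead of a hostname.
RAW_IP_URL = re.compile(r"=\s*https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
# An executable launched directly out of a Temp directory.
TEMP_EXE = re.compile(r"\\Temp\\[^\\]+\.exe", re.I)


def triage(log_text):
    """Return (code, reason, line) tuples for entries that deserve review.

    These are structural heuristics only: a hijacked page that uses an
    ordinary hostname (the R1 sample line) is not flagged and still needs
    a human to compare it against the expected setting.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and RAW_IP_URL.search(body):
            findings.append((code, "IE page set to a bare IP address", line))
        elif code == "O2" and body.endswith("(file missing)"):
            findings.append((code, "BHO registered but its DLL is missing", line))
        elif code == "O4" and TEMP_EXE.search(body):
            findings.append((code, "autostart runs an executable from a Temp folder", line))
        elif code == "O15" and body.startswith("Trusted Zone: *."):
            findings.append((code, "wildcard domain added to the Trusted Zone", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```
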

#12
miekiemoes


    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.
  • 0





