I would really appreciate your help on this. My computer seems to be hijacked by something (CWS?) and I can't get rid of it using conventional methods.
The symptoms are: hijacked desktop page, some weird search page as start-up in Explorer, some svhost and dll processes are taking up a lot of CPU capacity, Norton Antivirus that I bought after the infection can't be installed, I can't start the ZoneAlarm firewall, etc. When I close Windows down I get a Win Min End program error.
I have tried the steps you were outlining in your instructions, i.e. running Spybot, CWShredder 2.15 etc., but the problem does not seem to go away.
Please find below, in order of appearance, the CWShredder log, the HijackThis log I ran before I used SpySubtract and the HijackThis log I ran after using SpySubtract.
I would appreciate any help I can get from you guys. I don't know what else to do.
Thanks!
CWShredder log
**** Run Keys ****
RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
RUN: [nwiz] nwiz.exe /install
RUN: [AGRSMMSG] AGRSMMSG.exe
RUN: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
RUN: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
RUN: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
RUN: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
RUN: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
RUN: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
RUN: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
RUN: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
RUN: [1C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1C.tmp.exe 0 10001
RUN: [1A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
RUN: [addpf.exe] C:\WINDOWS\system32\addpf.exe
RUN: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
RUN: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
RUN: [Service Host] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
RUN: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
RUN: [crka.exe] C:\WINDOWS\crka.exe
RUN: [Disk Keeper] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SECURITY.EXE
RUN: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
RUN: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
RUN: [Abatwv] C:\WINDOWS\System32\n?tdde.exe
RUN: [jfqjhsi] c:\windows\apmkynw.exe
RUN: [ssikvdm] c:\windows\jlobmuh.exe
RUN: [gikvpdp] c:\windows\jlobmuh.exe
RUN: [pwfgaie] c:\windows\jlobmuh.exe
RUN: [issnhro] c:\windows\skdjkho.exe
RUN: [qkbbcfv] c:\windows\xxlmoth.exe
RUN: [vepnqoi] c:\windows\xxlmoth.exe
RUN: [ujpbnbc] c:\windows\xxlmoth.exe
RUN: [ocyxwyu] c:\windows\xxlmoth.exe
RUN: [fbmhegr] c:\windows\xxlmoth.exe
RUN: [ggigbei] c:\windows\xxlmoth.exe
RUN: [pnxkvnt] c:\windows\ldhdmvb.exe
RUN: [omxgrti] c:\windows\ldhdmvb.exe
RUN: [epvnqve] c:\windows\ldhdmvb.exe
RUN: [xwcfpgi] c:\windows\ldhdmvb.exe
RUN: [dijhuaq] c:\windows\uvxglyj.exe
RUN: [kdsnppe] c:\windows\mnnnmmx.exe
RUN: [vhmxabk] c:\windows\uvxglyj.exe
RUN: [oilomco] c:\windows\mnnnmmx.exe
RUN: [bmbdatt] c:\windows\uvxglyj.exe
RUN: [ntdtffj] c:\windows\mnnnmmx.exe
RUN: [uxurmqd] c:\windows\uvxglyj.exe
RUN: [qnifgim] c:\windows\mnnnmmx.exe
RUN: [pomttsq] c:\windows\uvxglyj.exe
RUN: [evedqrr] c:\windows\mnnnmmx.exe
RUN: [wdvsvgj] c:\windows\uiqxpur.exe
RUN: [lpjrkwe] c:\windows\uiqxpur.exe
RUN: [nrnvdhb] c:\windows\uiqxpur.exe
RUN: [aplqemu] c:\windows\uiqxpur.exe
RUN: [tkqjepy] c:\windows\pwxillq.exe
RUN: [fsywojx] c:\windows\fmsslkn.exe
RUN: [mohdjal] c:\windows\xfialxc.exe
RUN: [qxhmswi] c:\windows\pwxillq.exe
RUN: [xglhdmw] c:\windows\pwxillq.exe
RUN: [hnmtxrv] c:\windows\phlojmc.exe
RUN: [hmlrunv] c:\windows\cerlmqk.exe
RUN: [aqclaxi] c:\windows\kldemcv.exe
RUN: [susffhu] c:\windows\stnwlog.exe
RUN: [lwcvrok] c:\windows\kldemcv.exe
RUN: [rwdfeog] c:\windows\stnwlog.exe
RUN: [bpmpgin] c:\windows\hbnrnbf.exe
RUN: [dkcxrxm] c:\windows\hbnrnbf.exe
RUN: [tqjolyp] c:\windows\hbnrnbf.exe
RUN: [txmxoti] c:\windows\hbnrnbf.exe
RUN: [ldsjdob] c:\windows\hbnrnbf.exe
RUN: [ougyudl] c:\windows\ilbkgmk.exe
RUN: [hywsanx] c:\windows\qslcgxv.exe
RUN: [qpfgyny] c:\windows\ilbkgmk.exe
RUN: [wogpmmu] c:\windows\qslcgxv.exe
RUN: [beflsoj] c:\windows\ilbkgmk.exe
RUN: [owdtncu] c:\windows\qslcgxv.exe
RUN: [nxcovyf] c:\windows\ilbkgmk.exe
RUN: [rjobchv] c:\windows\qslcgxv.exe
RUN: [metqsfr] c:\windows\ilbkgmk.exe
RUN: [xwchugr] c:\windows\qslcgxv.exe
RUN: [graubct] c:\windows\ilbkgmk.exe
RUN: [kjnjfmg] c:\windows\qslcgxv.exe
RUN: [fdyogpo] c:\windows\ilbkgmk.exe
RUN: [yjjohru] c:\windows\qslcgxv.exe
RUN: [qnvhmbk] c:\windows\trrkter.exe
RUN: [dvmlgpe] c:\windows\gievmjb.exe
RUN: [hprfybi] c:\windows\gievmjb.exe
RUN: [xnsuasa] c:\windows\gievmjb.exe
RUN: [ycengcm] c:\windows\murfrqy.exe
RUN: [vttobpl] c:\windows\saibqnr.exe
RUN: [kklbqvl] c:\windows\dknqqov.exe
RUN: [dpcuvfy] c:\windows\ksxiqbg.exe
RUN: [otvawim] c:\windows\vgvurrd.exe
RUN: [cxisqwf] c:\windows\saibqnr.exe
RUN: [vbgmits] c:\windows\saibqnr.exe
RUN: [dwgykjv] c:\windows\saibqnr.exe
RUN: [lupkuox] c:\windows\saibqnr.exe
RUN: [bdjvokd] c:\windows\saibqnr.exe
RUN: [gnedqun] c:\windows\saibqnr.exe
RUN: [rrusxym] c:\windows\saibqnr.exe
RUN: [epwyexv] c:\windows\thvslio.exe
RUN: [eujvuyf] c:\windows\thvslio.exe
RUN: [ahqxwqq] c:\windows\thvslio.exe
RUN: [rhdkfmn] c:\windows\thvslio.exe
RUN: [vjcnwhq] c:\windows\krojmfh.exe
RUN: [ytrxrfp] c:\windows\krojmfh.exe
RUN: [vhlxfwi] c:\windows\krojmfh.exe
RUN: [emtwjgy] c:\windows\krojmfh.exe
RUN: [bmmdskt] c:\windows\krojmfh.exe
RUN: [xokcxql] c:\windows\krojmfh.exe
RUN: [siawdpx] c:\windows\krojmfh.exe
RUN: [hyxndqq] c:\windows\krojmfh.exe
RUN: [coccpvw] c:\windows\krojmfh.exe
RUN: [xwtjyag] c:\windows\krojmfh.exe
RUN: [fwsqbgf] c:\windows\krojmfh.exe
RUN: [sbbupif] c:\windows\krojmfh.exe
RUN: [ocrbkpt] c:\windows\krojmfh.exe
RUN: [abqymms] c:\windows\krojmfh.exe
RUN: [udixscd] c:\windows\krojmfh.exe
RUN: [hdqigrj] c:\windows\krojmfh.exe
RUN: [rdlgsvj] c:\windows\krojmfh.exe
RUN: [rctndnl] c:\windows\krojmfh.exe
RUN: [uwhidhs] c:\windows\krojmfh.exe
RUN: [vuydrqf] c:\windows\krojmfh.exe
RUN: [meymxqj] c:\windows\eonhxmb.exe
RUN: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
RUN: [Lrrc] C:\Program Files\omsp\iatu.exe
RUN: [mejxwbu] c:\windows\agdqyqi.exe
RUN: [ofpoeda] c:\windows\agdqyqi.exe
RUN: [owgniif] c:\windows\xgaqyid.exe
RUN: [uvpvleo] c:\windows\xgaqyid.exe
**** Browser Helper Objects ****
BHO: [] C:\WINDOWS\system32\mscl32.dll
BHO: [CNavExtBho Class] C:\Program Files\Norton AntiVirus\NavShExt.dll
**** IE Toolbars ****
TOOLBAR: []
TOOLBAR: [Norton AntiVirus] C:\Program Files\Norton AntiVirus\NavShExt.dll
**** IE Extensions ****
**** Hosts File Entries ****
**** IE Settings ****
Default Page: about:blank
Default Search:
Local Page: C:\WINDOWS\System32\blank.htm
Search Bar: http://w-find.com/sp.htm
Search Page: http://w-find.com/index.htm
**** IE Context Menu (Right click) ****
**** Layered Service Providers ****
LSP: Microsoft security monitor over [MSAFD Tcpip [TCP/IP]]
LSP: Microsoft security monitor over [MSAFD Tcpip [UDP/IP]]
LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D4DC1531-AB21-4CFB-AAF7-F9E85526F25A}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D4DC1531-AB21-4CFB-AAF7-F9E85526F25A}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DD068F39-13C3-42CD-BAAF-2AE9046F7321}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DD068F39-13C3-42CD-BAAF-2AE9046F7321}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{889C1CB3-8E7D-407D-9795-977D226D60CB}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{889C1CB3-8E7D-407D-9795-977D226D60CB}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{562CF38E-E0BF-4DD0-A979-596E0EAC0825}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{562CF38E-E0BF-4DD0-A979-596E0EAC0825}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{642AB177-2C7E-47AC-BF82-BB66900B61B1}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{642AB177-2C7E-47AC-BF82-BB66900B61B1}] DATAGRAM 2
**** Blocked Control Panel Items ****
BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No
**** Downloaded Program Files ****
{0000000A-9980-0010-8000-00AA00389B71} [http://download.micr...2/wmsp9dmo.cab]
{2517F764-6F60-4ADD-8FCF-137E5B220FF6} [http://www.globalpho...emsat_ver4.CAB] C:\WINDOWS\System32\objsafe.tlb C:\WINDOWS\Downloaded Program Files\emsat_ver4.ocx
{33564D57-9980-0010-8000-00AA00389B71} [http://codecs.micros...86/wmv9dmo.cab]
{79849612-A98F-45B8-95E9-4D13C7B6B35C} [http://iframedollars...tb/loader2.ocx]
**** Windows Services ****
[ 11Fßä#·ºÄÖ`I] C:\WINDOWS\system32\sdkyx.exe /s
[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
[ccPwdSvc] "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
[ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[ImapiService] C:\WINDOWS\System32\imapi.exe
[iPodService] C:\Program Files\iPod\bin\iPodService.exe
[KDE] C:\WINDOWS\System32\cmdtel.exe
[LAGOS] C:\WINDOWS\System32\ahtun.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\System32\msiexec.exe /V
[navapsvc] "C:\Program Files\Norton AntiVirus\navapsvc.exe"
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NPFMntor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\System32\nvsvc32.exe
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RegSrvc] C:\WINDOWS\System32\RegSrvc.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[S24EventMonitor] C:\WINDOWS\System32\S24EvMon.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SAVScan] C:\Program Files\Norton AntiVirus\SAVScan.exe
[SBService] C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[SNDSrvc] C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
[SPBBCSvc] C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{516BC737-A351-4FDE-821A-7CCA97E6C390}
[Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[vsmon] C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSp] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
**** Custom IE Search Items ****
SEARCH: [SearchAssistant]
SEARCH: [SearchAssistant] http://w-find.com/sp.htm
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm
**** Complete IE Options ****
IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\System32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://ipassist.biz/index.php?id=11258
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://w-find.com/index.htm
IEOPT: [SmoothScroll]
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Check_Associations] No
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [NotifyDownloadComplete] no
IEOPT: [Use FormSuggest] no
IEOPT: [Toolbars_Placement]
IEOPT: [Search Bar] http://w-find.com/sp.htm
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]
IEOPT: [conc]
IEOPT: [Friendly http errors] yes
IEOPT: [AutoSearch]
IEOPT: [Default_Page_URL]
IEOPT: [Default_Page_URL] about:blank
IEOPT: [Default_Search_URL]
IEOPT: [Search Page]
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\System32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] about:blank
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Search Bar]
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]
IEOPT: []
HijackThis log before SpySubtract
Logfile of HijackThis v1.99.1
Scan saved at 09:10:04, on 10/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sdkyx.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\ahtun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
C:\WINDOWS\crka.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\n?tdde.exe
C:\windows\uiqxpur.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\omsp\iatu.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {52CB9176-0942-9A96-3BC7-AA2295EA037F} - C:\WINDOWS\system32\mscl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [1C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1C.tmp.exe 0 10001
O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [addpf.exe] C:\WINDOWS\system32\addpf.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
O4 - HKLM\..\Run: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
O4 - HKLM\..\Run: [crka.exe] C:\WINDOWS\crka.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SECURITY.EXE
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Abatwv] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [jfqjhsi] c:\windows\apmkynw.exe
O4 - HKCU\..\Run: [ssikvdm] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [gikvpdp] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [pwfgaie] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [issnhro] c:\windows\skdjkho.exe
O4 - HKCU\..\Run: [qkbbcfv] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [vepnqoi] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ujpbnbc] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ocyxwyu] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [fbmhegr] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ggigbei] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [pnxkvnt] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [omxgrti] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [epvnqve] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [xwcfpgi] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [dijhuaq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [kdsnppe] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [vhmxabk] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [oilomco] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [bmbdatt] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [ntdtffj] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [uxurmqd] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [qnifgim] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [pomttsq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [evedqrr] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [wdvsvgj] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [lpjrkwe] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [nrnvdhb] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [aplqemu] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [tkqjepy] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [fsywojx] c:\windows\fmsslkn.exe
O4 - HKCU\..\Run: [mohdjal] c:\windows\xfialxc.exe
O4 - HKCU\..\Run: [qxhmswi] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [xglhdmw] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [hnmtxrv] c:\windows\phlojmc.exe
O4 - HKCU\..\Run: [hmlrunv] c:\windows\cerlmqk.exe
O4 - HKCU\..\Run: [aqclaxi] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [susffhu] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [lwcvrok] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [rwdfeog] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [bpmpgin] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [dkcxrxm] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [tqjolyp] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [txmxoti] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ldsjdob] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ougyudl] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [hywsanx] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qpfgyny] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [wogpmmu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [beflsoj] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [owdtncu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [nxcovyf] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [rjobchv] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [metqsfr] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [xwchugr] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [graubct] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [kjnjfmg] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [fdyogpo] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [yjjohru] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qnvhmbk] c:\windows\trrkter.exe
O4 - HKCU\..\Run: [dvmlgpe] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [hprfybi] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [xnsuasa] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [ycengcm] c:\windows\murfrqy.exe
O4 - HKCU\..\Run: [vttobpl] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [kklbqvl] c:\windows\dknqqov.exe
O4 - HKCU\..\Run: [dpcuvfy] c:\windows\ksxiqbg.exe
O4 - HKCU\..\Run: [otvawim] c:\windows\vgvurrd.exe
O4 - HKCU\..\Run: [cxisqwf] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [vbgmits] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [dwgykjv] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [lupkuox] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [bdjvokd] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [gnedqun] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [rrusxym] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [epwyexv] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [eujvuyf] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [ahqxwqq] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [rhdkfmn] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [vjcnwhq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ytrxrfp] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vhlxfwi] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [emtwjgy] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [bmmdskt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xokcxql] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [siawdpx] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hyxndqq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [coccpvw] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xwtjyag] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [fwsqbgf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [sbbupif] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ocrbkpt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [abqymms] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [udixscd] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hdqigrj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rdlgsvj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rctndnl] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [uwhidhs] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vuydrqf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [meymxqj] c:\windows\eonhxmb.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Lrrc] C:\Program Files\omsp\iatu.exe
O4 - HKCU\..\Run: [mejxwbu] c:\windows\agdqyqi.exe
O4 - HKCU\..\Run: [ofpoeda] c:\windows\agdqyqi.exe
O4 - HKCU\..\Run: [owgniif] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [uvpvleo] c:\windows\xgaqyid.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {2517F764-6F60-4ADD-8FCF-137E5B220FF6} (VacPro.emsat_ver4) - http://www.globalpho.../emsat_ver4.CAB
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.../tb/loader2.ocx
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkyx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
HijackThis log after running the programs mentioned above
Logfile of HijackThis v1.99.1
Scan saved at 09:49:14, on 10/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sdkyx.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\ahtun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
C:\WINDOWS\crka.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\n?tdde.exe
C:\windows\uiqxpur.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\omsp\iatu.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {52CB9176-0942-9A96-3BC7-AA2295EA037F} - C:\WINDOWS\system32\mscl32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [1C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1C.tmp.exe 0 10001
O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [addpf.exe] C:\WINDOWS\system32\addpf.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SVCHOST.EXE
O4 - HKLM\..\Run: [sysii32.exe] C:\WINDOWS\system32\sysii32.exe
O4 - HKLM\..\Run: [crka.exe] C:\WINDOWS\crka.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{13C9A711-2C9E-4920-8779-FF9A7A8ED99A}\SECURITY.EXE
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Abatwv] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [jfqjhsi] c:\windows\apmkynw.exe
O4 - HKCU\..\Run: [ssikvdm] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [gikvpdp] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [pwfgaie] c:\windows\jlobmuh.exe
O4 - HKCU\..\Run: [issnhro] c:\windows\skdjkho.exe
O4 - HKCU\..\Run: [qkbbcfv] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [vepnqoi] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ujpbnbc] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ocyxwyu] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [fbmhegr] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [ggigbei] c:\windows\xxlmoth.exe
O4 - HKCU\..\Run: [pnxkvnt] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [omxgrti] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [epvnqve] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [xwcfpgi] c:\windows\ldhdmvb.exe
O4 - HKCU\..\Run: [dijhuaq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [kdsnppe] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [vhmxabk] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [oilomco] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [bmbdatt] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [ntdtffj] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [uxurmqd] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [qnifgim] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [pomttsq] c:\windows\uvxglyj.exe
O4 - HKCU\..\Run: [evedqrr] c:\windows\mnnnmmx.exe
O4 - HKCU\..\Run: [wdvsvgj] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [lpjrkwe] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [nrnvdhb] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [aplqemu] c:\windows\uiqxpur.exe
O4 - HKCU\..\Run: [tkqjepy] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [fsywojx] c:\windows\fmsslkn.exe
O4 - HKCU\..\Run: [mohdjal] c:\windows\xfialxc.exe
O4 - HKCU\..\Run: [qxhmswi] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [xglhdmw] c:\windows\pwxillq.exe
O4 - HKCU\..\Run: [hnmtxrv] c:\windows\phlojmc.exe
O4 - HKCU\..\Run: [hmlrunv] c:\windows\cerlmqk.exe
O4 - HKCU\..\Run: [aqclaxi] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [susffhu] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [lwcvrok] c:\windows\kldemcv.exe
O4 - HKCU\..\Run: [rwdfeog] c:\windows\stnwlog.exe
O4 - HKCU\..\Run: [bpmpgin] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [dkcxrxm] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [tqjolyp] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [txmxoti] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ldsjdob] c:\windows\hbnrnbf.exe
O4 - HKCU\..\Run: [ougyudl] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [hywsanx] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qpfgyny] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [wogpmmu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [beflsoj] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [owdtncu] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [nxcovyf] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [rjobchv] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [metqsfr] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [xwchugr] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [graubct] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [kjnjfmg] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [fdyogpo] c:\windows\ilbkgmk.exe
O4 - HKCU\..\Run: [yjjohru] c:\windows\qslcgxv.exe
O4 - HKCU\..\Run: [qnvhmbk] c:\windows\trrkter.exe
O4 - HKCU\..\Run: [dvmlgpe] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [hprfybi] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [xnsuasa] c:\windows\gievmjb.exe
O4 - HKCU\..\Run: [ycengcm] c:\windows\murfrqy.exe
O4 - HKCU\..\Run: [vttobpl] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [kklbqvl] c:\windows\dknqqov.exe
O4 - HKCU\..\Run: [dpcuvfy] c:\windows\ksxiqbg.exe
O4 - HKCU\..\Run: [otvawim] c:\windows\vgvurrd.exe
O4 - HKCU\..\Run: [cxisqwf] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [vbgmits] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [dwgykjv] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [lupkuox] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [bdjvokd] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [gnedqun] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [rrusxym] c:\windows\saibqnr.exe
O4 - HKCU\..\Run: [epwyexv] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [eujvuyf] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [ahqxwqq] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [rhdkfmn] c:\windows\thvslio.exe
O4 - HKCU\..\Run: [vjcnwhq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ytrxrfp] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vhlxfwi] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [emtwjgy] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [bmmdskt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xokcxql] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [siawdpx] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hyxndqq] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [coccpvw] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [xwtjyag] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [fwsqbgf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [sbbupif] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [ocrbkpt] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [abqymms] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [udixscd] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [hdqigrj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rdlgsvj] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [rctndnl] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [uwhidhs] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [vuydrqf] c:\windows\krojmfh.exe
O4 - HKCU\..\Run: [meymxqj] c:\windows\eonhxmb.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Lrrc] C:\Program Files\omsp\iatu.exe
O4 - HKCU\..\Run: [mejxwbu] c:\windows\agdqyqi.exe
O4 - HKCU\..\Run: [ofpoeda] c:\windows\agdqyqi.exe
O4 - HKCU\..\Run: [owgniif] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [uvpvleo] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [yrkgnpr] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [rodeikj] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [dwhavvg] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [smiyxam] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [yuqrvop] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [ydbamub] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [oigjcqo] c:\windows\xgaqyid.exe
O4 - HKCU\..\Run: [qavwylc] c:\windows\xgaqyid.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {2517F764-6F60-4ADD-8FCF-137E5B220FF6} (VacPro.emsat_ver4) - http://www.globalpho.../emsat_ver4.CAB
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkyx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)