Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trek Blue Error Nuker, CoolWWWSearch [RESOLVED]

Started by Trigger426 , Aug 15 2005 12:26 AM

  • This topic is locked This topic is locked

#1
Trigger426
Posted 15 August 2005 - 12:26 AM

Trigger426

    Member

  • Member
  • PipPip
  • 14 posts
My first post here, unfortunately I seem to have a pretty nasty for of spyware (or whatever you experts call it).
Syptoms-
Start page changes constantly
Spybot is tripping out with all kinds of reg changes "Deny" seems not to help.
Spybot lists Trek Blue Error Nuker and Cool WWW search everytime I run it.
Windows backround changed (when I try to change back the Desktop option is missing from properties list).
Pop ups anytime it feels like it.
Edit: I should also add when I try to click on certain options in Norton Firewall it generates error and says it needs to close.

Here is hijack this file:

Logfile of HijackThis v1.99.1
Scan saved at 12:08:50 AM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ipst.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\msou.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\NORTON~1\NORTON~3\navw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\thxle.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\thxle.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\thxle.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\thxle.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\thxle.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\thxle.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\thxle.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/PhotoWorks-eLife
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {B1C677B3-B411-DB4C-5060-4FBCDCDEE682} - C:\WINDOWS\appmh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ipst.exe] C:\WINDOWS\ipst.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Compaq Connections.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gfckujdp.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123623076171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I also just noticed I am running XP SP1 so I know I need to download update but the FAQ said downloading it to an infected PC can create more problems.
I have dowloaded Aboutbuster and cwsserviceremove, but I have not run either yet. Awaiting instructions.
Thanks,
Jason

Edited by Trigger426, 15 August 2005 - 12:40 AM.

  • 0

Advertisements

#2
tampabelle
Posted 15 August 2005 - 08:56 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Jason,

It is good that you didnt install SP2 as it could have compounded your problems


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
  • 0

#3
Trigger426
Posted 15 August 2005 - 12:57 PM

Trigger426

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Ok I'm back. This will be a looong post.
Had trouble with the RubberDucky link (says I dont have permission), but I already had About Buster is it the same? I performed all steps assuming that these About Busters were the same.


Results:
Safe Mode
AboutBuster 5.0 reference file 31
Scan started on [8/15/2005] at [10:17:17 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\clock.avi:jbywhc
Removed Stream! C:\WINDOWS\desktop.ini:udcodx
Removed Stream! C:\WINDOWS\FaxSetup.log:fefzzk
Removed Stream! C:\WINDOWS\Thumbs.db:encryptable
------------------------------------------------
Removed File! : C:\Windows\gqjpd.dll
Removed File! : C:\Windows\System32\wskwz.dat
Removed File! : C:\Windows\System32\wumfe.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:17:39 AM


Upon reset and rerun it came up "clean".
CWShredder didn't have anything to fix.
Ran SpSeHjfix (several times oops):


(8/15/05 10:22:01 AM) SPSeHjFix started v1.1.2
(8/15/05 10:22:01 AM) OS: WinXP Service Pack 1 (5.1.2600)
(8/15/05 10:22:01 AM) Language: english
(8/15/05 10:22:01 AM) Win-Path: C:\WINDOWS
(8/15/05 10:22:01 AM) System-Path: C:\WINDOWS\System32
(8/15/05 10:22:01 AM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(8/15/05 10:22:19 AM) Disinfection started
(8/15/05 10:22:19 AM) Bad-Dll(IEP): c:\windows\system32\xrnjj.dll
(8/15/05 10:22:19 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:19 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:19 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\system32\xrnjj.dll/sp.html#14044
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
(8/15/05 10:22:19 AM) Stealth-String not found
(8/15/05 10:22:19 AM) No locked Files to delete. End without Reboot
(8/15/05 10:22:26 AM) Disinfection started
(8/15/05 10:22:26 AM) Bad-Dll(IEP): c:\windows\gqjpd.dll
(8/15/05 10:22:26 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:26 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:26 AM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\gqjpd.dll/sp.html#14044
(8/15/05 10:22:26 AM) Stealth-String not found
(8/15/05 10:22:26 AM) No locked Files to delete. End without Reboot
(8/15/05 10:22:39 AM) Disinfection started
(8/15/05 10:22:39 AM) Bad-Dll(IEP): c:\windows\gqjpd.dll
(8/15/05 10:22:39 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:39 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:39 AM) Bad IE-pages: (none)
(8/15/05 10:22:39 AM) Stealth-String not found
(8/15/05 10:22:39 AM) No locked Files to delete. End without Reboot
(8/15/05 10:22:58 AM) Disinfection started
(8/15/05 10:22:58 AM) Bad-Dll(IEP): c:\windows\gqjpd.dll
(8/15/05 10:22:58 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:58 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:22:58 AM) Bad IE-pages: (none)
(8/15/05 10:22:58 AM) Stealth-String not found
(8/15/05 10:22:58 AM) No locked Files to delete. End without Reboot
(8/15/05 10:23:39 AM) Disinfection started
(8/15/05 10:23:39 AM) Bad-Dll(IEP): c:\windows\gqjpd.dll
(8/15/05 10:23:39 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:23:39 AM) UBF: 4 - UBB: 2 - UBR: 12
(8/15/05 10:23:39 AM) Bad IE-pages: (none)
(8/15/05 10:23:39 AM) Stealth-String not found
(8/15/05 10:23:39 AM) No locked Files to delete. End without Reboot

Next ran Cleanup it removed close to 500mb of junk.
Then rebooted in normal mode my backround is back to normal however when I click on internet explorer Spybot warns me that things are changing in registry.
Ran Kaspersky: Found all kinds of bad stuff. There was no "fix" button on Kaspersky so I assume this was just a check.

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Owner\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 21182
Number of viruses found: 5
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 1150 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\albedfik.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\alhellpk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\chnbpdfd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\hppanfcd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\icckfaga.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\jafbpqng.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\jdkjqgef.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lkekdonq.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lmfglgdo.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lncgpjmd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\mkhqqlnk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\ngffkcdm.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\nghdllke.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\njdcbhmk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PerfectNavUninstall.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PerfectNavUninstall.exe Infected: Trojan-Downloader.Win32.Keenval.f
C:\WINDOWS\system32\config\systemprofile\x.html Infected: Trojan.WinREG.LowZones.a
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab
C:\WINDOWS\system32\oleext.dll Infected: Trojan.Win32.Small.ev

Scan process completed.
can Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 94417
Number of viruses found: 28
Number of infected objects: 108
Number of suspicious objects: 13
Duration of the scan process: 5384 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Default User\x.html Infected: Trojan.WinREG.LowZones.a
C:\Documents and Settings\Owner\Desktop\hijackthis\hijackthis1 Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Owner\x.html Infected: Trojan.WinREG.LowZones.a
C:\ntfirewall.exe Infected: Trojan-Downloader.Win32.Small.mt
C:\Program Files\Kazaa\PerfectNavUninstall.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f
C:\Program Files\Kazaa\PerfectNavUninstall.exe Infected: Trojan-Downloader.Win32.Keenval.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04CC449E.exe Infected: Backdoor.Win32.SdBot.acf
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A3137F6.REG Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0AE11334.REG Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B12212B.exe/ Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B12212B.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\13A618E7.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\13A618E7.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\13A618E7.exe Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18AF21DC.exe Infected: Trojan-Downloader.Win32.Tibs.h
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C25509A Infected: Email-Worm.Win32.Mimail.r
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\205D6646.exe Infected: Trojan.Win32.StartPage.tj
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27D90953.REG Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2BD137ED.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2CCB2EAE Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\31281132.exe Infected: Trojan-Downloader.Win32.Small.mt
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\32B26872.exe Infected: Trojan.Win32.StartPage.tj
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\36B32CE2.exe Infected: Backdoor.Win32.SdBot.acf
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B204975.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B6D08CD.exe Infected: Trojan-Downloader.Win32.Intexp.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3DDB6274.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\41F87047.reg Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\433C2040.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\454A432B.exe Infected: Trojan-Downloader.Win32.PurityScan.e
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B253224.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B253224.reg Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B253224.sys Infected: Backdoor.Win32.SdBot.zo
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C111770.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C111770.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C111770.exe Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C14416C.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C14416C.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C14416C.exe Infected: Trojan.WinREG.LowZones.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5ED5337B.dll Infected: Virus.Win32.Nsag.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F8E4992.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603B7AD3.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603B7AD3.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603B7AD3.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603B7AD3.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603B7AD3.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\604822C5.cla Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\60554AB7.cla Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\605974B3.cla Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\61181052.dll Infected: Trojan-Downloader.Win32.Agent.mh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C5C3A0C.exe Infected: Trojan-Downloader.Win32.Small.mt
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720935CC.exe Infected: Trojan-Downloader.Win32.PurityScan.e
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720C5FC9.dll Infected: Trojan-Downloader.Win32.IstBar.fa
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720C5FC9.exe/ Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\720C5FC9.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\721009C5.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\721333C2.exe Infected: Trojan-Downloader.Win32.Stubby.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\72165DBE.exe Infected: Trojan-Downloader.Win32.Stubby.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\721907BB.exe Infected: Trojan-Downloader.Win32.Stubby.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\721D31B7.dll Infected: Trojan-Downloader.Win32.Dyfuca.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\732E077B.cab/polall1m.exe/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\732E077B.cab/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\732E077B.cab Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\75391783.cab/polall1m.exe/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\75391783.cab/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\75391783.cab Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7F82652C.exe Infected: Trojan-Downloader.Win32.PurityScan.e
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP102\A0019508.dll Infected: Trojan-Downloader.Win32.Agent.mh
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP103\A0019528.DLL Infected: Trojan-Clicker.Win32.Agent.ac
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0026148.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0026173.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0026204.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0027204.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0028229.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP138\A0028281.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP138\A0028300.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP143\A0028418.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0030507.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0030534.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0030534.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0030534.exe Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0031526.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0031570.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0031570.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0031570.exe Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0032526.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0032535.exe/kans.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0032535.exe/kansup.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0032535.exe Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP152\A0032593.exe Infected: Backdoor.Win32.SdBot.acf
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP155\A0033599.EXE Infected: Backdoor.Win32.SdBot.acf
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP155\A0033600.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP155\A0033602.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP157\A0033631.exe Infected: Backdoor.Win32.SdBot.acf
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP163\A0034867.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP163\A0034942.reg Infected: Trojan.WinREG.LowZones.f
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP163\A0034943.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0035919.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0035924.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0035925.sys Infected: Backdoor.Win32.SdBot.zo
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP185\A0039555.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP185\A0039556.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP99\A0018497.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\albedfik.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\alhellpk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\chnbpdfd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\hppanfcd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\icckfaga.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\jafbpqng.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\jdkjqgef.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lkekdonq.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lmfglgdo.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\lncgpjmd.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\mkhqqlnk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\ngffkcdm.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\nghdllke.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\njdcbhmk.htm Infected: Trojan.JS.Pooter.b
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PerfectNavUninstall.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PerfectNavUninstall.exe Infected: Trojan-Downloader.Win32.Keenval.f
C:\WINDOWS\system32\config\systemprofile\x.html Infected: Trojan.WinREG.LowZones.a
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab
C:\WINDOWS\system32\oleext.dll Infected: Trojan.Win32.Small.ev

Scan process completed.

Here is my new Hijack this:


Logfile of HijackThis v1.99.1
Scan saved at 12:38:48 PM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ipst.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\msou.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gqjpd.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gqjpd.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gqjpd.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/PhotoWorks-eLife
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Class - {B1C677B3-B411-DB4C-5060-4FBCDCDEE682} - C:\WINDOWS\appmh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ipst.exe] C:\WINDOWS\ipst.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Compaq Connections.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gfckujdp.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123623076171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msou.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


To summarize I think we got part of it until I clicked on internet explorer then it seems to have spawned itself again. MY startpage is still changing although I havent seen any popups. Thanks for your help keep it coming.
  • 0

#4
tampabelle
Posted 15 August 2005 - 01:41 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gqjpd.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gqjpd.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gqjpd.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Class - {B1C677B3-B411-DB4C-5060-4FBCDCDEE682} - C:\WINDOWS\appmh.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gfckujdp.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Run CleanUp and delete all temp files including temporary internet files

Run Ewido full scan. Let it fix any items it finds.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files -

c:\eied_s7.cab
c:\ex.cab
C:\WINDOWS\web\related.htm
C:\WINDOWS\gqjpd.dll

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch. It will open the folder Prefetch. Delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.
  • 0

#5
Trigger426
Posted 15 August 2005 - 04:42 PM

Trigger426

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Ok completed steps 1 and 2 without incident. Here is ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:22:56 PM, 8/15/2005
+ Report-Checksum: 64F0BCAB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20050815-141423-767.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\ntfirewall.exe -> TrojanDownloader.Small.mt : Cleaned with backup
C:\Program Files\CSBB\csAOLldr.exe -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\CSBB\CSBB.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\CSBB\CSSSINST.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\RECYCLER\NPROTECT\00017054.DLL -> Spyware.SearchPage : Cleaned with backup
C:\RECYCLER\NPROTECT\00017160.DLL -> Spyware.SearchPage : Cleaned with backup
C:\RECYCLER\NPROTECT\00018196.EXE -> Spyware.NewDotNet : Cleaned with backup
C:\RECYCLER\NPROTECT\00018377.DLL -> Spyware.SearchPage : Cleaned with backup
C:\RECYCLER\NPROTECT\00018563.DLL -> Spyware.SearchPage : Cleaned with backup
:mozilla.7:C:\RECYCLER\NPROTECT\00018801.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.7:C:\RECYCLER\NPROTECT\00018802.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.7:C:\RECYCLER\NPROTECT\00018803.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.9:C:\RECYCLER\NPROTECT\00018804.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.11:C:\RECYCLER\NPROTECT\00018806.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.9:C:\RECYCLER\NPROTECT\00018807.MOZ -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.10:C:\RECYCLER\NPROTECT\00018807.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.11:C:\RECYCLER\NPROTECT\00018807.MOZ -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.14:C:\RECYCLER\NPROTECT\00018807.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.9:C:\RECYCLER\NPROTECT\00018810.MOZ -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.10:C:\RECYCLER\NPROTECT\00018810.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.11:C:\RECYCLER\NPROTECT\00018810.MOZ -> Spyware.Cookie.Bridgetrack : Cleaned with backup
-> : Error during cleaning
C:\RECYCLER\NPROTECT\00019158.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\apiuy32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\control.ini:xqjsa -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dwnldr.dll -> Spyware.Dwnldr : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\FaxSetup.log:fefzzk -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\gqjpd.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\ipst.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcyy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msou.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\sdkim32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkmg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32:nlaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\addiw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\cd_clint.dll -> Spyware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\__unin__.exe -> Spyware.Altnet : Cleaned with backup
C:\WINDOWS\system32\sysru.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\TFTP2900 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\WindowsUpdate.log:erlzq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\WMSysPrx.prx:pswsm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{34E5D0F6-B03D-4AA1-87D2-7277A98006B1}.dat:crestq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\{34E5D0F6-B03D-4AA1-87D2-7277A98006B1}.dat:fhdyqf -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\{34E5D0F6-B03D-4AA1-87D2-7277A98006B1}.dat:kqtnyn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{34E5D0F6-B03D-4AA1-87D2-7277A98006B1}.dat:rpaiw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{34E5D0F6-B03D-4AA1-87D2-7277A98006B1}.dat:yanlkp -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End

The only issues I had were on step 3 deleting the files. The only one I could find and delete was C:\Windows\web\related.htm. The others I could not find even when I did a search.

Deleted the prefetch files (not the folder :tazz: ). Rebooted in normal here is my latest HJT:
Logfile of HijackThis v1.99.1
Scan saved at 4:40:26 PM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo...showtopic=50323
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/PhotoWorks-eLife
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Class - {6A8FA9C0-1C40-8A47-8010-34264B4D7631} - C:\WINDOWS\apiuy32.dll (file missing)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Compaq Connections.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123623076171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msou.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

When I started IE to send this out my homepage was changed to about:blank again, but it didnt seem like anything else was having a problem. Edit: After looking at my HJT log I noticed some of the ones I deleted have returned I am pretty sure I deleted them. Are we winning?

Edited by Trigger426, 15 August 2005 - 04:47 PM.

  • 0

#6
tampabelle
Posted 15 August 2005 - 04:51 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Yes, we are cleaning up your PC in steps but definitely!!!!!


Click on Start ---> Run. Type Services.msc and hit enter. Locate the item - Remote Procedure Call (RPC) Helper . Right click on it and then click on properties. In the Startup Type choose the option Disable. Close the window.


Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Class - {6A8FA9C0-1C40-8A47-8010-34264B4D7631} - C:\WINDOWS\apiuy32.dll (file missing)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


Reboot the PC and post a fresh HJT log.
  • 0

#7
Trigger426
Posted 15 August 2005 - 05:30 PM

Trigger426

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Followed all directions without problem. Here is my latest HJT:

Logfile of HijackThis v1.99.1
Scan saved at 5:25:29 PM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo...37&t=54793&st=0
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/PhotoWorks-eLife
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {6A8FA9C0-1C40-8A47-8010-34264B4D7631} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Compaq Connections.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123623076171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I notice those O2 entries keep returning, this time however I experienced no symptoms. My backround is fine as are my start pages and all of that.
  • 0

#8
tampabelle
Posted 15 August 2005 - 05:36 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi trigger,

Yeah looks like Spybot Tea Timer is interfering with the fix.

Lets do it one more time.


First close Spybot. Right Click on Spybot icon in the systray at the bottom right hand corner. Click on Exit Spybot S&D Resident.


Run Hijack This and click on scan. The following items need to be fixed -

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {6A8FA9C0-1C40-8A47-8010-34264B4D7631} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Compaq Connections.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Reboot the PC.

Run Spybot. It will automatically become memory resident.

Post a fresh HJT log.
  • 0

#9
Trigger426
Posted 15 August 2005 - 05:49 PM

Trigger426

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Latest HJT log. I exited spybot before I fixed those items. HJT mentions something about closing all IE and windows explorer files before deleting, but all my windows are closed. Do I need to somehow close windows explorer that may be running in backround?


Logfile of HijackThis v1.99.1
Scan saved at 5:43:31 PM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo...37&t=54793&st=0
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/PhotoWorks-eLife
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {6A8FA9C0-1C40-8A47-8010-34264B4D7631} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123623076171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#10
tampabelle
Posted 16 August 2005 - 07:06 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Trigger,


These O2 entries need to be fixed by registry edit.

Please download the attached tool and unzip it to save the enclosed regsrch.vbs file to the desktop. Double click on regsrch.vbs to run it. The tool will search your registry for the key words. Your anti-virus program may throw up a warning about a script running. Let it run.

Keep your reply window at this forum open. Search for the following key words, one after the other -

4A2AACF3-ADF6-11D5-98A9-00E018981B9E
53707962-6F74-2D53-2644-206D7942484F
6A8FA9C0-1C40-8A47-8010-34264B4D7631
9ECB9560-04F9-4bbc-943D-298DDF1699E1

Once the search is over, it will throw up a log file after every search. Post back the log files here.

Attached Files


Edited by tampabelle, 16 August 2005 - 07:08 AM.

  • 0

Advertisements

#11
Trigger426
Posted 16 August 2005 - 10:26 AM

Trigger426

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here we are.

1
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "4A2AACF3-ADF6-11D5-98A9-00E018981B9E" 8/16/2005 10:18:23 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}]

2
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "53707962-6F74-2D53-2644-206D7942484F" 8/16/2005 10:20:00 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

3
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "6A8FA9C0-1C40-8A47-8010-34264B4D7631" 8/16/2005 10:20:59 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{6A8FA9C0-1C40-8A47-8010-34264B4D7631}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A8FA9C0-1C40-8A47-8010-34264B4D7631}]

4
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "9ECB9560-04F9-4bbc-943D-298DDF1699E1" 8/16/2005 10:21:57 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
  • 0

#12
tampabelle
Posted 16 August 2005 - 10:32 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please copy the following a new text file in Notepad and save it as fix.reg (make sure the Save as Type is set to All Files) -


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{6A8FA9C0-1C40-8A47-8010-34264B4D7631}"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A8FA9C0-1C40-8A47-8010-34264B4D7631}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]



Double click on fix.reg and let it merge with your registry.

Reboot the PC and post a fresh HJT log.
  • 0

#13
Trigger426
Posted 16 August 2005 - 10:39 AM

Trigger426

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Even though spybot sent me no warnings I forgot to turn it off before merging fix.reg to registry should I try it again with spybot off?

Logfile of HijackThis v1.99.1
Scan saved at 10:37:07 AM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo...37&t=54793&st=0
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/PhotoWorks-eLife
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {6A8FA9C0-1C40-8A47-8010-34264B4D7631} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123623076171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edit: In case your curious I did another reg search the entries do not have dashes in front of them (I am assuming that said dashes make the entries inactive).

Edited by Trigger426, 16 August 2005 - 10:45 AM.

  • 0

#14
tampabelle
Posted 16 August 2005 - 10:44 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Trigger,


Please reboot the PC in Safe Mode.

Make sure that Spybot is not running.

Please check the fix.reg file in Notepad. REGEDIT4 should be the first line in the file.

Now double click on fix.reg and let it merge with your registry.

Reboot the PC and post a fresh HJT log
  • 0

#15
Trigger426
Posted 16 August 2005 - 10:54 AM

Trigger426

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
The first line in fix file is regedit 4 spybot not running merge completed in safe mode. HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:47 AM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo...37&t=54793&st=0
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/PhotoWorks-eLife
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {6A8FA9C0-1C40-8A47-8010-34264B4D7631} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123623076171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP