[J4YH4WK]

Hello, and thanks for looking at this!

I use Google as a search engine, I type something in, links come up, I click on a link, but it doesn't take me to the page it's supposed to, it takes me to some other site, usually trying to sell me spyware protection or any number of other things!

Yahoo search doesn't do it, only Google.

Here's my Hijack This log, any help would be greatly appreciated!!!

Logfile of HijackThis v1.99.1
Scan saved at 2:50:13 PM, on 9/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120741072718
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

[Advertisements]

Welcome J4YH4WK to Geeks to Go!

Download the Hoster Here
Please do not use program yet

Unzip Hoster to your desktop

Open up the Hoster program.

• Make sure that the "make hosts writable?" button in the upper right corner is enabled.
• Click back up Host files
• then click Restore orginal host files
• close program

**

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Scan local drives for temporary files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Please download, install, and update the free version of Ewido trojan scanner:

• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
• From the main ewido screen, click on update in the left menu, then click the Start update button.
• After the update finishes (the status bar at the bottom will display "Update successful")
• Exit Ewido. DO NOT scan yet.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Next, run Ewido again.

• Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
• If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
• When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

***

Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

[g2i2r4]

Welcome J4YH4WK to Geeks to Go!

Download the Hoster Here
Please do not use program yet

Unzip Hoster to your desktop

Open up the Hoster program.

• Make sure that the "make hosts writable?" button in the upper right corner is enabled.
• Click back up Host files
• then click Restore orginal host files
• close program

**

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Scan local drives for temporary files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Please download, install, and update the free version of Ewido trojan scanner:

• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
• From the main ewido screen, click on update in the left menu, then click the Start update button.
• After the update finishes (the status bar at the bottom will display "Update successful")
• Exit Ewido. DO NOT scan yet.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Next, run Ewido again.

• Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
• If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
• When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

***

Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

[J4YH4WK]

Hello g2i2r4,

Here are the log files:

ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:25:59 AM, 9/3/2005
+ Report-Checksum: 9FE4D941

+ Scan result:

:mozilla.6:C:\Recycled\NPROTECT\00045114.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.6:C:\Recycled\NPROTECT\00045115.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.7:C:\Recycled\NPROTECT\00045116.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.7:C:\Recycled\NPROTECT\00045117.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.7:C:\Recycled\NPROTECT\00045119.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.7:C:\Recycled\NPROTECT\00045120.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.9:C:\Recycled\NPROTECT\00045121.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.9:C:\Recycled\NPROTECT\00045129.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.9:C:\Recycled\NPROTECT\00045131.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.10:C:\Recycled\NPROTECT\00045135.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.7:C:\Recycled\NPROTECT\00045154.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.10:C:\Recycled\NPROTECT\00045155.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.10:C:\Recycled\NPROTECT\00045163.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.10:C:\Recycled\NPROTECT\00045165.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.7:C:\Recycled\NPROTECT\00045881.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.9:C:\Recycled\NPROTECT\00045882.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.11:C:\Recycled\NPROTECT\00045884.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Recycled\NPROTECT\00045890.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Recycled\NPROTECT\00045891.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Recycled\NPROTECT\00045892.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Recycled\NPROTECT\00045893.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Recycled\NPROTECT\00046972.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\Recycled\NPROTECT\00046975.exe -> Spyware.FindSpy : Cleaned with backup
C:\Recycled\NPROTECT\00046976.exe -> Spyware.Msnagent : Cleaned with backup
:mozilla.12:C:\Recycled\NPROTECT\00047001.OLD -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Recycled\NPROTECT\00043497.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\Recycled\NPROTECT\00043499.exe -> Spyware.FindSpy : Cleaned with backup
C:\Recycled\NPROTECT\00043500.exe -> Spyware.Msnagent : Cleaned with backup
C:\Recycled\NPROTECT\00044636.exe -> Spyware.FindSpy : Cleaned with backup
C:\Recycled\NPROTECT\00044637.exe -> Spyware.Msnagent : Cleaned with backup
C:\Recycled\NPROTECT\00044701.dll -> Spyware.SBSoft : Cleaned with backup
C:\Recycled\NPROTECT\00044702.EXE -> TrojanDownloader.Agent.sy : Cleaned with backup
C:\Recycled\NPROTECT\00044703.EXE -> TrojanDownloader.Agent.sy : Cleaned with backup
C:\Recycled\NPROTECT\00044704.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Recycled\NPROTECT\00044705.EXE -> TrojanDownloader.Small.ayl : Cleaned with backup
:mozilla.9:C:\Recycled\NPROTECT\00044813.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.11:C:\Recycled\NPROTECT\00044813.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.13:C:\Recycled\NPROTECT\00044813.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Recycled\NPROTECT\00044813.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.45:C:\Recycled\NPROTECT\00044813.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.46:C:\Recycled\NPROTECT\00044813.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.47:C:\Recycled\NPROTECT\00044813.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.63:C:\Recycled\NPROTECT\00044813.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.64:C:\Recycled\NPROTECT\00044813.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.69:C:\Recycled\NPROTECT\00044813.MOZ -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.12:C:\Recycled\NPROTECT\00044814.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.14:C:\Recycled\NPROTECT\00044814.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.16:C:\Recycled\NPROTECT\00044814.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Recycled\NPROTECT\00044814.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.47:C:\Recycled\NPROTECT\00044814.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.48:C:\Recycled\NPROTECT\00044814.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.49:C:\Recycled\NPROTECT\00044814.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.65:C:\Recycled\NPROTECT\00044814.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.66:C:\Recycled\NPROTECT\00044814.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.71:C:\Recycled\NPROTECT\00044814.MOZ -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.7:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.20:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.22:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.24:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.40:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.55:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.56:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.57:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.73:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.74:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.79:C:\Recycled\NPROTECT\00044815.MOZ -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.13:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.14:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.15:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.16:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.17:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.18:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.19:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.20:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.21:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.22:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.23:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.24:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.25:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.26:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.27:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.28:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.42:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.44:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.46:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.62:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.92:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.93:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.98:C:\Recycled\NPROTECT\00044826.MOZ -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.21:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.22:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.23:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.24:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.25:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.26:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.27:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.28:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.29:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.30:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.31:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.32:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.33:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.34:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.36:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.49:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.51:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.53:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.64:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.93:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.94:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.99:C:\Recycled\NPROTECT\00044840.MOZ -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.23:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.24:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.25:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.26:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.27:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.28:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.29:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.30:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.31:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.32:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.33:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.34:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.36:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.37:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.38:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.51:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.53:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.55:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.66:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.95:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.96:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.101:C:\Recycled\NPROTECT\00044874.MOZ -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.24:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.25:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.26:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.27:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.28:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.29:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.31:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.32:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.33:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.34:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.36:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.37:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.38:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.39:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.52:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.54:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.56:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.67:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.96:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.97:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.102:C:\Recycled\NPROTECT\00044895.MOZ -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.10:C:\Recycled\NPROTECT\00045134.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
D:\RECYCLER\NPROTECT\00000039.DLL -> Trojan.Puper.m : Cleaned with backup



Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 10:32:51 AM, on 9/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120741072718
O16 - DPF: {D3E33EA6-92BF-444E-9DF3-E7F879F2006F} (TSRFileManagerXControl Control) - http://www.sims2.the...ationWizard.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe


I tried Google search, it's still displaying wrong pages.
I'll check back to see what you think, thanks for your help!

[g2i2r4]

Please RIGHT-CLICK HERE to download Silent Runner's.

• Save it to the desktop.
• Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
• You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
• Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

[J4YH4WK]

Here is the Silent Runners log:

(By the way, norton antivirus just popped up something about the hclean32.exe virus just before I downloaded silent runners... don't know if that changes anything or not, just passing along the information.)

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"EPSON Stylus Photo R200 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"" ["SEIKO EPSON CORPORATION"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [file not found]
"dmgbf.exe" = "C:\WINDOWS\System32\dmgbf.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msvdm.dll" [null data]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\phototoys.dll" [MS]
"{efb97cb8-a4a4-4357-a261-002ffaed0267}" = "CD Slideshow Powertoy"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\slideshow.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{4ADF8C01-0AC7-4403-888C-012E6EA2F67E}" = "Sims2Pack Clean Installer Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "mscoree.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cspqv.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
moveonboot_delete\(Default) = "{12B23346-6BD8-4812-BF8C-75E7C386ACB8}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\GiPo@Utilities\GiPo@MoveOnBoot\mboot.dll" ["Gibin Software House (http://www.gibinsoft.net)"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
S2PCI\(Default) = "{4ADF8C01-0AC7-4403-888C-012E6EA2F67E}"
-> {CLSID}\InProcServer32\(Default) = "mscoree.dll" [MS]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssmypics.scr" [MS]

[g2i2r4]

Copy everything in the quote box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixware.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

Double-click fixware.reg and when asked if you want to merge with the registry click YES.

After the merged successfully prompt, please reboot your computer.

After reboot, please download RKFiles from HERE

• Unzip RKfiles.zip to the desktop
• Double-click RKFiles.bat to run it.
  • It may take a while.
• When it is finished a window should appear with a log.
• Please copy the contents of the log and paste them here
  • Note: the log with be saved at c:\log.txt

[J4YH4WK]

Here is the log:


C:\Documents and Settings\Mark Burns\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\XpBlock.dll: UPX!
C:\WINDOWS\system32\rdsndin.exe: UPX!
C:\WINDOWS\system32\ntfsnlpa.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\VBAR2132.DLL: dwProvSpec2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

[g2i2r4]

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\system32\rdsndin.exe
C:\WINDOWS\system32\ntfsnlpa.exe
C:\WINDOWS\System32\dmgbf.exe
C:\WINDOWS\System32\hclean32.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

After reboot, post a new HiJackThis log here.

Edited by g2i2r4, 04 September 2005 - 08:37 AM.

[J4YH4WK]

Ran the killbox program, and here's the latest HijackThis Log:


Logfile of HijackThis v1.99.1
Scan saved at 12:37:15 PM, on 9/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\System32\hclean32.exe
O4 - HKLM\..\Run: [dmbru.exe] C:\WINDOWS\System32\dmbru.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120741072718
O16 - DPF: {D3E33EA6-92BF-444E-9DF3-E7F879F2006F} (TSRFileManagerXControl Control) - http://www.sims2.the...ationWizard.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe





***** thanks so much for your help, by the way!

[g2i2r4]

It's a pleasure to make this world a safer and cleaner place one computer at the time (I quote another user I helped recently ).

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\System32\hclean32.exe
O4 - HKLM\..\Run: [dmbru.exe] C:\WINDOWS\System32\dmbru.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

Reboot once more. Can you post me another HijackThis log to check?

[J4YH4WK]

Latest Hijack This log:


Logfile of HijackThis v1.99.1
Scan saved at 8:27:48 PM, on 9/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120741072718
O16 - DPF: {D3E33EA6-92BF-444E-9DF3-E7F879F2006F} (TSRFileManagerXControl Control) - http://www.sims2.the...ationWizard.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Google seems to be working great now, just did a search and clicked on the first 10 or so results... all went to the correct page! Also, haven't had any weird "your computer is infected" messages pop up either... I think you are knocking my computer into submission!!!

[g2i2r4]

Weldone then, looks like you did it

Shall I post you some tips for the future and close this topic?

[J4YH4WK]

Well, I would say that YOU did it! Thanks heaps for the help, and yes, any tips would be fantastic.

[g2i2r4]

Please follow these simple steps in order to keep your computer clean and secure:

• Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  You can find instructions on how to enable and re-enable system restore here:
  
  Managing Windows Millenium System Restore
  
  or
  
  Windows XP System Restore Guide
  
  Re-enable system restore with the instructions from the tutorial above
  
  
• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
• Use an AntiVirus Software - It is very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online & their stand-alone antivirus programs:
  
  Virus, Spyware, and Malware Protection and Removal Resources
  
  
• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  
  For a tutorial on Firewalls and a listing of some available ones see the link below:
  
  Understanding and Using Firewalls
  
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.
  
  A tutorial on installing & using this product can be found here:
  
  Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  
  
• Install Ad-Aware – Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.
  
  A tutorial on installing & using this product can be found here:
  
  Using Ad-aware to remove Spyware, Malware, & Hijackers from your Computer
  
  
• Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.